summaryrefslogtreecommitdiff
path: root/package/openswan/linux-2.6.22.6-openswan-2.4.9.kernel-2.6-klips.patch
blob: 751eb2ba8a51e53d3c406e3fbc54f22974bae206 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
5001
5002
5003
5004
5005
5006
5007
5008
5009
5010
5011
5012
5013
5014
5015
5016
5017
5018
5019
5020
5021
5022
5023
5024
5025
5026
5027
5028
5029
5030
5031
5032
5033
5034
5035
5036
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
5051
5052
5053
5054
5055
5056
5057
5058
5059
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5072
5073
5074
5075
5076
5077
5078
5079
5080
5081
5082
5083
5084
5085
5086
5087
5088
5089
5090
5091
5092
5093
5094
5095
5096
5097
5098
5099
5100
5101
5102
5103
5104
5105
5106
5107
5108
5109
5110
5111
5112
5113
5114
5115
5116
5117
5118
5119
5120
5121
5122
5123
5124
5125
5126
5127
5128
5129
5130
5131
5132
5133
5134
5135
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155
5156
5157
5158
5159
5160
5161
5162
5163
5164
5165
5166
5167
5168
5169
5170
5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
5211
5212
5213
5214
5215
5216
5217
5218
5219
5220
5221
5222
5223
5224
5225
5226
5227
5228
5229
5230
5231
5232
5233
5234
5235
5236
5237
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
5279
5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350
5351
5352
5353
5354
5355
5356
5357
5358
5359
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
5473
5474
5475
5476
5477
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
5489
5490
5491
5492
5493
5494
5495
5496
5497
5498
5499
5500
5501
5502
5503
5504
5505
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546
5547
5548
5549
5550
5551
5552
5553
5554
5555
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5578
5579
5580
5581
5582
5583
5584
5585
5586
5587
5588
5589
5590
5591
5592
5593
5594
5595
5596
5597
5598
5599
5600
5601
5602
5603
5604
5605
5606
5607
5608
5609
5610
5611
5612
5613
5614
5615
5616
5617
5618
5619
5620
5621
5622
5623
5624
5625
5626
5627
5628
5629
5630
5631
5632
5633
5634
5635
5636
5637
5638
5639
5640
5641
5642
5643
5644
5645
5646
5647
5648
5649
5650
5651
5652
5653
5654
5655
5656
5657
5658
5659
5660
5661
5662
5663
5664
5665
5666
5667
5668
5669
5670
5671
5672
5673
5674
5675
5676
5677
5678
5679
5680
5681
5682
5683
5684
5685
5686
5687
5688
5689
5690
5691
5692
5693
5694
5695
5696
5697
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711
5712
5713
5714
5715
5716
5717
5718
5719
5720
5721
5722
5723
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5742
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5758
5759
5760
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775
5776
5777
5778
5779
5780
5781
5782
5783
5784
5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804
5805
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5839
5840
5841
5842
5843
5844
5845
5846
5847
5848
5849
5850
5851
5852
5853
5854
5855
5856
5857
5858
5859
5860
5861
5862
5863
5864
5865
5866
5867
5868
5869
5870
5871
5872
5873
5874
5875
5876
5877
5878
5879
5880
5881
5882
5883
5884
5885
5886
5887
5888
5889
5890
5891
5892
5893
5894
5895
5896
5897
5898
5899
5900
5901
5902
5903
5904
5905
5906
5907
5908
5909
5910
5911
5912
5913
5914
5915
5916
5917
5918
5919
5920
5921
5922
5923
5924
5925
5926
5927
5928
5929
5930
5931
5932
5933
5934
5935
5936
5937
5938
5939
5940
5941
5942
5943
5944
5945
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5975
5976
5977
5978
5979
5980
5981
5982
5983
5984
5985
5986
5987
5988
5989
5990
5991
5992
5993
5994
5995
5996
5997
5998
5999
6000
6001
6002
6003
6004
6005
6006
6007
6008
6009
6010
6011
6012
6013
6014
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
6180
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
6240
6241
6242
6243
6244
6245
6246
6247
6248
6249
6250
6251
6252
6253
6254
6255
6256
6257
6258
6259
6260
6261
6262
6263
6264
6265
6266
6267
6268
6269
6270
6271
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290
6291
6292
6293
6294
6295
6296
6297
6298
6299
6300
6301
6302
6303
6304
6305
6306
6307
6308
6309
6310
6311
6312
6313
6314
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6344
6345
6346
6347
6348
6349
6350
6351
6352
6353
6354
6355
6356
6357
6358
6359
6360
6361
6362
6363
6364
6365
6366
6367
6368
6369
6370
6371
6372
6373
6374
6375
6376
6377
6378
6379
6380
6381
6382
6383
6384
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6411
6412
6413
6414
6415
6416
6417
6418
6419
6420
6421
6422
6423
6424
6425
6426
6427
6428
6429
6430
6431
6432
6433
6434
6435
6436
6437
6438
6439
6440
6441
6442
6443
6444
6445
6446
6447
6448
6449
6450
6451
6452
6453
6454
6455
6456
6457
6458
6459
6460
6461
6462
6463
6464
6465
6466
6467
6468
6469
6470
6471
6472
6473
6474
6475
6476
6477
6478
6479
6480
6481
6482
6483
6484
6485
6486
6487
6488
6489
6490
6491
6492
6493
6494
6495
6496
6497
6498
6499
6500
6501
6502
6503
6504
6505
6506
6507
6508
6509
6510
6511
6512
6513
6514
6515
6516
6517
6518
6519
6520
6521
6522
6523
6524
6525
6526
6527
6528
6529
6530
6531
6532
6533
6534
6535
6536
6537
6538
6539
6540
6541
6542
6543
6544
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
6569
6570
6571
6572
6573
6574
6575
6576
6577
6578
6579
6580
6581
6582
6583
6584
6585
6586
6587
6588
6589
6590
6591
6592
6593
6594
6595
6596
6597
6598
6599
6600
6601
6602
6603
6604
6605
6606
6607
6608
6609
6610
6611
6612
6613
6614
6615
6616
6617
6618
6619
6620
6621
6622
6623
6624
6625
6626
6627
6628
6629
6630
6631
6632
6633
6634
6635
6636
6637
6638
6639
6640
6641
6642
6643
6644
6645
6646
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
6663
6664
6665
6666
6667
6668
6669
6670
6671
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682
6683
6684
6685
6686
6687
6688
6689
6690
6691
6692
6693
6694
6695
6696
6697
6698
6699
6700
6701
6702
6703
6704
6705
6706
6707
6708
6709
6710
6711
6712
6713
6714
6715
6716
6717
6718
6719
6720
6721
6722
6723
6724
6725
6726
6727
6728
6729
6730
6731
6732
6733
6734
6735
6736
6737
6738
6739
6740
6741
6742
6743
6744
6745
6746
6747
6748
6749
6750
6751
6752
6753
6754
6755
6756
6757
6758
6759
6760
6761
6762
6763
6764
6765
6766
6767
6768
6769
6770
6771
6772
6773
6774
6775
6776
6777
6778
6779
6780
6781
6782
6783
6784
6785
6786
6787
6788
6789
6790
6791
6792
6793
6794
6795
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813
6814
6815
6816
6817
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828
6829
6830
6831
6832
6833
6834
6835
6836
6837
6838
6839
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861
6862
6863
6864
6865
6866
6867
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
6891
6892
6893
6894
6895
6896
6897
6898
6899
6900
6901
6902
6903
6904
6905
6906
6907
6908
6909
6910
6911
6912
6913
6914
6915
6916
6917
6918
6919
6920
6921
6922
6923
6924
6925
6926
6927
6928
6929
6930
6931
6932
6933
6934
6935
6936
6937
6938
6939
6940
6941
6942
6943
6944
6945
6946
6947
6948
6949
6950
6951
6952
6953
6954
6955
6956
6957
6958
6959
6960
6961
6962
6963
6964
6965
6966
6967
6968
6969
6970
6971
6972
6973
6974
6975
6976
6977
6978
6979
6980
6981
6982
6983
6984
6985
6986
6987
6988
6989
6990
6991
6992
6993
6994
6995
6996
6997
6998
6999
7000
7001
7002
7003
7004
7005
7006
7007
7008
7009
7010
7011
7012
7013
7014
7015
7016
7017
7018
7019
7020
7021
7022
7023
7024
7025
7026
7027
7028
7029
7030
7031
7032
7033
7034
7035
7036
7037
7038
7039
7040
7041
7042
7043
7044
7045
7046
7047
7048
7049
7050
7051
7052
7053
7054
7055
7056
7057
7058
7059
7060
7061
7062
7063
7064
7065
7066
7067
7068
7069
7070
7071
7072
7073
7074
7075
7076
7077
7078
7079
7080
7081
7082
7083
7084
7085
7086
7087
7088
7089
7090
7091
7092
7093
7094
7095
7096
7097
7098
7099
7100
7101
7102
7103
7104
7105
7106
7107
7108
7109
7110
7111
7112
7113
7114
7115
7116
7117
7118
7119
7120
7121
7122
7123
7124
7125
7126
7127
7128
7129
7130
7131
7132
7133
7134
7135
7136
7137
7138
7139
7140
7141
7142
7143
7144
7145
7146
7147
7148
7149
7150
7151
7152
7153
7154
7155
7156
7157
7158
7159
7160
7161
7162
7163
7164
7165
7166
7167
7168
7169
7170
7171
7172
7173
7174
7175
7176
7177
7178
7179
7180
7181
7182
7183
7184
7185
7186
7187
7188
7189
7190
7191
7192
7193
7194
7195
7196
7197
7198
7199
7200
7201
7202
7203
7204
7205
7206
7207
7208
7209
7210
7211
7212
7213
7214
7215
7216
7217
7218
7219
7220
7221
7222
7223
7224
7225
7226
7227
7228
7229
7230
7231
7232
7233
7234
7235
7236
7237
7238
7239
7240
7241
7242
7243
7244
7245
7246
7247
7248
7249
7250
7251
7252
7253
7254
7255
7256
7257
7258
7259
7260
7261
7262
7263
7264
7265
7266
7267
7268
7269
7270
7271
7272
7273
7274
7275
7276
7277
7278
7279
7280
7281
7282
7283
7284
7285
7286
7287
7288
7289
7290
7291
7292
7293
7294
7295
7296
7297
7298
7299
7300
7301
7302
7303
7304
7305
7306
7307
7308
7309
7310
7311
7312
7313
7314
7315
7316
7317
7318
7319
7320
7321
7322
7323
7324
7325
7326
7327
7328
7329
7330
7331
7332
7333
7334
7335
7336
7337
7338
7339
7340
7341
7342
7343
7344
7345
7346
7347
7348
7349
7350
7351
7352
7353
7354
7355
7356
7357
7358
7359
7360
7361
7362
7363
7364
7365
7366
7367
7368
7369
7370
7371
7372
7373
7374
7375
7376
7377
7378
7379
7380
7381
7382
7383
7384
7385
7386
7387
7388
7389
7390
7391
7392
7393
7394
7395
7396
7397
7398
7399
7400
7401
7402
7403
7404
7405
7406
7407
7408
7409
7410
7411
7412
7413
7414
7415
7416
7417
7418
7419
7420
7421
7422
7423
7424
7425
7426
7427
7428
7429
7430
7431
7432
7433
7434
7435
7436
7437
7438
7439
7440
7441
7442
7443
7444
7445
7446
7447
7448
7449
7450
7451
7452
7453
7454
7455
7456
7457
7458
7459
7460
7461
7462
7463
7464
7465
7466
7467
7468
7469
7470
7471
7472
7473
7474
7475
7476
7477
7478
7479
7480
7481
7482
7483
7484
7485
7486
7487
7488
7489
7490
7491
7492
7493
7494
7495
7496
7497
7498
7499
7500
7501
7502
7503
7504
7505
7506
7507
7508
7509
7510
7511
7512
7513
7514
7515
7516
7517
7518
7519
7520
7521
7522
7523
7524
7525
7526
7527
7528
7529
7530
7531
7532
7533
7534
7535
7536
7537
7538
7539
7540
7541
7542
7543
7544
7545
7546
7547
7548
7549
7550
7551
7552
7553
7554
7555
7556
7557
7558
7559
7560
7561
7562
7563
7564
7565
7566
7567
7568
7569
7570
7571
7572
7573
7574
7575
7576
7577
7578
7579
7580
7581
7582
7583
7584
7585
7586
7587
7588
7589
7590
7591
7592
7593
7594
7595
7596
7597
7598
7599
7600
7601
7602
7603
7604
7605
7606
7607
7608
7609
7610
7611
7612
7613
7614
7615
7616
7617
7618
7619
7620
7621
7622
7623
7624
7625
7626
7627
7628
7629
7630
7631
7632
7633
7634
7635
7636
7637
7638
7639
7640
7641
7642
7643
7644
7645
7646
7647
7648
7649
7650
7651
7652
7653
7654
7655
7656
7657
7658
7659
7660
7661
7662
7663
7664
7665
7666
7667
7668
7669
7670
7671
7672
7673
7674
7675
7676
7677
7678
7679
7680
7681
7682
7683
7684
7685
7686
7687
7688
7689
7690
7691
7692
7693
7694
7695
7696
7697
7698
7699
7700
7701
7702
7703
7704
7705
7706
7707
7708
7709
7710
7711
7712
7713
7714
7715
7716
7717
7718
7719
7720
7721
7722
7723
7724
7725
7726
7727
7728
7729
7730
7731
7732
7733
7734
7735
7736
7737
7738
7739
7740
7741
7742
7743
7744
7745
7746
7747
7748
7749
7750
7751
7752
7753
7754
7755
7756
7757
7758
7759
7760
7761
7762
7763
7764
7765
7766
7767
7768
7769
7770
7771
7772
7773
7774
7775
7776
7777
7778
7779
7780
7781
7782
7783
7784
7785
7786
7787
7788
7789
7790
7791
7792
7793
7794
7795
7796
7797
7798
7799
7800
7801
7802
7803
7804
7805
7806
7807
7808
7809
7810
7811
7812
7813
7814
7815
7816
7817
7818
7819
7820
7821
7822
7823
7824
7825
7826
7827
7828
7829
7830
7831
7832
7833
7834
7835
7836
7837
7838
7839
7840
7841
7842
7843
7844
7845
7846
7847
7848
7849
7850
7851
7852
7853
7854
7855
7856
7857
7858
7859
7860
7861
7862
7863
7864
7865
7866
7867
7868
7869
7870
7871
7872
7873
7874
7875
7876
7877
7878
7879
7880
7881
7882
7883
7884
7885
7886
7887
7888
7889
7890
7891
7892
7893
7894
7895
7896
7897
7898
7899
7900
7901
7902
7903
7904
7905
7906
7907
7908
7909
7910
7911
7912
7913
7914
7915
7916
7917
7918
7919
7920
7921
7922
7923
7924
7925
7926
7927
7928
7929
7930
7931
7932
7933
7934
7935
7936
7937
7938
7939
7940
7941
7942
7943
7944
7945
7946
7947
7948
7949
7950
7951
7952
7953
7954
7955
7956
7957
7958
7959
7960
7961
7962
7963
7964
7965
7966
7967
7968
7969
7970
7971
7972
7973
7974
7975
7976
7977
7978
7979
7980
7981
7982
7983
7984
7985
7986
7987
7988
7989
7990
7991
7992
7993
7994
7995
7996
7997
7998
7999
8000
8001
8002
8003
8004
8005
8006
8007
8008
8009
8010
8011
8012
8013
8014
8015
8016
8017
8018
8019
8020
8021
8022
8023
8024
8025
8026
8027
8028
8029
8030
8031
8032
8033
8034
8035
8036
8037
8038
8039
8040
8041
8042
8043
8044
8045
8046
8047
8048
8049
8050
8051
8052
8053
8054
8055
8056
8057
8058
8059
8060
8061
8062
8063
8064
8065
8066
8067
8068
8069
8070
8071
8072
8073
8074
8075
8076
8077
8078
8079
8080
8081
8082
8083
8084
8085
8086
8087
8088
8089
8090
8091
8092
8093
8094
8095
8096
8097
8098
8099
8100
8101
8102
8103
8104
8105
8106
8107
8108
8109
8110
8111
8112
8113
8114
8115
8116
8117
8118
8119
8120
8121
8122
8123
8124
8125
8126
8127
8128
8129
8130
8131
8132
8133
8134
8135
8136
8137
8138
8139
8140
8141
8142
8143
8144
8145
8146
8147
8148
8149
8150
8151
8152
8153
8154
8155
8156
8157
8158
8159
8160
8161
8162
8163
8164
8165
8166
8167
8168
8169
8170
8171
8172
8173
8174
8175
8176
8177
8178
8179
8180
8181
8182
8183
8184
8185
8186
8187
8188
8189
8190
8191
8192
8193
8194
8195
8196
8197
8198
8199
8200
8201
8202
8203
8204
8205
8206
8207
8208
8209
8210
8211
8212
8213
8214
8215
8216
8217
8218
8219
8220
8221
8222
8223
8224
8225
8226
8227
8228
8229
8230
8231
8232
8233
8234
8235
8236
8237
8238
8239
8240
8241
8242
8243
8244
8245
8246
8247
8248
8249
8250
8251
8252
8253
8254
8255
8256
8257
8258
8259
8260
8261
8262
8263
8264
8265
8266
8267
8268
8269
8270
8271
8272
8273
8274
8275
8276
8277
8278
8279
8280
8281
8282
8283
8284
8285
8286
8287
8288
8289
8290
8291
8292
8293
8294
8295
8296
8297
8298
8299
8300
8301
8302
8303
8304
8305
8306
8307
8308
8309
8310
8311
8312
8313
8314
8315
8316
8317
8318
8319
8320
8321
8322
8323
8324
8325
8326
8327
8328
8329
8330
8331
8332
8333
8334
8335
8336
8337
8338
8339
8340
8341
8342
8343
8344
8345
8346
8347
8348
8349
8350
8351
8352
8353
8354
8355
8356
8357
8358
8359
8360
8361
8362
8363
8364
8365
8366
8367
8368
8369
8370
8371
8372
8373
8374
8375
8376
8377
8378
8379
8380
8381
8382
8383
8384
8385
8386
8387
8388
8389
8390
8391
8392
8393
8394
8395
8396
8397
8398
8399
8400
8401
8402
8403
8404
8405
8406
8407
8408
8409
8410
8411
8412
8413
8414
8415
8416
8417
8418
8419
8420
8421
8422
8423
8424
8425
8426
8427
8428
8429
8430
8431
8432
8433
8434
8435
8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
8447
8448
8449
8450
8451
8452
8453
8454
8455
8456
8457
8458
8459
8460
8461
8462
8463
8464
8465
8466
8467
8468
8469
8470
8471
8472
8473
8474
8475
8476
8477
8478
8479
8480
8481
8482
8483
8484
8485
8486
8487
8488
8489
8490
8491
8492
8493
8494
8495
8496
8497
8498
8499
8500
8501
8502
8503
8504
8505
8506
8507
8508
8509
8510
8511
8512
8513
8514
8515
8516
8517
8518
8519
8520
8521
8522
8523
8524
8525
8526
8527
8528
8529
8530
8531
8532
8533
8534
8535
8536
8537
8538
8539
8540
8541
8542
8543
8544
8545
8546
8547
8548
8549
8550
8551
8552
8553
8554
8555
8556
8557
8558
8559
8560
8561
8562
8563
8564
8565
8566
8567
8568
8569
8570
8571
8572
8573
8574
8575
8576
8577
8578
8579
8580
8581
8582
8583
8584
8585
8586
8587
8588
8589
8590
8591
8592
8593
8594
8595
8596
8597
8598
8599
8600
8601
8602
8603
8604
8605
8606
8607
8608
8609
8610
8611
8612
8613
8614
8615
8616
8617
8618
8619
8620
8621
8622
8623
8624
8625
8626
8627
8628
8629
8630
8631
8632
8633
8634
8635
8636
8637
8638
8639
8640
8641
8642
8643
8644
8645
8646
8647
8648
8649
8650
8651
8652
8653
8654
8655
8656
8657
8658
8659
8660
8661
8662
8663
8664
8665
8666
8667
8668
8669
8670
8671
8672
8673
8674
8675
8676
8677
8678
8679
8680
8681
8682
8683
8684
8685
8686
8687
8688
8689
8690
8691
8692
8693
8694
8695
8696
8697
8698
8699
8700
8701
8702
8703
8704
8705
8706
8707
8708
8709
8710
8711
8712
8713
8714
8715
8716
8717
8718
8719
8720
8721
8722
8723
8724
8725
8726
8727
8728
8729
8730
8731
8732
8733
8734
8735
8736
8737
8738
8739
8740
8741
8742
8743
8744
8745
8746
8747
8748
8749
8750
8751
8752
8753
8754
8755
8756
8757
8758
8759
8760
8761
8762
8763
8764
8765
8766
8767
8768
8769
8770
8771
8772
8773
8774
8775
8776
8777
8778
8779
8780
8781
8782
8783
8784
8785
8786
8787
8788
8789
8790
8791
8792
8793
8794
8795
8796
8797
8798
8799
8800
8801
8802
8803
8804
8805
8806
8807
8808
8809
8810
8811
8812
8813
8814
8815
8816
8817
8818
8819
8820
8821
8822
8823
8824
8825
8826
8827
8828
8829
8830
8831
8832
8833
8834
8835
8836
8837
8838
8839
8840
8841
8842
8843
8844
8845
8846
8847
8848
8849
8850
8851
8852
8853
8854
8855
8856
8857
8858
8859
8860
8861
8862
8863
8864
8865
8866
8867
8868
8869
8870
8871
8872
8873
8874
8875
8876
8877
8878
8879
8880
8881
8882
8883
8884
8885
8886
8887
8888
8889
8890
8891
8892
8893
8894
8895
8896
8897
8898
8899
8900
8901
8902
8903
8904
8905
8906
8907
8908
8909
8910
8911
8912
8913
8914
8915
8916
8917
8918
8919
8920
8921
8922
8923
8924
8925
8926
8927
8928
8929
8930
8931
8932
8933
8934
8935
8936
8937
8938
8939
8940
8941
8942
8943
8944
8945
8946
8947
8948
8949
8950
8951
8952
8953
8954
8955
8956
8957
8958
8959
8960
8961
8962
8963
8964
8965
8966
8967
8968
8969
8970
8971
8972
8973
8974
8975
8976
8977
8978
8979
8980
8981
8982
8983
8984
8985
8986
8987
8988
8989
8990
8991
8992
8993
8994
8995
8996
8997
8998
8999
9000
9001
9002
9003
9004
9005
9006
9007
9008
9009
9010
9011
9012
9013
9014
9015
9016
9017
9018
9019
9020
9021
9022
9023
9024
9025
9026
9027
9028
9029
9030
9031
9032
9033
9034
9035
9036
9037
9038
9039
9040
9041
9042
9043
9044
9045
9046
9047
9048
9049
9050
9051
9052
9053
9054
9055
9056
9057
9058
9059
9060
9061
9062
9063
9064
9065
9066
9067
9068
9069
9070
9071
9072
9073
9074
9075
9076
9077
9078
9079
9080
9081
9082
9083
9084
9085
9086
9087
9088
9089
9090
9091
9092
9093
9094
9095
9096
9097
9098
9099
9100
9101
9102
9103
9104
9105
9106
9107
9108
9109
9110
9111
9112
9113
9114
9115
9116
9117
9118
9119
9120
9121
9122
9123
9124
9125
9126
9127
9128
9129
9130
9131
9132
9133
9134
9135
9136
9137
9138
9139
9140
9141
9142
9143
9144
9145
9146
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160
9161
9162
9163
9164
9165
9166
9167
9168
9169
9170
9171
9172
9173
9174
9175
9176
9177
9178
9179
9180
9181
9182
9183
9184
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197
9198
9199
9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217
9218
9219
9220
9221
9222
9223
9224
9225
9226
9227
9228
9229
9230
9231
9232
9233
9234
9235
9236
9237
9238
9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249
9250
9251
9252
9253
9254
9255
9256
9257
9258
9259
9260
9261
9262
9263
9264
9265
9266
9267
9268
9269
9270
9271
9272
9273
9274
9275
9276
9277
9278
9279
9280
9281
9282
9283
9284
9285
9286
9287
9288
9289
9290
9291
9292
9293
9294
9295
9296
9297
9298
9299
9300
9301
9302
9303
9304
9305
9306
9307
9308
9309
9310
9311
9312
9313
9314
9315
9316
9317
9318
9319
9320
9321
9322
9323
9324
9325
9326
9327
9328
9329
9330
9331
9332
9333
9334
9335
9336
9337
9338
9339
9340
9341
9342
9343
9344
9345
9346
9347
9348
9349
9350
9351
9352
9353
9354
9355
9356
9357
9358
9359
9360
9361
9362
9363
9364
9365
9366
9367
9368
9369
9370
9371
9372
9373
9374
9375
9376
9377
9378
9379
9380
9381
9382
9383
9384
9385
9386
9387
9388
9389
9390
9391
9392
9393
9394
9395
9396
9397
9398
9399
9400
9401
9402
9403
9404
9405
9406
9407
9408
9409
9410
9411
9412
9413
9414
9415
9416
9417
9418
9419
9420
9421
9422
9423
9424
9425
9426
9427
9428
9429
9430
9431
9432
9433
9434
9435
9436
9437
9438
9439
9440
9441
9442
9443
9444
9445
9446
9447
9448
9449
9450
9451
9452
9453
9454
9455
9456
9457
9458
9459
9460
9461
9462
9463
9464
9465
9466
9467
9468
9469
9470
9471
9472
9473
9474
9475
9476
9477
9478
9479
9480
9481
9482
9483
9484
9485
9486
9487
9488
9489
9490
9491
9492
9493
9494
9495
9496
9497
9498
9499
9500
9501
9502
9503
9504
9505
9506
9507
9508
9509
9510
9511
9512
9513
9514
9515
9516
9517
9518
9519
9520
9521
9522
9523
9524
9525
9526
9527
9528
9529
9530
9531
9532
9533
9534
9535
9536
9537
9538
9539
9540
9541
9542
9543
9544
9545
9546
9547
9548
9549
9550
9551
9552
9553
9554
9555
9556
9557
9558
9559
9560
9561
9562
9563
9564
9565
9566
9567
9568
9569
9570
9571
9572
9573
9574
9575
9576
9577
9578
9579
9580
9581
9582
9583
9584
9585
9586
9587
9588
9589
9590
9591
9592
9593
9594
9595
9596
9597
9598
9599
9600
9601
9602
9603
9604
9605
9606
9607
9608
9609
9610
9611
9612
9613
9614
9615
9616
9617
9618
9619
9620
9621
9622
9623
9624
9625
9626
9627
9628
9629
9630
9631
9632
9633
9634
9635
9636
9637
9638
9639
9640
9641
9642
9643
9644
9645
9646
9647
9648
9649
9650
9651
9652
9653
9654
9655
9656
9657
9658
9659
9660
9661
9662
9663
9664
9665
9666
9667
9668
9669
9670
9671
9672
9673
9674
9675
9676
9677
9678
9679
9680
9681
9682
9683
9684
9685
9686
9687
9688
9689
9690
9691
9692
9693
9694
9695
9696
9697
9698
9699
9700
9701
9702
9703
9704
9705
9706
9707
9708
9709
9710
9711
9712
9713
9714
9715
9716
9717
9718
9719
9720
9721
9722
9723
9724
9725
9726
9727
9728
9729
9730
9731
9732
9733
9734
9735
9736
9737
9738
9739
9740
9741
9742
9743
9744
9745
9746
9747
9748
9749
9750
9751
9752
9753
9754
9755
9756
9757
9758
9759
9760
9761
9762
9763
9764
9765
9766
9767
9768
9769
9770
9771
9772
9773
9774
9775
9776
9777
9778
9779
9780
9781
9782
9783
9784
9785
9786
9787
9788
9789
9790
9791
9792
9793
9794
9795
9796
9797
9798
9799
9800
9801
9802
9803
9804
9805
9806
9807
9808
9809
9810
9811
9812
9813
9814
9815
9816
9817
9818
9819
9820
9821
9822
9823
9824
9825
9826
9827
9828
9829
9830
9831
9832
9833
9834
9835
9836
9837
9838
9839
9840
9841
9842
9843
9844
9845
9846
9847
9848
9849
9850
9851
9852
9853
9854
9855
9856
9857
9858
9859
9860
9861
9862
9863
9864
9865
9866
9867
9868
9869
9870
9871
9872
9873
9874
9875
9876
9877
9878
9879
9880
9881
9882
9883
9884
9885
9886
9887
9888
9889
9890
9891
9892
9893
9894
9895
9896
9897
9898
9899
9900
9901
9902
9903
9904
9905
9906
9907
9908
9909
9910
9911
9912
9913
9914
9915
9916
9917
9918
9919
9920
9921
9922
9923
9924
9925
9926
9927
9928
9929
9930
9931
9932
9933
9934
9935
9936
9937
9938
9939
9940
9941
9942
9943
9944
9945
9946
9947
9948
9949
9950
9951
9952
9953
9954
9955
9956
9957
9958
9959
9960
9961
9962
9963
9964
9965
9966
9967
9968
9969
9970
9971
9972
9973
9974
9975
9976
9977
9978
9979
9980
9981
9982
9983
9984
9985
9986
9987
9988
9989
9990
9991
9992
9993
9994
9995
9996
9997
9998
9999
10000
10001
10002
10003
10004
10005
10006
10007
10008
10009
10010
10011
10012
10013
10014
10015
10016
10017
10018
10019
10020
10021
10022
10023
10024
10025
10026
10027
10028
10029
10030
10031
10032
10033
10034
10035
10036
10037
10038
10039
10040
10041
10042
10043
10044
10045
10046
10047
10048
10049
10050
10051
10052
10053
10054
10055
10056
10057
10058
10059
10060
10061
10062
10063
10064
10065
10066
10067
10068
10069
10070
10071
10072
10073
10074
10075
10076
10077
10078
10079
10080
10081
10082
10083
10084
10085
10086
10087
10088
10089
10090
10091
10092
10093
10094
10095
10096
10097
10098
10099
10100
10101
10102
10103
10104
10105
10106
10107
10108
10109
10110
10111
10112
10113
10114
10115
10116
10117
10118
10119
10120
10121
10122
10123
10124
10125
10126
10127
10128
10129
10130
10131
10132
10133
10134
10135
10136
10137
10138
10139
10140
10141
10142
10143
10144
10145
10146
10147
10148
10149
10150
10151
10152
10153
10154
10155
10156
10157
10158
10159
10160
10161
10162
10163
10164
10165
10166
10167
10168
10169
10170
10171
10172
10173
10174
10175
10176
10177
10178
10179
10180
10181
10182
10183
10184
10185
10186
10187
10188
10189
10190
10191
10192
10193
10194
10195
10196
10197
10198
10199
10200
10201
10202
10203
10204
10205
10206
10207
10208
10209
10210
10211
10212
10213
10214
10215
10216
10217
10218
10219
10220
10221
10222
10223
10224
10225
10226
10227
10228
10229
10230
10231
10232
10233
10234
10235
10236
10237
10238
10239
10240
10241
10242
10243
10244
10245
10246
10247
10248
10249
10250
10251
10252
10253
10254
10255
10256
10257
10258
10259
10260
10261
10262
10263
10264
10265
10266
10267
10268
10269
10270
10271
10272
10273
10274
10275
10276
10277
10278
10279
10280
10281
10282
10283
10284
10285
10286
10287
10288
10289
10290
10291
10292
10293
10294
10295
10296
10297
10298
10299
10300
10301
10302
10303
10304
10305
10306
10307
10308
10309
10310
10311
10312
10313
10314
10315
10316
10317
10318
10319
10320
10321
10322
10323
10324
10325
10326
10327
10328
10329
10330
10331
10332
10333
10334
10335
10336
10337
10338
10339
10340
10341
10342
10343
10344
10345
10346
10347
10348
10349
10350
10351
10352
10353
10354
10355
10356
10357
10358
10359
10360
10361
10362
10363
10364
10365
10366
10367
10368
10369
10370
10371
10372
10373
10374
10375
10376
10377
10378
10379
10380
10381
10382
10383
10384
10385
10386
10387
10388
10389
10390
10391
10392
10393
10394
10395
10396
10397
10398
10399
10400
10401
10402
10403
10404
10405
10406
10407
10408
10409
10410
10411
10412
10413
10414
10415
10416
10417
10418
10419
10420
10421
10422
10423
10424
10425
10426
10427
10428
10429
10430
10431
10432
10433
10434
10435
10436
10437
10438
10439
10440
10441
10442
10443
10444
10445
10446
10447
10448
10449
10450
10451
10452
10453
10454
10455
10456
10457
10458
10459
10460
10461
10462
10463
10464
10465
10466
10467
10468
10469
10470
10471
10472
10473
10474
10475
10476
10477
10478
10479
10480
10481
10482
10483
10484
10485
10486
10487
10488
10489
10490
10491
10492
10493
10494
10495
10496
10497
10498
10499
10500
10501
10502
10503
10504
10505
10506
10507
10508
10509
10510
10511
10512
10513
10514
10515
10516
10517
10518
10519
10520
10521
10522
10523
10524
10525
10526
10527
10528
10529
10530
10531
10532
10533
10534
10535
10536
10537
10538
10539
10540
10541
10542
10543
10544
10545
10546
10547
10548
10549
10550
10551
10552
10553
10554
10555
10556
10557
10558
10559
10560
10561
10562
10563
10564
10565
10566
10567
10568
10569
10570
10571
10572
10573
10574
10575
10576
10577
10578
10579
10580
10581
10582
10583
10584
10585
10586
10587
10588
10589
10590
10591
10592
10593
10594
10595
10596
10597
10598
10599
10600
10601
10602
10603
10604
10605
10606
10607
10608
10609
10610
10611
10612
10613
10614
10615
10616
10617
10618
10619
10620
10621
10622
10623
10624
10625
10626
10627
10628
10629
10630
10631
10632
10633
10634
10635
10636
10637
10638
10639
10640
10641
10642
10643
10644
10645
10646
10647
10648
10649
10650
10651
10652
10653
10654
10655
10656
10657
10658
10659
10660
10661
10662
10663
10664
10665
10666
10667
10668
10669
10670
10671
10672
10673
10674
10675
10676
10677
10678
10679
10680
10681
10682
10683
10684
10685
10686
10687
10688
10689
10690
10691
10692
10693
10694
10695
10696
10697
10698
10699
10700
10701
10702
10703
10704
10705
10706
10707
10708
10709
10710
10711
10712
10713
10714
10715
10716
10717
10718
10719
10720
10721
10722
10723
10724
10725
10726
10727
10728
10729
10730
10731
10732
10733
10734
10735
10736
10737
10738
10739
10740
10741
10742
10743
10744
10745
10746
10747
10748
10749
10750
10751
10752
10753
10754
10755
10756
10757
10758
10759
10760
10761
10762
10763
10764
10765
10766
10767
10768
10769
10770
10771
10772
10773
10774
10775
10776
10777
10778
10779
10780
10781
10782
10783
10784
10785
10786
10787
10788
10789
10790
10791
10792
10793
10794
10795
10796
10797
10798
10799
10800
10801
10802
10803
10804
10805
10806
10807
10808
10809
10810
10811
10812
10813
10814
10815
10816
10817
10818
10819
10820
10821
10822
10823
10824
10825
10826
10827
10828
10829
10830
10831
10832
10833
10834
10835
10836
10837
10838
10839
10840
10841
10842
10843
10844
10845
10846
10847
10848
10849
10850
10851
10852
10853
10854
10855
10856
10857
10858
10859
10860
10861
10862
10863
10864
10865
10866
10867
10868
10869
10870
10871
10872
10873
10874
10875
10876
10877
10878
10879
10880
10881
10882
10883
10884
10885
10886
10887
10888
10889
10890
10891
10892
10893
10894
10895
10896
10897
10898
10899
10900
10901
10902
10903
10904
10905
10906
10907
10908
10909
10910
10911
10912
10913
10914
10915
10916
10917
10918
10919
10920
10921
10922
10923
10924
10925
10926
10927
10928
10929
10930
10931
10932
10933
10934
10935
10936
10937
10938
10939
10940
10941
10942
10943
10944
10945
10946
10947
10948
10949
10950
10951
10952
10953
10954
10955
10956
10957
10958
10959
10960
10961
10962
10963
10964
10965
10966
10967
10968
10969
10970
10971
10972
10973
10974
10975
10976
10977
10978
10979
10980
10981
10982
10983
10984
10985
10986
10987
10988
10989
10990
10991
10992
10993
10994
10995
10996
10997
10998
10999
11000
11001
11002
11003
11004
11005
11006
11007
11008
11009
11010
11011
11012
11013
11014
11015
11016
11017
11018
11019
11020
11021
11022
11023
11024
11025
11026
11027
11028
11029
11030
11031
11032
11033
11034
11035
11036
11037
11038
11039
11040
11041
11042
11043
11044
11045
11046
11047
11048
11049
11050
11051
11052
11053
11054
11055
11056
11057
11058
11059
11060
11061
11062
11063
11064
11065
11066
11067
11068
11069
11070
11071
11072
11073
11074
11075
11076
11077
11078
11079
11080
11081
11082
11083
11084
11085
11086
11087
11088
11089
11090
11091
11092
11093
11094
11095
11096
11097
11098
11099
11100
11101
11102
11103
11104
11105
11106
11107
11108
11109
11110
11111
11112
11113
11114
11115
11116
11117
11118
11119
11120
11121
11122
11123
11124
11125
11126
11127
11128
11129
11130
11131
11132
11133
11134
11135
11136
11137
11138
11139
11140
11141
11142
11143
11144
11145
11146
11147
11148
11149
11150
11151
11152
11153
11154
11155
11156
11157
11158
11159
11160
11161
11162
11163
11164
11165
11166
11167
11168
11169
11170
11171
11172
11173
11174
11175
11176
11177
11178
11179
11180
11181
11182
11183
11184
11185
11186
11187
11188
11189
11190
11191
11192
11193
11194
11195
11196
11197
11198
11199
11200
11201
11202
11203
11204
11205
11206
11207
11208
11209
11210
11211
11212
11213
11214
11215
11216
11217
11218
11219
11220
11221
11222
11223
11224
11225
11226
11227
11228
11229
11230
11231
11232
11233
11234
11235
11236
11237
11238
11239
11240
11241
11242
11243
11244
11245
11246
11247
11248
11249
11250
11251
11252
11253
11254
11255
11256
11257
11258
11259
11260
11261
11262
11263
11264
11265
11266
11267
11268
11269
11270
11271
11272
11273
11274
11275
11276
11277
11278
11279
11280
11281
11282
11283
11284
11285
11286
11287
11288
11289
11290
11291
11292
11293
11294
11295
11296
11297
11298
11299
11300
11301
11302
11303
11304
11305
11306
11307
11308
11309
11310
11311
11312
11313
11314
11315
11316
11317
11318
11319
11320
11321
11322
11323
11324
11325
11326
11327
11328
11329
11330
11331
11332
11333
11334
11335
11336
11337
11338
11339
11340
11341
11342
11343
11344
11345
11346
11347
11348
11349
11350
11351
11352
11353
11354
11355
11356
11357
11358
11359
11360
11361
11362
11363
11364
11365
11366
11367
11368
11369
11370
11371
11372
11373
11374
11375
11376
11377
11378
11379
11380
11381
11382
11383
11384
11385
11386
11387
11388
11389
11390
11391
11392
11393
11394
11395
11396
11397
11398
11399
11400
11401
11402
11403
11404
11405
11406
11407
11408
11409
11410
11411
11412
11413
11414
11415
11416
11417
11418
11419
11420
11421
11422
11423
11424
11425
11426
11427
11428
11429
11430
11431
11432
11433
11434
11435
11436
11437
11438
11439
11440
11441
11442
11443
11444
11445
11446
11447
11448
11449
11450
11451
11452
11453
11454
11455
11456
11457
11458
11459
11460
11461
11462
11463
11464
11465
11466
11467
11468
11469
11470
11471
11472
11473
11474
11475
11476
11477
11478
11479
11480
11481
11482
11483
11484
11485
11486
11487
11488
11489
11490
11491
11492
11493
11494
11495
11496
11497
11498
11499
11500
11501
11502
11503
11504
11505
11506
11507
11508
11509
11510
11511
11512
11513
11514
11515
11516
11517
11518
11519
11520
11521
11522
11523
11524
11525
11526
11527
11528
11529
11530
11531
11532
11533
11534
11535
11536
11537
11538
11539
11540
11541
11542
11543
11544
11545
11546
11547
11548
11549
11550
11551
11552
11553
11554
11555
11556
11557
11558
11559
11560
11561
11562
11563
11564
11565
11566
11567
11568
11569
11570
11571
11572
11573
11574
11575
11576
11577
11578
11579
11580
11581
11582
11583
11584
11585
11586
11587
11588
11589
11590
11591
11592
11593
11594
11595
11596
11597
11598
11599
11600
11601
11602
11603
11604
11605
11606
11607
11608
11609
11610
11611
11612
11613
11614
11615
11616
11617
11618
11619
11620
11621
11622
11623
11624
11625
11626
11627
11628
11629
11630
11631
11632
11633
11634
11635
11636
11637
11638
11639
11640
11641
11642
11643
11644
11645
11646
11647
11648
11649
11650
11651
11652
11653
11654
11655
11656
11657
11658
11659
11660
11661
11662
11663
11664
11665
11666
11667
11668
11669
11670
11671
11672
11673
11674
11675
11676
11677
11678
11679
11680
11681
11682
11683
11684
11685
11686
11687
11688
11689
11690
11691
11692
11693
11694
11695
11696
11697
11698
11699
11700
11701
11702
11703
11704
11705
11706
11707
11708
11709
11710
11711
11712
11713
11714
11715
11716
11717
11718
11719
11720
11721
11722
11723
11724
11725
11726
11727
11728
11729
11730
11731
11732
11733
11734
11735
11736
11737
11738
11739
11740
11741
11742
11743
11744
11745
11746
11747
11748
11749
11750
11751
11752
11753
11754
11755
11756
11757
11758
11759
11760
11761
11762
11763
11764
11765
11766
11767
11768
11769
11770
11771
11772
11773
11774
11775
11776
11777
11778
11779
11780
11781
11782
11783
11784
11785
11786
11787
11788
11789
11790
11791
11792
11793
11794
11795
11796
11797
11798
11799
11800
11801
11802
11803
11804
11805
11806
11807
11808
11809
11810
11811
11812
11813
11814
11815
11816
11817
11818
11819
11820
11821
11822
11823
11824
11825
11826
11827
11828
11829
11830
11831
11832
11833
11834
11835
11836
11837
11838
11839
11840
11841
11842
11843
11844
11845
11846
11847
11848
11849
11850
11851
11852
11853
11854
11855
11856
11857
11858
11859
11860
11861
11862
11863
11864
11865
11866
11867
11868
11869
11870
11871
11872
11873
11874
11875
11876
11877
11878
11879
11880
11881
11882
11883
11884
11885
11886
11887
11888
11889
11890
11891
11892
11893
11894
11895
11896
11897
11898
11899
11900
11901
11902
11903
11904
11905
11906
11907
11908
11909
11910
11911
11912
11913
11914
11915
11916
11917
11918
11919
11920
11921
11922
11923
11924
11925
11926
11927
11928
11929
11930
11931
11932
11933
11934
11935
11936
11937
11938
11939
11940
11941
11942
11943
11944
11945
11946
11947
11948
11949
11950
11951
11952
11953
11954
11955
11956
11957
11958
11959
11960
11961
11962
11963
11964
11965
11966
11967
11968
11969
11970
11971
11972
11973
11974
11975
11976
11977
11978
11979
11980
11981
11982
11983
11984
11985
11986
11987
11988
11989
11990
11991
11992
11993
11994
11995
11996
11997
11998
11999
12000
12001
12002
12003
12004
12005
12006
12007
12008
12009
12010
12011
12012
12013
12014
12015
12016
12017
12018
12019
12020
12021
12022
12023
12024
12025
12026
12027
12028
12029
12030
12031
12032
12033
12034
12035
12036
12037
12038
12039
12040
12041
12042
12043
12044
12045
12046
12047
12048
12049
12050
12051
12052
12053
12054
12055
12056
12057
12058
12059
12060
12061
12062
12063
12064
12065
12066
12067
12068
12069
12070
12071
12072
12073
12074
12075
12076
12077
12078
12079
12080
12081
12082
12083
12084
12085
12086
12087
12088
12089
12090
12091
12092
12093
12094
12095
12096
12097
12098
12099
12100
12101
12102
12103
12104
12105
12106
12107
12108
12109
12110
12111
12112
12113
12114
12115
12116
12117
12118
12119
12120
12121
12122
12123
12124
12125
12126
12127
12128
12129
12130
12131
12132
12133
12134
12135
12136
12137
12138
12139
12140
12141
12142
12143
12144
12145
12146
12147
12148
12149
12150
12151
12152
12153
12154
12155
12156
12157
12158
12159
12160
12161
12162
12163
12164
12165
12166
12167
12168
12169
12170
12171
12172
12173
12174
12175
12176
12177
12178
12179
12180
12181
12182
12183
12184
12185
12186
12187
12188
12189
12190
12191
12192
12193
12194
12195
12196
12197
12198
12199
12200
12201
12202
12203
12204
12205
12206
12207
12208
12209
12210
12211
12212
12213
12214
12215
12216
12217
12218
12219
12220
12221
12222
12223
12224
12225
12226
12227
12228
12229
12230
12231
12232
12233
12234
12235
12236
12237
12238
12239
12240
12241
12242
12243
12244
12245
12246
12247
12248
12249
12250
12251
12252
12253
12254
12255
12256
12257
12258
12259
12260
12261
12262
12263
12264
12265
12266
12267
12268
12269
12270
12271
12272
12273
12274
12275
12276
12277
12278
12279
12280
12281
12282
12283
12284
12285
12286
12287
12288
12289
12290
12291
12292
12293
12294
12295
12296
12297
12298
12299
12300
12301
12302
12303
12304
12305
12306
12307
12308
12309
12310
12311
12312
12313
12314
12315
12316
12317
12318
12319
12320
12321
12322
12323
12324
12325
12326
12327
12328
12329
12330
12331
12332
12333
12334
12335
12336
12337
12338
12339
12340
12341
12342
12343
12344
12345
12346
12347
12348
12349
12350
12351
12352
12353
12354
12355
12356
12357
12358
12359
12360
12361
12362
12363
12364
12365
12366
12367
12368
12369
12370
12371
12372
12373
12374
12375
12376
12377
12378
12379
12380
12381
12382
12383
12384
12385
12386
12387
12388
12389
12390
12391
12392
12393
12394
12395
12396
12397
12398
12399
12400
12401
12402
12403
12404
12405
12406
12407
12408
12409
12410
12411
12412
12413
12414
12415
12416
12417
12418
12419
12420
12421
12422
12423
12424
12425
12426
12427
12428
12429
12430
12431
12432
12433
12434
12435
12436
12437
12438
12439
12440
12441
12442
12443
12444
12445
12446
12447
12448
12449
12450
12451
12452
12453
12454
12455
12456
12457
12458
12459
12460
12461
12462
12463
12464
12465
12466
12467
12468
12469
12470
12471
12472
12473
12474
12475
12476
12477
12478
12479
12480
12481
12482
12483
12484
12485
12486
12487
12488
12489
12490
12491
12492
12493
12494
12495
12496
12497
12498
12499
12500
12501
12502
12503
12504
12505
12506
12507
12508
12509
12510
12511
12512
12513
12514
12515
12516
12517
12518
12519
12520
12521
12522
12523
12524
12525
12526
12527
12528
12529
12530
12531
12532
12533
12534
12535
12536
12537
12538
12539
12540
12541
12542
12543
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
12560
12561
12562
12563
12564
12565
12566
12567
12568
12569
12570
12571
12572
12573
12574
12575
12576
12577
12578
12579
12580
12581
12582
12583
12584
12585
12586
12587
12588
12589
12590
12591
12592
12593
12594
12595
12596
12597
12598
12599
12600
12601
12602
12603
12604
12605
12606
12607
12608
12609
12610
12611
12612
12613
12614
12615
12616
12617
12618
12619
12620
12621
12622
12623
12624
12625
12626
12627
12628
12629
12630
12631
12632
12633
12634
12635
12636
12637
12638
12639
12640
12641
12642
12643
12644
12645
12646
12647
12648
12649
12650
12651
12652
12653
12654
12655
12656
12657
12658
12659
12660
12661
12662
12663
12664
12665
12666
12667
12668
12669
12670
12671
12672
12673
12674
12675
12676
12677
12678
12679
12680
12681
12682
12683
12684
12685
12686
12687
12688
12689
12690
12691
12692
12693
12694
12695
12696
12697
12698
12699
12700
12701
12702
12703
12704
12705
12706
12707
12708
12709
12710
12711
12712
12713
12714
12715
12716
12717
12718
12719
12720
12721
12722
12723
12724
12725
12726
12727
12728
12729
12730
12731
12732
12733
12734
12735
12736
12737
12738
12739
12740
12741
12742
12743
12744
12745
12746
12747
12748
12749
12750
12751
12752
12753
12754
12755
12756
12757
12758
12759
12760
12761
12762
12763
12764
12765
12766
12767
12768
12769
12770
12771
12772
12773
12774
12775
12776
12777
12778
12779
12780
12781
12782
12783
12784
12785
12786
12787
12788
12789
12790
12791
12792
12793
12794
12795
12796
12797
12798
12799
12800
12801
12802
12803
12804
12805
12806
12807
12808
12809
12810
12811
12812
12813
12814
12815
12816
12817
12818
12819
12820
12821
12822
12823
12824
12825
12826
12827
12828
12829
12830
12831
12832
12833
12834
12835
12836
12837
12838
12839
12840
12841
12842
12843
12844
12845
12846
12847
12848
12849
12850
12851
12852
12853
12854
12855
12856
12857
12858
12859
12860
12861
12862
12863
12864
12865
12866
12867
12868
12869
12870
12871
12872
12873
12874
12875
12876
12877
12878
12879
12880
12881
12882
12883
12884
12885
12886
12887
12888
12889
12890
12891
12892
12893
12894
12895
12896
12897
12898
12899
12900
12901
12902
12903
12904
12905
12906
12907
12908
12909
12910
12911
12912
12913
12914
12915
12916
12917
12918
12919
12920
12921
12922
12923
12924
12925
12926
12927
12928
12929
12930
12931
12932
12933
12934
12935
12936
12937
12938
12939
12940
12941
12942
12943
12944
12945
12946
12947
12948
12949
12950
12951
12952
12953
12954
12955
12956
12957
12958
12959
12960
12961
12962
12963
12964
12965
12966
12967
12968
12969
12970
12971
12972
12973
12974
12975
12976
12977
12978
12979
12980
12981
12982
12983
12984
12985
12986
12987
12988
12989
12990
12991
12992
12993
12994
12995
12996
12997
12998
12999
13000
13001
13002
13003
13004
13005
13006
13007
13008
13009
13010
13011
13012
13013
13014
13015
13016
13017
13018
13019
13020
13021
13022
13023
13024
13025
13026
13027
13028
13029
13030
13031
13032
13033
13034
13035
13036
13037
13038
13039
13040
13041
13042
13043
13044
13045
13046
13047
13048
13049
13050
13051
13052
13053
13054
13055
13056
13057
13058
13059
13060
13061
13062
13063
13064
13065
13066
13067
13068
13069
13070
13071
13072
13073
13074
13075
13076
13077
13078
13079
13080
13081
13082
13083
13084
13085
13086
13087
13088
13089
13090
13091
13092
13093
13094
13095
13096
13097
13098
13099
13100
13101
13102
13103
13104
13105
13106
13107
13108
13109
13110
13111
13112
13113
13114
13115
13116
13117
13118
13119
13120
13121
13122
13123
13124
13125
13126
13127
13128
13129
13130
13131
13132
13133
13134
13135
13136
13137
13138
13139
13140
13141
13142
13143
13144
13145
13146
13147
13148
13149
13150
13151
13152
13153
13154
13155
13156
13157
13158
13159
13160
13161
13162
13163
13164
13165
13166
13167
13168
13169
13170
13171
13172
13173
13174
13175
13176
13177
13178
13179
13180
13181
13182
13183
13184
13185
13186
13187
13188
13189
13190
13191
13192
13193
13194
13195
13196
13197
13198
13199
13200
13201
13202
13203
13204
13205
13206
13207
13208
13209
13210
13211
13212
13213
13214
13215
13216
13217
13218
13219
13220
13221
13222
13223
13224
13225
13226
13227
13228
13229
13230
13231
13232
13233
13234
13235
13236
13237
13238
13239
13240
13241
13242
13243
13244
13245
13246
13247
13248
13249
13250
13251
13252
13253
13254
13255
13256
13257
13258
13259
13260
13261
13262
13263
13264
13265
13266
13267
13268
13269
13270
13271
13272
13273
13274
13275
13276
13277
13278
13279
13280
13281
13282
13283
13284
13285
13286
13287
13288
13289
13290
13291
13292
13293
13294
13295
13296
13297
13298
13299
13300
13301
13302
13303
13304
13305
13306
13307
13308
13309
13310
13311
13312
13313
13314
13315
13316
13317
13318
13319
13320
13321
13322
13323
13324
13325
13326
13327
13328
13329
13330
13331
13332
13333
13334
13335
13336
13337
13338
13339
13340
13341
13342
13343
13344
13345
13346
13347
13348
13349
13350
13351
13352
13353
13354
13355
13356
13357
13358
13359
13360
13361
13362
13363
13364
13365
13366
13367
13368
13369
13370
13371
13372
13373
13374
13375
13376
13377
13378
13379
13380
13381
13382
13383
13384
13385
13386
13387
13388
13389
13390
13391
13392
13393
13394
13395
13396
13397
13398
13399
13400
13401
13402
13403
13404
13405
13406
13407
13408
13409
13410
13411
13412
13413
13414
13415
13416
13417
13418
13419
13420
13421
13422
13423
13424
13425
13426
13427
13428
13429
13430
13431
13432
13433
13434
13435
13436
13437
13438
13439
13440
13441
13442
13443
13444
13445
13446
13447
13448
13449
13450
13451
13452
13453
13454
13455
13456
13457
13458
13459
13460
13461
13462
13463
13464
13465
13466
13467
13468
13469
13470
13471
13472
13473
13474
13475
13476
13477
13478
13479
13480
13481
13482
13483
13484
13485
13486
13487
13488
13489
13490
13491
13492
13493
13494
13495
13496
13497
13498
13499
13500
13501
13502
13503
13504
13505
13506
13507
13508
13509
13510
13511
13512
13513
13514
13515
13516
13517
13518
13519
13520
13521
13522
13523
13524
13525
13526
13527
13528
13529
13530
13531
13532
13533
13534
13535
13536
13537
13538
13539
13540
13541
13542
13543
13544
13545
13546
13547
13548
13549
13550
13551
13552
13553
13554
13555
13556
13557
13558
13559
13560
13561
13562
13563
13564
13565
13566
13567
13568
13569
13570
13571
13572
13573
13574
13575
13576
13577
13578
13579
13580
13581
13582
13583
13584
13585
13586
13587
13588
13589
13590
13591
13592
13593
13594
13595
13596
13597
13598
13599
13600
13601
13602
13603
13604
13605
13606
13607
13608
13609
13610
13611
13612
13613
13614
13615
13616
13617
13618
13619
13620
13621
13622
13623
13624
13625
13626
13627
13628
13629
13630
13631
13632
13633
13634
13635
13636
13637
13638
13639
13640
13641
13642
13643
13644
13645
13646
13647
13648
13649
13650
13651
13652
13653
13654
13655
13656
13657
13658
13659
13660
13661
13662
13663
13664
13665
13666
13667
13668
13669
13670
13671
13672
13673
13674
13675
13676
13677
13678
13679
13680
13681
13682
13683
13684
13685
13686
13687
13688
13689
13690
13691
13692
13693
13694
13695
13696
13697
13698
13699
13700
13701
13702
13703
13704
13705
13706
13707
13708
13709
13710
13711
13712
13713
13714
13715
13716
13717
13718
13719
13720
13721
13722
13723
13724
13725
13726
13727
13728
13729
13730
13731
13732
13733
13734
13735
13736
13737
13738
13739
13740
13741
13742
13743
13744
13745
13746
13747
13748
13749
13750
13751
13752
13753
13754
13755
13756
13757
13758
13759
13760
13761
13762
13763
13764
13765
13766
13767
13768
13769
13770
13771
13772
13773
13774
13775
13776
13777
13778
13779
13780
13781
13782
13783
13784
13785
13786
13787
13788
13789
13790
13791
13792
13793
13794
13795
13796
13797
13798
13799
13800
13801
13802
13803
13804
13805
13806
13807
13808
13809
13810
13811
13812
13813
13814
13815
13816
13817
13818
13819
13820
13821
13822
13823
13824
13825
13826
13827
13828
13829
13830
13831
13832
13833
13834
13835
13836
13837
13838
13839
13840
13841
13842
13843
13844
13845
13846
13847
13848
13849
13850
13851
13852
13853
13854
13855
13856
13857
13858
13859
13860
13861
13862
13863
13864
13865
13866
13867
13868
13869
13870
13871
13872
13873
13874
13875
13876
13877
13878
13879
13880
13881
13882
13883
13884
13885
13886
13887
13888
13889
13890
13891
13892
13893
13894
13895
13896
13897
13898
13899
13900
13901
13902
13903
13904
13905
13906
13907
13908
13909
13910
13911
13912
13913
13914
13915
13916
13917
13918
13919
13920
13921
13922
13923
13924
13925
13926
13927
13928
13929
13930
13931
13932
13933
13934
13935
13936
13937
13938
13939
13940
13941
13942
13943
13944
13945
13946
13947
13948
13949
13950
13951
13952
13953
13954
13955
13956
13957
13958
13959
13960
13961
13962
13963
13964
13965
13966
13967
13968
13969
13970
13971
13972
13973
13974
13975
13976
13977
13978
13979
13980
13981
13982
13983
13984
13985
13986
13987
13988
13989
13990
13991
13992
13993
13994
13995
13996
13997
13998
13999
14000
14001
14002
14003
14004
14005
14006
14007
14008
14009
14010
14011
14012
14013
14014
14015
14016
14017
14018
14019
14020
14021
14022
14023
14024
14025
14026
14027
14028
14029
14030
14031
14032
14033
14034
14035
14036
14037
14038
14039
14040
14041
14042
14043
14044
14045
14046
14047
14048
14049
14050
14051
14052
14053
14054
14055
14056
14057
14058
14059
14060
14061
14062
14063
14064
14065
14066
14067
14068
14069
14070
14071
14072
14073
14074
14075
14076
14077
14078
14079
14080
14081
14082
14083
14084
14085
14086
14087
14088
14089
14090
14091
14092
14093
14094
14095
14096
14097
14098
14099
14100
14101
14102
14103
14104
14105
14106
14107
14108
14109
14110
14111
14112
14113
14114
14115
14116
14117
14118
14119
14120
14121
14122
14123
14124
14125
14126
14127
14128
14129
14130
14131
14132
14133
14134
14135
14136
14137
14138
14139
14140
14141
14142
14143
14144
14145
14146
14147
14148
14149
14150
14151
14152
14153
14154
14155
14156
14157
14158
14159
14160
14161
14162
14163
14164
14165
14166
14167
14168
14169
14170
14171
14172
14173
14174
14175
14176
14177
14178
14179
14180
14181
14182
14183
14184
14185
14186
14187
14188
14189
14190
14191
14192
14193
14194
14195
14196
14197
14198
14199
14200
14201
14202
14203
14204
14205
14206
14207
14208
14209
14210
14211
14212
14213
14214
14215
14216
14217
14218
14219
14220
14221
14222
14223
14224
14225
14226
14227
14228
14229
14230
14231
14232
14233
14234
14235
14236
14237
14238
14239
14240
14241
14242
14243
14244
14245
14246
14247
14248
14249
14250
14251
14252
14253
14254
14255
14256
14257
14258
14259
14260
14261
14262
14263
14264
14265
14266
14267
14268
14269
14270
14271
14272
14273
14274
14275
14276
14277
14278
14279
14280
14281
14282
14283
14284
14285
14286
14287
14288
14289
14290
14291
14292
14293
14294
14295
14296
14297
14298
14299
14300
14301
14302
14303
14304
14305
14306
14307
14308
14309
14310
14311
14312
14313
14314
14315
14316
14317
14318
14319
14320
14321
14322
14323
14324
14325
14326
14327
14328
14329
14330
14331
14332
14333
14334
14335
14336
14337
14338
14339
14340
14341
14342
14343
14344
14345
14346
14347
14348
14349
14350
14351
14352
14353
14354
14355
14356
14357
14358
14359
14360
14361
14362
14363
14364
14365
14366
14367
14368
14369
14370
14371
14372
14373
14374
14375
14376
14377
14378
14379
14380
14381
14382
14383
14384
14385
14386
14387
14388
14389
14390
14391
14392
14393
14394
14395
14396
14397
14398
14399
14400
14401
14402
14403
14404
14405
14406
14407
14408
14409
14410
14411
14412
14413
14414
14415
14416
14417
14418
14419
14420
14421
14422
14423
14424
14425
14426
14427
14428
14429
14430
14431
14432
14433
14434
14435
14436
14437
14438
14439
14440
14441
14442
14443
14444
14445
14446
14447
14448
14449
14450
14451
14452
14453
14454
14455
14456
14457
14458
14459
14460
14461
14462
14463
14464
14465
14466
14467
14468
14469
14470
14471
14472
14473
14474
14475
14476
14477
14478
14479
14480
14481
14482
14483
14484
14485
14486
14487
14488
14489
14490
14491
14492
14493
14494
14495
14496
14497
14498
14499
14500
14501
14502
14503
14504
14505
14506
14507
14508
14509
14510
14511
14512
14513
14514
14515
14516
14517
14518
14519
14520
14521
14522
14523
14524
14525
14526
14527
14528
14529
14530
14531
14532
14533
14534
14535
14536
14537
14538
14539
14540
14541
14542
14543
14544
14545
14546
14547
14548
14549
14550
14551
14552
14553
14554
14555
14556
14557
14558
14559
14560
14561
14562
14563
14564
14565
14566
14567
14568
14569
14570
14571
14572
14573
14574
14575
14576
14577
14578
14579
14580
14581
14582
14583
14584
14585
14586
14587
14588
14589
14590
14591
14592
14593
14594
14595
14596
14597
14598
14599
14600
14601
14602
14603
14604
14605
14606
14607
14608
14609
14610
14611
14612
14613
14614
14615
14616
14617
14618
14619
14620
14621
14622
14623
14624
14625
14626
14627
14628
14629
14630
14631
14632
14633
14634
14635
14636
14637
14638
14639
14640
14641
14642
14643
14644
14645
14646
14647
14648
14649
14650
14651
14652
14653
14654
14655
14656
14657
14658
14659
14660
14661
14662
14663
14664
14665
14666
14667
14668
14669
14670
14671
14672
14673
14674
14675
14676
14677
14678
14679
14680
14681
14682
14683
14684
14685
14686
14687
14688
14689
14690
14691
14692
14693
14694
14695
14696
14697
14698
14699
14700
14701
14702
14703
14704
14705
14706
14707
14708
14709
14710
14711
14712
14713
14714
14715
14716
14717
14718
14719
14720
14721
14722
14723
14724
14725
14726
14727
14728
14729
14730
14731
14732
14733
14734
14735
14736
14737
14738
14739
14740
14741
14742
14743
14744
14745
14746
14747
14748
14749
14750
14751
14752
14753
14754
14755
14756
14757
14758
14759
14760
14761
14762
14763
14764
14765
14766
14767
14768
14769
14770
14771
14772
14773
14774
14775
14776
14777
14778
14779
14780
14781
14782
14783
14784
14785
14786
14787
14788
14789
14790
14791
14792
14793
14794
14795
14796
14797
14798
14799
14800
14801
14802
14803
14804
14805
14806
14807
14808
14809
14810
14811
14812
14813
14814
14815
14816
14817
14818
14819
14820
14821
14822
14823
14824
14825
14826
14827
14828
14829
14830
14831
14832
14833
14834
14835
14836
14837
14838
14839
14840
14841
14842
14843
14844
14845
14846
14847
14848
14849
14850
14851
14852
14853
14854
14855
14856
14857
14858
14859
14860
14861
14862
14863
14864
14865
14866
14867
14868
14869
14870
14871
14872
14873
14874
14875
14876
14877
14878
14879
14880
14881
14882
14883
14884
14885
14886
14887
14888
14889
14890
14891
14892
14893
14894
14895
14896
14897
14898
14899
14900
14901
14902
14903
14904
14905
14906
14907
14908
14909
14910
14911
14912
14913
14914
14915
14916
14917
14918
14919
14920
14921
14922
14923
14924
14925
14926
14927
14928
14929
14930
14931
14932
14933
14934
14935
14936
14937
14938
14939
14940
14941
14942
14943
14944
14945
14946
14947
14948
14949
14950
14951
14952
14953
14954
14955
14956
14957
14958
14959
14960
14961
14962
14963
14964
14965
14966
14967
14968
14969
14970
14971
14972
14973
14974
14975
14976
14977
14978
14979
14980
14981
14982
14983
14984
14985
14986
14987
14988
14989
14990
14991
14992
14993
14994
14995
14996
14997
14998
14999
15000
15001
15002
15003
15004
15005
15006
15007
15008
15009
15010
15011
15012
15013
15014
15015
15016
15017
15018
15019
15020
15021
15022
15023
15024
15025
15026
15027
15028
15029
15030
15031
15032
15033
15034
15035
15036
15037
15038
15039
15040
15041
15042
15043
15044
15045
15046
15047
15048
15049
15050
15051
15052
15053
15054
15055
15056
15057
15058
15059
15060
15061
15062
15063
15064
15065
15066
15067
15068
15069
15070
15071
15072
15073
15074
15075
15076
15077
15078
15079
15080
15081
15082
15083
15084
15085
15086
15087
15088
15089
15090
15091
15092
15093
15094
15095
15096
15097
15098
15099
15100
15101
15102
15103
15104
15105
15106
15107
15108
15109
15110
15111
15112
15113
15114
15115
15116
15117
15118
15119
15120
15121
15122
15123
15124
15125
15126
15127
15128
15129
15130
15131
15132
15133
15134
15135
15136
15137
15138
15139
15140
15141
15142
15143
15144
15145
15146
15147
15148
15149
15150
15151
15152
15153
15154
15155
15156
15157
15158
15159
15160
15161
15162
15163
15164
15165
15166
15167
15168
15169
15170
15171
15172
15173
15174
15175
15176
15177
15178
15179
15180
15181
15182
15183
15184
15185
15186
15187
15188
15189
15190
15191
15192
15193
15194
15195
15196
15197
15198
15199
15200
15201
15202
15203
15204
15205
15206
15207
15208
15209
15210
15211
15212
15213
15214
15215
15216
15217
15218
15219
15220
15221
15222
15223
15224
15225
15226
15227
15228
15229
15230
15231
15232
15233
15234
15235
15236
15237
15238
15239
15240
15241
15242
15243
15244
15245
15246
15247
15248
15249
15250
15251
15252
15253
15254
15255
15256
15257
15258
15259
15260
15261
15262
15263
15264
15265
15266
15267
15268
15269
15270
15271
15272
15273
15274
15275
15276
15277
15278
15279
15280
15281
15282
15283
15284
15285
15286
15287
15288
15289
15290
15291
15292
15293
15294
15295
15296
15297
15298
15299
15300
15301
15302
15303
15304
15305
15306
15307
15308
15309
15310
15311
15312
15313
15314
15315
15316
15317
15318
15319
15320
15321
15322
15323
15324
15325
15326
15327
15328
15329
15330
15331
15332
15333
15334
15335
15336
15337
15338
15339
15340
15341
15342
15343
15344
15345
15346
15347
15348
15349
15350
15351
15352
15353
15354
15355
15356
15357
15358
15359
15360
15361
15362
15363
15364
15365
15366
15367
15368
15369
15370
15371
15372
15373
15374
15375
15376
15377
15378
15379
15380
15381
15382
15383
15384
15385
15386
15387
15388
15389
15390
15391
15392
15393
15394
15395
15396
15397
15398
15399
15400
15401
15402
15403
15404
15405
15406
15407
15408
15409
15410
15411
15412
15413
15414
15415
15416
15417
15418
15419
15420
15421
15422
15423
15424
15425
15426
15427
15428
15429
15430
15431
15432
15433
15434
15435
15436
15437
15438
15439
15440
15441
15442
15443
15444
15445
15446
15447
15448
15449
15450
15451
15452
15453
15454
15455
15456
15457
15458
15459
15460
15461
15462
15463
15464
15465
15466
15467
15468
15469
15470
15471
15472
15473
15474
15475
15476
15477
15478
15479
15480
15481
15482
15483
15484
15485
15486
15487
15488
15489
15490
15491
15492
15493
15494
15495
15496
15497
15498
15499
15500
15501
15502
15503
15504
15505
15506
15507
15508
15509
15510
15511
15512
15513
15514
15515
15516
15517
15518
15519
15520
15521
15522
15523
15524
15525
15526
15527
15528
15529
15530
15531
15532
15533
15534
15535
15536
15537
15538
15539
15540
15541
15542
15543
15544
15545
15546
15547
15548
15549
15550
15551
15552
15553
15554
15555
15556
15557
15558
15559
15560
15561
15562
15563
15564
15565
15566
15567
15568
15569
15570
15571
15572
15573
15574
15575
15576
15577
15578
15579
15580
15581
15582
15583
15584
15585
15586
15587
15588
15589
15590
15591
15592
15593
15594
15595
15596
15597
15598
15599
15600
15601
15602
15603
15604
15605
15606
15607
15608
15609
15610
15611
15612
15613
15614
15615
15616
15617
15618
15619
15620
15621
15622
15623
15624
15625
15626
15627
15628
15629
15630
15631
15632
15633
15634
15635
15636
15637
15638
15639
15640
15641
15642
15643
15644
15645
15646
15647
15648
15649
15650
15651
15652
15653
15654
15655
15656
15657
15658
15659
15660
15661
15662
15663
15664
15665
15666
15667
15668
15669
15670
15671
15672
15673
15674
15675
15676
15677
15678
15679
15680
15681
15682
15683
15684
15685
15686
15687
15688
15689
15690
15691
15692
15693
15694
15695
15696
15697
15698
15699
15700
15701
15702
15703
15704
15705
15706
15707
15708
15709
15710
15711
15712
15713
15714
15715
15716
15717
15718
15719
15720
15721
15722
15723
15724
15725
15726
15727
15728
15729
15730
15731
15732
15733
15734
15735
15736
15737
15738
15739
15740
15741
15742
15743
15744
15745
15746
15747
15748
15749
15750
15751
15752
15753
15754
15755
15756
15757
15758
15759
15760
15761
15762
15763
15764
15765
15766
15767
15768
15769
15770
15771
15772
15773
15774
15775
15776
15777
15778
15779
15780
15781
15782
15783
15784
15785
15786
15787
15788
15789
15790
15791
15792
15793
15794
15795
15796
15797
15798
15799
15800
15801
15802
15803
15804
15805
15806
15807
15808
15809
15810
15811
15812
15813
15814
15815
15816
15817
15818
15819
15820
15821
15822
15823
15824
15825
15826
15827
15828
15829
15830
15831
15832
15833
15834
15835
15836
15837
15838
15839
15840
15841
15842
15843
15844
15845
15846
15847
15848
15849
15850
15851
15852
15853
15854
15855
15856
15857
15858
15859
15860
15861
15862
15863
15864
15865
15866
15867
15868
15869
15870
15871
15872
15873
15874
15875
15876
15877
15878
15879
15880
15881
15882
15883
15884
15885
15886
15887
15888
15889
15890
15891
15892
15893
15894
15895
15896
15897
15898
15899
15900
15901
15902
15903
15904
15905
15906
15907
15908
15909
15910
15911
15912
15913
15914
15915
15916
15917
15918
15919
15920
15921
15922
15923
15924
15925
15926
15927
15928
15929
15930
15931
15932
15933
15934
15935
15936
15937
15938
15939
15940
15941
15942
15943
15944
15945
15946
15947
15948
15949
15950
15951
15952
15953
15954
15955
15956
15957
15958
15959
15960
15961
15962
15963
15964
15965
15966
15967
15968
15969
15970
15971
15972
15973
15974
15975
15976
15977
15978
15979
15980
15981
15982
15983
15984
15985
15986
15987
15988
15989
15990
15991
15992
15993
15994
15995
15996
15997
15998
15999
16000
16001
16002
16003
16004
16005
16006
16007
16008
16009
16010
16011
16012
16013
16014
16015
16016
16017
16018
16019
16020
16021
16022
16023
16024
16025
16026
16027
16028
16029
16030
16031
16032
16033
16034
16035
16036
16037
16038
16039
16040
16041
16042
16043
16044
16045
16046
16047
16048
16049
16050
16051
16052
16053
16054
16055
16056
16057
16058
16059
16060
16061
16062
16063
16064
16065
16066
16067
16068
16069
16070
16071
16072
16073
16074
16075
16076
16077
16078
16079
16080
16081
16082
16083
16084
16085
16086
16087
16088
16089
16090
16091
16092
16093
16094
16095
16096
16097
16098
16099
16100
16101
16102
16103
16104
16105
16106
16107
16108
16109
16110
16111
16112
16113
16114
16115
16116
16117
16118
16119
16120
16121
16122
16123
16124
16125
16126
16127
16128
16129
16130
16131
16132
16133
16134
16135
16136
16137
16138
16139
16140
16141
16142
16143
16144
16145
16146
16147
16148
16149
16150
16151
16152
16153
16154
16155
16156
16157
16158
16159
16160
16161
16162
16163
16164
16165
16166
16167
16168
16169
16170
16171
16172
16173
16174
16175
16176
16177
16178
16179
16180
16181
16182
16183
16184
16185
16186
16187
16188
16189
16190
16191
16192
16193
16194
16195
16196
16197
16198
16199
16200
16201
16202
16203
16204
16205
16206
16207
16208
16209
16210
16211
16212
16213
16214
16215
16216
16217
16218
16219
16220
16221
16222
16223
16224
16225
16226
16227
16228
16229
16230
16231
16232
16233
16234
16235
16236
16237
16238
16239
16240
16241
16242
16243
16244
16245
16246
16247
16248
16249
16250
16251
16252
16253
16254
16255
16256
16257
16258
16259
16260
16261
16262
16263
16264
16265
16266
16267
16268
16269
16270
16271
16272
16273
16274
16275
16276
16277
16278
16279
16280
16281
16282
16283
16284
16285
16286
16287
16288
16289
16290
16291
16292
16293
16294
16295
16296
16297
16298
16299
16300
16301
16302
16303
16304
16305
16306
16307
16308
16309
16310
16311
16312
16313
16314
16315
16316
16317
16318
16319
16320
16321
16322
16323
16324
16325
16326
16327
16328
16329
16330
16331
16332
16333
16334
16335
16336
16337
16338
16339
16340
16341
16342
16343
16344
16345
16346
16347
16348
16349
16350
16351
16352
16353
16354
16355
16356
16357
16358
16359
16360
16361
16362
16363
16364
16365
16366
16367
16368
16369
16370
16371
16372
16373
16374
16375
16376
16377
16378
16379
16380
16381
16382
16383
16384
16385
16386
16387
16388
16389
16390
16391
16392
16393
16394
16395
16396
16397
16398
16399
16400
16401
16402
16403
16404
16405
16406
16407
16408
16409
16410
16411
16412
16413
16414
16415
16416
16417
16418
16419
16420
16421
16422
16423
16424
16425
16426
16427
16428
16429
16430
16431
16432
16433
16434
16435
16436
16437
16438
16439
16440
16441
16442
16443
16444
16445
16446
16447
16448
16449
16450
16451
16452
16453
16454
16455
16456
16457
16458
16459
16460
16461
16462
16463
16464
16465
16466
16467
16468
16469
16470
16471
16472
16473
16474
16475
16476
16477
16478
16479
16480
16481
16482
16483
16484
16485
16486
16487
16488
16489
16490
16491
16492
16493
16494
16495
16496
16497
16498
16499
16500
16501
16502
16503
16504
16505
16506
16507
16508
16509
16510
16511
16512
16513
16514
16515
16516
16517
16518
16519
16520
16521
16522
16523
16524
16525
16526
16527
16528
16529
16530
16531
16532
16533
16534
16535
16536
16537
16538
16539
16540
16541
16542
16543
16544
16545
16546
16547
16548
16549
16550
16551
16552
16553
16554
16555
16556
16557
16558
16559
16560
16561
16562
16563
16564
16565
16566
16567
16568
16569
16570
16571
16572
16573
16574
16575
16576
16577
16578
16579
16580
16581
16582
16583
16584
16585
16586
16587
16588
16589
16590
16591
16592
16593
16594
16595
16596
16597
16598
16599
16600
16601
16602
16603
16604
16605
16606
16607
16608
16609
16610
16611
16612
16613
16614
16615
16616
16617
16618
16619
16620
16621
16622
16623
16624
16625
16626
16627
16628
16629
16630
16631
16632
16633
16634
16635
16636
16637
16638
16639
16640
16641
16642
16643
16644
16645
16646
16647
16648
16649
16650
16651
16652
16653
16654
16655
16656
16657
16658
16659
16660
16661
16662
16663
16664
16665
16666
16667
16668
16669
16670
16671
16672
16673
16674
16675
16676
16677
16678
16679
16680
16681
16682
16683
16684
16685
16686
16687
16688
16689
16690
16691
16692
16693
16694
16695
16696
16697
16698
16699
16700
16701
16702
16703
16704
16705
16706
16707
16708
16709
16710
16711
16712
16713
16714
16715
16716
16717
16718
16719
16720
16721
16722
16723
16724
16725
16726
16727
16728
16729
16730
16731
16732
16733
16734
16735
16736
16737
16738
16739
16740
16741
16742
16743
16744
16745
16746
16747
16748
16749
16750
16751
16752
16753
16754
16755
16756
16757
16758
16759
16760
16761
16762
16763
16764
16765
16766
16767
16768
16769
16770
16771
16772
16773
16774
16775
16776
16777
16778
16779
16780
16781
16782
16783
16784
16785
16786
16787
16788
16789
16790
16791
16792
16793
16794
16795
16796
16797
16798
16799
16800
16801
16802
16803
16804
16805
16806
16807
16808
16809
16810
16811
16812
16813
16814
16815
16816
16817
16818
16819
16820
16821
16822
16823
16824
16825
16826
16827
16828
16829
16830
16831
16832
16833
16834
16835
16836
16837
16838
16839
16840
16841
16842
16843
16844
16845
16846
16847
16848
16849
16850
16851
16852
16853
16854
16855
16856
16857
16858
16859
16860
16861
16862
16863
16864
16865
16866
16867
16868
16869
16870
16871
16872
16873
16874
16875
16876
16877
16878
16879
16880
16881
16882
16883
16884
16885
16886
16887
16888
16889
16890
16891
16892
16893
16894
16895
16896
16897
16898
16899
16900
16901
16902
16903
16904
16905
16906
16907
16908
16909
16910
16911
16912
16913
16914
16915
16916
16917
16918
16919
16920
16921
16922
16923
16924
16925
16926
16927
16928
16929
16930
16931
16932
16933
16934
16935
16936
16937
16938
16939
16940
16941
16942
16943
16944
16945
16946
16947
16948
16949
16950
16951
16952
16953
16954
16955
16956
16957
16958
16959
16960
16961
16962
16963
16964
16965
16966
16967
16968
16969
16970
16971
16972
16973
16974
16975
16976
16977
16978
16979
16980
16981
16982
16983
16984
16985
16986
16987
16988
16989
16990
16991
16992
16993
16994
16995
16996
16997
16998
16999
17000
17001
17002
17003
17004
17005
17006
17007
17008
17009
17010
17011
17012
17013
17014
17015
17016
17017
17018
17019
17020
17021
17022
17023
17024
17025
17026
17027
17028
17029
17030
17031
17032
17033
17034
17035
17036
17037
17038
17039
17040
17041
17042
17043
17044
17045
17046
17047
17048
17049
17050
17051
17052
17053
17054
17055
17056
17057
17058
17059
17060
17061
17062
17063
17064
17065
17066
17067
17068
17069
17070
17071
17072
17073
17074
17075
17076
17077
17078
17079
17080
17081
17082
17083
17084
17085
17086
17087
17088
17089
17090
17091
17092
17093
17094
17095
17096
17097
17098
17099
17100
17101
17102
17103
17104
17105
17106
17107
17108
17109
17110
17111
17112
17113
17114
17115
17116
17117
17118
17119
17120
17121
17122
17123
17124
17125
17126
17127
17128
17129
17130
17131
17132
17133
17134
17135
17136
17137
17138
17139
17140
17141
17142
17143
17144
17145
17146
17147
17148
17149
17150
17151
17152
17153
17154
17155
17156
17157
17158
17159
17160
17161
17162
17163
17164
17165
17166
17167
17168
17169
17170
17171
17172
17173
17174
17175
17176
17177
17178
17179
17180
17181
17182
17183
17184
17185
17186
17187
17188
17189
17190
17191
17192
17193
17194
17195
17196
17197
17198
17199
17200
17201
17202
17203
17204
17205
17206
17207
17208
17209
17210
17211
17212
17213
17214
17215
17216
17217
17218
17219
17220
17221
17222
17223
17224
17225
17226
17227
17228
17229
17230
17231
17232
17233
17234
17235
17236
17237
17238
17239
17240
17241
17242
17243
17244
17245
17246
17247
17248
17249
17250
17251
17252
17253
17254
17255
17256
17257
17258
17259
17260
17261
17262
17263
17264
17265
17266
17267
17268
17269
17270
17271
17272
17273
17274
17275
17276
17277
17278
17279
17280
17281
17282
17283
17284
17285
17286
17287
17288
17289
17290
17291
17292
17293
17294
17295
17296
17297
17298
17299
17300
17301
17302
17303
17304
17305
17306
17307
17308
17309
17310
17311
17312
17313
17314
17315
17316
17317
17318
17319
17320
17321
17322
17323
17324
17325
17326
17327
17328
17329
17330
17331
17332
17333
17334
17335
17336
17337
17338
17339
17340
17341
17342
17343
17344
17345
17346
17347
17348
17349
17350
17351
17352
17353
17354
17355
17356
17357
17358
17359
17360
17361
17362
17363
17364
17365
17366
17367
17368
17369
17370
17371
17372
17373
17374
17375
17376
17377
17378
17379
17380
17381
17382
17383
17384
17385
17386
17387
17388
17389
17390
17391
17392
17393
17394
17395
17396
17397
17398
17399
17400
17401
17402
17403
17404
17405
17406
17407
17408
17409
17410
17411
17412
17413
17414
17415
17416
17417
17418
17419
17420
17421
17422
17423
17424
17425
17426
17427
17428
17429
17430
17431
17432
17433
17434
17435
17436
17437
17438
17439
17440
17441
17442
17443
17444
17445
17446
17447
17448
17449
17450
17451
17452
17453
17454
17455
17456
17457
17458
17459
17460
17461
17462
17463
17464
17465
17466
17467
17468
17469
17470
17471
17472
17473
17474
17475
17476
17477
17478
17479
17480
17481
17482
17483
17484
17485
17486
17487
17488
17489
17490
17491
17492
17493
17494
17495
17496
17497
17498
17499
17500
17501
17502
17503
17504
17505
17506
17507
17508
17509
17510
17511
17512
17513
17514
17515
17516
17517
17518
17519
17520
17521
17522
17523
17524
17525
17526
17527
17528
17529
17530
17531
17532
17533
17534
17535
17536
17537
17538
17539
17540
17541
17542
17543
17544
17545
17546
17547
17548
17549
17550
17551
17552
17553
17554
17555
17556
17557
17558
17559
17560
17561
17562
17563
17564
17565
17566
17567
17568
17569
17570
17571
17572
17573
17574
17575
17576
17577
17578
17579
17580
17581
17582
17583
17584
17585
17586
17587
17588
17589
17590
17591
17592
17593
17594
17595
17596
17597
17598
17599
17600
17601
17602
17603
17604
17605
17606
17607
17608
17609
17610
17611
17612
17613
17614
17615
17616
17617
17618
17619
17620
17621
17622
17623
17624
17625
17626
17627
17628
17629
17630
17631
17632
17633
17634
17635
17636
17637
17638
17639
17640
17641
17642
17643
17644
17645
17646
17647
17648
17649
17650
17651
17652
17653
17654
17655
17656
17657
17658
17659
17660
17661
17662
17663
17664
17665
17666
17667
17668
17669
17670
17671
17672
17673
17674
17675
17676
17677
17678
17679
17680
17681
17682
17683
17684
17685
17686
17687
17688
17689
17690
17691
17692
17693
17694
17695
17696
17697
17698
17699
17700
17701
17702
17703
17704
17705
17706
17707
17708
17709
17710
17711
17712
17713
17714
17715
17716
17717
17718
17719
17720
17721
17722
17723
17724
17725
17726
17727
17728
17729
17730
17731
17732
17733
17734
17735
17736
17737
17738
17739
17740
17741
17742
17743
17744
17745
17746
17747
17748
17749
17750
17751
17752
17753
17754
17755
17756
17757
17758
17759
17760
17761
17762
17763
17764
17765
17766
17767
17768
17769
17770
17771
17772
17773
17774
17775
17776
17777
17778
17779
17780
17781
17782
17783
17784
17785
17786
17787
17788
17789
17790
17791
17792
17793
17794
17795
17796
17797
17798
17799
17800
17801
17802
17803
17804
17805
17806
17807
17808
17809
17810
17811
17812
17813
17814
17815
17816
17817
17818
17819
17820
17821
17822
17823
17824
17825
17826
17827
17828
17829
17830
17831
17832
17833
17834
17835
17836
17837
17838
17839
17840
17841
17842
17843
17844
17845
17846
17847
17848
17849
17850
17851
17852
17853
17854
17855
17856
17857
17858
17859
17860
17861
17862
17863
17864
17865
17866
17867
17868
17869
17870
17871
17872
17873
17874
17875
17876
17877
17878
17879
17880
17881
17882
17883
17884
17885
17886
17887
17888
17889
17890
17891
17892
17893
17894
17895
17896
17897
17898
17899
17900
17901
17902
17903
17904
17905
17906
17907
17908
17909
17910
17911
17912
17913
17914
17915
17916
17917
17918
17919
17920
17921
17922
17923
17924
17925
17926
17927
17928
17929
17930
17931
17932
17933
17934
17935
17936
17937
17938
17939
17940
17941
17942
17943
17944
17945
17946
17947
17948
17949
17950
17951
17952
17953
17954
17955
17956
17957
17958
17959
17960
17961
17962
17963
17964
17965
17966
17967
17968
17969
17970
17971
17972
17973
17974
17975
17976
17977
17978
17979
17980
17981
17982
17983
17984
17985
17986
17987
17988
17989
17990
17991
17992
17993
17994
17995
17996
17997
17998
17999
18000
18001
18002
18003
18004
18005
18006
18007
18008
18009
18010
18011
18012
18013
18014
18015
18016
18017
18018
18019
18020
18021
18022
18023
18024
18025
18026
18027
18028
18029
18030
18031
18032
18033
18034
18035
18036
18037
18038
18039
18040
18041
18042
18043
18044
18045
18046
18047
18048
18049
18050
18051
18052
18053
18054
18055
18056
18057
18058
18059
18060
18061
18062
18063
18064
18065
18066
18067
18068
18069
18070
18071
18072
18073
18074
18075
18076
18077
18078
18079
18080
18081
18082
18083
18084
18085
18086
18087
18088
18089
18090
18091
18092
18093
18094
18095
18096
18097
18098
18099
18100
18101
18102
18103
18104
18105
18106
18107
18108
18109
18110
18111
18112
18113
18114
18115
18116
18117
18118
18119
18120
18121
18122
18123
18124
18125
18126
18127
18128
18129
18130
18131
18132
18133
18134
18135
18136
18137
18138
18139
18140
18141
18142
18143
18144
18145
18146
18147
18148
18149
18150
18151
18152
18153
18154
18155
18156
18157
18158
18159
18160
18161
18162
18163
18164
18165
18166
18167
18168
18169
18170
18171
18172
18173
18174
18175
18176
18177
18178
18179
18180
18181
18182
18183
18184
18185
18186
18187
18188
18189
18190
18191
18192
18193
18194
18195
18196
18197
18198
18199
18200
18201
18202
18203
18204
18205
18206
18207
18208
18209
18210
18211
18212
18213
18214
18215
18216
18217
18218
18219
18220
18221
18222
18223
18224
18225
18226
18227
18228
18229
18230
18231
18232
18233
18234
18235
18236
18237
18238
18239
18240
18241
18242
18243
18244
18245
18246
18247
18248
18249
18250
18251
18252
18253
18254
18255
18256
18257
18258
18259
18260
18261
18262
18263
18264
18265
18266
18267
18268
18269
18270
18271
18272
18273
18274
18275
18276
18277
18278
18279
18280
18281
18282
18283
18284
18285
18286
18287
18288
18289
18290
18291
18292
18293
18294
18295
18296
18297
18298
18299
18300
18301
18302
18303
18304
18305
18306
18307
18308
18309
18310
18311
18312
18313
18314
18315
18316
18317
18318
18319
18320
18321
18322
18323
18324
18325
18326
18327
18328
18329
18330
18331
18332
18333
18334
18335
18336
18337
18338
18339
18340
18341
18342
18343
18344
18345
18346
18347
18348
18349
18350
18351
18352
18353
18354
18355
18356
18357
18358
18359
18360
18361
18362
18363
18364
18365
18366
18367
18368
18369
18370
18371
18372
18373
18374
18375
18376
18377
18378
18379
18380
18381
18382
18383
18384
18385
18386
18387
18388
18389
18390
18391
18392
18393
18394
18395
18396
18397
18398
18399
18400
18401
18402
18403
18404
18405
18406
18407
18408
18409
18410
18411
18412
18413
18414
18415
18416
18417
18418
18419
18420
18421
18422
18423
18424
18425
18426
18427
18428
18429
18430
18431
18432
18433
18434
18435
18436
18437
18438
18439
18440
18441
18442
18443
18444
18445
18446
18447
18448
18449
18450
18451
18452
18453
18454
18455
18456
18457
18458
18459
18460
18461
18462
18463
18464
18465
18466
18467
18468
18469
18470
18471
18472
18473
18474
18475
18476
18477
18478
18479
18480
18481
18482
18483
18484
18485
18486
18487
18488
18489
18490
18491
18492
18493
18494
18495
18496
18497
18498
18499
18500
18501
18502
18503
18504
18505
18506
18507
18508
18509
18510
18511
18512
18513
18514
18515
18516
18517
18518
18519
18520
18521
18522
18523
18524
18525
18526
18527
18528
18529
18530
18531
18532
18533
18534
18535
18536
18537
18538
18539
18540
18541
18542
18543
18544
18545
18546
18547
18548
18549
18550
18551
18552
18553
18554
18555
18556
18557
18558
18559
18560
18561
18562
18563
18564
18565
18566
18567
18568
18569
18570
18571
18572
18573
18574
18575
18576
18577
18578
18579
18580
18581
18582
18583
18584
18585
18586
18587
18588
18589
18590
18591
18592
18593
18594
18595
18596
18597
18598
18599
18600
18601
18602
18603
18604
18605
18606
18607
18608
18609
18610
18611
18612
18613
18614
18615
18616
18617
18618
18619
18620
18621
18622
18623
18624
18625
18626
18627
18628
18629
18630
18631
18632
18633
18634
18635
18636
18637
18638
18639
18640
18641
18642
18643
18644
18645
18646
18647
18648
18649
18650
18651
18652
18653
18654
18655
18656
18657
18658
18659
18660
18661
18662
18663
18664
18665
18666
18667
18668
18669
18670
18671
18672
18673
18674
18675
18676
18677
18678
18679
18680
18681
18682
18683
18684
18685
18686
18687
18688
18689
18690
18691
18692
18693
18694
18695
18696
18697
18698
18699
18700
18701
18702
18703
18704
18705
18706
18707
18708
18709
18710
18711
18712
18713
18714
18715
18716
18717
18718
18719
18720
18721
18722
18723
18724
18725
18726
18727
18728
18729
18730
18731
18732
18733
18734
18735
18736
18737
18738
18739
18740
18741
18742
18743
18744
18745
18746
18747
18748
18749
18750
18751
18752
18753
18754
18755
18756
18757
18758
18759
18760
18761
18762
18763
18764
18765
18766
18767
18768
18769
18770
18771
18772
18773
18774
18775
18776
18777
18778
18779
18780
18781
18782
18783
18784
18785
18786
18787
18788
18789
18790
18791
18792
18793
18794
18795
18796
18797
18798
18799
18800
18801
18802
18803
18804
18805
18806
18807
18808
18809
18810
18811
18812
18813
18814
18815
18816
18817
18818
18819
18820
18821
18822
18823
18824
18825
18826
18827
18828
18829
18830
18831
18832
18833
18834
18835
18836
18837
18838
18839
18840
18841
18842
18843
18844
18845
18846
18847
18848
18849
18850
18851
18852
18853
18854
18855
18856
18857
18858
18859
18860
18861
18862
18863
18864
18865
18866
18867
18868
18869
18870
18871
18872
18873
18874
18875
18876
18877
18878
18879
18880
18881
18882
18883
18884
18885
18886
18887
18888
18889
18890
18891
18892
18893
18894
18895
18896
18897
18898
18899
18900
18901
18902
18903
18904
18905
18906
18907
18908
18909
18910
18911
18912
18913
18914
18915
18916
18917
18918
18919
18920
18921
18922
18923
18924
18925
18926
18927
18928
18929
18930
18931
18932
18933
18934
18935
18936
18937
18938
18939
18940
18941
18942
18943
18944
18945
18946
18947
18948
18949
18950
18951
18952
18953
18954
18955
18956
18957
18958
18959
18960
18961
18962
18963
18964
18965
18966
18967
18968
18969
18970
18971
18972
18973
18974
18975
18976
18977
18978
18979
18980
18981
18982
18983
18984
18985
18986
18987
18988
18989
18990
18991
18992
18993
18994
18995
18996
18997
18998
18999
19000
19001
19002
19003
19004
19005
19006
19007
19008
19009
19010
19011
19012
19013
19014
19015
19016
19017
19018
19019
19020
19021
19022
19023
19024
19025
19026
19027
19028
19029
19030
19031
19032
19033
19034
19035
19036
19037
19038
19039
19040
19041
19042
19043
19044
19045
19046
19047
19048
19049
19050
19051
19052
19053
19054
19055
19056
19057
19058
19059
19060
19061
19062
19063
19064
19065
19066
19067
19068
19069
19070
19071
19072
19073
19074
19075
19076
19077
19078
19079
19080
19081
19082
19083
19084
19085
19086
19087
19088
19089
19090
19091
19092
19093
19094
19095
19096
19097
19098
19099
19100
19101
19102
19103
19104
19105
19106
19107
19108
19109
19110
19111
19112
19113
19114
19115
19116
19117
19118
19119
19120
19121
19122
19123
19124
19125
19126
19127
19128
19129
19130
19131
19132
19133
19134
19135
19136
19137
19138
19139
19140
19141
19142
19143
19144
19145
19146
19147
19148
19149
19150
19151
19152
19153
19154
19155
19156
19157
19158
19159
19160
19161
19162
19163
19164
19165
19166
19167
19168
19169
19170
19171
19172
19173
19174
19175
19176
19177
19178
19179
19180
19181
19182
19183
19184
19185
19186
19187
19188
19189
19190
19191
19192
19193
19194
19195
19196
19197
19198
19199
19200
19201
19202
19203
19204
19205
19206
19207
19208
19209
19210
19211
19212
19213
19214
19215
19216
19217
19218
19219
19220
19221
19222
19223
19224
19225
19226
19227
19228
19229
19230
19231
19232
19233
19234
19235
19236
19237
19238
19239
19240
19241
19242
19243
19244
19245
19246
19247
19248
19249
19250
19251
19252
19253
19254
19255
19256
19257
19258
19259
19260
19261
19262
19263
19264
19265
19266
19267
19268
19269
19270
19271
19272
19273
19274
19275
19276
19277
19278
19279
19280
19281
19282
19283
19284
19285
19286
19287
19288
19289
19290
19291
19292
19293
19294
19295
19296
19297
19298
19299
19300
19301
19302
19303
19304
19305
19306
19307
19308
19309
19310
19311
19312
19313
19314
19315
19316
19317
19318
19319
19320
19321
19322
19323
19324
19325
19326
19327
19328
19329
19330
19331
19332
19333
19334
19335
19336
19337
19338
19339
19340
19341
19342
19343
19344
19345
19346
19347
19348
19349
19350
19351
19352
19353
19354
19355
19356
19357
19358
19359
19360
19361
19362
19363
19364
19365
19366
19367
19368
19369
19370
19371
19372
19373
19374
19375
19376
19377
19378
19379
19380
19381
19382
19383
19384
19385
19386
19387
19388
19389
19390
19391
19392
19393
19394
19395
19396
19397
19398
19399
19400
19401
19402
19403
19404
19405
19406
19407
19408
19409
19410
19411
19412
19413
19414
19415
19416
19417
19418
19419
19420
19421
19422
19423
19424
19425
19426
19427
19428
19429
19430
19431
19432
19433
19434
19435
19436
19437
19438
19439
19440
19441
19442
19443
19444
19445
19446
19447
19448
19449
19450
19451
19452
19453
19454
19455
19456
19457
19458
19459
19460
19461
19462
19463
19464
19465
19466
19467
19468
19469
19470
19471
19472
19473
19474
19475
19476
19477
19478
19479
19480
19481
19482
19483
19484
19485
19486
19487
19488
19489
19490
19491
19492
19493
19494
19495
19496
19497
19498
19499
19500
19501
19502
19503
19504
19505
19506
19507
19508
19509
19510
19511
19512
19513
19514
19515
19516
19517
19518
19519
19520
19521
19522
19523
19524
19525
19526
19527
19528
19529
19530
19531
19532
19533
19534
19535
19536
19537
19538
19539
19540
19541
19542
19543
19544
19545
19546
19547
19548
19549
19550
19551
19552
19553
19554
19555
19556
19557
19558
19559
19560
19561
19562
19563
19564
19565
19566
19567
19568
19569
19570
19571
19572
19573
19574
19575
19576
19577
19578
19579
19580
19581
19582
19583
19584
19585
19586
19587
19588
19589
19590
19591
19592
19593
19594
19595
19596
19597
19598
19599
19600
19601
19602
19603
19604
19605
19606
19607
19608
19609
19610
19611
19612
19613
19614
19615
19616
19617
19618
19619
19620
19621
19622
19623
19624
19625
19626
19627
19628
19629
19630
19631
19632
19633
19634
19635
19636
19637
19638
19639
19640
19641
19642
19643
19644
19645
19646
19647
19648
19649
19650
19651
19652
19653
19654
19655
19656
19657
19658
19659
19660
19661
19662
19663
19664
19665
19666
19667
19668
19669
19670
19671
19672
19673
19674
19675
19676
19677
19678
19679
19680
19681
19682
19683
19684
19685
19686
19687
19688
19689
19690
19691
19692
19693
19694
19695
19696
19697
19698
19699
19700
19701
19702
19703
19704
19705
19706
19707
19708
19709
19710
19711
19712
19713
19714
19715
19716
19717
19718
19719
19720
19721
19722
19723
19724
19725
19726
19727
19728
19729
19730
19731
19732
19733
19734
19735
19736
19737
19738
19739
19740
19741
19742
19743
19744
19745
19746
19747
19748
19749
19750
19751
19752
19753
19754
19755
19756
19757
19758
19759
19760
19761
19762
19763
19764
19765
19766
19767
19768
19769
19770
19771
19772
19773
19774
19775
19776
19777
19778
19779
19780
19781
19782
19783
19784
19785
19786
19787
19788
19789
19790
19791
19792
19793
19794
19795
19796
19797
19798
19799
19800
19801
19802
19803
19804
19805
19806
19807
19808
19809
19810
19811
19812
19813
19814
19815
19816
19817
19818
19819
19820
19821
19822
19823
19824
19825
19826
19827
19828
19829
19830
19831
19832
19833
19834
19835
19836
19837
19838
19839
19840
19841
19842
19843
19844
19845
19846
19847
19848
19849
19850
19851
19852
19853
19854
19855
19856
19857
19858
19859
19860
19861
19862
19863
19864
19865
19866
19867
19868
19869
19870
19871
19872
19873
19874
19875
19876
19877
19878
19879
19880
19881
19882
19883
19884
19885
19886
19887
19888
19889
19890
19891
19892
19893
19894
19895
19896
19897
19898
19899
19900
19901
19902
19903
19904
19905
19906
19907
19908
19909
19910
19911
19912
19913
19914
19915
19916
19917
19918
19919
19920
19921
19922
19923
19924
19925
19926
19927
19928
19929
19930
19931
19932
19933
19934
19935
19936
19937
19938
19939
19940
19941
19942
19943
19944
19945
19946
19947
19948
19949
19950
19951
19952
19953
19954
19955
19956
19957
19958
19959
19960
19961
19962
19963
19964
19965
19966
19967
19968
19969
19970
19971
19972
19973
19974
19975
19976
19977
19978
19979
19980
19981
19982
19983
19984
19985
19986
19987
19988
19989
19990
19991
19992
19993
19994
19995
19996
19997
19998
19999
20000
20001
20002
20003
20004
20005
20006
20007
20008
20009
20010
20011
20012
20013
20014
20015
20016
20017
20018
20019
20020
20021
20022
20023
20024
20025
20026
20027
20028
20029
20030
20031
20032
20033
20034
20035
20036
20037
20038
20039
20040
20041
20042
20043
20044
20045
20046
20047
20048
20049
20050
20051
20052
20053
20054
20055
20056
20057
20058
20059
20060
20061
20062
20063
20064
20065
20066
20067
20068
20069
20070
20071
20072
20073
20074
20075
20076
20077
20078
20079
20080
20081
20082
20083
20084
20085
20086
20087
20088
20089
20090
20091
20092
20093
20094
20095
20096
20097
20098
20099
20100
20101
20102
20103
20104
20105
20106
20107
20108
20109
20110
20111
20112
20113
20114
20115
20116
20117
20118
20119
20120
20121
20122
20123
20124
20125
20126
20127
20128
20129
20130
20131
20132
20133
20134
20135
20136
20137
20138
20139
20140
20141
20142
20143
20144
20145
20146
20147
20148
20149
20150
20151
20152
20153
20154
20155
20156
20157
20158
20159
20160
20161
20162
20163
20164
20165
20166
20167
20168
20169
20170
20171
20172
20173
20174
20175
20176
20177
20178
20179
20180
20181
20182
20183
20184
20185
20186
20187
20188
20189
20190
20191
20192
20193
20194
20195
20196
20197
20198
20199
20200
20201
20202
20203
20204
20205
20206
20207
20208
20209
20210
20211
20212
20213
20214
20215
20216
20217
20218
20219
20220
20221
20222
20223
20224
20225
20226
20227
20228
20229
20230
20231
20232
20233
20234
20235
20236
20237
20238
20239
20240
20241
20242
20243
20244
20245
20246
20247
20248
20249
20250
20251
20252
20253
20254
20255
20256
20257
20258
20259
20260
20261
20262
20263
20264
20265
20266
20267
20268
20269
20270
20271
20272
20273
20274
20275
20276
20277
20278
20279
20280
20281
20282
20283
20284
20285
20286
20287
20288
20289
20290
20291
20292
20293
20294
20295
20296
20297
20298
20299
20300
20301
20302
20303
20304
20305
20306
20307
20308
20309
20310
20311
20312
20313
20314
20315
20316
20317
20318
20319
20320
20321
20322
20323
20324
20325
20326
20327
20328
20329
20330
20331
20332
20333
20334
20335
20336
20337
20338
20339
20340
20341
20342
20343
20344
20345
20346
20347
20348
20349
20350
20351
20352
20353
20354
20355
20356
20357
20358
20359
20360
20361
20362
20363
20364
20365
20366
20367
20368
20369
20370
20371
20372
20373
20374
20375
20376
20377
20378
20379
20380
20381
20382
20383
20384
20385
20386
20387
20388
20389
20390
20391
20392
20393
20394
20395
20396
20397
20398
20399
20400
20401
20402
20403
20404
20405
20406
20407
20408
20409
20410
20411
20412
20413
20414
20415
20416
20417
20418
20419
20420
20421
20422
20423
20424
20425
20426
20427
20428
20429
20430
20431
20432
20433
20434
20435
20436
20437
20438
20439
20440
20441
20442
20443
20444
20445
20446
20447
20448
20449
20450
20451
20452
20453
20454
20455
20456
20457
20458
20459
20460
20461
20462
20463
20464
20465
20466
20467
20468
20469
20470
20471
20472
20473
20474
20475
20476
20477
20478
20479
20480
20481
20482
20483
20484
20485
20486
20487
20488
20489
20490
20491
20492
20493
20494
20495
20496
20497
20498
20499
20500
20501
20502
20503
20504
20505
20506
20507
20508
20509
20510
20511
20512
20513
20514
20515
20516
20517
20518
20519
20520
20521
20522
20523
20524
20525
20526
20527
20528
20529
20530
20531
20532
20533
20534
20535
20536
20537
20538
20539
20540
20541
20542
20543
20544
20545
20546
20547
20548
20549
20550
20551
20552
20553
20554
20555
20556
20557
20558
20559
20560
20561
20562
20563
20564
20565
20566
20567
20568
20569
20570
20571
20572
20573
20574
20575
20576
20577
20578
20579
20580
20581
20582
20583
20584
20585
20586
20587
20588
20589
20590
20591
20592
20593
20594
20595
20596
20597
20598
20599
20600
20601
20602
20603
20604
20605
20606
20607
20608
20609
20610
20611
20612
20613
20614
20615
20616
20617
20618
20619
20620
20621
20622
20623
20624
20625
20626
20627
20628
20629
20630
20631
20632
20633
20634
20635
20636
20637
20638
20639
20640
20641
20642
20643
20644
20645
20646
20647
20648
20649
20650
20651
20652
20653
20654
20655
20656
20657
20658
20659
20660
20661
20662
20663
20664
20665
20666
20667
20668
20669
20670
20671
20672
20673
20674
20675
20676
20677
20678
20679
20680
20681
20682
20683
20684
20685
20686
20687
20688
20689
20690
20691
20692
20693
20694
20695
20696
20697
20698
20699
20700
20701
20702
20703
20704
20705
20706
20707
20708
20709
20710
20711
20712
20713
20714
20715
20716
20717
20718
20719
20720
20721
20722
20723
20724
20725
20726
20727
20728
20729
20730
20731
20732
20733
20734
20735
20736
20737
20738
20739
20740
20741
20742
20743
20744
20745
20746
20747
20748
20749
20750
20751
20752
20753
20754
20755
20756
20757
20758
20759
20760
20761
20762
20763
20764
20765
20766
20767
20768
20769
20770
20771
20772
20773
20774
20775
20776
20777
20778
20779
20780
20781
20782
20783
20784
20785
20786
20787
20788
20789
20790
20791
20792
20793
20794
20795
20796
20797
20798
20799
20800
20801
20802
20803
20804
20805
20806
20807
20808
20809
20810
20811
20812
20813
20814
20815
20816
20817
20818
20819
20820
20821
20822
20823
20824
20825
20826
20827
20828
20829
20830
20831
20832
20833
20834
20835
20836
20837
20838
20839
20840
20841
20842
20843
20844
20845
20846
20847
20848
20849
20850
20851
20852
20853
20854
20855
20856
20857
20858
20859
20860
20861
20862
20863
20864
20865
20866
20867
20868
20869
20870
20871
20872
20873
20874
20875
20876
20877
20878
20879
20880
20881
20882
20883
20884
20885
20886
20887
20888
20889
20890
20891
20892
20893
20894
20895
20896
20897
20898
20899
20900
20901
20902
20903
20904
20905
20906
20907
20908
20909
20910
20911
20912
20913
20914
20915
20916
20917
20918
20919
20920
20921
20922
20923
20924
20925
20926
20927
20928
20929
20930
20931
20932
20933
20934
20935
20936
20937
20938
20939
20940
20941
20942
20943
20944
20945
20946
20947
20948
20949
20950
20951
20952
20953
20954
20955
20956
20957
20958
20959
20960
20961
20962
20963
20964
20965
20966
20967
20968
20969
20970
20971
20972
20973
20974
20975
20976
20977
20978
20979
20980
20981
20982
20983
20984
20985
20986
20987
20988
20989
20990
20991
20992
20993
20994
20995
20996
20997
20998
20999
21000
21001
21002
21003
21004
21005
21006
21007
21008
21009
21010
21011
21012
21013
21014
21015
21016
21017
21018
21019
21020
21021
21022
21023
21024
21025
21026
21027
21028
21029
21030
21031
21032
21033
21034
21035
21036
21037
21038
21039
21040
21041
21042
21043
21044
21045
21046
21047
21048
21049
21050
21051
21052
21053
21054
21055
21056
21057
21058
21059
21060
21061
21062
21063
21064
21065
21066
21067
21068
21069
21070
21071
21072
21073
21074
21075
21076
21077
21078
21079
21080
21081
21082
21083
21084
21085
21086
21087
21088
21089
21090
21091
21092
21093
21094
21095
21096
21097
21098
21099
21100
21101
21102
21103
21104
21105
21106
21107
21108
21109
21110
21111
21112
21113
21114
21115
21116
21117
21118
21119
21120
21121
21122
21123
21124
21125
21126
21127
21128
21129
21130
21131
21132
21133
21134
21135
21136
21137
21138
21139
21140
21141
21142
21143
21144
21145
21146
21147
21148
21149
21150
21151
21152
21153
21154
21155
21156
21157
21158
21159
21160
21161
21162
21163
21164
21165
21166
21167
21168
21169
21170
21171
21172
21173
21174
21175
21176
21177
21178
21179
21180
21181
21182
21183
21184
21185
21186
21187
21188
21189
21190
21191
21192
21193
21194
21195
21196
21197
21198
21199
21200
21201
21202
21203
21204
21205
21206
21207
21208
21209
21210
21211
21212
21213
21214
21215
21216
21217
21218
21219
21220
21221
21222
21223
21224
21225
21226
21227
21228
21229
21230
21231
21232
21233
21234
21235
21236
21237
21238
21239
21240
21241
21242
21243
21244
21245
21246
21247
21248
21249
21250
21251
21252
21253
21254
21255
21256
21257
21258
21259
21260
21261
21262
21263
21264
21265
21266
21267
21268
21269
21270
21271
21272
21273
21274
21275
21276
21277
21278
21279
21280
21281
21282
21283
21284
21285
21286
21287
21288
21289
21290
21291
21292
21293
21294
21295
21296
21297
21298
21299
21300
21301
21302
21303
21304
21305
21306
21307
21308
21309
21310
21311
21312
21313
21314
21315
21316
21317
21318
21319
21320
21321
21322
21323
21324
21325
21326
21327
21328
21329
21330
21331
21332
21333
21334
21335
21336
21337
21338
21339
21340
21341
21342
21343
21344
21345
21346
21347
21348
21349
21350
21351
21352
21353
21354
21355
21356
21357
21358
21359
21360
21361
21362
21363
21364
21365
21366
21367
21368
21369
21370
21371
21372
21373
21374
21375
21376
21377
21378
21379
21380
21381
21382
21383
21384
21385
21386
21387
21388
21389
21390
21391
21392
21393
21394
21395
21396
21397
21398
21399
21400
21401
21402
21403
21404
21405
21406
21407
21408
21409
21410
21411
21412
21413
21414
21415
21416
21417
21418
21419
21420
21421
21422
21423
21424
21425
21426
21427
21428
21429
21430
21431
21432
21433
21434
21435
21436
21437
21438
21439
21440
21441
21442
21443
21444
21445
21446
21447
21448
21449
21450
21451
21452
21453
21454
21455
21456
21457
21458
21459
21460
21461
21462
21463
21464
21465
21466
21467
21468
21469
21470
21471
21472
21473
21474
21475
21476
21477
21478
21479
21480
21481
21482
21483
21484
21485
21486
21487
21488
21489
21490
21491
21492
21493
21494
21495
21496
21497
21498
21499
21500
21501
21502
21503
21504
21505
21506
21507
21508
21509
21510
21511
21512
21513
21514
21515
21516
21517
21518
21519
21520
21521
21522
21523
21524
21525
21526
21527
21528
21529
21530
21531
21532
21533
21534
21535
21536
21537
21538
21539
21540
21541
21542
21543
21544
21545
21546
21547
21548
21549
21550
21551
21552
21553
21554
21555
21556
21557
21558
21559
21560
21561
21562
21563
21564
21565
21566
21567
21568
21569
21570
21571
21572
21573
21574
21575
21576
21577
21578
21579
21580
21581
21582
21583
21584
21585
21586
21587
21588
21589
21590
21591
21592
21593
21594
21595
21596
21597
21598
21599
21600
21601
21602
21603
21604
21605
21606
21607
21608
21609
21610
21611
21612
21613
21614
21615
21616
21617
21618
21619
21620
21621
21622
21623
21624
21625
21626
21627
21628
21629
21630
21631
21632
21633
21634
21635
21636
21637
21638
21639
21640
21641
21642
21643
21644
21645
21646
21647
21648
21649
21650
21651
21652
21653
21654
21655
21656
21657
21658
21659
21660
21661
21662
21663
21664
21665
21666
21667
21668
21669
21670
21671
21672
21673
21674
21675
21676
21677
21678
21679
21680
21681
21682
21683
21684
21685
21686
21687
21688
21689
21690
21691
21692
21693
21694
21695
21696
21697
21698
21699
21700
21701
21702
21703
21704
21705
21706
21707
21708
21709
21710
21711
21712
21713
21714
21715
21716
21717
21718
21719
21720
21721
21722
21723
21724
21725
21726
21727
21728
21729
21730
21731
21732
21733
21734
21735
21736
21737
21738
21739
21740
21741
21742
21743
21744
21745
21746
21747
21748
21749
21750
21751
21752
21753
21754
21755
21756
21757
21758
21759
21760
21761
21762
21763
21764
21765
21766
21767
21768
21769
21770
21771
21772
21773
21774
21775
21776
21777
21778
21779
21780
21781
21782
21783
21784
21785
21786
21787
21788
21789
21790
21791
21792
21793
21794
21795
21796
21797
21798
21799
21800
21801
21802
21803
21804
21805
21806
21807
21808
21809
21810
21811
21812
21813
21814
21815
21816
21817
21818
21819
21820
21821
21822
21823
21824
21825
21826
21827
21828
21829
21830
21831
21832
21833
21834
21835
21836
21837
21838
21839
21840
21841
21842
21843
21844
21845
21846
21847
21848
21849
21850
21851
21852
21853
21854
21855
21856
21857
21858
21859
21860
21861
21862
21863
21864
21865
21866
21867
21868
21869
21870
21871
21872
21873
21874
21875
21876
21877
21878
21879
21880
21881
21882
21883
21884
21885
21886
21887
21888
21889
21890
21891
21892
21893
21894
21895
21896
21897
21898
21899
21900
21901
21902
21903
21904
21905
21906
21907
21908
21909
21910
21911
21912
21913
21914
21915
21916
21917
21918
21919
21920
21921
21922
21923
21924
21925
21926
21927
21928
21929
21930
21931
21932
21933
21934
21935
21936
21937
21938
21939
21940
21941
21942
21943
21944
21945
21946
21947
21948
21949
21950
21951
21952
21953
21954
21955
21956
21957
21958
21959
21960
21961
21962
21963
21964
21965
21966
21967
21968
21969
21970
21971
21972
21973
21974
21975
21976
21977
21978
21979
21980
21981
21982
21983
21984
21985
21986
21987
21988
21989
21990
21991
21992
21993
21994
21995
21996
21997
21998
21999
22000
22001
22002
22003
22004
22005
22006
22007
22008
22009
22010
22011
22012
22013
22014
22015
22016
22017
22018
22019
22020
22021
22022
22023
22024
22025
22026
22027
22028
22029
22030
22031
22032
22033
22034
22035
22036
22037
22038
22039
22040
22041
22042
22043
22044
22045
22046
22047
22048
22049
22050
22051
22052
22053
22054
22055
22056
22057
22058
22059
22060
22061
22062
22063
22064
22065
22066
22067
22068
22069
22070
22071
22072
22073
22074
22075
22076
22077
22078
22079
22080
22081
22082
22083
22084
22085
22086
22087
22088
22089
22090
22091
22092
22093
22094
22095
22096
22097
22098
22099
22100
22101
22102
22103
22104
22105
22106
22107
22108
22109
22110
22111
22112
22113
22114
22115
22116
22117
22118
22119
22120
22121
22122
22123
22124
22125
22126
22127
22128
22129
22130
22131
22132
22133
22134
22135
22136
22137
22138
22139
22140
22141
22142
22143
22144
22145
22146
22147
22148
22149
22150
22151
22152
22153
22154
22155
22156
22157
22158
22159
22160
22161
22162
22163
22164
22165
22166
22167
22168
22169
22170
22171
22172
22173
22174
22175
22176
22177
22178
22179
22180
22181
22182
22183
22184
22185
22186
22187
22188
22189
22190
22191
22192
22193
22194
22195
22196
22197
22198
22199
22200
22201
22202
22203
22204
22205
22206
22207
22208
22209
22210
22211
22212
22213
22214
22215
22216
22217
22218
22219
22220
22221
22222
22223
22224
22225
22226
22227
22228
22229
22230
22231
22232
22233
22234
22235
22236
22237
22238
22239
22240
22241
22242
22243
22244
22245
22246
22247
22248
22249
22250
22251
22252
22253
22254
22255
22256
22257
22258
22259
22260
22261
22262
22263
22264
22265
22266
22267
22268
22269
22270
22271
22272
22273
22274
22275
22276
22277
22278
22279
22280
22281
22282
22283
22284
22285
22286
22287
22288
22289
22290
22291
22292
22293
22294
22295
22296
22297
22298
22299
22300
22301
22302
22303
22304
22305
22306
22307
22308
22309
22310
22311
22312
22313
22314
22315
22316
22317
22318
22319
22320
22321
22322
22323
22324
22325
22326
22327
22328
22329
22330
22331
22332
22333
22334
22335
22336
22337
22338
22339
22340
22341
22342
22343
22344
22345
22346
22347
22348
22349
22350
22351
22352
22353
22354
22355
22356
22357
22358
22359
22360
22361
22362
22363
22364
22365
22366
22367
22368
22369
22370
22371
22372
22373
22374
22375
22376
22377
22378
22379
22380
22381
22382
22383
22384
22385
22386
22387
22388
22389
22390
22391
22392
22393
22394
22395
22396
22397
22398
22399
22400
22401
22402
22403
22404
22405
22406
22407
22408
22409
22410
22411
22412
22413
22414
22415
22416
22417
22418
22419
22420
22421
22422
22423
22424
22425
22426
22427
22428
22429
22430
22431
22432
22433
22434
22435
22436
22437
22438
22439
22440
22441
22442
22443
22444
22445
22446
22447
22448
22449
22450
22451
22452
22453
22454
22455
22456
22457
22458
22459
22460
22461
22462
22463
22464
22465
22466
22467
22468
22469
22470
22471
22472
22473
22474
22475
22476
22477
22478
22479
22480
22481
22482
22483
22484
22485
22486
22487
22488
22489
22490
22491
22492
22493
22494
22495
22496
22497
22498
22499
22500
22501
22502
22503
22504
22505
22506
22507
22508
22509
22510
22511
22512
22513
22514
22515
22516
22517
22518
22519
22520
22521
22522
22523
22524
22525
22526
22527
22528
22529
22530
22531
22532
22533
22534
22535
22536
22537
22538
22539
22540
22541
22542
22543
22544
22545
22546
22547
22548
22549
22550
22551
22552
22553
22554
22555
22556
22557
22558
22559
22560
22561
22562
22563
22564
22565
22566
22567
22568
22569
22570
22571
22572
22573
22574
22575
22576
22577
22578
22579
22580
22581
22582
22583
22584
22585
22586
22587
22588
22589
22590
22591
22592
22593
22594
22595
22596
22597
22598
22599
22600
22601
22602
22603
22604
22605
22606
22607
22608
22609
22610
22611
22612
22613
22614
22615
22616
22617
22618
22619
22620
22621
22622
22623
22624
22625
22626
22627
22628
22629
22630
22631
22632
22633
22634
22635
22636
22637
22638
22639
22640
22641
22642
22643
22644
22645
22646
22647
22648
22649
22650
22651
22652
22653
22654
22655
22656
22657
22658
22659
22660
22661
22662
22663
22664
22665
22666
22667
22668
22669
22670
22671
22672
22673
22674
22675
22676
22677
22678
22679
22680
22681
22682
22683
22684
22685
22686
22687
22688
22689
22690
22691
22692
22693
22694
22695
22696
22697
22698
22699
22700
22701
22702
22703
22704
22705
22706
22707
22708
22709
22710
22711
22712
22713
22714
22715
22716
22717
22718
22719
22720
22721
22722
22723
22724
22725
22726
22727
22728
22729
22730
22731
22732
22733
22734
22735
22736
22737
22738
22739
22740
22741
22742
22743
22744
22745
22746
22747
22748
22749
22750
22751
22752
22753
22754
22755
22756
22757
22758
22759
22760
22761
22762
22763
22764
22765
22766
22767
22768
22769
22770
22771
22772
22773
22774
22775
22776
22777
22778
22779
22780
22781
22782
22783
22784
22785
22786
22787
22788
22789
22790
22791
22792
22793
22794
22795
22796
22797
22798
22799
22800
22801
22802
22803
22804
22805
22806
22807
22808
22809
22810
22811
22812
22813
22814
22815
22816
22817
22818
22819
22820
22821
22822
22823
22824
22825
22826
22827
22828
22829
22830
22831
22832
22833
22834
22835
22836
22837
22838
22839
22840
22841
22842
22843
22844
22845
22846
22847
22848
22849
22850
22851
22852
22853
22854
22855
22856
22857
22858
22859
22860
22861
22862
22863
22864
22865
22866
22867
22868
22869
22870
22871
22872
22873
22874
22875
22876
22877
22878
22879
22880
22881
22882
22883
22884
22885
22886
22887
22888
22889
22890
22891
22892
22893
22894
22895
22896
22897
22898
22899
22900
22901
22902
22903
22904
22905
22906
22907
22908
22909
22910
22911
22912
22913
22914
22915
22916
22917
22918
22919
22920
22921
22922
22923
22924
22925
22926
22927
22928
22929
22930
22931
22932
22933
22934
22935
22936
22937
22938
22939
22940
22941
22942
22943
22944
22945
22946
22947
22948
22949
22950
22951
22952
22953
22954
22955
22956
22957
22958
22959
22960
22961
22962
22963
22964
22965
22966
22967
22968
22969
22970
22971
22972
22973
22974
22975
22976
22977
22978
22979
22980
22981
22982
22983
22984
22985
22986
22987
22988
22989
22990
22991
22992
22993
22994
22995
22996
22997
22998
22999
23000
23001
23002
23003
23004
23005
23006
23007
23008
23009
23010
23011
23012
23013
23014
23015
23016
23017
23018
23019
23020
23021
23022
23023
23024
23025
23026
23027
23028
23029
23030
23031
23032
23033
23034
23035
23036
23037
23038
23039
23040
23041
23042
23043
23044
23045
23046
23047
23048
23049
23050
23051
23052
23053
23054
23055
23056
23057
23058
23059
23060
23061
23062
23063
23064
23065
23066
23067
23068
23069
23070
23071
23072
23073
23074
23075
23076
23077
23078
23079
23080
23081
23082
23083
23084
23085
23086
23087
23088
23089
23090
23091
23092
23093
23094
23095
23096
23097
23098
23099
23100
23101
23102
23103
23104
23105
23106
23107
23108
23109
23110
23111
23112
23113
23114
23115
23116
23117
23118
23119
23120
23121
23122
23123
23124
23125
23126
23127
23128
23129
23130
23131
23132
23133
23134
23135
23136
23137
23138
23139
23140
23141
23142
23143
23144
23145
23146
23147
23148
23149
23150
23151
23152
23153
23154
23155
23156
23157
23158
23159
23160
23161
23162
23163
23164
23165
23166
23167
23168
23169
23170
23171
23172
23173
23174
23175
23176
23177
23178
23179
23180
23181
23182
23183
23184
23185
23186
23187
23188
23189
23190
23191
23192
23193
23194
23195
23196
23197
23198
23199
23200
23201
23202
23203
23204
23205
23206
23207
23208
23209
23210
23211
23212
23213
23214
23215
23216
23217
23218
23219
23220
23221
23222
23223
23224
23225
23226
23227
23228
23229
23230
23231
23232
23233
23234
23235
23236
23237
23238
23239
23240
23241
23242
23243
23244
23245
23246
23247
23248
23249
23250
23251
23252
23253
23254
23255
23256
23257
23258
23259
23260
23261
23262
23263
23264
23265
23266
23267
23268
23269
23270
23271
23272
23273
23274
23275
23276
23277
23278
23279
23280
23281
23282
23283
23284
23285
23286
23287
23288
23289
23290
23291
23292
23293
23294
23295
23296
23297
23298
23299
23300
23301
23302
23303
23304
23305
23306
23307
23308
23309
23310
23311
23312
23313
23314
23315
23316
23317
23318
23319
23320
23321
23322
23323
23324
23325
23326
23327
23328
23329
23330
23331
23332
23333
23334
23335
23336
23337
23338
23339
23340
23341
23342
23343
23344
23345
23346
23347
23348
23349
23350
23351
23352
23353
23354
23355
23356
23357
23358
23359
23360
23361
23362
23363
23364
23365
23366
23367
23368
23369
23370
23371
23372
23373
23374
23375
23376
23377
23378
23379
23380
23381
23382
23383
23384
23385
23386
23387
23388
23389
23390
23391
23392
23393
23394
23395
23396
23397
23398
23399
23400
23401
23402
23403
23404
23405
23406
23407
23408
23409
23410
23411
23412
23413
23414
23415
23416
23417
23418
23419
23420
23421
23422
23423
23424
23425
23426
23427
23428
23429
23430
23431
23432
23433
23434
23435
23436
23437
23438
23439
23440
23441
23442
23443
23444
23445
23446
23447
23448
23449
23450
23451
23452
23453
23454
23455
23456
23457
23458
23459
23460
23461
23462
23463
23464
23465
23466
23467
23468
23469
23470
23471
23472
23473
23474
23475
23476
23477
23478
23479
23480
23481
23482
23483
23484
23485
23486
23487
23488
23489
23490
23491
23492
23493
23494
23495
23496
23497
23498
23499
23500
23501
23502
23503
23504
23505
23506
23507
23508
23509
23510
23511
23512
23513
23514
23515
23516
23517
23518
23519
23520
23521
23522
23523
23524
23525
23526
23527
23528
23529
23530
23531
23532
23533
23534
23535
23536
23537
23538
23539
23540
23541
23542
23543
23544
23545
23546
23547
23548
23549
23550
23551
23552
23553
23554
23555
23556
23557
23558
23559
23560
23561
23562
23563
23564
23565
23566
23567
23568
23569
23570
23571
23572
23573
23574
23575
23576
23577
23578
23579
23580
23581
23582
23583
23584
23585
23586
23587
23588
23589
23590
23591
23592
23593
23594
23595
23596
23597
23598
23599
23600
23601
23602
23603
23604
23605
23606
23607
23608
23609
23610
23611
23612
23613
23614
23615
23616
23617
23618
23619
23620
23621
23622
23623
23624
23625
23626
23627
23628
23629
23630
23631
23632
23633
23634
23635
23636
23637
23638
23639
23640
23641
23642
23643
23644
23645
23646
23647
23648
23649
23650
23651
23652
23653
23654
23655
23656
23657
23658
23659
23660
23661
23662
23663
23664
23665
23666
23667
23668
23669
23670
23671
23672
23673
23674
23675
23676
23677
23678
23679
23680
23681
23682
23683
23684
23685
23686
23687
23688
23689
23690
23691
23692
23693
23694
23695
23696
23697
23698
23699
23700
23701
23702
23703
23704
23705
23706
23707
23708
23709
23710
23711
23712
23713
23714
23715
23716
23717
23718
23719
23720
23721
23722
23723
23724
23725
23726
23727
23728
23729
23730
23731
23732
23733
23734
23735
23736
23737
23738
23739
23740
23741
23742
23743
23744
23745
23746
23747
23748
23749
23750
23751
23752
23753
23754
23755
23756
23757
23758
23759
23760
23761
23762
23763
23764
23765
23766
23767
23768
23769
23770
23771
23772
23773
23774
23775
23776
23777
23778
23779
23780
23781
23782
23783
23784
23785
23786
23787
23788
23789
23790
23791
23792
23793
23794
23795
23796
23797
23798
23799
23800
23801
23802
23803
23804
23805
23806
23807
23808
23809
23810
23811
23812
23813
23814
23815
23816
23817
23818
23819
23820
23821
23822
23823
23824
23825
23826
23827
23828
23829
23830
23831
23832
23833
23834
23835
23836
23837
23838
23839
23840
23841
23842
23843
23844
23845
23846
23847
23848
23849
23850
23851
23852
23853
23854
23855
23856
23857
23858
23859
23860
23861
23862
23863
23864
23865
23866
23867
23868
23869
23870
23871
23872
23873
23874
23875
23876
23877
23878
23879
23880
23881
23882
23883
23884
23885
23886
23887
23888
23889
23890
23891
23892
23893
23894
23895
23896
23897
23898
23899
23900
23901
23902
23903
23904
23905
23906
23907
23908
23909
23910
23911
23912
23913
23914
23915
23916
23917
23918
23919
23920
23921
23922
23923
23924
23925
23926
23927
23928
23929
23930
23931
23932
23933
23934
23935
23936
23937
23938
23939
23940
23941
23942
23943
23944
23945
23946
23947
23948
23949
23950
23951
23952
23953
23954
23955
23956
23957
23958
23959
23960
23961
23962
23963
23964
23965
23966
23967
23968
23969
23970
23971
23972
23973
23974
23975
23976
23977
23978
23979
23980
23981
23982
23983
23984
23985
23986
23987
23988
23989
23990
23991
23992
23993
23994
23995
23996
23997
23998
23999
24000
24001
24002
24003
24004
24005
24006
24007
24008
24009
24010
24011
24012
24013
24014
24015
24016
24017
24018
24019
24020
24021
24022
24023
24024
24025
24026
24027
24028
24029
24030
24031
24032
24033
24034
24035
24036
24037
24038
24039
24040
24041
24042
24043
24044
24045
24046
24047
24048
24049
24050
24051
24052
24053
24054
24055
24056
24057
24058
24059
24060
24061
24062
24063
24064
24065
24066
24067
24068
24069
24070
24071
24072
24073
24074
24075
24076
24077
24078
24079
24080
24081
24082
24083
24084
24085
24086
24087
24088
24089
24090
24091
24092
24093
24094
24095
24096
24097
24098
24099
24100
24101
24102
24103
24104
24105
24106
24107
24108
24109
24110
24111
24112
24113
24114
24115
24116
24117
24118
24119
24120
24121
24122
24123
24124
24125
24126
24127
24128
24129
24130
24131
24132
24133
24134
24135
24136
24137
24138
24139
24140
24141
24142
24143
24144
24145
24146
24147
24148
24149
24150
24151
24152
24153
24154
24155
24156
24157
24158
24159
24160
24161
24162
24163
24164
24165
24166
24167
24168
24169
24170
24171
24172
24173
24174
24175
24176
24177
24178
24179
24180
24181
24182
24183
24184
24185
24186
24187
24188
24189
24190
24191
24192
24193
24194
24195
24196
24197
24198
24199
24200
24201
24202
24203
24204
24205
24206
24207
24208
24209
24210
24211
24212
24213
24214
24215
24216
24217
24218
24219
24220
24221
24222
24223
24224
24225
24226
24227
24228
24229
24230
24231
24232
24233
24234
24235
24236
24237
24238
24239
24240
24241
24242
24243
24244
24245
24246
24247
24248
24249
24250
24251
24252
24253
24254
24255
24256
24257
24258
24259
24260
24261
24262
24263
24264
24265
24266
24267
24268
24269
24270
24271
24272
24273
24274
24275
24276
24277
24278
24279
24280
24281
24282
24283
24284
24285
24286
24287
24288
24289
24290
24291
24292
24293
24294
24295
24296
24297
24298
24299
24300
24301
24302
24303
24304
24305
24306
24307
24308
24309
24310
24311
24312
24313
24314
24315
24316
24317
24318
24319
24320
24321
24322
24323
24324
24325
24326
24327
24328
24329
24330
24331
24332
24333
24334
24335
24336
24337
24338
24339
24340
24341
24342
24343
24344
24345
24346
24347
24348
24349
24350
24351
24352
24353
24354
24355
24356
24357
24358
24359
24360
24361
24362
24363
24364
24365
24366
24367
24368
24369
24370
24371
24372
24373
24374
24375
24376
24377
24378
24379
24380
24381
24382
24383
24384
24385
24386
24387
24388
24389
24390
24391
24392
24393
24394
24395
24396
24397
24398
24399
24400
24401
24402
24403
24404
24405
24406
24407
24408
24409
24410
24411
24412
24413
24414
24415
24416
24417
24418
24419
24420
24421
24422
24423
24424
24425
24426
24427
24428
24429
24430
24431
24432
24433
24434
24435
24436
24437
24438
24439
24440
24441
24442
24443
24444
24445
24446
24447
24448
24449
24450
24451
24452
24453
24454
24455
24456
24457
24458
24459
24460
24461
24462
24463
24464
24465
24466
24467
24468
24469
24470
24471
24472
24473
24474
24475
24476
24477
24478
24479
24480
24481
24482
24483
24484
24485
24486
24487
24488
24489
24490
24491
24492
24493
24494
24495
24496
24497
24498
24499
24500
24501
24502
24503
24504
24505
24506
24507
24508
24509
24510
24511
24512
24513
24514
24515
24516
24517
24518
24519
24520
24521
24522
24523
24524
24525
24526
24527
24528
24529
24530
24531
24532
24533
24534
24535
24536
24537
24538
24539
24540
24541
24542
24543
24544
24545
24546
24547
24548
24549
24550
24551
24552
24553
24554
24555
24556
24557
24558
24559
24560
24561
24562
24563
24564
24565
24566
24567
24568
24569
24570
24571
24572
24573
24574
24575
24576
24577
24578
24579
24580
24581
24582
24583
24584
24585
24586
24587
24588
24589
24590
24591
24592
24593
24594
24595
24596
24597
24598
24599
24600
24601
24602
24603
24604
24605
24606
24607
24608
24609
24610
24611
24612
24613
24614
24615
24616
24617
24618
24619
24620
24621
24622
24623
24624
24625
24626
24627
24628
24629
24630
24631
24632
24633
24634
24635
24636
24637
24638
24639
24640
24641
24642
24643
24644
24645
24646
24647
24648
24649
24650
24651
24652
24653
24654
24655
24656
24657
24658
24659
24660
24661
24662
24663
24664
24665
24666
24667
24668
24669
24670
24671
24672
24673
24674
24675
24676
24677
24678
24679
24680
24681
24682
24683
24684
24685
24686
24687
24688
24689
24690
24691
24692
24693
24694
24695
24696
24697
24698
24699
24700
24701
24702
24703
24704
24705
24706
24707
24708
24709
24710
24711
24712
24713
24714
24715
24716
24717
24718
24719
24720
24721
24722
24723
24724
24725
24726
24727
24728
24729
24730
24731
24732
24733
24734
24735
24736
24737
24738
24739
24740
24741
24742
24743
24744
24745
24746
24747
24748
24749
24750
24751
24752
24753
24754
24755
24756
24757
24758
24759
24760
24761
24762
24763
24764
24765
24766
24767
24768
24769
24770
24771
24772
24773
24774
24775
24776
24777
24778
24779
24780
24781
24782
24783
24784
24785
24786
24787
24788
24789
24790
24791
24792
24793
24794
24795
24796
24797
24798
24799
24800
24801
24802
24803
24804
24805
24806
24807
24808
24809
24810
24811
24812
24813
24814
24815
24816
24817
24818
24819
24820
24821
24822
24823
24824
24825
24826
24827
24828
24829
24830
24831
24832
24833
24834
24835
24836
24837
24838
24839
24840
24841
24842
24843
24844
24845
24846
24847
24848
24849
24850
24851
24852
24853
24854
24855
24856
24857
24858
24859
24860
24861
24862
24863
24864
24865
24866
24867
24868
24869
24870
24871
24872
24873
24874
24875
24876
24877
24878
24879
24880
24881
24882
24883
24884
24885
24886
24887
24888
24889
24890
24891
24892
24893
24894
24895
24896
24897
24898
24899
24900
24901
24902
24903
24904
24905
24906
24907
24908
24909
24910
24911
24912
24913
24914
24915
24916
24917
24918
24919
24920
24921
24922
24923
24924
24925
24926
24927
24928
24929
24930
24931
24932
24933
24934
24935
24936
24937
24938
24939
24940
24941
24942
24943
24944
24945
24946
24947
24948
24949
24950
24951
24952
24953
24954
24955
24956
24957
24958
24959
24960
24961
24962
24963
24964
24965
24966
24967
24968
24969
24970
24971
24972
24973
24974
24975
24976
24977
24978
24979
24980
24981
24982
24983
24984
24985
24986
24987
24988
24989
24990
24991
24992
24993
24994
24995
24996
24997
24998
24999
25000
25001
25002
25003
25004
25005
25006
25007
25008
25009
25010
25011
25012
25013
25014
25015
25016
25017
25018
25019
25020
25021
25022
25023
25024
25025
25026
25027
25028
25029
25030
25031
25032
25033
25034
25035
25036
25037
25038
25039
25040
25041
25042
25043
25044
25045
25046
25047
25048
25049
25050
25051
25052
25053
25054
25055
25056
25057
25058
25059
25060
25061
25062
25063
25064
25065
25066
25067
25068
25069
25070
25071
25072
25073
25074
25075
25076
25077
25078
25079
25080
25081
25082
25083
25084
25085
25086
25087
25088
25089
25090
25091
25092
25093
25094
25095
25096
25097
25098
25099
25100
25101
25102
25103
25104
25105
25106
25107
25108
25109
25110
25111
25112
25113
25114
25115
25116
25117
25118
25119
25120
25121
25122
25123
25124
25125
25126
25127
25128
25129
25130
25131
25132
25133
25134
25135
25136
25137
25138
25139
25140
25141
25142
25143
25144
25145
25146
25147
25148
25149
25150
25151
25152
25153
25154
25155
25156
25157
25158
25159
25160
25161
25162
25163
25164
25165
25166
25167
25168
25169
25170
25171
25172
25173
25174
25175
25176
25177
25178
25179
25180
25181
25182
25183
25184
25185
25186
25187
25188
25189
25190
25191
25192
25193
25194
25195
25196
25197
25198
25199
25200
25201
25202
25203
25204
25205
25206
25207
25208
25209
25210
25211
25212
25213
25214
25215
25216
25217
25218
25219
25220
25221
25222
25223
25224
25225
25226
25227
25228
25229
25230
25231
25232
25233
25234
25235
25236
25237
25238
25239
25240
25241
25242
25243
25244
25245
25246
25247
25248
25249
25250
25251
25252
25253
25254
25255
25256
25257
25258
25259
25260
25261
25262
25263
25264
25265
25266
25267
25268
25269
25270
25271
25272
25273
25274
25275
25276
25277
25278
25279
25280
25281
25282
25283
25284
25285
25286
25287
25288
25289
25290
25291
25292
25293
25294
25295
25296
25297
25298
25299
25300
25301
25302
25303
25304
25305
25306
25307
25308
25309
25310
25311
25312
25313
25314
25315
25316
25317
25318
25319
25320
25321
25322
25323
25324
25325
25326
25327
25328
25329
25330
25331
25332
25333
25334
25335
25336
25337
25338
25339
25340
25341
25342
25343
25344
25345
25346
25347
25348
25349
25350
25351
25352
25353
25354
25355
25356
25357
25358
25359
25360
25361
25362
25363
25364
25365
25366
25367
25368
25369
25370
25371
25372
25373
25374
25375
25376
25377
25378
25379
25380
25381
25382
25383
25384
25385
25386
25387
25388
25389
25390
25391
25392
25393
25394
25395
25396
25397
25398
25399
25400
25401
25402
25403
25404
25405
25406
25407
25408
25409
25410
25411
25412
25413
25414
25415
25416
25417
25418
25419
25420
25421
25422
25423
25424
25425
25426
25427
25428
25429
25430
25431
25432
25433
25434
25435
25436
25437
25438
25439
25440
25441
25442
25443
25444
25445
25446
25447
25448
25449
25450
25451
25452
25453
25454
25455
25456
25457
25458
25459
25460
25461
25462
25463
25464
25465
25466
25467
25468
25469
25470
25471
25472
25473
25474
25475
25476
25477
25478
25479
25480
25481
25482
25483
25484
25485
25486
25487
25488
25489
25490
25491
25492
25493
25494
25495
25496
25497
25498
25499
25500
25501
25502
25503
25504
25505
25506
25507
25508
25509
25510
25511
25512
25513
25514
25515
25516
25517
25518
25519
25520
25521
25522
25523
25524
25525
25526
25527
25528
25529
25530
25531
25532
25533
25534
25535
25536
25537
25538
25539
25540
25541
25542
25543
25544
25545
25546
25547
25548
25549
25550
25551
25552
25553
25554
25555
25556
25557
25558
25559
25560
25561
25562
25563
25564
25565
25566
25567
25568
25569
25570
25571
25572
25573
25574
25575
25576
25577
25578
25579
25580
25581
25582
25583
25584
25585
25586
25587
25588
25589
25590
25591
25592
25593
25594
25595
25596
25597
25598
25599
25600
25601
25602
25603
25604
25605
25606
25607
25608
25609
25610
25611
25612
25613
25614
25615
25616
25617
25618
25619
25620
25621
25622
25623
25624
25625
25626
25627
25628
25629
25630
25631
25632
25633
25634
25635
25636
25637
25638
25639
25640
25641
25642
25643
25644
25645
25646
25647
25648
25649
25650
25651
25652
25653
25654
25655
25656
25657
25658
25659
25660
25661
25662
25663
25664
25665
25666
25667
25668
25669
25670
25671
25672
25673
25674
25675
25676
25677
25678
25679
25680
25681
25682
25683
25684
25685
25686
25687
25688
25689
25690
25691
25692
25693
25694
25695
25696
25697
25698
25699
25700
25701
25702
25703
25704
25705
25706
25707
25708
25709
25710
25711
25712
25713
25714
25715
25716
25717
25718
25719
25720
25721
25722
25723
25724
25725
25726
25727
25728
25729
25730
25731
25732
25733
25734
25735
25736
25737
25738
25739
25740
25741
25742
25743
25744
25745
25746
25747
25748
25749
25750
25751
25752
25753
25754
25755
25756
25757
25758
25759
25760
25761
25762
25763
25764
25765
25766
25767
25768
25769
25770
25771
25772
25773
25774
25775
25776
25777
25778
25779
25780
25781
25782
25783
25784
25785
25786
25787
25788
25789
25790
25791
25792
25793
25794
25795
25796
25797
25798
25799
25800
25801
25802
25803
25804
25805
25806
25807
25808
25809
25810
25811
25812
25813
25814
25815
25816
25817
25818
25819
25820
25821
25822
25823
25824
25825
25826
25827
25828
25829
25830
25831
25832
25833
25834
25835
25836
25837
25838
25839
25840
25841
25842
25843
25844
25845
25846
25847
25848
25849
25850
25851
25852
25853
25854
25855
25856
25857
25858
25859
25860
25861
25862
25863
25864
25865
25866
25867
25868
25869
25870
25871
25872
25873
25874
25875
25876
25877
25878
25879
25880
25881
25882
25883
25884
25885
25886
25887
25888
25889
25890
25891
25892
25893
25894
25895
25896
25897
25898
25899
25900
25901
25902
25903
25904
25905
25906
25907
25908
25909
25910
25911
25912
25913
25914
25915
25916
25917
25918
25919
25920
25921
25922
25923
25924
25925
25926
25927
25928
25929
25930
25931
25932
25933
25934
25935
25936
25937
25938
25939
25940
25941
25942
25943
25944
25945
25946
25947
25948
25949
25950
25951
25952
25953
25954
25955
25956
25957
25958
25959
25960
25961
25962
25963
25964
25965
25966
25967
25968
25969
25970
25971
25972
25973
25974
25975
25976
25977
25978
25979
25980
25981
25982
25983
25984
25985
25986
25987
25988
25989
25990
25991
25992
25993
25994
25995
25996
25997
25998
25999
26000
26001
26002
26003
26004
26005
26006
26007
26008
26009
26010
26011
26012
26013
26014
26015
26016
26017
26018
26019
26020
26021
26022
26023
26024
26025
26026
26027
26028
26029
26030
26031
26032
26033
26034
26035
26036
26037
26038
26039
26040
26041
26042
26043
26044
26045
26046
26047
26048
26049
26050
26051
26052
26053
26054
26055
26056
26057
26058
26059
26060
26061
26062
26063
26064
26065
26066
26067
26068
26069
26070
26071
26072
26073
26074
26075
26076
26077
26078
26079
26080
26081
26082
26083
26084
26085
26086
26087
26088
26089
26090
26091
26092
26093
26094
26095
26096
26097
26098
26099
26100
26101
26102
26103
26104
26105
26106
26107
26108
26109
26110
26111
26112
26113
26114
26115
26116
26117
26118
26119
26120
26121
26122
26123
26124
26125
26126
26127
26128
26129
26130
26131
26132
26133
26134
26135
26136
26137
26138
26139
26140
26141
26142
26143
26144
26145
26146
26147
26148
26149
26150
26151
26152
26153
26154
26155
26156
26157
26158
26159
26160
26161
26162
26163
26164
26165
26166
26167
26168
26169
26170
26171
26172
26173
26174
26175
26176
26177
26178
26179
26180
26181
26182
26183
26184
26185
26186
26187
26188
26189
26190
26191
26192
26193
26194
26195
26196
26197
26198
26199
26200
26201
26202
26203
26204
26205
26206
26207
26208
26209
26210
26211
26212
26213
26214
26215
26216
26217
26218
26219
26220
26221
26222
26223
26224
26225
26226
26227
26228
26229
26230
26231
26232
26233
26234
26235
26236
26237
26238
26239
26240
26241
26242
26243
26244
26245
26246
26247
26248
26249
26250
26251
26252
26253
26254
26255
26256
26257
26258
26259
26260
26261
26262
26263
26264
26265
26266
26267
26268
26269
26270
26271
26272
26273
26274
26275
26276
26277
26278
26279
26280
26281
26282
26283
26284
26285
26286
26287
26288
26289
26290
26291
26292
26293
26294
26295
26296
26297
26298
26299
26300
26301
26302
26303
26304
26305
26306
26307
26308
26309
26310
26311
26312
26313
26314
26315
26316
26317
26318
26319
26320
26321
26322
26323
26324
26325
26326
26327
26328
26329
26330
26331
26332
26333
26334
26335
26336
26337
26338
26339
26340
26341
26342
26343
26344
26345
26346
26347
26348
26349
26350
26351
26352
26353
26354
26355
26356
26357
26358
26359
26360
26361
26362
26363
26364
26365
26366
26367
26368
26369
26370
26371
26372
26373
26374
26375
26376
26377
26378
26379
26380
26381
26382
26383
26384
26385
26386
26387
26388
26389
26390
26391
26392
26393
26394
26395
26396
26397
26398
26399
26400
26401
26402
26403
26404
26405
26406
26407
26408
26409
26410
26411
26412
26413
26414
26415
26416
26417
26418
26419
26420
26421
26422
26423
26424
26425
26426
26427
26428
26429
26430
26431
26432
26433
26434
26435
26436
26437
26438
26439
26440
26441
26442
26443
26444
26445
26446
26447
26448
26449
26450
26451
26452
26453
26454
26455
26456
26457
26458
26459
26460
26461
26462
26463
26464
26465
26466
26467
26468
26469
26470
26471
26472
26473
26474
26475
26476
26477
26478
26479
26480
26481
26482
26483
26484
26485
26486
26487
26488
26489
26490
26491
26492
26493
26494
26495
26496
26497
26498
26499
26500
26501
26502
26503
26504
26505
26506
26507
26508
26509
26510
26511
26512
26513
26514
26515
26516
26517
26518
26519
26520
26521
26522
26523
26524
26525
26526
26527
26528
26529
26530
26531
26532
26533
26534
26535
26536
26537
26538
26539
26540
26541
26542
26543
26544
26545
26546
26547
26548
26549
26550
26551
26552
26553
26554
26555
26556
26557
26558
26559
26560
26561
26562
26563
26564
26565
26566
26567
26568
26569
26570
26571
26572
26573
26574
26575
26576
26577
26578
26579
26580
26581
26582
26583
26584
26585
26586
26587
26588
26589
26590
26591
26592
26593
26594
26595
26596
26597
26598
26599
26600
26601
26602
26603
26604
26605
26606
26607
26608
26609
26610
26611
26612
26613
26614
26615
26616
26617
26618
26619
26620
26621
26622
26623
26624
26625
26626
26627
26628
26629
26630
26631
26632
26633
26634
26635
26636
26637
26638
26639
26640
26641
26642
26643
26644
26645
26646
26647
26648
26649
26650
26651
26652
26653
26654
26655
26656
26657
26658
26659
26660
26661
26662
26663
26664
26665
26666
26667
26668
26669
26670
26671
26672
26673
26674
26675
26676
26677
26678
26679
26680
26681
26682
26683
26684
26685
26686
26687
26688
26689
26690
26691
26692
26693
26694
26695
26696
26697
26698
26699
26700
26701
26702
26703
26704
26705
26706
26707
26708
26709
26710
26711
26712
26713
26714
26715
26716
26717
26718
26719
26720
26721
26722
26723
26724
26725
26726
26727
26728
26729
26730
26731
26732
26733
26734
26735
26736
26737
26738
26739
26740
26741
26742
26743
26744
26745
26746
26747
26748
26749
26750
26751
26752
26753
26754
26755
26756
26757
26758
26759
26760
26761
26762
26763
26764
26765
26766
26767
26768
26769
26770
26771
26772
26773
26774
26775
26776
26777
26778
26779
26780
26781
26782
26783
26784
26785
26786
26787
26788
26789
26790
26791
26792
26793
26794
26795
26796
26797
26798
26799
26800
26801
26802
26803
26804
26805
26806
26807
26808
26809
26810
26811
26812
26813
26814
26815
26816
26817
26818
26819
26820
26821
26822
26823
26824
26825
26826
26827
26828
26829
26830
26831
26832
26833
26834
26835
26836
26837
26838
26839
26840
26841
26842
26843
26844
26845
26846
26847
26848
26849
26850
26851
26852
26853
26854
26855
26856
26857
26858
26859
26860
26861
26862
26863
26864
26865
26866
26867
26868
26869
26870
26871
26872
26873
26874
26875
26876
26877
26878
26879
26880
26881
26882
26883
26884
26885
26886
26887
26888
26889
26890
26891
26892
26893
26894
26895
26896
26897
26898
26899
26900
26901
26902
26903
26904
26905
26906
26907
26908
26909
26910
26911
26912
26913
26914
26915
26916
26917
26918
26919
26920
26921
26922
26923
26924
26925
26926
26927
26928
26929
26930
26931
26932
26933
26934
26935
26936
26937
26938
26939
26940
26941
26942
26943
26944
26945
26946
26947
26948
26949
26950
26951
26952
26953
26954
26955
26956
26957
26958
26959
26960
26961
26962
26963
26964
26965
26966
26967
26968
26969
26970
26971
26972
26973
26974
26975
26976
26977
26978
26979
26980
26981
26982
26983
26984
26985
26986
26987
26988
26989
26990
26991
26992
26993
26994
26995
26996
26997
26998
26999
27000
27001
27002
27003
27004
27005
27006
27007
27008
27009
27010
27011
27012
27013
27014
27015
27016
27017
27018
27019
27020
27021
27022
27023
27024
27025
27026
27027
27028
27029
27030
27031
27032
27033
27034
27035
27036
27037
27038
27039
27040
27041
27042
27043
27044
27045
27046
27047
27048
27049
27050
27051
27052
27053
27054
27055
27056
27057
27058
27059
27060
27061
27062
27063
27064
27065
27066
27067
27068
27069
27070
27071
27072
27073
27074
27075
27076
27077
27078
27079
27080
27081
27082
27083
27084
27085
27086
27087
27088
27089
27090
27091
27092
27093
27094
27095
27096
27097
27098
27099
27100
27101
27102
27103
27104
27105
27106
27107
27108
27109
27110
27111
27112
27113
27114
27115
27116
27117
27118
27119
27120
27121
27122
27123
27124
27125
27126
27127
27128
27129
27130
27131
27132
27133
27134
27135
27136
27137
27138
27139
27140
27141
27142
27143
27144
27145
27146
27147
27148
27149
27150
27151
27152
27153
27154
27155
27156
27157
27158
27159
27160
27161
27162
27163
27164
27165
27166
27167
27168
27169
27170
27171
27172
27173
27174
27175
27176
27177
27178
27179
27180
27181
27182
27183
27184
27185
27186
27187
27188
27189
27190
27191
27192
27193
27194
27195
27196
27197
27198
27199
27200
27201
27202
27203
27204
27205
27206
27207
27208
27209
27210
27211
27212
27213
27214
27215
27216
27217
27218
27219
27220
27221
27222
27223
27224
27225
27226
27227
27228
27229
27230
27231
27232
27233
27234
27235
27236
27237
27238
27239
27240
27241
27242
27243
27244
27245
27246
27247
27248
27249
27250
27251
27252
27253
27254
27255
27256
27257
27258
27259
27260
27261
27262
27263
27264
27265
27266
27267
27268
27269
27270
27271
27272
27273
27274
27275
27276
27277
27278
27279
27280
27281
27282
27283
27284
27285
27286
27287
27288
27289
27290
27291
27292
27293
27294
27295
27296
27297
27298
27299
27300
27301
27302
27303
27304
27305
27306
27307
27308
27309
27310
27311
27312
27313
27314
27315
27316
27317
27318
27319
27320
27321
27322
27323
27324
27325
27326
27327
27328
27329
27330
27331
27332
27333
27334
27335
27336
27337
27338
27339
27340
27341
27342
27343
27344
27345
27346
27347
27348
27349
27350
27351
27352
27353
27354
27355
27356
27357
27358
27359
27360
27361
27362
27363
27364
27365
27366
27367
27368
27369
27370
27371
27372
27373
27374
27375
27376
27377
27378
27379
27380
27381
27382
27383
27384
27385
27386
27387
27388
27389
27390
27391
27392
27393
27394
27395
27396
27397
27398
27399
27400
27401
27402
27403
27404
27405
27406
27407
27408
27409
27410
27411
27412
27413
27414
27415
27416
27417
27418
27419
27420
27421
27422
27423
27424
27425
27426
27427
27428
27429
27430
27431
27432
27433
27434
27435
27436
27437
27438
27439
27440
27441
27442
27443
27444
27445
27446
27447
27448
27449
27450
27451
27452
27453
27454
27455
27456
27457
27458
27459
27460
27461
27462
27463
27464
27465
27466
27467
27468
27469
27470
27471
27472
27473
27474
27475
27476
27477
27478
27479
27480
27481
27482
27483
27484
27485
27486
27487
27488
27489
27490
27491
27492
27493
27494
27495
27496
27497
27498
27499
27500
27501
27502
27503
27504
27505
27506
27507
27508
27509
27510
27511
27512
27513
27514
27515
27516
27517
27518
27519
27520
27521
27522
27523
27524
27525
27526
27527
27528
27529
27530
27531
27532
27533
27534
27535
27536
27537
27538
27539
27540
27541
27542
27543
27544
27545
27546
27547
27548
27549
27550
27551
27552
27553
27554
27555
27556
27557
27558
27559
27560
27561
27562
27563
27564
27565
27566
27567
27568
27569
27570
27571
27572
27573
27574
27575
27576
27577
27578
27579
27580
27581
27582
27583
27584
27585
27586
27587
27588
27589
27590
27591
27592
27593
27594
27595
27596
27597
27598
27599
27600
27601
27602
27603
27604
27605
27606
27607
27608
27609
27610
27611
27612
27613
27614
27615
27616
27617
27618
27619
27620
27621
27622
27623
27624
27625
27626
27627
27628
27629
27630
27631
27632
27633
27634
27635
27636
27637
27638
27639
27640
27641
27642
27643
27644
27645
27646
27647
27648
27649
27650
27651
27652
27653
27654
27655
27656
27657
27658
27659
27660
27661
27662
27663
27664
27665
27666
27667
27668
27669
27670
27671
27672
27673
27674
27675
27676
27677
27678
27679
27680
27681
27682
27683
27684
27685
27686
27687
27688
27689
27690
27691
27692
27693
27694
27695
27696
27697
27698
27699
27700
27701
27702
27703
27704
27705
27706
27707
27708
27709
27710
27711
27712
27713
27714
27715
27716
27717
27718
27719
27720
27721
27722
27723
27724
27725
27726
27727
27728
27729
27730
27731
27732
27733
27734
27735
27736
27737
27738
27739
27740
27741
27742
27743
27744
27745
27746
27747
27748
27749
27750
27751
27752
27753
27754
27755
27756
27757
27758
27759
27760
27761
27762
27763
27764
27765
27766
27767
27768
27769
27770
27771
27772
27773
27774
27775
27776
27777
27778
27779
27780
27781
27782
27783
27784
27785
27786
27787
27788
27789
27790
27791
27792
27793
27794
27795
27796
27797
27798
27799
27800
27801
27802
27803
27804
27805
27806
27807
27808
27809
27810
27811
27812
27813
27814
27815
27816
27817
27818
27819
27820
27821
27822
27823
27824
27825
27826
27827
27828
27829
27830
27831
27832
27833
27834
27835
27836
27837
27838
27839
27840
27841
27842
27843
27844
27845
27846
27847
27848
27849
27850
27851
27852
27853
27854
27855
27856
27857
27858
27859
27860
27861
27862
27863
27864
27865
27866
27867
27868
27869
27870
27871
27872
27873
27874
27875
27876
27877
27878
27879
27880
27881
27882
27883
27884
27885
27886
27887
27888
27889
27890
27891
27892
27893
27894
27895
27896
27897
27898
27899
27900
27901
27902
27903
27904
27905
27906
27907
27908
27909
27910
27911
27912
27913
27914
27915
27916
27917
27918
27919
27920
27921
27922
27923
27924
27925
27926
27927
27928
27929
27930
27931
27932
27933
27934
27935
27936
27937
27938
27939
27940
27941
27942
27943
27944
27945
27946
27947
27948
27949
27950
27951
27952
27953
27954
27955
27956
27957
27958
27959
27960
27961
27962
27963
27964
27965
27966
27967
27968
27969
27970
27971
27972
27973
27974
27975
27976
27977
27978
27979
27980
27981
27982
27983
27984
27985
27986
27987
27988
27989
27990
27991
27992
27993
27994
27995
27996
27997
27998
27999
28000
28001
28002
28003
28004
28005
28006
28007
28008
28009
28010
28011
28012
28013
28014
28015
28016
28017
28018
28019
28020
28021
28022
28023
28024
28025
28026
28027
28028
28029
28030
28031
28032
28033
28034
28035
28036
28037
28038
28039
28040
28041
28042
28043
28044
28045
28046
28047
28048
28049
28050
28051
28052
28053
28054
28055
28056
28057
28058
28059
28060
28061
28062
28063
28064
28065
28066
28067
28068
28069
28070
28071
28072
28073
28074
28075
28076
28077
28078
28079
28080
28081
28082
28083
28084
28085
28086
28087
28088
28089
28090
28091
28092
28093
28094
28095
28096
28097
28098
28099
28100
28101
28102
28103
28104
28105
28106
28107
28108
28109
28110
28111
28112
28113
28114
28115
28116
28117
28118
28119
28120
28121
28122
28123
28124
28125
28126
28127
28128
28129
28130
28131
28132
28133
28134
28135
28136
28137
28138
28139
28140
28141
28142
28143
28144
28145
28146
28147
28148
28149
28150
28151
28152
28153
28154
28155
28156
28157
28158
28159
28160
28161
28162
28163
28164
28165
28166
28167
28168
28169
28170
28171
28172
28173
28174
28175
28176
28177
28178
28179
28180
28181
28182
28183
28184
28185
28186
28187
28188
28189
28190
28191
28192
28193
28194
28195
28196
28197
28198
28199
28200
28201
28202
28203
28204
28205
28206
28207
28208
28209
28210
28211
28212
28213
28214
28215
28216
28217
28218
28219
28220
28221
28222
28223
28224
28225
28226
28227
28228
28229
28230
28231
28232
28233
28234
28235
28236
28237
28238
28239
28240
28241
28242
28243
28244
28245
28246
28247
28248
28249
28250
28251
28252
28253
28254
28255
28256
28257
28258
28259
28260
28261
28262
28263
28264
28265
28266
28267
28268
28269
28270
28271
28272
28273
28274
28275
28276
28277
28278
28279
28280
28281
28282
28283
28284
28285
28286
28287
28288
28289
28290
28291
28292
28293
28294
28295
28296
28297
28298
28299
28300
28301
28302
28303
28304
28305
28306
28307
28308
28309
28310
28311
28312
28313
28314
28315
28316
28317
28318
28319
28320
28321
28322
28323
28324
28325
28326
28327
28328
28329
28330
28331
28332
28333
28334
28335
28336
28337
28338
28339
28340
28341
28342
28343
28344
28345
28346
28347
28348
28349
28350
28351
28352
28353
28354
28355
28356
28357
28358
28359
28360
28361
28362
28363
28364
28365
28366
28367
28368
28369
28370
28371
28372
28373
28374
28375
28376
28377
28378
28379
28380
28381
28382
28383
28384
28385
28386
28387
28388
28389
28390
28391
28392
28393
28394
28395
28396
28397
28398
28399
28400
28401
28402
28403
28404
28405
28406
28407
28408
28409
28410
28411
28412
28413
28414
28415
28416
28417
28418
28419
28420
28421
28422
28423
28424
28425
28426
28427
28428
28429
28430
28431
28432
28433
28434
28435
28436
28437
28438
28439
28440
28441
28442
28443
28444
28445
28446
28447
28448
28449
28450
28451
28452
28453
28454
28455
28456
28457
28458
28459
28460
28461
28462
28463
28464
28465
28466
28467
28468
28469
28470
28471
28472
28473
28474
28475
28476
28477
28478
28479
28480
28481
28482
28483
28484
28485
28486
28487
28488
28489
28490
28491
28492
28493
28494
28495
28496
28497
28498
28499
28500
28501
28502
28503
28504
28505
28506
28507
28508
28509
28510
28511
28512
28513
28514
28515
28516
28517
28518
28519
28520
28521
28522
28523
28524
28525
28526
28527
28528
28529
28530
28531
28532
28533
28534
28535
28536
28537
28538
28539
28540
28541
28542
28543
28544
28545
28546
28547
28548
28549
28550
28551
28552
28553
28554
28555
28556
28557
28558
28559
28560
28561
28562
28563
28564
28565
28566
28567
28568
28569
28570
28571
28572
28573
28574
28575
28576
28577
28578
28579
28580
28581
28582
28583
28584
28585
28586
28587
28588
28589
28590
28591
28592
28593
28594
28595
28596
28597
28598
28599
28600
28601
28602
28603
28604
28605
28606
28607
28608
28609
28610
28611
28612
28613
28614
28615
28616
28617
28618
28619
28620
28621
28622
28623
28624
28625
28626
28627
28628
28629
28630
28631
28632
28633
28634
28635
28636
28637
28638
28639
28640
28641
28642
28643
28644
28645
28646
28647
28648
28649
28650
28651
28652
28653
28654
28655
28656
28657
28658
28659
28660
28661
28662
28663
28664
28665
28666
28667
28668
28669
28670
28671
28672
28673
28674
28675
28676
28677
28678
28679
28680
28681
28682
28683
28684
28685
28686
28687
28688
28689
28690
28691
28692
28693
28694
28695
28696
28697
28698
28699
28700
28701
28702
28703
28704
28705
28706
28707
28708
28709
28710
28711
28712
28713
28714
28715
28716
28717
28718
28719
28720
28721
28722
28723
28724
28725
28726
28727
28728
28729
28730
28731
28732
28733
28734
28735
28736
28737
28738
28739
28740
28741
28742
28743
28744
28745
28746
28747
28748
28749
28750
28751
28752
28753
28754
28755
28756
28757
28758
28759
28760
28761
28762
28763
28764
28765
28766
28767
28768
28769
28770
28771
28772
28773
28774
28775
28776
28777
28778
28779
28780
28781
28782
28783
28784
28785
28786
28787
28788
28789
28790
28791
28792
28793
28794
28795
28796
28797
28798
28799
28800
28801
28802
28803
28804
28805
28806
28807
28808
28809
28810
28811
28812
28813
28814
28815
28816
28817
28818
28819
28820
28821
28822
28823
28824
28825
28826
28827
28828
28829
28830
28831
28832
28833
28834
28835
28836
28837
28838
28839
28840
28841
28842
28843
28844
28845
28846
28847
28848
28849
28850
28851
28852
28853
28854
28855
28856
28857
28858
28859
28860
28861
28862
28863
28864
28865
28866
28867
28868
28869
28870
28871
28872
28873
28874
28875
28876
28877
28878
28879
28880
28881
28882
28883
28884
28885
28886
28887
28888
28889
28890
28891
28892
28893
28894
28895
28896
28897
28898
28899
28900
28901
28902
28903
28904
28905
28906
28907
28908
28909
28910
28911
28912
28913
28914
28915
28916
28917
28918
28919
28920
28921
28922
28923
28924
28925
28926
28927
28928
28929
28930
28931
28932
28933
28934
28935
28936
28937
28938
28939
28940
28941
28942
28943
28944
28945
28946
28947
28948
28949
28950
28951
28952
28953
28954
28955
28956
28957
28958
28959
28960
28961
28962
28963
28964
28965
28966
28967
28968
28969
28970
28971
28972
28973
28974
28975
28976
28977
28978
28979
28980
28981
28982
28983
28984
28985
28986
28987
28988
28989
28990
28991
28992
28993
28994
28995
28996
28997
28998
28999
29000
29001
29002
29003
29004
29005
29006
29007
29008
29009
29010
29011
29012
29013
29014
29015
29016
29017
29018
29019
29020
29021
29022
29023
29024
29025
29026
29027
29028
29029
29030
29031
29032
29033
29034
29035
29036
29037
29038
29039
29040
29041
29042
29043
29044
29045
29046
29047
29048
29049
29050
29051
29052
29053
29054
29055
29056
29057
29058
29059
29060
29061
29062
29063
29064
29065
29066
29067
29068
29069
29070
29071
29072
29073
29074
29075
29076
29077
29078
29079
29080
29081
29082
29083
29084
29085
29086
29087
29088
29089
29090
29091
29092
29093
29094
29095
29096
29097
29098
29099
29100
29101
29102
29103
29104
29105
29106
29107
29108
29109
29110
29111
29112
29113
29114
29115
29116
29117
29118
29119
29120
29121
29122
29123
29124
29125
29126
29127
29128
29129
29130
29131
29132
29133
29134
29135
29136
29137
29138
29139
29140
29141
29142
29143
29144
29145
29146
29147
29148
29149
29150
29151
29152
29153
29154
29155
29156
29157
29158
29159
29160
29161
29162
29163
29164
29165
29166
29167
29168
29169
29170
29171
29172
29173
29174
29175
29176
29177
29178
29179
29180
29181
29182
29183
29184
29185
29186
29187
29188
29189
29190
29191
29192
29193
29194
29195
29196
29197
29198
29199
29200
29201
29202
29203
29204
29205
29206
29207
29208
29209
29210
29211
29212
29213
29214
29215
29216
29217
29218
29219
29220
29221
29222
29223
29224
29225
29226
29227
29228
29229
29230
29231
29232
29233
29234
29235
29236
29237
29238
29239
29240
29241
29242
29243
29244
29245
29246
29247
29248
29249
29250
29251
29252
29253
29254
29255
29256
29257
29258
29259
29260
29261
29262
29263
29264
29265
29266
29267
29268
29269
29270
29271
29272
29273
29274
29275
29276
29277
29278
29279
29280
29281
29282
29283
29284
29285
29286
29287
29288
29289
29290
29291
29292
29293
29294
29295
29296
29297
29298
29299
29300
29301
29302
29303
29304
29305
29306
29307
29308
29309
29310
29311
29312
29313
29314
29315
29316
29317
29318
29319
29320
29321
29322
29323
29324
29325
29326
29327
29328
29329
29330
29331
29332
29333
29334
29335
29336
29337
29338
29339
29340
29341
29342
29343
29344
29345
29346
29347
29348
29349
29350
29351
29352
29353
29354
29355
29356
29357
29358
29359
29360
29361
29362
29363
29364
29365
29366
29367
29368
29369
29370
29371
29372
29373
29374
29375
29376
29377
29378
29379
29380
29381
29382
29383
29384
29385
29386
29387
29388
29389
29390
29391
29392
29393
29394
29395
29396
29397
29398
29399
29400
29401
29402
29403
29404
29405
29406
29407
29408
29409
29410
29411
29412
29413
29414
29415
29416
29417
29418
29419
29420
29421
29422
29423
29424
29425
29426
29427
29428
29429
29430
29431
29432
29433
29434
29435
29436
29437
29438
29439
29440
29441
29442
29443
29444
29445
29446
29447
29448
29449
29450
29451
29452
29453
29454
29455
29456
29457
29458
29459
29460
29461
29462
29463
29464
29465
29466
29467
29468
29469
29470
29471
29472
29473
29474
29475
29476
29477
29478
29479
29480
29481
29482
29483
29484
29485
29486
29487
29488
29489
29490
29491
29492
29493
29494
29495
29496
29497
29498
29499
29500
29501
29502
29503
29504
29505
29506
29507
29508
29509
29510
29511
29512
29513
29514
29515
29516
29517
29518
29519
29520
29521
29522
29523
29524
29525
29526
29527
29528
29529
29530
29531
29532
29533
29534
29535
29536
29537
29538
29539
29540
29541
29542
29543
29544
29545
29546
29547
29548
29549
29550
29551
29552
29553
29554
29555
29556
29557
29558
29559
29560
29561
29562
29563
29564
29565
29566
29567
29568
29569
29570
29571
29572
29573
29574
29575
29576
29577
29578
29579
29580
29581
29582
29583
29584
29585
29586
29587
29588
29589
29590
29591
29592
29593
29594
29595
29596
29597
29598
29599
29600
29601
29602
29603
29604
29605
29606
29607
29608
29609
29610
29611
29612
29613
29614
29615
29616
29617
29618
29619
29620
29621
29622
29623
29624
29625
29626
29627
29628
29629
29630
29631
29632
29633
29634
29635
29636
29637
29638
29639
29640
29641
29642
29643
29644
29645
29646
29647
29648
29649
29650
29651
29652
29653
29654
29655
29656
29657
29658
29659
29660
29661
29662
29663
29664
29665
29666
29667
29668
29669
29670
29671
29672
29673
29674
29675
29676
29677
29678
29679
29680
29681
29682
29683
29684
29685
29686
29687
29688
29689
29690
29691
29692
29693
29694
29695
29696
29697
29698
29699
29700
29701
29702
29703
29704
29705
29706
29707
29708
29709
29710
29711
29712
29713
29714
29715
29716
29717
29718
29719
29720
29721
29722
29723
29724
29725
29726
29727
29728
29729
29730
29731
29732
29733
29734
29735
29736
29737
29738
29739
29740
29741
29742
29743
29744
29745
29746
29747
29748
29749
29750
29751
29752
29753
29754
29755
29756
29757
29758
29759
29760
29761
29762
29763
29764
29765
29766
29767
29768
29769
29770
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781
29782
29783
29784
29785
29786
29787
29788
29789
29790
29791
29792
29793
29794
29795
29796
29797
29798
29799
29800
29801
29802
29803
29804
29805
29806
29807
29808
29809
29810
29811
29812
29813
29814
29815
29816
29817
29818
29819
29820
29821
29822
29823
29824
29825
29826
29827
29828
29829
29830
29831
29832
29833
29834
29835
29836
29837
29838
29839
29840
29841
29842
29843
29844
29845
29846
29847
29848
29849
29850
29851
29852
29853
29854
29855
29856
29857
29858
29859
29860
29861
29862
29863
29864
29865
29866
29867
29868
29869
29870
29871
29872
29873
29874
29875
29876
29877
29878
29879
29880
29881
29882
29883
29884
29885
29886
29887
29888
29889
29890
29891
29892
29893
29894
29895
29896
29897
29898
29899
29900
29901
29902
29903
29904
29905
29906
29907
29908
29909
29910
29911
29912
29913
29914
29915
29916
29917
29918
29919
29920
29921
29922
29923
29924
29925
29926
29927
29928
29929
29930
29931
29932
29933
29934
29935
29936
29937
29938
29939
29940
29941
29942
29943
29944
29945
29946
29947
29948
29949
29950
29951
29952
29953
29954
29955
29956
29957
29958
29959
29960
29961
29962
29963
29964
29965
29966
29967
29968
29969
29970
29971
29972
29973
29974
29975
29976
29977
29978
29979
29980
29981
29982
29983
29984
29985
29986
29987
29988
29989
29990
29991
29992
29993
29994
29995
29996
29997
29998
29999
30000
30001
30002
30003
30004
30005
30006
30007
30008
30009
30010
30011
30012
30013
30014
30015
30016
30017
30018
30019
30020
30021
30022
30023
30024
30025
30026
30027
30028
30029
30030
30031
30032
30033
30034
30035
30036
30037
30038
30039
30040
30041
30042
30043
30044
30045
30046
30047
30048
30049
30050
30051
30052
30053
30054
30055
30056
30057
30058
30059
30060
30061
30062
30063
30064
30065
30066
30067
30068
30069
30070
30071
30072
30073
30074
30075
30076
30077
30078
30079
30080
30081
30082
30083
30084
30085
30086
30087
30088
30089
30090
30091
30092
30093
30094
30095
30096
30097
30098
30099
30100
30101
30102
30103
30104
30105
30106
30107
30108
30109
30110
30111
30112
30113
30114
30115
30116
30117
30118
30119
30120
30121
30122
30123
30124
30125
30126
30127
30128
30129
30130
30131
30132
30133
30134
30135
30136
30137
30138
30139
30140
30141
30142
30143
30144
30145
30146
30147
30148
30149
30150
30151
30152
30153
30154
30155
30156
30157
30158
30159
30160
30161
30162
30163
30164
30165
30166
30167
30168
30169
30170
30171
30172
30173
30174
30175
30176
30177
30178
30179
30180
30181
30182
30183
30184
30185
30186
30187
30188
30189
30190
30191
30192
30193
30194
30195
30196
30197
30198
30199
30200
30201
30202
30203
30204
30205
30206
30207
30208
30209
30210
30211
30212
30213
30214
30215
30216
30217
30218
30219
30220
30221
30222
30223
30224
30225
30226
30227
30228
30229
30230
30231
30232
30233
30234
30235
30236
30237
30238
30239
30240
30241
30242
30243
30244
30245
30246
30247
30248
30249
30250
30251
30252
30253
30254
30255
30256
30257
30258
30259
30260
30261
30262
30263
30264
30265
30266
30267
30268
30269
30270
30271
30272
30273
30274
30275
30276
30277
30278
30279
30280
30281
30282
30283
30284
30285
30286
30287
30288
30289
30290
30291
30292
30293
30294
30295
30296
30297
30298
30299
30300
30301
30302
30303
30304
30305
30306
30307
30308
30309
30310
30311
30312
30313
30314
30315
30316
30317
30318
30319
30320
30321
30322
30323
30324
30325
30326
30327
30328
30329
30330
30331
30332
30333
30334
30335
30336
30337
30338
30339
30340
30341
30342
30343
30344
30345
30346
30347
30348
30349
30350
30351
30352
30353
30354
30355
30356
30357
30358
30359
30360
30361
30362
30363
30364
30365
30366
30367
30368
30369
30370
30371
30372
30373
30374
30375
30376
30377
30378
30379
30380
30381
30382
30383
30384
30385
30386
30387
30388
30389
30390
30391
30392
30393
30394
30395
30396
30397
30398
30399
30400
30401
30402
30403
30404
30405
30406
30407
30408
30409
30410
30411
30412
30413
30414
30415
30416
30417
30418
30419
30420
30421
30422
30423
30424
30425
30426
30427
30428
30429
30430
30431
30432
30433
30434
30435
30436
30437
30438
30439
30440
30441
30442
30443
30444
30445
30446
30447
30448
30449
30450
30451
30452
30453
30454
30455
30456
30457
30458
30459
30460
30461
30462
30463
30464
30465
30466
30467
30468
30469
30470
30471
30472
30473
30474
30475
30476
30477
30478
30479
30480
30481
30482
30483
30484
30485
30486
30487
30488
30489
30490
30491
30492
30493
30494
30495
30496
30497
30498
30499
30500
30501
30502
30503
30504
30505
30506
30507
30508
30509
30510
30511
30512
30513
30514
30515
30516
30517
30518
30519
30520
30521
30522
30523
30524
30525
30526
30527
30528
30529
30530
30531
30532
30533
30534
30535
30536
30537
30538
30539
30540
30541
30542
30543
30544
30545
30546
30547
30548
30549
30550
30551
30552
30553
30554
30555
30556
30557
30558
30559
30560
30561
30562
30563
30564
30565
30566
30567
30568
30569
30570
30571
30572
30573
30574
30575
30576
30577
30578
30579
30580
30581
30582
30583
30584
30585
30586
30587
30588
30589
30590
30591
30592
30593
30594
30595
30596
30597
30598
30599
30600
30601
30602
30603
30604
30605
30606
30607
30608
30609
30610
30611
30612
30613
30614
30615
30616
30617
30618
30619
30620
30621
30622
30623
30624
30625
30626
30627
30628
30629
30630
30631
30632
30633
30634
30635
30636
30637
30638
30639
30640
30641
30642
30643
30644
30645
30646
30647
30648
30649
30650
30651
30652
30653
30654
30655
30656
30657
30658
30659
30660
30661
30662
30663
30664
30665
30666
30667
30668
30669
30670
30671
30672
30673
30674
30675
30676
30677
30678
30679
30680
30681
30682
30683
30684
30685
30686
30687
30688
30689
30690
30691
30692
30693
30694
30695
30696
30697
30698
30699
30700
30701
30702
30703
30704
30705
30706
30707
30708
30709
30710
30711
30712
30713
30714
30715
30716
30717
30718
30719
30720
30721
30722
30723
30724
30725
30726
30727
30728
30729
30730
30731
30732
30733
30734
30735
30736
30737
30738
30739
30740
30741
30742
30743
30744
30745
30746
30747
30748
30749
30750
30751
30752
30753
30754
30755
30756
30757
30758
30759
30760
30761
30762
30763
30764
30765
30766
30767
30768
30769
30770
30771
30772
30773
30774
30775
30776
30777
30778
30779
30780
30781
30782
30783
30784
30785
30786
30787
30788
30789
30790
30791
30792
30793
30794
30795
30796
30797
30798
30799
30800
30801
30802
30803
30804
30805
30806
30807
30808
30809
30810
30811
30812
30813
30814
30815
30816
30817
30818
30819
30820
30821
30822
30823
30824
30825
30826
30827
30828
30829
30830
30831
30832
30833
30834
30835
30836
30837
30838
30839
30840
30841
30842
30843
30844
30845
30846
30847
30848
30849
30850
30851
30852
30853
30854
30855
30856
30857
30858
30859
30860
30861
30862
30863
30864
30865
30866
30867
30868
30869
30870
30871
30872
30873
30874
30875
30876
30877
30878
30879
30880
30881
30882
30883
30884
30885
30886
30887
30888
30889
30890
30891
30892
30893
30894
30895
30896
30897
30898
30899
30900
30901
30902
30903
30904
30905
30906
30907
30908
30909
30910
30911
30912
30913
30914
30915
30916
30917
30918
30919
30920
30921
30922
30923
30924
30925
30926
30927
30928
30929
30930
30931
30932
30933
30934
30935
30936
30937
30938
30939
30940
30941
30942
30943
30944
30945
30946
30947
30948
30949
30950
30951
30952
30953
30954
30955
30956
30957
30958
30959
30960
30961
30962
30963
30964
30965
30966
30967
30968
30969
30970
30971
30972
30973
30974
30975
30976
30977
30978
30979
30980
30981
30982
30983
30984
30985
30986
30987
30988
30989
30990
30991
30992
30993
30994
30995
30996
30997
30998
30999
31000
31001
31002
31003
31004
31005
31006
31007
31008
31009
31010
31011
31012
31013
31014
31015
31016
31017
31018
31019
31020
31021
31022
31023
31024
31025
31026
31027
31028
31029
31030
31031
31032
31033
31034
31035
31036
31037
31038
31039
31040
31041
31042
31043
31044
31045
31046
31047
31048
31049
31050
31051
31052
31053
31054
31055
31056
31057
31058
31059
31060
31061
31062
31063
31064
31065
31066
31067
31068
31069
31070
31071
31072
31073
31074
31075
31076
31077
31078
31079
31080
31081
31082
31083
31084
31085
31086
31087
31088
31089
31090
31091
31092
31093
31094
31095
31096
31097
31098
31099
31100
31101
31102
31103
31104
31105
31106
31107
31108
31109
31110
31111
31112
31113
31114
31115
31116
31117
31118
31119
31120
31121
31122
31123
31124
31125
31126
31127
31128
31129
31130
31131
31132
31133
31134
31135
31136
31137
31138
31139
31140
31141
31142
31143
31144
31145
31146
31147
31148
31149
31150
31151
31152
31153
31154
31155
31156
31157
31158
31159
31160
31161
31162
31163
31164
31165
31166
31167
31168
31169
31170
31171
31172
31173
31174
31175
31176
31177
31178
31179
31180
31181
31182
31183
31184
31185
31186
31187
31188
31189
31190
31191
31192
31193
31194
31195
31196
31197
31198
31199
31200
31201
31202
31203
31204
31205
31206
31207
31208
31209
31210
31211
31212
31213
31214
31215
31216
31217
31218
31219
31220
31221
31222
31223
31224
31225
31226
31227
31228
31229
31230
31231
31232
31233
31234
31235
31236
31237
31238
31239
31240
31241
31242
31243
31244
31245
31246
31247
31248
31249
31250
31251
31252
31253
31254
31255
31256
31257
31258
31259
31260
31261
31262
31263
31264
31265
31266
31267
31268
31269
31270
31271
31272
31273
31274
31275
31276
31277
31278
31279
31280
31281
31282
31283
31284
31285
31286
31287
31288
31289
31290
31291
31292
31293
31294
31295
31296
31297
31298
31299
31300
31301
31302
31303
31304
31305
31306
31307
31308
31309
31310
31311
31312
31313
31314
31315
31316
31317
31318
31319
31320
31321
31322
31323
31324
31325
31326
31327
31328
31329
31330
31331
31332
31333
31334
31335
31336
31337
31338
31339
31340
31341
31342
31343
31344
31345
31346
31347
31348
31349
31350
31351
31352
31353
31354
31355
31356
31357
31358
31359
31360
31361
31362
31363
31364
31365
31366
31367
31368
31369
31370
31371
31372
31373
31374
31375
31376
31377
31378
31379
31380
31381
31382
31383
31384
31385
31386
31387
31388
31389
31390
31391
31392
31393
31394
31395
31396
31397
31398
31399
31400
31401
31402
31403
31404
31405
31406
31407
31408
31409
31410
31411
31412
31413
31414
31415
31416
31417
31418
31419
31420
31421
31422
31423
31424
31425
31426
31427
31428
31429
31430
31431
31432
31433
31434
31435
31436
31437
31438
31439
31440
31441
31442
31443
31444
31445
31446
31447
31448
31449
31450
31451
31452
31453
31454
31455
31456
31457
31458
31459
31460
31461
31462
31463
31464
31465
31466
31467
31468
31469
31470
31471
31472
31473
31474
31475
31476
31477
31478
31479
31480
31481
31482
31483
31484
31485
31486
31487
31488
31489
31490
31491
31492
31493
31494
31495
31496
31497
31498
31499
31500
31501
31502
31503
31504
31505
31506
31507
31508
31509
31510
31511
31512
31513
31514
31515
31516
31517
31518
31519
31520
31521
31522
31523
31524
31525
31526
31527
31528
31529
31530
31531
31532
31533
31534
31535
31536
31537
31538
31539
31540
31541
31542
31543
31544
31545
31546
31547
31548
31549
31550
31551
31552
31553
31554
31555
31556
31557
31558
31559
31560
31561
31562
31563
31564
31565
31566
31567
31568
31569
31570
31571
31572
31573
31574
31575
31576
31577
31578
31579
31580
31581
31582
31583
31584
31585
31586
31587
31588
31589
31590
31591
31592
31593
31594
31595
31596
31597
31598
31599
31600
31601
31602
31603
31604
31605
31606
31607
31608
31609
31610
31611
31612
31613
31614
31615
31616
31617
31618
31619
31620
31621
31622
31623
31624
31625
31626
31627
31628
31629
31630
31631
31632
31633
31634
31635
31636
31637
31638
31639
31640
31641
31642
31643
31644
31645
31646
31647
31648
31649
31650
31651
31652
31653
31654
31655
31656
31657
31658
31659
31660
31661
31662
31663
31664
31665
31666
31667
31668
31669
31670
31671
31672
31673
31674
31675
31676
31677
31678
31679
31680
31681
31682
31683
31684
31685
31686
31687
31688
31689
31690
31691
31692
31693
31694
31695
31696
31697
31698
31699
31700
31701
31702
31703
31704
31705
31706
31707
31708
31709
31710
31711
31712
31713
31714
31715
31716
31717
31718
31719
31720
31721
31722
31723
31724
31725
31726
31727
31728
31729
31730
31731
31732
31733
31734
31735
31736
31737
31738
31739
31740
31741
31742
31743
31744
31745
31746
31747
31748
31749
31750
31751
31752
31753
31754
31755
31756
31757
31758
31759
31760
31761
31762
31763
31764
31765
31766
31767
31768
31769
31770
31771
31772
31773
31774
31775
31776
31777
31778
31779
31780
31781
31782
31783
31784
31785
31786
31787
31788
31789
31790
31791
31792
31793
31794
31795
31796
31797
31798
31799
31800
31801
31802
31803
31804
31805
31806
31807
31808
31809
31810
31811
31812
31813
31814
31815
31816
31817
31818
31819
31820
31821
31822
31823
31824
31825
31826
31827
31828
31829
31830
31831
31832
31833
31834
31835
31836
31837
31838
31839
31840
31841
31842
31843
31844
31845
31846
31847
31848
31849
31850
31851
31852
31853
31854
31855
31856
31857
31858
31859
31860
31861
31862
31863
31864
31865
31866
31867
31868
31869
31870
31871
31872
31873
31874
31875
31876
31877
31878
31879
31880
31881
31882
31883
31884
31885
31886
31887
31888
31889
31890
31891
31892
31893
31894
31895
31896
31897
31898
31899
31900
31901
31902
31903
31904
31905
31906
31907
31908
31909
31910
31911
31912
31913
31914
31915
31916
31917
31918
31919
31920
31921
31922
31923
31924
31925
31926
31927
31928
31929
31930
31931
31932
31933
31934
31935
31936
31937
31938
31939
31940
31941
31942
31943
31944
31945
31946
31947
31948
31949
31950
31951
31952
31953
31954
31955
31956
31957
31958
31959
31960
31961
31962
31963
31964
31965
31966
31967
31968
31969
31970
31971
31972
31973
31974
31975
31976
31977
31978
31979
31980
31981
31982
31983
31984
31985
31986
31987
31988
31989
31990
31991
31992
31993
31994
31995
31996
31997
31998
31999
32000
32001
32002
32003
32004
32005
32006
32007
32008
32009
32010
32011
32012
32013
32014
32015
32016
32017
32018
32019
32020
32021
32022
32023
32024
32025
32026
32027
32028
32029
32030
32031
32032
32033
32034
32035
32036
32037
32038
32039
32040
32041
32042
32043
32044
32045
32046
32047
32048
32049
32050
32051
32052
32053
32054
32055
32056
32057
32058
32059
32060
32061
32062
32063
32064
32065
32066
32067
32068
32069
32070
32071
32072
32073
32074
32075
32076
32077
32078
32079
32080
32081
32082
32083
32084
32085
32086
32087
32088
32089
32090
32091
32092
32093
32094
32095
32096
32097
32098
32099
32100
32101
32102
32103
32104
32105
32106
32107
32108
32109
32110
32111
32112
32113
32114
32115
32116
32117
32118
32119
32120
32121
32122
32123
32124
32125
32126
32127
32128
32129
32130
32131
32132
32133
32134
32135
32136
32137
32138
32139
32140
32141
32142
32143
32144
32145
32146
32147
32148
32149
32150
32151
32152
32153
32154
32155
32156
32157
32158
32159
32160
32161
32162
32163
32164
32165
32166
32167
32168
32169
32170
32171
32172
32173
32174
32175
32176
32177
32178
32179
32180
32181
32182
32183
32184
32185
32186
32187
32188
32189
32190
32191
32192
32193
32194
32195
32196
32197
32198
32199
32200
32201
32202
32203
32204
32205
32206
32207
32208
32209
32210
32211
32212
32213
32214
32215
32216
32217
32218
32219
32220
32221
32222
32223
32224
32225
32226
32227
32228
32229
32230
32231
32232
32233
32234
32235
32236
32237
32238
32239
32240
32241
32242
32243
32244
32245
32246
32247
32248
32249
32250
32251
32252
32253
32254
32255
32256
32257
32258
32259
32260
32261
32262
32263
32264
32265
32266
32267
32268
32269
32270
32271
32272
32273
32274
32275
32276
32277
32278
32279
32280
32281
32282
32283
32284
32285
32286
32287
32288
32289
32290
32291
32292
32293
32294
32295
32296
32297
32298
32299
32300
32301
32302
32303
32304
32305
32306
32307
32308
32309
32310
32311
32312
32313
32314
32315
32316
32317
32318
32319
32320
32321
32322
32323
32324
32325
32326
32327
32328
32329
32330
32331
32332
32333
32334
32335
32336
32337
32338
32339
32340
32341
32342
32343
32344
32345
32346
32347
32348
32349
32350
32351
32352
32353
32354
32355
32356
32357
32358
32359
32360
32361
32362
32363
32364
32365
32366
32367
32368
32369
32370
32371
32372
32373
32374
32375
32376
32377
32378
32379
32380
32381
32382
32383
32384
32385
32386
32387
32388
32389
32390
32391
32392
32393
32394
32395
32396
32397
32398
32399
32400
32401
32402
32403
32404
32405
32406
32407
32408
32409
32410
32411
32412
32413
32414
32415
32416
32417
32418
32419
32420
32421
32422
32423
32424
32425
32426
32427
32428
32429
32430
32431
32432
32433
32434
32435
32436
32437
32438
32439
32440
32441
32442
32443
32444
32445
32446
32447
32448
32449
32450
32451
32452
32453
32454
32455
32456
32457
32458
32459
32460
32461
32462
32463
32464
32465
32466
32467
32468
32469
32470
32471
32472
32473
32474
32475
32476
32477
32478
32479
32480
32481
32482
32483
32484
32485
32486
32487
32488
32489
32490
32491
32492
32493
32494
32495
32496
32497
32498
32499
32500
32501
32502
32503
32504
32505
32506
32507
32508
32509
32510
32511
32512
32513
32514
32515
32516
32517
32518
32519
32520
32521
32522
32523
32524
32525
32526
32527
32528
32529
32530
32531
32532
32533
32534
32535
32536
32537
32538
32539
32540
32541
32542
32543
32544
32545
32546
32547
32548
32549
32550
32551
32552
32553
32554
32555
32556
32557
32558
32559
32560
32561
32562
32563
32564
32565
32566
32567
32568
32569
32570
32571
32572
32573
32574
32575
32576
32577
32578
32579
32580
32581
32582
32583
32584
32585
32586
32587
32588
32589
32590
32591
32592
32593
32594
32595
32596
32597
32598
32599
32600
32601
32602
32603
32604
32605
32606
32607
32608
32609
32610
32611
32612
32613
32614
32615
32616
32617
32618
32619
32620
32621
32622
32623
32624
32625
32626
32627
32628
32629
32630
32631
32632
32633
32634
32635
32636
32637
32638
32639
32640
32641
32642
32643
32644
32645
32646
32647
32648
32649
32650
32651
32652
32653
32654
32655
32656
32657
32658
32659
32660
32661
32662
32663
32664
32665
32666
32667
32668
32669
32670
32671
32672
32673
32674
32675
32676
32677
32678
32679
32680
32681
32682
32683
32684
32685
32686
32687
32688
32689
32690
32691
32692
32693
32694
32695
32696
32697
32698
32699
32700
32701
32702
32703
32704
32705
32706
32707
32708
32709
32710
32711
32712
32713
32714
32715
32716
32717
32718
32719
32720
32721
32722
32723
32724
32725
32726
32727
32728
32729
32730
32731
32732
32733
32734
32735
32736
32737
32738
32739
32740
32741
32742
32743
32744
32745
32746
32747
32748
32749
32750
32751
32752
32753
32754
32755
32756
32757
32758
32759
32760
32761
32762
32763
32764
32765
32766
32767
32768
32769
32770
32771
32772
32773
32774
32775
32776
32777
32778
32779
32780
32781
32782
32783
32784
32785
32786
32787
32788
32789
32790
32791
32792
32793
32794
32795
32796
32797
32798
32799
32800
32801
32802
32803
32804
32805
32806
32807
32808
32809
32810
32811
32812
32813
32814
32815
32816
32817
32818
32819
32820
32821
32822
32823
32824
32825
32826
32827
32828
32829
32830
32831
32832
32833
32834
32835
32836
32837
32838
32839
32840
32841
32842
32843
32844
32845
32846
32847
32848
32849
32850
32851
32852
32853
32854
32855
32856
32857
32858
32859
32860
32861
32862
32863
32864
32865
32866
32867
32868
32869
32870
32871
32872
32873
32874
32875
32876
32877
32878
32879
32880
32881
32882
32883
32884
32885
32886
32887
32888
32889
32890
32891
32892
32893
32894
32895
32896
32897
32898
32899
32900
32901
32902
32903
32904
32905
32906
32907
32908
32909
32910
32911
32912
32913
32914
32915
32916
32917
32918
32919
32920
32921
32922
32923
32924
32925
32926
32927
32928
32929
32930
32931
32932
32933
32934
32935
32936
32937
32938
32939
32940
32941
32942
32943
32944
32945
32946
32947
32948
32949
32950
32951
32952
32953
32954
32955
32956
32957
32958
32959
32960
32961
32962
32963
32964
32965
32966
32967
32968
32969
32970
32971
32972
32973
32974
32975
32976
32977
32978
32979
32980
32981
32982
32983
32984
32985
32986
32987
32988
32989
32990
32991
32992
32993
32994
32995
32996
32997
32998
32999
33000
33001
33002
33003
33004
33005
33006
33007
33008
33009
33010
33011
33012
33013
33014
33015
33016
33017
33018
33019
33020
33021
33022
33023
33024
33025
33026
33027
33028
33029
33030
33031
33032
33033
33034
33035
33036
33037
33038
33039
33040
33041
33042
33043
33044
33045
33046
33047
33048
33049
33050
33051
33052
33053
33054
33055
33056
33057
33058
33059
33060
33061
33062
33063
33064
33065
33066
33067
33068
33069
33070
33071
33072
33073
33074
33075
33076
33077
33078
33079
33080
33081
33082
33083
33084
33085
33086
33087
33088
33089
33090
33091
33092
33093
33094
33095
33096
33097
33098
33099
33100
33101
33102
33103
33104
33105
33106
33107
33108
33109
33110
33111
33112
33113
33114
33115
33116
33117
33118
33119
33120
33121
33122
33123
33124
33125
33126
33127
33128
33129
33130
33131
33132
33133
33134
33135
33136
33137
33138
33139
33140
33141
33142
33143
33144
33145
33146
33147
33148
33149
33150
33151
33152
33153
33154
33155
33156
33157
33158
33159
33160
33161
33162
33163
33164
33165
33166
33167
33168
33169
33170
33171
33172
33173
33174
33175
33176
33177
33178
33179
33180
33181
33182
33183
33184
33185
33186
33187
33188
33189
33190
33191
33192
33193
33194
33195
33196
33197
33198
33199
33200
33201
33202
33203
33204
33205
33206
33207
33208
33209
33210
33211
33212
33213
33214
33215
33216
33217
33218
33219
33220
33221
33222
33223
33224
33225
33226
33227
33228
33229
33230
33231
33232
33233
33234
33235
33236
33237
33238
33239
33240
33241
33242
33243
33244
33245
33246
33247
33248
33249
33250
33251
33252
33253
33254
33255
33256
33257
33258
33259
33260
33261
33262
33263
33264
33265
33266
33267
33268
33269
33270
33271
33272
33273
33274
33275
33276
33277
33278
33279
33280
33281
33282
33283
33284
33285
33286
33287
33288
33289
33290
33291
33292
33293
33294
33295
33296
33297
33298
33299
33300
33301
33302
33303
33304
33305
33306
33307
33308
33309
33310
33311
33312
33313
33314
33315
33316
33317
33318
33319
33320
33321
33322
33323
33324
33325
33326
33327
33328
33329
33330
33331
33332
33333
33334
33335
33336
33337
33338
33339
33340
33341
33342
33343
33344
33345
33346
33347
33348
33349
33350
33351
33352
33353
33354
33355
33356
33357
33358
33359
33360
33361
33362
33363
33364
33365
33366
33367
33368
33369
33370
33371
33372
33373
33374
33375
33376
33377
33378
33379
33380
33381
33382
33383
33384
33385
33386
33387
33388
33389
33390
33391
33392
33393
33394
33395
33396
33397
33398
33399
33400
33401
33402
33403
33404
33405
33406
33407
33408
33409
33410
33411
33412
33413
33414
33415
33416
33417
33418
33419
33420
33421
33422
33423
33424
33425
33426
33427
33428
33429
33430
33431
33432
33433
33434
33435
33436
33437
33438
33439
33440
33441
33442
33443
33444
33445
33446
33447
33448
33449
33450
33451
33452
33453
33454
33455
33456
33457
33458
33459
33460
33461
33462
33463
33464
33465
33466
33467
33468
33469
33470
33471
33472
33473
33474
33475
33476
33477
33478
33479
33480
33481
33482
33483
33484
33485
33486
33487
33488
33489
33490
33491
33492
33493
33494
33495
33496
33497
33498
33499
33500
33501
33502
33503
33504
33505
33506
33507
33508
33509
33510
33511
33512
33513
33514
33515
33516
33517
33518
33519
33520
33521
33522
33523
33524
33525
33526
33527
33528
33529
33530
33531
33532
33533
33534
33535
33536
33537
33538
33539
33540
33541
33542
33543
33544
33545
33546
33547
33548
33549
33550
33551
33552
33553
33554
33555
33556
33557
33558
33559
33560
33561
33562
33563
33564
33565
33566
33567
33568
33569
33570
33571
33572
33573
33574
33575
33576
33577
33578
33579
33580
33581
33582
33583
33584
33585
33586
33587
33588
33589
33590
33591
33592
33593
33594
33595
33596
33597
33598
33599
33600
33601
33602
33603
33604
33605
33606
33607
33608
33609
33610
33611
33612
33613
33614
33615
33616
33617
33618
33619
33620
33621
33622
33623
33624
33625
33626
33627
33628
33629
33630
33631
33632
33633
33634
33635
33636
33637
33638
33639
33640
33641
33642
33643
33644
33645
33646
33647
33648
33649
33650
33651
33652
33653
33654
33655
33656
33657
33658
33659
33660
33661
33662
33663
33664
33665
33666
33667
33668
33669
33670
33671
33672
33673
33674
33675
33676
33677
33678
33679
33680
33681
33682
33683
33684
33685
33686
33687
33688
33689
33690
33691
33692
33693
33694
33695
33696
33697
33698
33699
33700
33701
33702
33703
33704
33705
33706
33707
33708
33709
33710
33711
33712
33713
33714
33715
33716
33717
33718
33719
33720
33721
33722
33723
33724
33725
33726
33727
33728
33729
33730
33731
33732
33733
33734
33735
33736
33737
33738
33739
33740
33741
33742
33743
33744
33745
33746
33747
33748
33749
33750
33751
33752
33753
33754
33755
33756
33757
33758
33759
33760
33761
33762
33763
33764
33765
33766
33767
33768
33769
33770
33771
33772
33773
33774
33775
33776
33777
33778
33779
33780
33781
33782
33783
33784
33785
33786
33787
33788
33789
33790
33791
33792
33793
33794
33795
33796
33797
33798
33799
33800
33801
33802
33803
33804
33805
33806
33807
33808
33809
33810
33811
33812
33813
33814
33815
33816
33817
33818
33819
33820
33821
33822
33823
33824
33825
33826
33827
33828
33829
33830
33831
33832
33833
33834
33835
33836
33837
33838
33839
33840
33841
33842
33843
33844
33845
33846
33847
33848
33849
33850
33851
33852
33853
33854
33855
33856
33857
33858
33859
33860
33861
33862
33863
33864
33865
33866
33867
33868
33869
33870
33871
33872
33873
33874
33875
33876
33877
33878
33879
33880
33881
33882
33883
33884
33885
33886
33887
33888
33889
33890
33891
33892
33893
33894
33895
33896
33897
33898
33899
33900
33901
33902
33903
33904
33905
33906
33907
33908
33909
33910
33911
33912
33913
33914
33915
33916
33917
33918
33919
33920
33921
33922
33923
33924
33925
33926
33927
33928
33929
33930
33931
33932
33933
33934
33935
33936
33937
33938
33939
33940
33941
33942
33943
33944
33945
33946
33947
33948
33949
33950
33951
33952
33953
33954
33955
33956
33957
33958
33959
33960
33961
33962
33963
33964
33965
33966
33967
33968
33969
33970
33971
33972
33973
33974
33975
33976
33977
33978
33979
33980
33981
33982
33983
33984
33985
33986
33987
33988
33989
33990
33991
33992
33993
33994
33995
33996
33997
33998
33999
34000
34001
34002
34003
34004
34005
34006
34007
34008
34009
34010
34011
34012
34013
34014
34015
34016
34017
34018
34019
34020
34021
34022
34023
34024
34025
34026
34027
34028
34029
34030
34031
34032
34033
34034
34035
34036
34037
34038
34039
34040
34041
34042
34043
34044
34045
34046
34047
34048
34049
34050
34051
34052
34053
34054
34055
34056
34057
34058
34059
34060
34061
34062
34063
34064
34065
34066
34067
34068
34069
34070
34071
34072
34073
34074
34075
34076
34077
34078
34079
34080
34081
34082
34083
34084
34085
34086
34087
34088
34089
34090
34091
34092
34093
34094
34095
34096
34097
34098
34099
34100
34101
34102
34103
34104
34105
34106
34107
34108
34109
34110
34111
34112
34113
34114
34115
34116
34117
34118
34119
34120
34121
34122
34123
34124
34125
34126
34127
34128
34129
34130
34131
34132
34133
34134
34135
34136
34137
34138
34139
34140
34141
34142
34143
34144
34145
34146
34147
34148
34149
34150
34151
34152
34153
34154
34155
34156
34157
34158
34159
34160
34161
34162
34163
34164
34165
34166
34167
34168
34169
34170
34171
34172
34173
34174
34175
34176
34177
34178
34179
34180
34181
34182
34183
34184
34185
34186
34187
34188
34189
34190
34191
34192
34193
34194
34195
34196
34197
34198
34199
34200
34201
34202
34203
34204
34205
34206
34207
34208
34209
34210
34211
34212
34213
34214
34215
34216
34217
34218
34219
34220
34221
34222
34223
34224
34225
34226
34227
34228
34229
34230
34231
34232
34233
34234
34235
34236
34237
34238
34239
34240
34241
34242
34243
34244
34245
34246
34247
34248
34249
34250
34251
34252
34253
34254
34255
34256
34257
34258
34259
34260
34261
34262
34263
34264
34265
34266
34267
34268
34269
34270
34271
34272
34273
34274
34275
34276
34277
34278
34279
34280
34281
34282
34283
34284
34285
34286
34287
34288
34289
34290
34291
34292
34293
34294
34295
34296
34297
34298
34299
34300
34301
34302
34303
34304
34305
34306
34307
34308
34309
34310
34311
34312
34313
34314
34315
34316
34317
34318
34319
34320
34321
34322
34323
34324
34325
34326
34327
34328
34329
34330
34331
34332
34333
34334
34335
34336
34337
34338
34339
34340
34341
34342
34343
34344
34345
34346
34347
34348
34349
34350
34351
34352
34353
34354
34355
34356
34357
34358
34359
34360
34361
34362
34363
34364
34365
34366
34367
34368
34369
34370
34371
34372
34373
34374
34375
34376
34377
34378
34379
34380
34381
34382
34383
34384
34385
34386
34387
34388
34389
34390
34391
34392
34393
34394
34395
34396
34397
34398
34399
34400
34401
34402
34403
34404
34405
34406
34407
34408
34409
34410
34411
34412
34413
34414
34415
34416
34417
34418
34419
34420
34421
34422
34423
34424
34425
34426
34427
34428
34429
34430
34431
34432
34433
34434
34435
34436
34437
34438
34439
34440
34441
34442
34443
34444
34445
34446
34447
34448
34449
34450
34451
34452
34453
34454
34455
34456
34457
34458
34459
34460
34461
34462
34463
34464
34465
34466
34467
34468
34469
34470
34471
34472
34473
34474
34475
34476
34477
34478
34479
34480
34481
34482
34483
34484
34485
34486
34487
34488
34489
34490
34491
34492
34493
34494
34495
34496
34497
34498
34499
34500
34501
34502
34503
34504
34505
34506
34507
34508
34509
34510
34511
34512
34513
34514
34515
34516
34517
34518
34519
34520
34521
34522
34523
34524
34525
34526
34527
34528
34529
34530
34531
34532
34533
34534
34535
34536
34537
34538
34539
34540
34541
34542
34543
34544
34545
34546
34547
34548
34549
34550
34551
34552
34553
34554
34555
34556
34557
34558
34559
34560
34561
34562
34563
34564
34565
34566
34567
34568
34569
34570
34571
34572
34573
34574
34575
34576
34577
34578
34579
34580
34581
34582
34583
34584
34585
34586
34587
34588
34589
34590
34591
34592
34593
34594
34595
34596
34597
34598
34599
34600
34601
34602
34603
34604
34605
34606
34607
34608
34609
34610
34611
34612
34613
34614
34615
34616
34617
34618
34619
34620
34621
34622
34623
34624
34625
34626
34627
34628
34629
34630
34631
34632
34633
34634
34635
34636
34637
34638
34639
34640
34641
34642
34643
34644
34645
34646
34647
34648
34649
34650
34651
34652
34653
34654
34655
34656
34657
34658
34659
34660
34661
34662
34663
34664
34665
34666
34667
34668
34669
34670
34671
34672
34673
34674
34675
34676
34677
34678
34679
34680
34681
34682
34683
34684
34685
34686
34687
34688
34689
34690
34691
34692
34693
34694
34695
34696
34697
34698
34699
34700
34701
34702
34703
34704
34705
34706
34707
34708
34709
34710
34711
34712
34713
34714
34715
34716
34717
34718
34719
34720
34721
34722
34723
34724
34725
34726
34727
34728
34729
34730
34731
34732
34733
34734
34735
34736
34737
34738
34739
34740
34741
34742
34743
34744
34745
34746
34747
34748
34749
34750
34751
34752
34753
34754
34755
34756
34757
34758
34759
34760
34761
34762
34763
34764
34765
34766
34767
34768
34769
34770
34771
34772
34773
34774
34775
34776
34777
34778
34779
34780
34781
34782
34783
34784
34785
34786
34787
34788
34789
34790
34791
34792
34793
34794
34795
34796
34797
34798
34799
34800
34801
34802
34803
34804
34805
34806
34807
34808
34809
34810
34811
34812
34813
34814
34815
34816
34817
34818
34819
34820
34821
34822
34823
34824
34825
34826
34827
34828
34829
34830
34831
34832
34833
34834
34835
34836
34837
34838
34839
34840
34841
34842
34843
34844
34845
34846
34847
34848
34849
34850
34851
34852
34853
34854
34855
34856
34857
34858
34859
34860
34861
34862
34863
34864
34865
34866
34867
34868
34869
34870
34871
34872
34873
34874
34875
34876
34877
34878
34879
34880
34881
34882
34883
34884
34885
34886
34887
34888
34889
34890
34891
34892
34893
34894
34895
34896
34897
34898
34899
34900
34901
34902
34903
34904
34905
34906
34907
34908
34909
34910
34911
34912
34913
34914
34915
34916
34917
34918
34919
34920
34921
34922
34923
34924
34925
34926
34927
34928
34929
34930
34931
34932
34933
34934
34935
34936
34937
34938
34939
34940
34941
34942
34943
34944
34945
34946
34947
34948
34949
34950
34951
34952
34953
34954
34955
34956
34957
34958
34959
34960
34961
34962
34963
34964
34965
34966
34967
34968
34969
34970
34971
34972
34973
34974
34975
34976
34977
34978
34979
34980
34981
34982
34983
34984
34985
34986
34987
34988
34989
34990
34991
34992
34993
34994
34995
34996
34997
34998
34999
35000
35001
35002
35003
35004
35005
35006
35007
35008
35009
35010
35011
35012
35013
35014
35015
35016
35017
35018
35019
35020
35021
35022
35023
35024
35025
35026
35027
35028
35029
35030
35031
35032
35033
35034
35035
35036
35037
35038
35039
35040
35041
35042
35043
35044
35045
35046
35047
35048
35049
35050
35051
35052
35053
35054
35055
35056
35057
35058
35059
35060
35061
35062
35063
35064
35065
35066
35067
35068
35069
35070
35071
35072
35073
35074
35075
35076
35077
35078
35079
35080
35081
35082
35083
35084
35085
35086
35087
35088
35089
35090
35091
35092
35093
35094
35095
35096
35097
35098
35099
35100
35101
35102
35103
35104
35105
35106
35107
35108
35109
35110
35111
35112
35113
35114
35115
35116
35117
35118
35119
35120
35121
35122
35123
35124
35125
35126
35127
35128
35129
35130
35131
35132
35133
35134
35135
35136
35137
35138
35139
35140
35141
35142
35143
35144
35145
35146
35147
35148
35149
35150
35151
35152
35153
35154
35155
35156
35157
35158
35159
35160
35161
35162
35163
35164
35165
35166
35167
35168
35169
35170
35171
35172
35173
35174
35175
35176
35177
35178
35179
35180
35181
35182
35183
35184
35185
35186
35187
35188
35189
35190
35191
35192
35193
35194
35195
35196
35197
35198
35199
35200
35201
35202
35203
35204
35205
35206
35207
35208
35209
35210
35211
35212
35213
35214
35215
35216
35217
35218
35219
35220
35221
35222
35223
35224
35225
35226
35227
35228
35229
35230
35231
35232
35233
35234
35235
35236
35237
35238
35239
35240
35241
35242
35243
35244
35245
35246
35247
35248
35249
35250
35251
35252
35253
35254
35255
35256
35257
35258
35259
35260
35261
35262
35263
35264
35265
35266
35267
35268
35269
35270
35271
35272
35273
35274
35275
35276
35277
35278
35279
35280
35281
35282
35283
35284
35285
35286
35287
35288
35289
35290
35291
35292
35293
35294
35295
35296
35297
35298
35299
35300
35301
35302
35303
35304
35305
35306
35307
35308
35309
35310
35311
35312
35313
35314
35315
35316
35317
35318
35319
35320
35321
35322
35323
35324
35325
35326
35327
35328
35329
35330
35331
35332
35333
35334
35335
35336
35337
35338
35339
35340
35341
35342
35343
35344
35345
35346
35347
35348
35349
35350
35351
35352
35353
35354
35355
35356
35357
35358
35359
35360
35361
35362
35363
35364
35365
35366
35367
35368
35369
35370
35371
35372
35373
35374
35375
35376
35377
35378
35379
35380
35381
35382
35383
35384
35385
35386
35387
35388
35389
35390
35391
35392
35393
35394
35395
35396
35397
35398
35399
35400
35401
35402
35403
35404
35405
35406
35407
35408
35409
35410
35411
35412
35413
35414
35415
35416
35417
35418
35419
35420
35421
35422
35423
35424
35425
35426
35427
35428
35429
35430
35431
35432
35433
35434
35435
35436
35437
35438
35439
35440
35441
35442
35443
35444
35445
35446
35447
35448
35449
35450
35451
35452
35453
35454
35455
35456
35457
35458
35459
35460
35461
35462
35463
35464
35465
35466
35467
35468
35469
35470
35471
35472
35473
35474
35475
35476
35477
35478
35479
35480
35481
35482
35483
35484
35485
35486
35487
35488
35489
35490
35491
35492
35493
35494
35495
35496
35497
35498
35499
35500
35501
35502
35503
35504
35505
35506
35507
35508
35509
35510
35511
35512
35513
35514
35515
35516
35517
35518
35519
35520
35521
35522
35523
35524
35525
35526
35527
35528
35529
35530
35531
35532
35533
35534
35535
35536
35537
35538
35539
35540
35541
35542
35543
35544
35545
35546
35547
35548
35549
35550
35551
35552
35553
35554
35555
35556
35557
35558
35559
35560
35561
35562
35563
35564
35565
35566
35567
35568
35569
35570
35571
35572
35573
35574
35575
35576
35577
35578
35579
35580
35581
35582
35583
35584
35585
35586
35587
35588
35589
35590
35591
35592
35593
35594
35595
35596
35597
35598
35599
35600
35601
35602
35603
35604
35605
35606
35607
35608
35609
35610
35611
35612
35613
35614
35615
35616
35617
35618
35619
35620
35621
35622
35623
35624
35625
35626
35627
35628
35629
35630
35631
35632
35633
35634
35635
35636
35637
35638
35639
35640
35641
35642
35643
35644
35645
35646
35647
35648
35649
35650
35651
35652
35653
35654
35655
35656
35657
35658
35659
35660
35661
35662
35663
35664
35665
35666
35667
35668
35669
35670
35671
35672
35673
35674
35675
35676
35677
35678
35679
35680
35681
35682
35683
35684
35685
35686
35687
35688
35689
35690
35691
35692
35693
35694
35695
35696
35697
35698
35699
35700
35701
35702
35703
35704
35705
35706
35707
35708
35709
35710
35711
35712
35713
35714
35715
35716
35717
35718
35719
35720
35721
35722
35723
35724
35725
35726
35727
35728
35729
35730
35731
35732
35733
35734
35735
35736
35737
35738
35739
35740
35741
35742
35743
35744
35745
35746
35747
35748
35749
35750
35751
35752
35753
35754
35755
35756
35757
35758
35759
35760
35761
35762
35763
35764
35765
35766
35767
35768
35769
35770
35771
35772
35773
35774
35775
35776
35777
35778
35779
35780
35781
35782
35783
35784
35785
35786
35787
35788
35789
35790
35791
35792
35793
35794
35795
35796
35797
35798
35799
35800
35801
35802
35803
35804
35805
35806
35807
35808
35809
35810
35811
35812
35813
35814
35815
35816
35817
35818
35819
35820
35821
35822
35823
35824
35825
35826
35827
35828
35829
35830
35831
35832
35833
35834
35835
35836
35837
35838
35839
35840
35841
35842
35843
35844
35845
35846
35847
35848
35849
35850
35851
35852
35853
35854
35855
35856
35857
35858
35859
35860
35861
35862
35863
35864
35865
35866
35867
35868
35869
35870
35871
35872
35873
35874
35875
35876
35877
35878
35879
35880
35881
35882
35883
35884
35885
35886
35887
35888
35889
35890
35891
35892
35893
35894
35895
35896
35897
35898
35899
35900
35901
35902
35903
35904
35905
35906
35907
35908
35909
35910
35911
35912
35913
35914
35915
35916
35917
35918
35919
35920
35921
35922
35923
35924
35925
35926
35927
35928
35929
35930
35931
35932
35933
35934
35935
35936
35937
35938
35939
35940
35941
35942
35943
35944
35945
35946
35947
35948
35949
35950
35951
35952
35953
35954
35955
35956
35957
35958
35959
35960
35961
35962
35963
35964
35965
35966
35967
35968
35969
35970
35971
35972
35973
35974
35975
35976
35977
35978
35979
35980
35981
35982
35983
35984
35985
35986
35987
35988
35989
35990
35991
35992
35993
35994
35995
35996
35997
35998
35999
36000
36001
36002
36003
36004
36005
36006
36007
36008
36009
36010
36011
36012
36013
36014
36015
36016
36017
36018
36019
36020
36021
36022
36023
36024
36025
36026
36027
36028
36029
36030
36031
36032
36033
36034
36035
36036
36037
36038
36039
36040
36041
36042
36043
36044
36045
36046
36047
36048
36049
36050
36051
36052
36053
36054
36055
36056
36057
36058
36059
36060
36061
36062
36063
36064
36065
36066
36067
36068
36069
36070
36071
36072
36073
36074
36075
36076
36077
36078
36079
36080
36081
36082
36083
36084
36085
36086
36087
36088
36089
36090
36091
36092
36093
36094
36095
36096
36097
36098
36099
36100
36101
36102
36103
36104
36105
36106
36107
36108
36109
36110
36111
36112
36113
36114
36115
36116
36117
36118
36119
36120
36121
36122
36123
36124
36125
36126
36127
36128
36129
36130
36131
36132
36133
36134
36135
36136
36137
36138
36139
36140
36141
36142
36143
36144
36145
36146
36147
36148
36149
36150
36151
36152
36153
36154
36155
36156
36157
36158
36159
36160
36161
36162
36163
36164
36165
36166
36167
36168
36169
36170
36171
36172
36173
36174
36175
36176
36177
36178
36179
36180
36181
36182
36183
36184
36185
36186
36187
36188
36189
36190
36191
36192
36193
36194
36195
36196
36197
36198
36199
36200
36201
36202
36203
36204
36205
36206
36207
36208
36209
36210
36211
36212
36213
36214
36215
36216
36217
36218
36219
36220
36221
36222
36223
36224
36225
36226
36227
36228
36229
36230
36231
36232
36233
36234
36235
36236
36237
36238
36239
36240
36241
36242
36243
36244
36245
36246
36247
36248
36249
36250
36251
36252
36253
36254
36255
36256
36257
36258
36259
36260
36261
36262
36263
36264
36265
36266
36267
36268
36269
36270
36271
36272
36273
36274
36275
36276
36277
36278
36279
36280
36281
36282
36283
36284
36285
36286
36287
36288
36289
36290
36291
36292
36293
36294
36295
36296
36297
36298
36299
36300
36301
36302
36303
36304
36305
36306
36307
36308
36309
36310
36311
36312
36313
36314
36315
36316
36317
36318
36319
36320
36321
36322
36323
36324
36325
36326
36327
36328
36329
36330
36331
36332
36333
36334
36335
36336
36337
36338
36339
36340
36341
36342
36343
36344
36345
36346
36347
36348
36349
36350
36351
36352
36353
36354
36355
36356
36357
36358
36359
36360
36361
36362
36363
36364
36365
36366
36367
36368
36369
36370
36371
36372
36373
36374
36375
36376
36377
36378
36379
36380
36381
36382
36383
36384
36385
36386
36387
36388
36389
36390
36391
36392
36393
36394
36395
36396
36397
36398
36399
36400
36401
36402
36403
36404
36405
36406
36407
36408
36409
36410
36411
36412
36413
36414
36415
36416
36417
36418
36419
36420
36421
36422
36423
36424
36425
36426
36427
36428
36429
36430
36431
36432
36433
36434
36435
36436
36437
36438
36439
36440
36441
36442
36443
36444
36445
36446
36447
36448
36449
36450
36451
36452
36453
36454
36455
36456
36457
36458
36459
36460
36461
36462
36463
36464
36465
36466
36467
36468
36469
36470
36471
36472
36473
36474
36475
36476
36477
36478
36479
36480
36481
36482
36483
36484
36485
36486
36487
36488
36489
36490
36491
36492
36493
36494
36495
36496
36497
36498
36499
36500
36501
36502
36503
36504
36505
36506
36507
36508
36509
36510
36511
36512
36513
36514
36515
36516
36517
36518
36519
36520
36521
36522
36523
36524
36525
36526
36527
36528
36529
36530
36531
36532
36533
36534
36535
36536
36537
36538
36539
36540
36541
36542
36543
36544
36545
36546
36547
36548
36549
36550
36551
36552
36553
36554
36555
36556
36557
36558
36559
36560
36561
36562
36563
36564
36565
36566
36567
36568
36569
36570
36571
36572
36573
36574
36575
36576
36577
36578
36579
36580
36581
36582
36583
36584
36585
36586
36587
36588
36589
36590
36591
36592
36593
36594
36595
36596
36597
36598
36599
36600
36601
36602
36603
36604
36605
36606
36607
36608
36609
36610
36611
36612
36613
36614
36615
36616
36617
36618
36619
36620
36621
36622
36623
36624
36625
36626
36627
36628
36629
36630
36631
36632
36633
36634
36635
36636
36637
36638
36639
36640
36641
36642
36643
36644
36645
36646
36647
36648
36649
36650
36651
36652
36653
36654
36655
36656
36657
36658
36659
36660
36661
36662
36663
36664
36665
36666
36667
36668
36669
36670
36671
36672
36673
36674
36675
36676
36677
36678
36679
36680
36681
36682
36683
36684
36685
36686
36687
36688
36689
36690
36691
36692
36693
36694
36695
36696
36697
36698
36699
36700
36701
36702
36703
36704
36705
36706
36707
36708
36709
36710
36711
36712
36713
36714
36715
36716
36717
36718
36719
36720
36721
36722
36723
36724
36725
36726
36727
36728
36729
36730
36731
36732
36733
36734
36735
36736
36737
36738
36739
36740
36741
36742
36743
36744
36745
36746
36747
36748
36749
36750
36751
36752
36753
36754
36755
36756
36757
36758
36759
36760
36761
36762
36763
36764
36765
36766
36767
36768
36769
36770
36771
36772
36773
36774
36775
36776
36777
36778
36779
36780
36781
36782
36783
36784
36785
36786
36787
36788
36789
36790
36791
36792
36793
36794
36795
36796
36797
36798
36799
36800
36801
36802
36803
36804
36805
36806
36807
36808
36809
36810
36811
36812
36813
36814
36815
36816
36817
36818
36819
36820
36821
36822
36823
36824
36825
36826
36827
36828
36829
36830
36831
36832
36833
36834
36835
36836
36837
36838
36839
36840
36841
36842
36843
36844
36845
36846
36847
36848
36849
36850
36851
36852
36853
36854
36855
36856
36857
36858
36859
36860
36861
36862
36863
36864
36865
36866
36867
36868
36869
36870
36871
36872
36873
36874
36875
36876
36877
36878
36879
36880
36881
36882
36883
36884
36885
36886
36887
36888
36889
36890
36891
36892
36893
36894
36895
36896
36897
36898
36899
36900
36901
36902
36903
36904
36905
36906
36907
36908
36909
36910
36911
36912
36913
36914
36915
36916
36917
36918
36919
36920
36921
36922
36923
36924
36925
36926
36927
36928
36929
36930
36931
36932
36933
36934
36935
36936
36937
36938
36939
36940
36941
36942
36943
36944
36945
36946
36947
36948
36949
36950
36951
36952
36953
36954
36955
36956
36957
36958
36959
36960
36961
36962
36963
36964
36965
36966
36967
36968
36969
36970
36971
36972
36973
36974
36975
36976
36977
36978
36979
36980
36981
36982
36983
36984
36985
36986
36987
36988
36989
36990
36991
36992
36993
36994
36995
36996
36997
36998
36999
37000
37001
37002
37003
37004
37005
37006
37007
37008
37009
37010
37011
37012
37013
37014
37015
37016
37017
37018
37019
37020
37021
37022
37023
37024
37025
37026
37027
37028
37029
37030
37031
37032
37033
37034
37035
37036
37037
37038
37039
37040
37041
37042
37043
37044
37045
37046
37047
37048
37049
37050
37051
37052
37053
37054
37055
37056
37057
37058
37059
37060
37061
37062
37063
37064
37065
37066
37067
37068
37069
37070
37071
37072
37073
37074
37075
37076
37077
37078
37079
37080
37081
37082
37083
37084
37085
37086
37087
37088
37089
37090
37091
37092
37093
37094
37095
37096
37097
37098
37099
37100
37101
37102
37103
37104
37105
37106
37107
37108
37109
37110
37111
37112
37113
37114
37115
37116
37117
37118
37119
37120
37121
37122
37123
37124
37125
37126
37127
37128
37129
37130
37131
37132
37133
37134
37135
37136
37137
37138
37139
37140
37141
37142
37143
37144
37145
37146
37147
37148
37149
37150
37151
37152
37153
37154
37155
37156
37157
37158
37159
37160
37161
37162
37163
37164
37165
37166
37167
37168
37169
37170
37171
37172
37173
37174
37175
37176
37177
37178
37179
37180
37181
37182
37183
37184
37185
37186
37187
37188
37189
37190
37191
37192
37193
37194
37195
37196
37197
37198
37199
37200
37201
37202
37203
37204
37205
37206
37207
37208
37209
37210
37211
37212
37213
37214
37215
37216
37217
37218
37219
37220
37221
37222
37223
37224
37225
37226
37227
37228
37229
37230
37231
37232
37233
37234
37235
37236
37237
37238
37239
37240
37241
37242
37243
37244
37245
37246
37247
37248
37249
37250
37251
37252
37253
37254
37255
37256
37257
37258
37259
37260
37261
37262
37263
37264
37265
37266
37267
37268
37269
37270
37271
37272
37273
37274
37275
37276
37277
37278
37279
37280
37281
37282
37283
37284
37285
37286
37287
37288
37289
37290
37291
37292
37293
37294
37295
37296
37297
37298
37299
37300
37301
37302
37303
37304
37305
37306
37307
37308
37309
37310
37311
37312
37313
37314
37315
37316
37317
37318
37319
37320
37321
37322
37323
37324
37325
37326
37327
37328
37329
37330
37331
37332
37333
37334
37335
37336
37337
37338
37339
37340
37341
37342
37343
37344
37345
37346
37347
37348
37349
37350
37351
37352
37353
37354
37355
37356
37357
37358
37359
37360
37361
37362
37363
37364
37365
37366
37367
37368
37369
37370
37371
37372
37373
37374
37375
37376
37377
37378
37379
37380
37381
37382
37383
37384
37385
37386
37387
37388
37389
37390
37391
37392
37393
37394
37395
37396
37397
37398
37399
37400
37401
37402
37403
37404
37405
37406
37407
37408
37409
37410
37411
37412
37413
37414
37415
37416
37417
37418
37419
37420
37421
37422
37423
37424
37425
37426
37427
37428
37429
37430
37431
37432
37433
37434
37435
37436
37437
37438
37439
37440
37441
37442
37443
37444
37445
37446
37447
37448
37449
37450
37451
37452
37453
37454
37455
37456
37457
37458
37459
37460
37461
37462
37463
37464
37465
37466
37467
37468
37469
37470
37471
37472
37473
37474
37475
37476
37477
37478
37479
37480
37481
37482
37483
37484
37485
37486
37487
37488
37489
37490
37491
37492
37493
37494
37495
37496
37497
37498
37499
37500
37501
37502
37503
37504
37505
37506
37507
37508
37509
37510
37511
37512
37513
37514
37515
37516
37517
37518
37519
37520
37521
37522
37523
37524
37525
37526
37527
37528
37529
37530
37531
37532
37533
37534
37535
37536
37537
37538
37539
37540
37541
37542
37543
37544
37545
37546
37547
37548
37549
37550
37551
37552
37553
37554
37555
37556
37557
37558
37559
37560
37561
37562
37563
37564
37565
37566
37567
37568
37569
37570
37571
37572
37573
37574
37575
37576
37577
37578
37579
37580
37581
37582
37583
37584
37585
37586
37587
37588
37589
37590
37591
37592
37593
37594
37595
37596
37597
37598
37599
37600
37601
37602
37603
37604
37605
37606
37607
37608
37609
37610
37611
37612
37613
37614
37615
37616
37617
37618
37619
37620
37621
37622
37623
37624
37625
37626
37627
37628
37629
37630
37631
37632
37633
37634
37635
37636
37637
37638
37639
37640
37641
37642
37643
37644
37645
37646
37647
37648
37649
37650
37651
37652
37653
37654
37655
37656
37657
37658
37659
37660
37661
37662
37663
37664
37665
37666
37667
37668
37669
37670
37671
37672
37673
37674
37675
37676
37677
37678
37679
37680
37681
37682
37683
37684
37685
37686
37687
37688
37689
37690
37691
37692
37693
37694
37695
37696
37697
37698
37699
37700
37701
37702
37703
37704
37705
37706
37707
37708
37709
37710
37711
37712
37713
37714
37715
37716
37717
37718
37719
37720
37721
37722
37723
37724
37725
37726
37727
37728
37729
37730
37731
37732
37733
37734
37735
37736
37737
37738
37739
37740
37741
37742
37743
37744
37745
37746
37747
37748
37749
37750
37751
37752
37753
37754
37755
37756
37757
37758
37759
37760
37761
37762
37763
37764
37765
37766
37767
37768
37769
37770
37771
37772
37773
37774
37775
37776
37777
37778
37779
37780
37781
37782
37783
37784
37785
37786
37787
37788
37789
37790
37791
37792
37793
37794
37795
37796
37797
37798
37799
37800
37801
37802
37803
37804
37805
37806
37807
37808
37809
37810
37811
37812
37813
37814
37815
37816
37817
37818
37819
37820
37821
37822
37823
37824
37825
37826
37827
37828
37829
37830
37831
37832
37833
37834
37835
37836
37837
37838
37839
37840
37841
37842
37843
37844
37845
37846
37847
37848
37849
37850
37851
37852
37853
37854
37855
37856
37857
37858
37859
37860
37861
37862
37863
37864
37865
37866
37867
37868
37869
37870
37871
37872
37873
37874
37875
37876
37877
37878
37879
37880
37881
37882
37883
37884
37885
37886
37887
37888
37889
37890
37891
37892
37893
37894
37895
37896
37897
37898
37899
37900
37901
37902
37903
37904
37905
37906
37907
37908
37909
37910
37911
37912
37913
37914
37915
37916
37917
37918
37919
37920
37921
37922
37923
37924
37925
37926
37927
37928
37929
37930
37931
37932
37933
37934
37935
37936
37937
37938
37939
37940
37941
37942
37943
37944
37945
37946
37947
37948
37949
37950
37951
37952
37953
37954
37955
37956
37957
37958
37959
37960
37961
37962
37963
37964
37965
37966
37967
37968
37969
37970
37971
37972
37973
37974
37975
37976
37977
37978
37979
37980
37981
37982
37983
37984
37985
37986
37987
37988
37989
37990
37991
37992
37993
37994
37995
37996
37997
37998
37999
38000
38001
38002
38003
38004
38005
38006
38007
38008
38009
38010
38011
38012
38013
38014
38015
38016
38017
38018
38019
38020
38021
38022
38023
38024
38025
38026
38027
38028
38029
38030
38031
38032
38033
38034
38035
38036
38037
38038
38039
38040
38041
38042
38043
38044
38045
38046
38047
38048
38049
38050
38051
38052
38053
38054
38055
38056
38057
38058
38059
38060
38061
38062
38063
38064
38065
38066
38067
38068
38069
38070
38071
38072
38073
38074
38075
38076
38077
38078
38079
38080
38081
38082
38083
38084
38085
38086
38087
38088
38089
38090
38091
38092
38093
38094
38095
38096
38097
38098
38099
38100
38101
38102
38103
38104
38105
38106
38107
38108
38109
38110
38111
38112
38113
38114
38115
38116
38117
38118
38119
38120
38121
38122
38123
38124
38125
38126
38127
38128
38129
38130
38131
38132
38133
38134
38135
38136
38137
38138
38139
38140
38141
38142
38143
38144
38145
38146
38147
38148
38149
38150
38151
38152
38153
38154
38155
38156
38157
38158
38159
38160
38161
38162
38163
38164
38165
38166
38167
38168
38169
38170
38171
38172
38173
38174
38175
38176
38177
38178
38179
38180
38181
38182
38183
38184
38185
38186
38187
38188
38189
38190
38191
38192
38193
38194
38195
38196
38197
38198
38199
38200
38201
38202
38203
38204
38205
38206
38207
38208
38209
38210
38211
38212
38213
38214
38215
38216
38217
38218
38219
38220
38221
38222
38223
38224
38225
38226
38227
38228
38229
38230
38231
38232
38233
38234
38235
38236
38237
38238
38239
38240
38241
38242
38243
38244
38245
38246
38247
38248
38249
38250
38251
38252
38253
38254
38255
38256
38257
38258
38259
38260
38261
38262
38263
38264
38265
38266
38267
38268
38269
38270
38271
38272
38273
38274
38275
38276
38277
38278
38279
38280
38281
38282
38283
38284
38285
38286
38287
38288
38289
38290
38291
38292
38293
38294
38295
38296
38297
38298
38299
38300
38301
38302
38303
38304
38305
38306
38307
38308
38309
38310
38311
38312
38313
38314
38315
38316
38317
38318
38319
38320
38321
38322
38323
38324
38325
38326
38327
38328
38329
38330
38331
38332
38333
38334
38335
38336
38337
38338
38339
38340
38341
38342
38343
38344
38345
38346
38347
38348
38349
38350
38351
38352
38353
38354
38355
38356
38357
38358
38359
38360
38361
38362
38363
38364
38365
38366
38367
38368
38369
38370
38371
38372
38373
38374
38375
38376
38377
38378
38379
38380
38381
38382
38383
38384
38385
38386
38387
38388
38389
38390
38391
38392
38393
38394
38395
38396
38397
38398
38399
38400
38401
38402
38403
38404
38405
38406
38407
38408
38409
38410
38411
38412
38413
38414
38415
38416
38417
38418
38419
38420
38421
38422
38423
38424
38425
38426
38427
38428
38429
38430
38431
38432
38433
38434
38435
38436
38437
38438
38439
38440
38441
38442
38443
38444
38445
38446
38447
38448
38449
38450
38451
38452
38453
38454
38455
38456
38457
38458
38459
38460
38461
38462
38463
38464
38465
38466
38467
38468
38469
38470
38471
38472
38473
38474
38475
38476
38477
38478
38479
38480
38481
38482
38483
38484
38485
38486
38487
38488
38489
38490
38491
38492
38493
38494
38495
38496
38497
38498
38499
38500
38501
38502
38503
38504
38505
38506
38507
38508
38509
38510
38511
38512
38513
38514
38515
38516
38517
38518
38519
38520
38521
38522
38523
38524
38525
38526
38527
38528
38529
38530
38531
38532
38533
38534
38535
38536
38537
38538
38539
38540
38541
38542
38543
38544
38545
38546
38547
38548
38549
38550
38551
38552
38553
38554
38555
38556
38557
38558
38559
38560
38561
38562
38563
38564
38565
38566
38567
38568
38569
38570
38571
38572
38573
38574
38575
38576
38577
38578
38579
38580
38581
38582
38583
38584
38585
38586
38587
38588
38589
38590
38591
38592
38593
38594
38595
38596
38597
38598
38599
38600
38601
38602
38603
38604
38605
38606
38607
38608
38609
38610
38611
38612
38613
38614
38615
38616
38617
38618
38619
38620
38621
38622
38623
38624
38625
38626
38627
38628
38629
38630
38631
38632
38633
38634
38635
38636
38637
38638
38639
38640
38641
38642
38643
38644
38645
38646
38647
38648
38649
38650
38651
38652
38653
38654
38655
38656
38657
38658
38659
38660
38661
38662
38663
38664
38665
38666
38667
38668
38669
38670
38671
38672
38673
38674
38675
38676
38677
38678
38679
38680
38681
38682
38683
38684
38685
38686
38687
38688
38689
38690
38691
38692
38693
38694
38695
38696
38697
38698
38699
38700
38701
38702
38703
38704
38705
38706
38707
38708
38709
38710
38711
38712
38713
38714
38715
38716
38717
38718
38719
38720
38721
38722
38723
38724
38725
38726
38727
38728
38729
38730
38731
38732
38733
38734
38735
38736
38737
38738
38739
38740
38741
38742
38743
38744
38745
38746
38747
38748
38749
38750
38751
38752
38753
38754
38755
38756
38757
38758
38759
38760
38761
38762
38763
38764
38765
38766
38767
38768
38769
38770
38771
38772
38773
38774
38775
38776
38777
38778
38779
38780
38781
38782
38783
38784
38785
38786
38787
38788
38789
38790
38791
38792
38793
38794
38795
38796
38797
38798
38799
38800
38801
38802
38803
38804
38805
38806
38807
38808
38809
38810
38811
38812
38813
38814
38815
38816
38817
38818
38819
38820
38821
38822
38823
38824
38825
38826
38827
38828
38829
38830
38831
38832
38833
38834
38835
38836
38837
38838
38839
38840
38841
38842
38843
38844
38845
38846
38847
38848
38849
38850
38851
38852
38853
38854
38855
38856
38857
38858
38859
38860
38861
38862
38863
38864
38865
38866
38867
38868
38869
38870
38871
38872
38873
38874
38875
38876
38877
38878
38879
38880
38881
38882
38883
38884
38885
38886
38887
38888
38889
38890
38891
38892
38893
38894
38895
38896
38897
38898
38899
38900
38901
38902
38903
38904
38905
38906
38907
38908
38909
38910
38911
38912
38913
38914
38915
38916
38917
38918
38919
38920
38921
38922
38923
38924
38925
38926
38927
38928
38929
38930
38931
38932
38933
38934
38935
38936
38937
38938
38939
38940
38941
38942
38943
38944
38945
38946
38947
38948
38949
38950
38951
38952
38953
38954
38955
38956
38957
38958
38959
38960
38961
38962
38963
38964
38965
38966
38967
38968
38969
38970
38971
38972
38973
38974
38975
38976
38977
38978
38979
38980
38981
38982
38983
38984
38985
38986
38987
38988
38989
38990
38991
38992
38993
38994
38995
38996
38997
38998
38999
39000
39001
39002
39003
39004
39005
39006
39007
39008
39009
39010
39011
39012
39013
39014
39015
39016
39017
39018
39019
39020
39021
39022
39023
39024
39025
39026
39027
39028
39029
39030
39031
39032
39033
39034
39035
39036
39037
39038
39039
39040
39041
39042
39043
39044
39045
39046
39047
39048
39049
39050
39051
39052
39053
39054
39055
39056
39057
39058
39059
39060
39061
39062
39063
39064
39065
39066
39067
39068
39069
39070
39071
39072
39073
39074
39075
39076
39077
39078
39079
39080
39081
39082
39083
39084
39085
39086
39087
39088
39089
39090
39091
39092
39093
39094
39095
39096
39097
39098
39099
39100
39101
39102
39103
39104
39105
39106
39107
39108
39109
39110
39111
39112
39113
39114
39115
39116
39117
39118
39119
39120
39121
39122
39123
39124
39125
39126
39127
39128
39129
39130
39131
39132
39133
39134
39135
39136
39137
39138
39139
39140
39141
39142
39143
39144
39145
39146
39147
39148
39149
39150
39151
39152
39153
39154
39155
39156
39157
39158
39159
39160
39161
39162
39163
39164
39165
39166
39167
39168
39169
39170
39171
39172
39173
39174
39175
39176
39177
39178
39179
39180
39181
39182
39183
39184
39185
39186
39187
39188
39189
39190
39191
39192
39193
39194
39195
39196
39197
39198
39199
39200
39201
39202
39203
39204
39205
39206
39207
39208
39209
39210
39211
39212
39213
39214
39215
39216
39217
39218
39219
39220
39221
39222
39223
39224
39225
39226
39227
39228
39229
39230
39231
39232
39233
39234
39235
39236
39237
39238
39239
39240
39241
39242
39243
39244
39245
39246
39247
39248
39249
39250
39251
39252
39253
39254
39255
39256
39257
39258
39259
39260
39261
39262
39263
39264
39265
39266
39267
39268
39269
39270
39271
39272
39273
39274
39275
39276
39277
39278
39279
39280
39281
39282
39283
39284
39285
39286
39287
39288
39289
39290
39291
39292
39293
39294
39295
39296
39297
39298
39299
39300
39301
39302
39303
39304
39305
39306
39307
39308
39309
39310
39311
39312
39313
39314
39315
39316
39317
39318
39319
39320
39321
39322
39323
39324
39325
39326
39327
39328
39329
39330
39331
39332
39333
39334
39335
39336
39337
39338
39339
39340
39341
39342
39343
39344
39345
39346
39347
39348
39349
39350
39351
39352
39353
39354
39355
39356
39357
39358
39359
39360
39361
39362
39363
39364
39365
39366
39367
39368
39369
39370
39371
39372
39373
39374
39375
39376
39377
39378
39379
39380
39381
39382
39383
39384
39385
39386
39387
39388
39389
39390
39391
39392
39393
39394
39395
39396
39397
39398
39399
39400
39401
39402
39403
39404
39405
39406
39407
39408
39409
39410
39411
39412
39413
39414
39415
39416
39417
39418
39419
39420
39421
39422
39423
39424
39425
39426
39427
39428
39429
39430
39431
39432
39433
39434
39435
39436
39437
39438
39439
39440
39441
39442
39443
39444
39445
39446
39447
39448
39449
39450
39451
39452
39453
39454
39455
39456
39457
39458
39459
39460
39461
39462
39463
39464
39465
39466
39467
39468
39469
39470
39471
39472
39473
39474
39475
39476
39477
39478
39479
39480
39481
39482
39483
39484
39485
39486
39487
39488
39489
39490
39491
39492
39493
39494
39495
39496
39497
39498
39499
39500
39501
39502
39503
39504
39505
39506
39507
39508
39509
39510
39511
39512
39513
39514
39515
39516
39517
39518
39519
39520
39521
39522
39523
39524
39525
39526
39527
39528
39529
39530
39531
39532
39533
39534
39535
39536
39537
39538
39539
39540
39541
39542
39543
39544
39545
39546
39547
39548
39549
39550
39551
39552
39553
39554
39555
39556
39557
39558
39559
39560
39561
39562
39563
39564
39565
39566
39567
39568
39569
39570
39571
39572
39573
39574
39575
39576
39577
39578
39579
39580
39581
39582
39583
39584
39585
39586
39587
39588
39589
39590
39591
39592
39593
39594
39595
39596
39597
39598
39599
39600
39601
39602
39603
39604
39605
39606
39607
39608
39609
39610
39611
39612
39613
39614
39615
39616
39617
39618
39619
39620
39621
39622
39623
39624
39625
39626
39627
39628
39629
39630
39631
39632
39633
39634
39635
39636
39637
39638
39639
39640
39641
39642
39643
39644
39645
39646
39647
39648
39649
39650
39651
39652
39653
39654
39655
39656
39657
39658
39659
39660
39661
39662
39663
39664
39665
39666
39667
39668
39669
39670
39671
39672
39673
39674
39675
39676
39677
39678
39679
39680
39681
39682
39683
39684
39685
39686
39687
39688
39689
39690
39691
39692
39693
39694
39695
39696
39697
39698
39699
39700
39701
39702
39703
39704
39705
39706
39707
39708
39709
39710
39711
39712
39713
39714
39715
39716
39717
39718
39719
39720
39721
39722
39723
39724
39725
39726
39727
39728
39729
39730
39731
39732
39733
39734
39735
39736
39737
39738
39739
39740
39741
39742
39743
39744
39745
39746
39747
39748
39749
39750
39751
39752
39753
39754
39755
39756
39757
39758
39759
39760
39761
39762
39763
39764
39765
39766
39767
39768
39769
39770
39771
39772
39773
39774
39775
39776
39777
39778
39779
39780
39781
39782
39783
39784
39785
39786
39787
39788
39789
39790
39791
39792
39793
39794
39795
39796
39797
39798
39799
39800
39801
39802
39803
39804
39805
39806
39807
39808
39809
39810
39811
39812
39813
39814
39815
39816
39817
39818
39819
39820
39821
39822
39823
39824
39825
39826
39827
39828
39829
39830
39831
39832
39833
39834
39835
39836
39837
39838
39839
39840
39841
39842
39843
39844
39845
39846
39847
39848
39849
39850
39851
39852
39853
39854
39855
39856
39857
39858
39859
39860
39861
39862
39863
39864
39865
39866
39867
39868
39869
39870
39871
39872
39873
39874
39875
39876
39877
39878
39879
39880
39881
39882
39883
39884
39885
39886
39887
39888
39889
39890
39891
39892
39893
39894
39895
39896
39897
39898
39899
39900
39901
39902
39903
39904
39905
39906
39907
39908
39909
39910
39911
39912
39913
39914
39915
39916
39917
39918
39919
39920
39921
39922
39923
39924
39925
39926
39927
39928
39929
39930
39931
39932
39933
39934
39935
39936
39937
39938
39939
39940
39941
39942
39943
39944
39945
39946
39947
39948
39949
39950
39951
39952
39953
39954
39955
39956
39957
39958
39959
39960
39961
39962
39963
39964
39965
39966
39967
39968
39969
39970
39971
39972
39973
39974
39975
39976
39977
39978
39979
39980
39981
39982
39983
39984
39985
39986
39987
39988
39989
39990
39991
39992
39993
39994
39995
39996
39997
39998
39999
40000
40001
40002
40003
40004
40005
40006
40007
40008
40009
40010
40011
40012
40013
40014
40015
40016
40017
40018
40019
40020
40021
40022
40023
40024
40025
40026
40027
40028
40029
40030
40031
40032
40033
40034
40035
40036
40037
40038
40039
40040
40041
40042
40043
40044
40045
40046
40047
40048
40049
40050
40051
40052
40053
40054
40055
40056
40057
40058
40059
40060
40061
40062
40063
40064
40065
40066
40067
40068
40069
40070
40071
40072
40073
40074
40075
40076
40077
40078
40079
40080
40081
40082
40083
40084
40085
40086
40087
40088
40089
40090
40091
40092
40093
40094
40095
40096
40097
40098
40099
40100
40101
40102
40103
40104
40105
40106
40107
40108
40109
40110
40111
40112
40113
40114
40115
40116
40117
40118
40119
40120
40121
40122
40123
40124
40125
40126
40127
40128
40129
40130
40131
40132
40133
40134
40135
40136
40137
40138
40139
40140
40141
40142
40143
40144
40145
40146
40147
40148
40149
40150
40151
40152
40153
40154
40155
40156
40157
40158
40159
40160
40161
40162
40163
40164
40165
40166
40167
40168
40169
40170
40171
40172
40173
40174
40175
40176
40177
40178
40179
40180
40181
40182
40183
40184
40185
40186
40187
40188
40189
40190
40191
40192
40193
40194
40195
40196
40197
40198
40199
40200
40201
40202
40203
40204
40205
40206
40207
40208
40209
40210
40211
40212
40213
40214
40215
40216
40217
40218
40219
40220
40221
40222
40223
40224
40225
40226
40227
40228
40229
40230
40231
40232
40233
40234
40235
40236
40237
40238
40239
40240
40241
40242
40243
40244
40245
40246
40247
40248
40249
40250
40251
40252
40253
40254
40255
40256
40257
40258
40259
40260
40261
40262
40263
40264
40265
40266
40267
40268
40269
40270
40271
40272
40273
40274
40275
40276
40277
40278
40279
40280
40281
40282
40283
40284
40285
40286
40287
40288
40289
40290
40291
40292
40293
40294
40295
40296
40297
40298
40299
40300
40301
40302
40303
40304
40305
40306
40307
40308
40309
40310
40311
40312
40313
40314
40315
40316
40317
40318
40319
40320
40321
40322
40323
40324
40325
40326
40327
40328
40329
40330
40331
40332
40333
40334
40335
40336
40337
40338
40339
40340
40341
40342
40343
40344
40345
40346
40347
40348
40349
40350
40351
40352
40353
40354
40355
40356
40357
40358
40359
40360
40361
40362
40363
40364
40365
40366
40367
40368
40369
40370
40371
40372
40373
40374
40375
40376
40377
40378
40379
40380
40381
40382
40383
40384
40385
40386
40387
40388
40389
40390
40391
40392
40393
40394
40395
40396
40397
40398
40399
40400
40401
40402
40403
40404
40405
40406
40407
40408
40409
40410
40411
40412
40413
40414
40415
40416
40417
40418
40419
40420
40421
40422
40423
40424
40425
40426
40427
40428
40429
40430
40431
40432
40433
40434
40435
40436
40437
40438
40439
40440
40441
40442
40443
40444
40445
40446
40447
40448
40449
40450
40451
40452
40453
40454
40455
40456
40457
40458
40459
40460
40461
40462
40463
40464
40465
40466
40467
40468
40469
40470
40471
40472
40473
40474
40475
40476
40477
40478
40479
40480
40481
40482
40483
40484
40485
40486
40487
40488
40489
40490
40491
40492
40493
40494
40495
40496
40497
40498
40499
40500
40501
40502
40503
40504
40505
40506
40507
40508
40509
40510
40511
40512
40513
40514
40515
40516
40517
40518
40519
40520
40521
40522
40523
40524
40525
40526
40527
40528
40529
40530
40531
40532
40533
40534
40535
40536
40537
40538
40539
40540
40541
40542
40543
40544
40545
40546
40547
40548
40549
40550
40551
40552
40553
40554
40555
40556
40557
40558
40559
40560
40561
40562
40563
40564
40565
40566
40567
40568
40569
40570
40571
40572
40573
40574
40575
40576
40577
40578
40579
40580
40581
40582
40583
40584
40585
40586
40587
40588
40589
40590
40591
40592
40593
40594
40595
40596
40597
40598
40599
40600
40601
40602
40603
40604
40605
40606
40607
40608
40609
40610
40611
40612
40613
40614
40615
40616
40617
40618
40619
40620
40621
40622
40623
40624
40625
40626
40627
40628
40629
40630
40631
40632
40633
40634
40635
40636
40637
40638
40639
40640
40641
40642
40643
40644
40645
40646
40647
40648
40649
40650
40651
40652
40653
40654
40655
40656
40657
40658
40659
40660
40661
40662
40663
40664
40665
40666
40667
40668
40669
40670
40671
40672
40673
40674
40675
40676
40677
40678
40679
40680
40681
40682
40683
40684
40685
40686
40687
40688
40689
40690
40691
40692
40693
40694
40695
40696
40697
40698
40699
40700
40701
40702
40703
40704
40705
40706
40707
40708
40709
40710
40711
40712
40713
40714
40715
40716
40717
40718
40719
40720
40721
40722
40723
40724
40725
40726
40727
40728
40729
40730
40731
40732
40733
40734
40735
40736
40737
40738
40739
40740
40741
40742
40743
40744
40745
40746
40747
40748
40749
40750
40751
40752
40753
40754
40755
40756
40757
40758
40759
40760
40761
40762
40763
40764
40765
40766
40767
40768
40769
40770
40771
40772
40773
40774
40775
40776
40777
40778
40779
40780
40781
40782
40783
40784
40785
40786
40787
40788
40789
40790
40791
40792
40793
40794
40795
40796
40797
40798
40799
40800
40801
40802
40803
40804
40805
40806
40807
40808
40809
40810
40811
40812
40813
40814
40815
40816
40817
40818
40819
40820
40821
40822
40823
40824
40825
40826
40827
40828
40829
40830
40831
40832
40833
40834
40835
40836
40837
40838
40839
40840
40841
40842
40843
40844
40845
40846
40847
40848
40849
40850
40851
40852
40853
40854
40855
40856
40857
40858
40859
40860
40861
40862
40863
40864
40865
40866
40867
40868
40869
40870
40871
40872
40873
40874
40875
40876
40877
40878
40879
40880
40881
40882
40883
40884
40885
40886
40887
40888
40889
40890
40891
40892
40893
40894
40895
40896
40897
40898
40899
40900
40901
40902
40903
40904
40905
40906
40907
40908
40909
40910
40911
40912
40913
40914
40915
40916
40917
40918
40919
40920
40921
40922
40923
40924
40925
40926
40927
40928
40929
40930
40931
40932
40933
40934
40935
40936
40937
40938
40939
40940
40941
40942
40943
40944
40945
40946
40947
40948
40949
40950
40951
40952
40953
40954
40955
40956
40957
40958
40959
40960
40961
40962
40963
40964
40965
40966
40967
40968
40969
40970
40971
40972
40973
40974
40975
40976
40977
40978
40979
40980
40981
40982
40983
40984
40985
40986
40987
40988
40989
40990
40991
40992
40993
40994
40995
40996
40997
40998
40999
41000
41001
41002
41003
41004
41005
41006
41007
41008
41009
41010
41011
41012
41013
41014
41015
41016
41017
41018
41019
41020
41021
41022
41023
41024
41025
41026
41027
41028
41029
41030
41031
41032
41033
41034
41035
41036
41037
41038
41039
41040
41041
41042
41043
41044
41045
41046
41047
41048
41049
41050
41051
41052
41053
41054
41055
41056
41057
41058
41059
41060
41061
41062
41063
41064
41065
41066
41067
41068
41069
41070
41071
41072
41073
41074
41075
41076
41077
41078
41079
41080
41081
41082
41083
41084
41085
41086
41087
41088
41089
41090
41091
41092
41093
41094
41095
41096
41097
41098
41099
41100
41101
41102
41103
41104
41105
41106
41107
41108
41109
41110
41111
41112
41113
41114
41115
41116
41117
41118
41119
41120
41121
41122
41123
41124
41125
41126
41127
41128
41129
41130
41131
41132
41133
41134
41135
41136
41137
41138
41139
41140
41141
41142
41143
41144
41145
41146
41147
41148
41149
41150
41151
41152
41153
41154
41155
41156
41157
41158
41159
41160
41161
41162
41163
41164
41165
41166
41167
41168
41169
41170
41171
41172
41173
41174
41175
41176
41177
41178
41179
41180
41181
41182
41183
41184
41185
41186
41187
41188
41189
41190
41191
41192
41193
41194
41195
41196
41197
41198
41199
41200
41201
41202
41203
41204
41205
41206
41207
41208
41209
41210
41211
41212
41213
41214
41215
41216
41217
41218
41219
41220
41221
41222
41223
41224
41225
41226
41227
41228
41229
41230
41231
41232
41233
41234
41235
41236
41237
41238
41239
41240
41241
41242
41243
41244
41245
41246
41247
41248
41249
41250
41251
41252
41253
41254
41255
41256
41257
41258
41259
41260
41261
41262
41263
41264
41265
41266
41267
41268
41269
41270
41271
41272
41273
41274
41275
41276
41277
41278
41279
41280
41281
41282
41283
41284
41285
41286
41287
41288
41289
41290
41291
41292
41293
41294
41295
41296
41297
41298
41299
41300
41301
41302
41303
41304
41305
41306
41307
41308
41309
41310
41311
41312
41313
41314
41315
41316
41317
41318
41319
41320
41321
41322
41323
41324
41325
41326
41327
41328
41329
41330
41331
41332
41333
41334
41335
41336
41337
41338
41339
41340
41341
41342
41343
41344
41345
41346
41347
41348
41349
41350
41351
41352
41353
41354
41355
41356
41357
41358
41359
41360
41361
41362
41363
41364
41365
41366
41367
41368
41369
41370
41371
41372
41373
41374
41375
41376
41377
41378
41379
41380
41381
41382
41383
41384
41385
41386
41387
41388
41389
41390
41391
41392
41393
41394
41395
41396
41397
41398
41399
41400
41401
41402
41403
41404
41405
41406
41407
41408
41409
41410
41411
41412
41413
41414
41415
41416
41417
41418
41419
41420
41421
41422
41423
41424
41425
41426
41427
41428
41429
41430
41431
41432
41433
41434
41435
41436
41437
41438
41439
41440
41441
41442
41443
41444
41445
41446
41447
41448
41449
41450
41451
41452
41453
41454
41455
41456
41457
41458
41459
41460
41461
41462
41463
41464
41465
41466
41467
41468
41469
41470
41471
41472
41473
41474
41475
41476
41477
41478
41479
41480
41481
41482
41483
41484
41485
41486
41487
41488
41489
41490
41491
41492
41493
41494
41495
41496
41497
41498
41499
41500
41501
41502
41503
41504
41505
41506
41507
41508
41509
41510
41511
41512
41513
41514
41515
41516
41517
41518
41519
41520
41521
41522
41523
41524
41525
41526
41527
41528
41529
41530
41531
41532
41533
41534
41535
41536
41537
41538
41539
41540
41541
41542
41543
41544
41545
41546
41547
41548
41549
41550
41551
41552
41553
41554
41555
41556
41557
41558
41559
41560
41561
41562
41563
41564
41565
41566
41567
41568
41569
41570
41571
41572
41573
41574
41575
41576
41577
41578
41579
41580
41581
41582
41583
41584
41585
41586
41587
41588
41589
41590
41591
41592
41593
41594
41595
41596
41597
41598
41599
41600
41601
41602
41603
41604
41605
41606
41607
41608
41609
41610
41611
41612
41613
41614
41615
41616
41617
41618
41619
41620
41621
41622
41623
41624
41625
41626
41627
41628
41629
41630
41631
41632
41633
41634
41635
41636
41637
41638
41639
41640
41641
41642
41643
41644
41645
41646
41647
41648
41649
41650
41651
41652
41653
41654
41655
41656
41657
41658
41659
41660
41661
41662
41663
41664
41665
41666
41667
41668
41669
41670
41671
41672
41673
41674
41675
41676
41677
41678
41679
41680
41681
41682
41683
41684
41685
41686
41687
41688
41689
41690
41691
41692
41693
41694
41695
41696
41697
41698
41699
41700
41701
41702
41703
41704
41705
41706
41707
41708
41709
41710
41711
41712
41713
41714
41715
41716
41717
41718
41719
41720
41721
41722
41723
41724
41725
41726
41727
41728
41729
41730
41731
41732
41733
41734
41735
41736
41737
41738
41739
41740
41741
41742
41743
41744
41745
41746
41747
41748
41749
41750
41751
41752
41753
41754
41755
41756
41757
41758
41759
41760
41761
41762
41763
41764
41765
41766
41767
41768
41769
41770
41771
41772
41773
41774
41775
41776
41777
41778
41779
41780
41781
41782
41783
41784
41785
41786
41787
41788
41789
41790
41791
41792
41793
41794
41795
41796
41797
41798
41799
41800
41801
41802
41803
41804
41805
41806
41807
41808
41809
41810
41811
41812
41813
41814
41815
41816
41817
41818
41819
41820
41821
41822
41823
41824
41825
41826
41827
41828
41829
41830
41831
41832
41833
41834
41835
41836
41837
41838
41839
41840
41841
41842
41843
41844
41845
41846
41847
41848
41849
41850
41851
41852
41853
41854
41855
41856
41857
41858
41859
41860
41861
41862
41863
41864
41865
41866
41867
41868
41869
41870
41871
41872
41873
41874
41875
41876
41877
41878
41879
41880
41881
41882
41883
41884
41885
41886
41887
41888
41889
41890
41891
41892
41893
41894
41895
41896
41897
41898
41899
41900
41901
41902
41903
41904
41905
41906
41907
41908
41909
41910
41911
41912
41913
41914
41915
41916
41917
41918
41919
41920
41921
41922
41923
41924
41925
41926
41927
41928
41929
41930
41931
41932
41933
41934
41935
41936
41937
41938
41939
41940
41941
41942
41943
41944
41945
41946
41947
41948
41949
41950
41951
41952
41953
41954
41955
41956
41957
41958
41959
41960
41961
41962
41963
41964
41965
41966
41967
41968
41969
41970
41971
41972
41973
41974
41975
41976
41977
41978
41979
41980
41981
41982
41983
41984
41985
41986
41987
41988
41989
41990
41991
41992
41993
41994
41995
41996
41997
41998
41999
42000
42001
42002
42003
42004
42005
42006
42007
42008
42009
42010
42011
42012
42013
42014
42015
42016
42017
42018
42019
42020
42021
42022
42023
42024
42025
42026
42027
42028
42029
42030
42031
42032
42033
42034
42035
42036
42037
42038
42039
42040
42041
42042
42043
42044
42045
42046
42047
42048
42049
42050
42051
42052
42053
42054
42055
42056
42057
42058
42059
42060
42061
42062
42063
42064
42065
42066
42067
42068
42069
42070
42071
42072
42073
42074
42075
42076
42077
42078
42079
42080
42081
42082
42083
42084
42085
42086
42087
42088
42089
42090
42091
42092
42093
42094
42095
42096
42097
42098
42099
42100
42101
42102
42103
42104
42105
42106
42107
42108
42109
42110
42111
42112
42113
42114
42115
42116
42117
42118
42119
42120
42121
42122
42123
42124
42125
42126
42127
42128
42129
42130
42131
42132
42133
42134
42135
42136
42137
42138
42139
42140
42141
42142
42143
42144
42145
42146
42147
42148
42149
42150
42151
42152
42153
42154
42155
42156
42157
42158
42159
42160
42161
42162
42163
42164
42165
42166
42167
42168
42169
42170
42171
42172
42173
42174
42175
42176
42177
42178
42179
42180
42181
42182
42183
42184
42185
42186
42187
42188
42189
42190
42191
42192
42193
42194
42195
42196
42197
42198
42199
42200
42201
42202
42203
42204
42205
42206
42207
42208
42209
42210
42211
42212
42213
42214
42215
42216
42217
42218
42219
42220
42221
42222
42223
42224
42225
42226
42227
42228
42229
42230
42231
42232
42233
42234
42235
42236
42237
42238
42239
42240
42241
42242
42243
42244
42245
42246
42247
42248
42249
42250
42251
42252
42253
42254
42255
42256
42257
42258
42259
42260
42261
42262
42263
42264
42265
42266
42267
42268
42269
42270
42271
42272
42273
42274
42275
42276
42277
42278
42279
42280
42281
42282
42283
42284
42285
42286
42287
42288
42289
42290
42291
42292
42293
42294
42295
42296
42297
42298
42299
42300
42301
42302
42303
42304
42305
42306
42307
42308
42309
42310
42311
42312
42313
42314
42315
42316
42317
42318
42319
42320
42321
42322
42323
42324
42325
42326
42327
42328
42329
42330
42331
42332
42333
42334
42335
42336
42337
42338
42339
42340
42341
42342
42343
42344
42345
42346
42347
42348
42349
42350
42351
42352
42353
42354
42355
42356
42357
42358
42359
42360
42361
42362
42363
42364
42365
42366
42367
42368
42369
42370
42371
42372
42373
42374
42375
42376
42377
42378
42379
42380
42381
42382
42383
42384
42385
42386
42387
42388
42389
42390
42391
42392
42393
42394
42395
42396
42397
42398
42399
42400
42401
42402
42403
42404
42405
42406
42407
42408
42409
42410
42411
42412
42413
42414
42415
42416
42417
42418
42419
42420
42421
42422
42423
42424
42425
42426
42427
42428
42429
42430
42431
42432
42433
42434
42435
42436
42437
42438
42439
42440
42441
42442
42443
42444
42445
42446
42447
42448
42449
42450
42451
42452
42453
42454
42455
42456
42457
42458
42459
42460
42461
42462
42463
42464
42465
42466
42467
42468
42469
42470
42471
42472
42473
42474
42475
42476
42477
42478
42479
42480
42481
42482
42483
42484
42485
42486
42487
42488
42489
42490
42491
42492
42493
42494
42495
42496
42497
42498
42499
42500
42501
42502
42503
42504
42505
42506
42507
42508
42509
42510
42511
42512
42513
42514
42515
42516
42517
42518
42519
42520
42521
42522
42523
42524
42525
42526
42527
42528
42529
42530
42531
42532
42533
42534
42535
42536
42537
42538
42539
42540
42541
42542
42543
42544
42545
42546
42547
42548
42549
42550
42551
42552
42553
42554
42555
42556
42557
42558
42559
42560
42561
42562
42563
42564
42565
42566
42567
42568
42569
42570
42571
42572
42573
42574
42575
42576
42577
42578
42579
42580
42581
42582
42583
42584
42585
42586
42587
42588
42589
42590
42591
42592
42593
42594
42595
42596
42597
42598
42599
42600
42601
42602
42603
42604
42605
42606
42607
42608
42609
42610
42611
42612
42613
42614
42615
42616
42617
42618
42619
42620
42621
42622
42623
42624
42625
42626
42627
42628
42629
42630
42631
42632
42633
42634
42635
42636
42637
42638
42639
42640
42641
42642
42643
42644
42645
42646
42647
42648
42649
42650
42651
42652
42653
42654
42655
42656
42657
42658
42659
42660
42661
42662
42663
42664
42665
42666
42667
42668
42669
42670
42671
42672
42673
42674
42675
42676
42677
42678
42679
42680
42681
42682
42683
42684
42685
42686
42687
42688
42689
42690
42691
42692
42693
42694
42695
42696
42697
42698
42699
42700
42701
42702
42703
42704
42705
42706
42707
42708
42709
42710
42711
42712
42713
42714
42715
42716
42717
42718
42719
42720
42721
42722
42723
42724
42725
42726
42727
42728
42729
42730
42731
42732
42733
42734
42735
42736
42737
42738
42739
42740
42741
42742
42743
42744
42745
42746
42747
42748
42749
42750
42751
42752
42753
42754
42755
42756
42757
42758
42759
42760
42761
42762
42763
42764
42765
42766
42767
42768
42769
42770
42771
42772
42773
42774
42775
42776
42777
42778
42779
42780
42781
42782
42783
42784
42785
42786
42787
42788
42789
42790
42791
42792
42793
42794
42795
42796
42797
42798
42799
42800
42801
42802
42803
42804
42805
42806
42807
42808
42809
42810
42811
42812
42813
42814
42815
42816
42817
42818
42819
42820
42821
42822
42823
42824
42825
42826
42827
42828
42829
42830
42831
42832
42833
42834
42835
42836
42837
42838
42839
42840
42841
42842
42843
42844
42845
42846
42847
42848
42849
42850
42851
42852
42853
42854
42855
42856
42857
42858
42859
42860
42861
42862
42863
42864
42865
42866
42867
42868
42869
42870
42871
42872
42873
42874
42875
42876
42877
42878
42879
42880
42881
42882
42883
42884
42885
42886
42887
42888
42889
42890
42891
42892
42893
42894
42895
42896
42897
42898
42899
42900
42901
42902
42903
42904
42905
42906
42907
42908
42909
42910
42911
42912
42913
42914
42915
42916
42917
42918
42919
42920
42921
42922
42923
42924
42925
42926
42927
42928
42929
42930
42931
42932
42933
42934
42935
42936
42937
42938
42939
42940
42941
42942
42943
42944
42945
42946
42947
42948
42949
42950
42951
42952
42953
42954
42955
42956
42957
42958
42959
42960
42961
42962
42963
42964
42965
42966
42967
42968
42969
42970
42971
42972
42973
42974
42975
42976
42977
42978
42979
42980
42981
42982
42983
42984
42985
42986
42987
42988
42989
42990
42991
42992
42993
42994
42995
42996
42997
42998
42999
43000
43001
43002
43003
43004
43005
43006
43007
43008
43009
43010
43011
43012
43013
43014
43015
43016
43017
43018
43019
43020
43021
43022
43023
43024
43025
43026
43027
43028
43029
43030
43031
43032
43033
43034
43035
43036
43037
43038
43039
43040
43041
43042
43043
43044
43045
43046
43047
43048
43049
43050
43051
43052
43053
43054
43055
43056
43057
43058
43059
43060
43061
43062
43063
43064
43065
43066
43067
43068
43069
43070
43071
43072
43073
43074
43075
43076
43077
43078
43079
43080
43081
43082
43083
43084
43085
43086
43087
43088
43089
43090
43091
43092
43093
43094
43095
43096
43097
43098
43099
43100
43101
43102
43103
43104
43105
43106
43107
43108
43109
43110
43111
43112
43113
43114
43115
43116
43117
43118
43119
43120
43121
43122
43123
43124
43125
43126
43127
43128
43129
43130
43131
43132
43133
43134
43135
43136
43137
43138
43139
43140
43141
43142
43143
43144
43145
43146
43147
43148
43149
43150
43151
43152
43153
43154
43155
43156
43157
43158
43159
43160
43161
43162
43163
43164
43165
43166
43167
43168
43169
43170
43171
43172
43173
43174
43175
43176
43177
43178
43179
43180
43181
43182
43183
43184
43185
43186
43187
43188
43189
43190
43191
43192
43193
43194
43195
43196
43197
43198
43199
43200
43201
43202
43203
43204
43205
43206
43207
43208
43209
43210
43211
43212
43213
43214
43215
43216
43217
43218
43219
43220
43221
43222
43223
43224
43225
43226
43227
43228
43229
43230
43231
43232
43233
43234
43235
43236
43237
43238
43239
43240
43241
43242
43243
43244
43245
43246
43247
43248
43249
43250
43251
43252
43253
43254
43255
43256
43257
43258
43259
43260
43261
43262
43263
43264
43265
43266
43267
43268
43269
43270
43271
43272
43273
43274
43275
43276
43277
43278
43279
43280
43281
43282
43283
43284
43285
43286
43287
43288
43289
43290
43291
43292
43293
43294
43295
43296
43297
43298
43299
43300
43301
43302
43303
43304
43305
43306
43307
43308
43309
43310
43311
43312
43313
43314
43315
43316
43317
43318
43319
43320
43321
43322
43323
43324
43325
43326
43327
43328
43329
43330
43331
43332
43333
43334
43335
43336
43337
43338
43339
43340
43341
43342
43343
43344
43345
43346
43347
43348
43349
43350
43351
43352
43353
43354
43355
43356
43357
43358
43359
43360
43361
43362
43363
43364
43365
43366
43367
43368
43369
43370
43371
43372
43373
43374
43375
43376
43377
43378
43379
43380
43381
43382
43383
43384
43385
43386
43387
43388
43389
43390
43391
43392
43393
43394
43395
43396
43397
43398
43399
43400
43401
43402
43403
43404
43405
43406
43407
43408
43409
43410
43411
43412
43413
43414
43415
43416
43417
43418
43419
43420
43421
43422
43423
43424
43425
43426
43427
43428
43429
43430
43431
43432
43433
43434
43435
43436
43437
43438
43439
43440
43441
43442
43443
43444
43445
43446
43447
43448
43449
43450
43451
43452
43453
43454
43455
43456
43457
43458
43459
43460
43461
43462
43463
43464
43465
43466
43467
43468
43469
43470
43471
43472
43473
43474
43475
43476
43477
43478
43479
43480
43481
43482
43483
43484
43485
43486
43487
43488
43489
43490
43491
43492
43493
43494
43495
43496
43497
43498
43499
43500
43501
43502
43503
43504
43505
43506
43507
43508
43509
43510
43511
43512
43513
43514
43515
43516
43517
43518
43519
43520
43521
43522
43523
43524
43525
43526
43527
43528
43529
43530
43531
43532
43533
43534
43535
43536
43537
43538
43539
43540
43541
43542
43543
43544
43545
43546
43547
43548
43549
43550
43551
43552
43553
43554
43555
43556
43557
43558
43559
43560
43561
43562
43563
43564
43565
43566
43567
43568
43569
43570
43571
43572
43573
43574
43575
43576
43577
43578
43579
43580
43581
43582
43583
43584
43585
43586
43587
43588
43589
43590
43591
43592
43593
43594
43595
43596
43597
43598
43599
43600
43601
43602
43603
43604
43605
43606
43607
43608
43609
43610
43611
43612
43613
43614
43615
43616
43617
43618
43619
43620
43621
43622
43623
43624
43625
43626
43627
43628
43629
43630
43631
43632
43633
43634
43635
43636
43637
43638
43639
43640
43641
43642
43643
43644
43645
43646
43647
43648
43649
43650
43651
43652
43653
43654
43655
43656
43657
43658
43659
43660
43661
43662
43663
43664
43665
43666
43667
43668
43669
43670
43671
43672
43673
43674
43675
43676
43677
43678
43679
43680
43681
43682
43683
43684
43685
43686
43687
43688
43689
43690
43691
43692
43693
43694
43695
43696
43697
43698
43699
43700
43701
43702
43703
43704
43705
43706
43707
43708
43709
43710
43711
43712
43713
43714
43715
43716
43717
43718
43719
43720
43721
43722
43723
43724
43725
43726
43727
43728
43729
43730
43731
43732
43733
43734
43735
43736
43737
43738
43739
43740
43741
43742
43743
43744
43745
43746
43747
43748
43749
43750
43751
43752
43753
43754
43755
43756
43757
43758
43759
43760
43761
43762
43763
43764
43765
43766
43767
43768
43769
43770
43771
43772
43773
43774
43775
43776
43777
43778
43779
43780
43781
43782
43783
43784
43785
43786
43787
43788
43789
43790
43791
43792
43793
43794
43795
43796
43797
43798
43799
43800
43801
43802
43803
43804
43805
43806
43807
43808
43809
43810
43811
43812
43813
43814
43815
43816
43817
43818
43819
43820
43821
43822
43823
43824
43825
43826
43827
43828
43829
43830
43831
43832
43833
43834
43835
43836
43837
43838
43839
43840
43841
43842
43843
43844
43845
43846
43847
43848
43849
43850
43851
43852
43853
43854
43855
43856
43857
43858
43859
43860
43861
43862
43863
43864
43865
43866
43867
43868
43869
43870
43871
43872
43873
43874
43875
43876
43877
43878
43879
43880
43881
43882
43883
43884
43885
43886
43887
43888
43889
43890
43891
43892
43893
43894
43895
43896
43897
43898
43899
43900
43901
43902
43903
43904
43905
43906
43907
43908
43909
43910
43911
43912
43913
43914
43915
43916
43917
43918
43919
43920
43921
43922
43923
43924
43925
43926
43927
43928
43929
43930
43931
43932
43933
43934
43935
43936
43937
43938
43939
43940
43941
43942
43943
43944
43945
43946
43947
43948
43949
43950
43951
43952
43953
43954
43955
43956
43957
43958
43959
43960
43961
43962
43963
43964
43965
43966
43967
43968
43969
43970
43971
43972
43973
43974
43975
43976
43977
43978
43979
43980
43981
43982
43983
43984
43985
43986
43987
43988
43989
43990
43991
43992
43993
43994
43995
43996
43997
43998
43999
44000
44001
44002
44003
44004
44005
44006
44007
44008
44009
44010
44011
44012
44013
44014
44015
44016
44017
44018
44019
44020
44021
44022
44023
44024
44025
44026
44027
44028
44029
44030
44031
44032
44033
44034
44035
44036
44037
44038
44039
44040
44041
44042
44043
44044
44045
44046
44047
44048
44049
44050
44051
44052
44053
44054
44055
44056
44057
44058
44059
44060
44061
44062
44063
44064
44065
44066
44067
44068
44069
44070
44071
44072
44073
44074
44075
44076
44077
44078
44079
44080
44081
44082
44083
44084
44085
44086
44087
44088
44089
44090
44091
44092
44093
44094
44095
44096
44097
44098
44099
44100
44101
44102
44103
44104
44105
44106
44107
44108
44109
44110
44111
44112
44113
44114
44115
44116
44117
44118
44119
44120
44121
44122
44123
44124
44125
44126
44127
44128
44129
44130
44131
44132
44133
44134
44135
44136
44137
44138
44139
44140
44141
44142
44143
44144
44145
44146
44147
44148
44149
44150
44151
44152
44153
44154
44155
44156
44157
44158
44159
44160
44161
44162
44163
44164
44165
44166
44167
44168
44169
44170
44171
44172
44173
44174
44175
44176
44177
44178
44179
44180
44181
44182
44183
44184
44185
44186
44187
44188
44189
44190
44191
44192
44193
44194
44195
44196
44197
44198
44199
44200
44201
44202
44203
44204
44205
44206
44207
44208
44209
44210
44211
44212
44213
44214
44215
44216
44217
44218
44219
44220
44221
44222
44223
44224
44225
44226
44227
44228
44229
44230
44231
44232
44233
44234
44235
44236
44237
44238
44239
44240
44241
44242
44243
44244
44245
44246
44247
44248
44249
44250
44251
44252
44253
44254
44255
44256
44257
44258
44259
44260
44261
44262
44263
44264
44265
44266
44267
44268
44269
44270
44271
44272
44273
44274
44275
44276
44277
44278
44279
44280
44281
44282
44283
44284
44285
44286
44287
44288
44289
44290
44291
44292
44293
44294
44295
44296
44297
44298
44299
44300
44301
44302
44303
44304
44305
44306
44307
44308
44309
44310
44311
44312
44313
44314
44315
44316
44317
44318
44319
44320
44321
44322
44323
44324
44325
44326
44327
44328
44329
44330
44331
44332
44333
44334
44335
44336
44337
44338
44339
44340
44341
44342
44343
44344
44345
44346
44347
44348
44349
44350
44351
44352
44353
44354
44355
44356
44357
44358
44359
44360
44361
44362
44363
44364
44365
44366
44367
44368
44369
44370
44371
44372
44373
44374
44375
44376
44377
44378
44379
44380
44381
44382
44383
44384
44385
44386
44387
44388
44389
44390
44391
44392
44393
44394
44395
44396
44397
44398
44399
44400
44401
44402
44403
44404
44405
44406
44407
44408
44409
44410
44411
44412
44413
44414
44415
44416
44417
44418
44419
44420
44421
44422
44423
44424
44425
44426
44427
44428
44429
44430
44431
44432
44433
44434
44435
44436
44437
44438
44439
44440
44441
44442
44443
44444
44445
44446
44447
44448
44449
44450
44451
44452
44453
44454
44455
44456
44457
44458
44459
44460
44461
44462
44463
44464
44465
44466
44467
44468
44469
44470
44471
44472
44473
44474
44475
44476
44477
44478
44479
44480
44481
44482
44483
44484
44485
44486
44487
44488
44489
44490
44491
44492
44493
44494
44495
44496
44497
44498
44499
44500
44501
44502
44503
44504
44505
44506
44507
44508
44509
44510
44511
44512
44513
44514
44515
44516
44517
44518
44519
44520
44521
44522
44523
44524
44525
44526
44527
44528
44529
44530
44531
44532
44533
44534
44535
44536
44537
44538
44539
44540
44541
44542
44543
44544
44545
44546
44547
44548
44549
44550
44551
44552
44553
44554
44555
44556
44557
44558
44559
44560
44561
44562
44563
44564
44565
44566
44567
44568
44569
44570
44571
44572
44573
44574
44575
44576
44577
44578
44579
44580
44581
44582
44583
44584
44585
44586
44587
44588
44589
44590
44591
44592
44593
44594
44595
44596
44597
44598
44599
44600
44601
44602
44603
44604
44605
44606
44607
44608
44609
44610
44611
44612
44613
44614
44615
44616
44617
44618
44619
44620
44621
44622
44623
44624
44625
44626
44627
44628
44629
44630
44631
44632
44633
44634
44635
44636
44637
44638
44639
44640
44641
44642
44643
44644
44645
44646
44647
44648
44649
44650
44651
44652
44653
44654
44655
44656
44657
44658
44659
44660
44661
44662
44663
44664
44665
44666
44667
44668
44669
44670
44671
44672
44673
44674
44675
44676
44677
44678
44679
44680
44681
44682
44683
44684
44685
44686
44687
44688
44689
44690
44691
44692
44693
44694
44695
44696
44697
44698
44699
44700
44701
44702
44703
44704
44705
44706
44707
44708
44709
44710
44711
44712
44713
44714
44715
44716
44717
44718
44719
44720
44721
44722
44723
44724
44725
44726
44727
44728
44729
44730
44731
44732
44733
44734
44735
44736
44737
44738
44739
44740
44741
44742
44743
44744
44745
44746
44747
44748
44749
44750
44751
44752
44753
44754
44755
44756
44757
44758
44759
44760
44761
44762
44763
44764
44765
44766
44767
44768
44769
44770
44771
44772
44773
44774
44775
44776
44777
44778
44779
44780
44781
44782
44783
44784
44785
44786
44787
44788
44789
44790
44791
44792
44793
44794
44795
44796
44797
44798
44799
44800
44801
44802
44803
44804
44805
44806
44807
44808
44809
44810
44811
44812
44813
44814
44815
44816
44817
44818
44819
44820
44821
44822
44823
44824
44825
44826
44827
44828
44829
44830
44831
44832
44833
44834
44835
44836
44837
44838
44839
44840
44841
44842
44843
44844
44845
44846
44847
44848
44849
44850
44851
44852
44853
44854
44855
44856
44857
44858
44859
44860
44861
44862
44863
44864
44865
44866
44867
44868
44869
44870
44871
44872
44873
44874
44875
44876
44877
44878
44879
44880
44881
44882
44883
44884
44885
44886
44887
44888
44889
44890
44891
44892
44893
44894
44895
44896
44897
44898
44899
44900
44901
44902
44903
44904
44905
44906
44907
44908
44909
44910
44911
44912
44913
44914
44915
44916
44917
44918
44919
44920
44921
44922
44923
44924
44925
44926
44927
44928
44929
44930
44931
44932
44933
44934
44935
44936
44937
44938
44939
44940
44941
44942
44943
44944
44945
44946
44947
44948
44949
44950
44951
44952
44953
44954
44955
44956
44957
44958
44959
44960
44961
44962
44963
44964
44965
44966
44967
44968
44969
44970
44971
44972
44973
44974
44975
44976
44977
44978
44979
44980
44981
44982
44983
44984
44985
44986
44987
44988
44989
44990
44991
44992
44993
44994
44995
44996
44997
44998
44999
45000
45001
45002
45003
45004
45005
45006
45007
45008
45009
45010
45011
45012
45013
45014
45015
45016
45017
45018
45019
45020
45021
45022
45023
45024
45025
45026
45027
45028
45029
45030
45031
45032
45033
45034
45035
45036
45037
45038
45039
45040
45041
45042
45043
45044
45045
45046
45047
45048
45049
45050
45051
45052
45053
45054
45055
45056
45057
45058
45059
45060
45061
45062
45063
45064
45065
45066
45067
45068
45069
45070
45071
45072
45073
45074
45075
45076
45077
45078
45079
45080
45081
45082
45083
45084
45085
45086
45087
45088
45089
45090
45091
45092
45093
45094
45095
45096
45097
45098
45099
45100
45101
45102
45103
45104
45105
45106
45107
45108
45109
45110
45111
45112
45113
45114
45115
45116
45117
45118
45119
45120
45121
45122
45123
45124
45125
45126
45127
45128
45129
45130
45131
45132
45133
45134
45135
45136
45137
45138
45139
45140
45141
45142
45143
45144
45145
45146
45147
45148
45149
45150
45151
45152
45153
45154
45155
45156
45157
45158
45159
45160
45161
45162
45163
45164
45165
45166
45167
45168
45169
45170
45171
45172
45173
45174
45175
45176
45177
45178
45179
45180
45181
45182
45183
45184
45185
45186
45187
45188
45189
45190
45191
45192
45193
45194
45195
45196
45197
45198
45199
45200
45201
45202
45203
45204
45205
45206
45207
45208
45209
45210
45211
45212
45213
45214
45215
45216
45217
45218
45219
45220
45221
45222
45223
45224
45225
45226
45227
45228
45229
45230
45231
45232
45233
45234
45235
45236
45237
45238
45239
45240
45241
45242
45243
45244
45245
45246
45247
45248
45249
45250
45251
45252
45253
45254
45255
45256
45257
45258
45259
45260
45261
45262
45263
45264
45265
45266
45267
45268
45269
45270
45271
45272
45273
45274
45275
45276
45277
45278
45279
45280
45281
45282
45283
45284
45285
45286
45287
45288
45289
45290
45291
45292
45293
45294
45295
45296
45297
45298
45299
45300
45301
45302
45303
45304
45305
45306
45307
45308
45309
45310
45311
45312
45313
45314
45315
45316
45317
45318
45319
45320
45321
45322
45323
45324
45325
45326
45327
45328
45329
45330
45331
45332
45333
45334
45335
45336
45337
45338
45339
45340
45341
45342
45343
45344
45345
45346
45347
45348
45349
45350
45351
45352
45353
45354
45355
45356
45357
45358
45359
45360
45361
45362
45363
45364
45365
45366
45367
45368
45369
45370
45371
45372
45373
45374
45375
45376
45377
45378
45379
45380
45381
45382
45383
45384
45385
45386
45387
45388
45389
45390
45391
45392
45393
45394
45395
45396
45397
45398
45399
45400
45401
45402
45403
45404
45405
45406
45407
45408
45409
45410
45411
45412
45413
45414
45415
45416
45417
45418
45419
45420
45421
45422
45423
45424
45425
45426
45427
45428
45429
45430
45431
45432
45433
45434
45435
45436
45437
45438
45439
45440
45441
45442
45443
45444
45445
45446
45447
45448
45449
45450
45451
45452
45453
45454
45455
45456
45457
45458
45459
45460
45461
45462
45463
45464
45465
45466
45467
45468
45469
45470
45471
45472
45473
45474
45475
45476
45477
45478
45479
45480
45481
45482
45483
45484
45485
45486
45487
45488
45489
45490
45491
45492
45493
45494
45495
45496
45497
45498
45499
45500
45501
45502
45503
45504
45505
45506
45507
45508
45509
45510
45511
45512
45513
45514
45515
45516
45517
45518
45519
45520
45521
45522
45523
45524
45525
45526
45527
45528
45529
45530
45531
45532
45533
45534
45535
45536
45537
45538
45539
45540
45541
45542
45543
45544
45545
45546
45547
45548
45549
45550
45551
45552
45553
45554
45555
45556
45557
45558
45559
45560
45561
45562
45563
45564
45565
45566
45567
45568
45569
45570
45571
45572
45573
45574
45575
45576
45577
45578
45579
45580
45581
45582
45583
45584
45585
45586
45587
45588
45589
45590
45591
45592
45593
45594
45595
45596
45597
45598
45599
45600
45601
45602
45603
45604
45605
45606
45607
45608
45609
45610
45611
45612
45613
45614
45615
45616
45617
45618
45619
45620
45621
45622
45623
45624
45625
45626
45627
45628
45629
45630
45631
45632
45633
45634
45635
45636
45637
45638
45639
45640
45641
45642
45643
45644
45645
45646
45647
45648
45649
45650
45651
45652
45653
45654
45655
45656
45657
45658
45659
45660
45661
45662
45663
45664
45665
45666
45667
45668
45669
45670
45671
45672
45673
45674
45675
45676
45677
45678
45679
45680
45681
45682
45683
45684
45685
45686
45687
45688
45689
45690
45691
45692
45693
45694
45695
45696
45697
45698
45699
45700
45701
45702
45703
45704
45705
45706
45707
45708
45709
45710
45711
45712
45713
45714
45715
45716
45717
45718
45719
45720
45721
45722
45723
45724
45725
45726
45727
45728
45729
45730
45731
45732
45733
45734
45735
45736
45737
45738
45739
45740
45741
45742
45743
45744
45745
45746
45747
45748
45749
45750
45751
45752
45753
45754
45755
45756
45757
45758
45759
45760
45761
45762
45763
45764
45765
45766
45767
45768
45769
45770
45771
45772
45773
45774
45775
45776
45777
45778
45779
45780
45781
45782
45783
45784
45785
45786
45787
45788
45789
45790
45791
45792
45793
45794
45795
45796
45797
45798
45799
45800
45801
45802
45803
45804
45805
45806
45807
45808
45809
45810
45811
45812
45813
45814
45815
45816
45817
45818
45819
45820
45821
45822
45823
45824
45825
45826
45827
45828
45829
45830
45831
45832
45833
45834
45835
45836
45837
45838
45839
45840
45841
45842
45843
45844
45845
45846
45847
45848
45849
45850
45851
45852
45853
45854
45855
45856
45857
45858
45859
45860
45861
45862
45863
45864
45865
45866
45867
45868
45869
45870
45871
45872
45873
45874
45875
45876
45877
45878
45879
45880
45881
45882
45883
45884
45885
45886
45887
45888
45889
45890
45891
45892
45893
45894
45895
45896
45897
45898
45899
45900
45901
45902
45903
45904
45905
45906
45907
45908
45909
45910
45911
45912
45913
45914
45915
45916
45917
45918
45919
45920
45921
45922
45923
45924
45925
45926
45927
45928
45929
45930
45931
45932
45933
45934
45935
45936
45937
45938
45939
45940
45941
45942
45943
45944
45945
45946
45947
45948
45949
45950
45951
45952
45953
45954
45955
45956
45957
45958
45959
45960
45961
45962
45963
45964
45965
45966
45967
45968
45969
45970
45971
45972
45973
45974
45975
45976
45977
45978
45979
45980
45981
45982
45983
45984
45985
45986
45987
45988
45989
45990
45991
45992
45993
45994
45995
45996
45997
45998
45999
46000
46001
46002
46003
46004
46005
46006
46007
46008
46009
46010
46011
46012
46013
46014
46015
46016
46017
46018
46019
46020
46021
46022
46023
46024
46025
46026
46027
46028
46029
46030
46031
46032
46033
46034
46035
46036
46037
46038
46039
46040
46041
46042
46043
46044
46045
46046
46047
46048
46049
46050
46051
46052
46053
46054
46055
46056
46057
46058
46059
46060
46061
46062
46063
46064
46065
46066
46067
46068
46069
46070
46071
46072
46073
46074
46075
46076
46077
46078
46079
46080
46081
46082
46083
46084
46085
46086
46087
46088
46089
46090
46091
46092
46093
46094
46095
46096
46097
46098
46099
46100
46101
46102
46103
46104
46105
46106
46107
46108
46109
46110
46111
46112
46113
46114
46115
46116
46117
46118
46119
46120
46121
46122
46123
46124
46125
46126
46127
46128
46129
46130
46131
46132
46133
46134
46135
46136
46137
46138
46139
46140
46141
46142
46143
46144
46145
46146
46147
46148
46149
46150
46151
46152
46153
46154
46155
46156
46157
46158
46159
46160
46161
46162
46163
46164
46165
46166
46167
46168
46169
46170
46171
46172
46173
46174
46175
46176
46177
46178
46179
46180
46181
46182
46183
46184
46185
46186
46187
46188
46189
46190
46191
46192
46193
46194
46195
46196
46197
46198
46199
46200
46201
46202
46203
46204
46205
46206
46207
46208
46209
46210
46211
46212
46213
46214
46215
46216
46217
46218
46219
46220
46221
46222
46223
46224
46225
46226
46227
46228
46229
46230
46231
46232
46233
46234
46235
46236
46237
46238
46239
46240
46241
46242
46243
46244
46245
46246
46247
46248
46249
46250
46251
46252
46253
46254
46255
46256
46257
46258
46259
46260
46261
46262
46263
46264
46265
46266
46267
46268
46269
46270
46271
46272
46273
46274
46275
46276
46277
46278
46279
46280
46281
46282
46283
46284
46285
46286
46287
46288
46289
46290
46291
46292
46293
46294
46295
46296
46297
46298
46299
46300
46301
46302
46303
46304
46305
46306
46307
46308
46309
46310
46311
46312
46313
46314
46315
46316
46317
46318
46319
46320
46321
46322
46323
46324
46325
46326
46327
46328
46329
46330
46331
46332
46333
46334
46335
46336
46337
46338
46339
46340
46341
46342
46343
46344
46345
46346
46347
46348
46349
46350
46351
46352
46353
46354
46355
46356
46357
46358
46359
46360
46361
46362
46363
46364
46365
46366
46367
46368
46369
46370
46371
46372
46373
46374
46375
46376
46377
46378
46379
46380
46381
46382
46383
46384
46385
46386
46387
46388
46389
46390
46391
46392
46393
46394
46395
46396
46397
46398
46399
46400
46401
46402
46403
46404
46405
46406
46407
46408
46409
46410
46411
46412
46413
46414
46415
46416
46417
46418
46419
46420
46421
46422
46423
46424
46425
46426
46427
46428
46429
46430
46431
46432
46433
46434
46435
46436
46437
46438
46439
46440
46441
46442
46443
46444
46445
46446
46447
46448
46449
46450
46451
46452
46453
46454
46455
46456
46457
46458
46459
46460
46461
46462
46463
46464
46465
46466
46467
46468
46469
46470
46471
46472
46473
46474
46475
46476
46477
46478
46479
46480
46481
46482
46483
46484
46485
46486
46487
46488
46489
46490
46491
46492
46493
46494
46495
46496
46497
46498
46499
46500
46501
46502
46503
46504
46505
46506
46507
46508
46509
46510
46511
46512
46513
46514
46515
46516
46517
46518
46519
46520
46521
46522
46523
46524
46525
46526
46527
46528
46529
46530
46531
46532
46533
46534
46535
46536
46537
46538
46539
46540
46541
46542
46543
46544
46545
46546
46547
46548
46549
46550
46551
46552
46553
46554
46555
46556
46557
46558
46559
46560
46561
46562
46563
46564
46565
46566
46567
46568
46569
46570
46571
46572
46573
46574
46575
46576
46577
46578
46579
46580
46581
46582
46583
46584
46585
46586
46587
46588
46589
46590
46591
46592
46593
46594
46595
46596
46597
46598
46599
46600
46601
46602
46603
46604
46605
46606
46607
46608
46609
46610
46611
46612
46613
46614
46615
46616
46617
46618
46619
46620
46621
46622
46623
46624
46625
46626
46627
46628
46629
46630
46631
46632
46633
46634
46635
46636
46637
46638
46639
46640
46641
46642
46643
46644
46645
46646
46647
46648
46649
46650
46651
46652
46653
46654
46655
46656
46657
46658
46659
46660
46661
46662
46663
46664
46665
46666
46667
46668
46669
46670
46671
46672
46673
46674
46675
46676
46677
46678
46679
46680
46681
46682
46683
46684
46685
46686
46687
46688
46689
46690
46691
46692
46693
46694
46695
46696
46697
46698
46699
46700
46701
46702
46703
46704
46705
46706
46707
46708
46709
46710
46711
46712
46713
46714
46715
46716
46717
46718
46719
46720
46721
46722
46723
46724
46725
46726
46727
46728
46729
46730
46731
46732
46733
46734
46735
46736
46737
46738
46739
46740
46741
46742
46743
46744
46745
46746
46747
46748
46749
46750
46751
46752
46753
46754
46755
46756
46757
46758
46759
46760
46761
46762
46763
46764
46765
46766
46767
46768
46769
46770
46771
46772
46773
46774
46775
46776
46777
46778
46779
46780
46781
46782
46783
46784
46785
46786
46787
46788
46789
46790
46791
46792
46793
46794
46795
46796
46797
46798
46799
46800
46801
46802
46803
46804
46805
46806
46807
46808
46809
46810
46811
46812
46813
46814
46815
46816
46817
46818
46819
46820
46821
46822
46823
46824
46825
46826
46827
46828
46829
46830
46831
46832
46833
46834
46835
46836
46837
46838
46839
46840
46841
46842
46843
46844
46845
46846
46847
46848
46849
46850
46851
46852
46853
46854
46855
46856
46857
46858
46859
46860
46861
46862
46863
46864
46865
46866
46867
46868
46869
46870
46871
46872
46873
46874
46875
46876
46877
46878
46879
46880
46881
46882
46883
46884
46885
46886
46887
46888
46889
46890
46891
46892
46893
46894
46895
46896
46897
46898
46899
46900
46901
46902
46903
46904
46905
46906
46907
46908
46909
46910
46911
46912
46913
46914
46915
46916
46917
46918
46919
46920
46921
46922
46923
46924
46925
46926
46927
46928
46929
46930
46931
46932
46933
46934
46935
46936
46937
46938
46939
46940
46941
46942
46943
46944
46945
46946
46947
46948
46949
46950
46951
46952
46953
46954
46955
46956
46957
46958
46959
46960
46961
46962
46963
46964
46965
46966
46967
46968
46969
46970
46971
46972
46973
46974
46975
46976
46977
46978
46979
46980
46981
46982
46983
46984
46985
46986
46987
46988
46989
46990
46991
46992
46993
46994
46995
46996
46997
46998
46999
47000
47001
47002
47003
47004
47005
47006
47007
47008
47009
47010
47011
47012
47013
47014
47015
47016
47017
47018
47019
47020
47021
47022
47023
47024
47025
47026
47027
47028
47029
47030
47031
47032
47033
47034
47035
47036
47037
47038
47039
47040
47041
47042
47043
47044
47045
47046
47047
47048
47049
47050
47051
47052
47053
47054
47055
47056
47057
47058
47059
47060
47061
47062
47063
47064
47065
47066
47067
47068
47069
47070
47071
47072
47073
47074
47075
47076
47077
47078
47079
47080
47081
47082
47083
47084
47085
47086
47087
47088
47089
47090
47091
47092
47093
47094
47095
47096
47097
47098
47099
47100
47101
47102
47103
47104
47105
47106
47107
47108
47109
47110
47111
47112
47113
47114
47115
47116
47117
47118
47119
47120
47121
47122
47123
47124
47125
47126
47127
47128
47129
47130
47131
47132
47133
47134
47135
47136
47137
47138
47139
47140
47141
47142
47143
47144
47145
47146
47147
47148
47149
47150
47151
47152
47153
47154
47155
47156
47157
47158
47159
47160
47161
47162
47163
47164
47165
47166
47167
47168
47169
47170
47171
47172
47173
47174
47175
47176
47177
47178
47179
47180
47181
47182
47183
47184
47185
47186
47187
47188
47189
47190
47191
47192
47193
47194
47195
47196
47197
47198
47199
47200
47201
47202
47203
47204
47205
47206
47207
47208
47209
47210
47211
47212
47213
47214
47215
47216
47217
47218
47219
47220
47221
47222
47223
47224
47225
47226
47227
47228
47229
47230
47231
47232
47233
47234
47235
47236
47237
47238
47239
47240
47241
47242
47243
47244
47245
47246
47247
47248
47249
47250
47251
47252
47253
47254
47255
47256
47257
47258
47259
47260
47261
47262
47263
47264
47265
47266
47267
47268
47269
47270
47271
47272
47273
47274
47275
47276
47277
47278
47279
47280
47281
47282
47283
47284
47285
47286
47287
47288
47289
47290
47291
47292
47293
47294
47295
47296
47297
47298
47299
47300
47301
47302
47303
47304
47305
47306
47307
47308
47309
47310
47311
47312
47313
47314
47315
47316
47317
47318
47319
47320
47321
47322
47323
47324
47325
47326
47327
47328
47329
47330
47331
47332
47333
47334
47335
47336
47337
47338
47339
47340
47341
47342
47343
47344
47345
47346
47347
47348
47349
47350
47351
47352
47353
47354
47355
47356
47357
47358
47359
47360
47361
47362
47363
47364
47365
47366
47367
47368
47369
47370
47371
47372
47373
47374
47375
47376
47377
47378
47379
47380
47381
47382
47383
47384
47385
47386
47387
47388
47389
47390
47391
47392
47393
47394
47395
47396
47397
47398
47399
47400
47401
47402
47403
47404
47405
47406
47407
47408
47409
47410
47411
47412
47413
47414
47415
47416
47417
47418
47419
47420
47421
47422
47423
47424
47425
47426
47427
47428
47429
47430
47431
47432
47433
47434
47435
47436
47437
47438
47439
47440
47441
47442
47443
47444
47445
47446
47447
47448
47449
47450
47451
47452
47453
47454
47455
47456
47457
47458
47459
47460
47461
47462
47463
47464
47465
47466
47467
47468
47469
47470
47471
47472
47473
47474
47475
47476
47477
47478
47479
47480
47481
47482
47483
47484
47485
47486
47487
47488
47489
47490
47491
47492
47493
47494
47495
47496
47497
47498
47499
47500
47501
47502
47503
47504
47505
47506
47507
47508
47509
47510
47511
47512
47513
47514
47515
47516
47517
47518
47519
47520
47521
47522
47523
47524
47525
47526
47527
47528
47529
47530
47531
47532
47533
47534
47535
47536
47537
47538
47539
47540
47541
47542
47543
47544
47545
47546
47547
47548
47549
47550
47551
47552
47553
47554
47555
47556
47557
47558
47559
47560
47561
47562
47563
47564
47565
47566
47567
47568
47569
47570
47571
47572
47573
47574
47575
47576
47577
47578
47579
47580
47581
47582
47583
47584
47585
47586
47587
47588
47589
47590
47591
47592
47593
47594
47595
47596
47597
47598
47599
47600
47601
47602
47603
47604
47605
47606
47607
47608
47609
47610
47611
47612
47613
47614
47615
47616
47617
47618
47619
47620
47621
47622
47623
47624
47625
47626
47627
47628
47629
47630
47631
47632
47633
47634
47635
47636
47637
47638
47639
47640
47641
47642
47643
47644
47645
47646
47647
47648
47649
47650
47651
47652
47653
47654
47655
47656
47657
47658
47659
47660
47661
47662
47663
47664
47665
47666
47667
47668
47669
47670
47671
47672
47673
47674
47675
47676
47677
47678
47679
47680
47681
47682
47683
47684
47685
47686
47687
47688
47689
47690
47691
47692
47693
47694
47695
47696
47697
47698
47699
47700
47701
47702
47703
47704
47705
47706
47707
47708
47709
47710
47711
47712
47713
47714
47715
47716
47717
47718
47719
47720
47721
47722
47723
47724
47725
47726
47727
47728
47729
47730
47731
47732
47733
47734
47735
47736
47737
47738
47739
47740
47741
47742
47743
47744
47745
47746
47747
47748
47749
47750
47751
47752
47753
47754
47755
47756
47757
47758
47759
47760
47761
47762
47763
47764
47765
47766
47767
47768
47769
47770
47771
47772
47773
47774
47775
47776
47777
47778
47779
47780
47781
47782
47783
47784
47785
47786
47787
47788
47789
47790
47791
47792
47793
47794
47795
47796
47797
47798
47799
47800
47801
47802
47803
47804
47805
47806
47807
47808
47809
47810
47811
47812
47813
47814
47815
47816
47817
47818
47819
47820
47821
47822
47823
47824
47825
47826
47827
47828
47829
47830
47831
47832
47833
47834
47835
47836
47837
47838
47839
47840
47841
47842
47843
47844
47845
47846
47847
47848
47849
47850
47851
47852
47853
47854
47855
47856
47857
47858
47859
47860
47861
47862
47863
47864
47865
47866
47867
47868
47869
47870
47871
47872
47873
47874
47875
47876
47877
47878
47879
47880
47881
47882
47883
47884
47885
47886
47887
47888
47889
47890
47891
47892
47893
47894
47895
47896
47897
47898
47899
47900
47901
47902
47903
47904
47905
47906
47907
47908
47909
47910
47911
47912
47913
47914
47915
47916
47917
47918
47919
47920
47921
47922
47923
47924
47925
47926
47927
47928
47929
47930
47931
47932
47933
47934
47935
47936
47937
47938
47939
47940
47941
47942
47943
47944
47945
47946
47947
47948
47949
47950
47951
47952
47953
47954
47955
47956
47957
47958
47959
47960
47961
47962
47963
47964
47965
47966
47967
47968
47969
47970
47971
47972
47973
47974
47975
47976
47977
47978
47979
47980
47981
47982
47983
47984
47985
47986
47987
47988
47989
47990
47991
47992
47993
47994
47995
47996
47997
47998
47999
48000
48001
48002
48003
48004
48005
48006
48007
48008
48009
48010
48011
48012
48013
48014
48015
48016
48017
48018
48019
48020
48021
48022
48023
48024
48025
48026
48027
48028
48029
48030
48031
48032
48033
48034
48035
48036
48037
48038
48039
48040
48041
48042
48043
48044
48045
48046
48047
48048
48049
48050
48051
48052
48053
48054
48055
48056
48057
48058
48059
48060
48061
48062
48063
48064
48065
48066
48067
48068
48069
48070
48071
48072
48073
48074
48075
48076
48077
48078
48079
48080
48081
48082
48083
48084
48085
48086
48087
48088
48089
48090
48091
48092
48093
48094
48095
48096
48097
48098
48099
48100
48101
48102
48103
48104
48105
48106
48107
48108
48109
48110
48111
48112
48113
48114
48115
48116
48117
48118
48119
48120
48121
48122
48123
48124
48125
48126
48127
48128
48129
48130
48131
48132
48133
48134
48135
48136
48137
48138
48139
48140
48141
48142
48143
48144
48145
48146
48147
48148
48149
48150
48151
48152
48153
48154
48155
48156
48157
48158
48159
48160
48161
48162
48163
48164
48165
48166
48167
48168
48169
48170
48171
48172
48173
48174
48175
48176
48177
48178
48179
48180
48181
48182
48183
48184
48185
48186
48187
48188
48189
48190
48191
48192
48193
48194
48195
48196
48197
48198
48199
48200
48201
48202
48203
48204
48205
48206
48207
48208
48209
48210
48211
48212
48213
48214
48215
48216
48217
48218
48219
48220
48221
48222
48223
48224
48225
48226
48227
48228
48229
48230
48231
48232
48233
48234
48235
48236
48237
48238
48239
48240
48241
48242
48243
48244
48245
48246
48247
48248
48249
48250
48251
48252
48253
48254
48255
48256
48257
48258
48259
48260
48261
48262
48263
48264
48265
48266
48267
48268
48269
48270
48271
48272
48273
48274
48275
48276
48277
48278
48279
48280
48281
48282
48283
48284
48285
48286
48287
48288
48289
48290
48291
48292
48293
48294
48295
48296
48297
48298
48299
48300
48301
48302
48303
48304
48305
48306
48307
48308
48309
48310
48311
48312
48313
48314
48315
48316
48317
48318
48319
48320
48321
48322
48323
48324
48325
48326
48327
48328
48329
48330
48331
48332
48333
48334
48335
48336
48337
48338
48339
48340
48341
48342
48343
48344
48345
48346
48347
48348
48349
48350
48351
48352
48353
48354
48355
48356
48357
48358
48359
48360
48361
48362
48363
48364
48365
48366
48367
48368
48369
48370
48371
48372
48373
48374
48375
48376
48377
48378
48379
48380
48381
48382
48383
48384
48385
48386
48387
48388
48389
48390
48391
48392
48393
48394
48395
48396
48397
48398
48399
48400
48401
48402
48403
48404
48405
48406
48407
48408
48409
48410
48411
48412
48413
48414
48415
48416
48417
48418
48419
48420
48421
48422
48423
48424
48425
48426
48427
48428
48429
48430
48431
48432
48433
48434
48435
48436
48437
48438
48439
48440
48441
48442
48443
48444
48445
48446
48447
48448
48449
48450
48451
48452
48453
48454
48455
48456
48457
48458
48459
48460
48461
48462
48463
48464
48465
48466
48467
48468
48469
48470
48471
48472
48473
48474
48475
48476
48477
48478
48479
48480
48481
48482
48483
48484
48485
48486
48487
48488
48489
48490
48491
48492
48493
48494
48495
48496
48497
48498
48499
48500
48501
48502
48503
48504
48505
48506
48507
48508
48509
48510
48511
48512
48513
48514
48515
48516
48517
48518
48519
48520
48521
48522
48523
48524
48525
48526
48527
48528
48529
48530
48531
48532
48533
48534
48535
48536
48537
48538
48539
48540
48541
48542
48543
48544
48545
48546
48547
48548
48549
48550
48551
48552
48553
48554
48555
48556
48557
48558
48559
48560
48561
48562
48563
48564
48565
48566
48567
48568
48569
48570
48571
48572
48573
48574
48575
48576
48577
48578
48579
48580
48581
48582
48583
48584
48585
48586
48587
48588
48589
48590
48591
48592
48593
48594
48595
48596
48597
48598
48599
48600
48601
48602
48603
48604
48605
48606
48607
48608
48609
48610
48611
48612
48613
48614
48615
48616
48617
48618
48619
48620
48621
48622
48623
48624
48625
48626
48627
48628
48629
48630
48631
48632
48633
48634
48635
48636
48637
48638
48639
48640
48641
48642
48643
48644
48645
48646
48647
48648
48649
48650
48651
48652
48653
48654
48655
48656
48657
48658
48659
48660
48661
48662
48663
48664
48665
48666
48667
48668
48669
48670
48671
48672
48673
48674
48675
48676
48677
48678
48679
48680
48681
48682
48683
48684
48685
48686
48687
48688
48689
48690
48691
48692
48693
48694
48695
48696
48697
48698
48699
48700
48701
48702
48703
48704
48705
48706
48707
48708
48709
48710
48711
48712
48713
48714
48715
48716
48717
48718
48719
48720
48721
48722
48723
48724
48725
48726
48727
48728
48729
48730
48731
48732
48733
48734
48735
48736
48737
48738
48739
48740
48741
48742
48743
48744
48745
48746
48747
48748
48749
48750
48751
48752
48753
48754
48755
48756
48757
48758
48759
48760
48761
48762
48763
48764
48765
48766
48767
48768
48769
48770
48771
48772
48773
48774
48775
48776
48777
48778
48779
48780
48781
48782
48783
48784
48785
48786
48787
48788
48789
48790
48791
48792
48793
48794
48795
48796
48797
48798
48799
48800
48801
48802
48803
48804
48805
48806
48807
48808
48809
48810
48811
48812
48813
48814
48815
48816
48817
48818
48819
48820
48821
48822
48823
48824
48825
48826
48827
48828
48829
48830
48831
48832
48833
48834
48835
48836
48837
48838
48839
48840
48841
48842
48843
48844
48845
48846
48847
48848
48849
48850
48851
48852
48853
48854
48855
48856
48857
48858
48859
48860
48861
48862
48863
48864
48865
48866
48867
48868
48869
48870
48871
48872
48873
48874
48875
48876
48877
48878
48879
48880
48881
48882
48883
48884
48885
48886
48887
48888
48889
48890
48891
48892
48893
48894
48895
48896
48897
48898
48899
48900
48901
48902
48903
48904
48905
48906
48907
48908
48909
48910
48911
48912
48913
48914
48915
48916
48917
48918
48919
48920
48921
48922
48923
48924
48925
48926
48927
48928
48929
48930
48931
48932
48933
48934
48935
48936
48937
48938
48939
48940
48941
48942
48943
48944
48945
48946
48947
48948
48949
48950
48951
48952
48953
48954
48955
48956
48957
48958
48959
48960
48961
48962
48963
48964
48965
48966
48967
48968
48969
48970
48971
48972
48973
48974
48975
48976
48977
48978
48979
48980
48981
48982
48983
48984
48985
48986
48987
48988
48989
48990
48991
48992
48993
48994
48995
48996
48997
48998
48999
49000
49001
49002
49003
49004
49005
49006
49007
49008
49009
49010
49011
49012
49013
49014
49015
49016
49017
49018
49019
49020
49021
49022
49023
49024
49025
49026
49027
49028
49029
49030
49031
49032
49033
49034
49035
49036
49037
49038
49039
49040
49041
49042
49043
49044
49045
49046
49047
49048
49049
49050
49051
49052
49053
49054
49055
49056
49057
49058
49059
49060
49061
49062
49063
49064
49065
49066
49067
49068
49069
49070
49071
49072
49073
49074
49075
49076
49077
49078
49079
49080
49081
49082
49083
49084
49085
49086
49087
49088
49089
49090
49091
49092
49093
49094
49095
49096
49097
49098
49099
49100
49101
49102
49103
49104
49105
49106
49107
49108
49109
49110
49111
49112
49113
49114
49115
49116
49117
49118
49119
49120
49121
49122
49123
49124
49125
49126
49127
49128
49129
49130
49131
49132
49133
49134
49135
49136
49137
49138
49139
49140
49141
49142
49143
49144
49145
49146
49147
49148
49149
49150
49151
49152
49153
49154
49155
49156
49157
49158
49159
49160
49161
49162
49163
49164
49165
49166
49167
49168
49169
49170
49171
49172
49173
49174
49175
49176
49177
49178
49179
49180
49181
49182
49183
49184
49185
49186
49187
49188
49189
49190
49191
49192
49193
49194
49195
49196
49197
49198
49199
49200
49201
49202
49203
49204
49205
49206
49207
49208
49209
49210
49211
49212
49213
49214
49215
49216
49217
49218
49219
49220
49221
49222
49223
49224
49225
49226
49227
49228
49229
49230
49231
49232
49233
49234
49235
49236
49237
49238
49239
49240
49241
49242
49243
49244
49245
49246
49247
49248
49249
49250
49251
49252
49253
49254
49255
49256
49257
49258
49259
49260
49261
49262
49263
49264
49265
49266
49267
49268
49269
49270
49271
49272
49273
49274
49275
49276
49277
49278
49279
49280
49281
49282
49283
49284
49285
49286
49287
49288
49289
49290
49291
49292
49293
49294
49295
49296
49297
49298
49299
49300
49301
49302
49303
49304
49305
49306
49307
49308
49309
49310
49311
49312
49313
49314
49315
49316
49317
49318
49319
49320
49321
49322
49323
49324
49325
49326
49327
49328
49329
49330
49331
49332
49333
49334
49335
49336
49337
49338
49339
49340
49341
49342
49343
49344
49345
49346
49347
49348
49349
49350
49351
49352
49353
49354
49355
49356
49357
49358
49359
49360
49361
49362
49363
49364
49365
49366
49367
49368
49369
49370
49371
49372
49373
49374
49375
49376
49377
49378
49379
49380
49381
49382
49383
49384
49385
49386
49387
49388
49389
49390
49391
49392
49393
49394
49395
49396
49397
49398
49399
49400
49401
49402
49403
49404
49405
49406
49407
49408
49409
49410
49411
49412
49413
49414
49415
49416
49417
49418
49419
49420
49421
49422
49423
49424
49425
49426
49427
49428
49429
49430
49431
49432
49433
49434
49435
49436
49437
49438
49439
49440
49441
49442
49443
49444
49445
49446
49447
49448
49449
49450
49451
49452
49453
49454
49455
49456
49457
49458
49459
49460
49461
49462
49463
49464
49465
49466
49467
49468
49469
49470
49471
49472
49473
49474
49475
49476
49477
49478
49479
49480
49481
49482
49483
49484
49485
49486
49487
49488
49489
49490
49491
49492
49493
49494
49495
49496
49497
49498
49499
49500
49501
49502
49503
49504
49505
49506
49507
49508
49509
49510
49511
49512
49513
49514
49515
49516
49517
49518
49519
49520
49521
49522
49523
49524
49525
49526
49527
49528
49529
49530
49531
49532
49533
49534
49535
49536
49537
49538
49539
49540
49541
49542
49543
49544
49545
49546
49547
49548
49549
49550
49551
49552
49553
49554
49555
49556
49557
49558
49559
49560
49561
49562
49563
49564
49565
49566
49567
49568
49569
49570
49571
49572
49573
49574
49575
49576
49577
49578
49579
49580
49581
49582
49583
49584
49585
49586
49587
49588
49589
49590
49591
49592
49593
49594
49595
49596
49597
49598
49599
49600
49601
49602
49603
49604
49605
49606
49607
49608
49609
49610
49611
49612
49613
49614
49615
49616
49617
49618
49619
49620
49621
49622
49623
49624
49625
49626
49627
49628
49629
49630
49631
49632
49633
49634
49635
49636
49637
49638
49639
49640
49641
49642
49643
49644
49645
49646
49647
49648
49649
49650
49651
49652
49653
49654
49655
49656
49657
49658
49659
49660
49661
49662
49663
49664
49665
49666
49667
49668
49669
49670
49671
49672
49673
49674
49675
49676
49677
49678
49679
49680
49681
49682
49683
49684
49685
49686
49687
49688
49689
49690
49691
49692
49693
49694
49695
49696
49697
49698
49699
49700
49701
49702
49703
49704
49705
49706
49707
49708
49709
49710
49711
49712
49713
49714
49715
49716
49717
49718
49719
49720
49721
49722
49723
49724
49725
49726
49727
49728
49729
49730
49731
49732
49733
49734
49735
49736
49737
49738
49739
49740
49741
49742
49743
49744
49745
49746
49747
49748
49749
49750
49751
49752
49753
49754
49755
49756
49757
49758
49759
49760
49761
49762
49763
49764
49765
49766
49767
49768
49769
49770
49771
49772
49773
49774
49775
49776
49777
49778
49779
49780
49781
49782
49783
49784
49785
49786
49787
49788
49789
49790
49791
49792
49793
49794
49795
49796
49797
49798
49799
49800
49801
49802
49803
49804
49805
49806
49807
49808
49809
49810
49811
49812
49813
49814
49815
49816
49817
49818
49819
49820
49821
49822
49823
49824
49825
49826
49827
49828
49829
49830
49831
49832
49833
49834
49835
49836
49837
49838
49839
49840
49841
49842
49843
49844
49845
49846
49847
49848
49849
49850
49851
49852
49853
49854
49855
49856
49857
49858
49859
49860
49861
49862
49863
49864
49865
49866
49867
49868
49869
49870
49871
49872
49873
49874
49875
49876
49877
49878
49879
49880
49881
49882
49883
49884
49885
49886
49887
49888
49889
49890
49891
49892
49893
49894
49895
49896
49897
49898
49899
49900
49901
49902
49903
49904
49905
49906
49907
49908
49909
49910
49911
49912
49913
49914
49915
49916
49917
49918
49919
49920
49921
49922
49923
49924
49925
49926
49927
49928
49929
49930
49931
49932
49933
49934
49935
49936
49937
49938
49939
49940
49941
49942
49943
49944
49945
49946
49947
49948
49949
49950
49951
49952
49953
49954
49955
49956
49957
49958
49959
49960
49961
49962
49963
49964
49965
49966
49967
49968
49969
49970
49971
49972
49973
49974
49975
49976
49977
49978
49979
49980
49981
49982
49983
49984
49985
49986
49987
49988
49989
49990
49991
49992
49993
49994
49995
49996
49997
49998
49999
50000
50001
50002
50003
50004
50005
50006
50007
50008
50009
50010
50011
50012
50013
50014
50015
50016
50017
50018
50019
50020
50021
50022
50023
50024
50025
50026
50027
50028
50029
50030
50031
50032
50033
50034
50035
50036
50037
50038
50039
50040
50041
50042
50043
50044
50045
50046
50047
50048
50049
50050
50051
50052
50053
50054
50055
50056
50057
50058
50059
50060
50061
50062
50063
50064
50065
50066
50067
50068
50069
50070
50071
50072
50073
50074
50075
50076
50077
50078
50079
50080
50081
50082
50083
50084
50085
50086
50087
50088
50089
50090
50091
50092
50093
50094
50095
50096
50097
50098
50099
50100
50101
50102
50103
50104
50105
50106
50107
50108
50109
50110
50111
50112
50113
50114
50115
50116
50117
50118
50119
50120
50121
50122
50123
50124
50125
50126
50127
50128
50129
50130
50131
50132
50133
50134
50135
50136
50137
50138
50139
50140
50141
50142
50143
50144
50145
50146
50147
50148
50149
50150
50151
50152
50153
50154
50155
50156
50157
50158
50159
50160
50161
50162
50163
50164
50165
50166
50167
50168
50169
50170
50171
50172
50173
50174
50175
50176
50177
50178
50179
50180
50181
50182
50183
50184
50185
50186
50187
50188
50189
50190
50191
50192
50193
50194
50195
50196
50197
50198
50199
50200
50201
50202
50203
50204
50205
50206
50207
50208
50209
50210
50211
50212
50213
50214
50215
50216
50217
50218
50219
50220
50221
50222
50223
50224
50225
50226
50227
50228
50229
50230
50231
50232
50233
50234
50235
50236
50237
50238
50239
50240
50241
50242
50243
50244
50245
50246
50247
50248
50249
50250
50251
50252
50253
50254
50255
50256
50257
50258
50259
50260
50261
50262
50263
50264
50265
50266
50267
50268
50269
50270
50271
50272
50273
50274
50275
50276
50277
50278
50279
50280
50281
50282
50283
50284
50285
50286
50287
50288
50289
50290
50291
50292
50293
50294
50295
50296
50297
50298
50299
50300
50301
50302
50303
50304
50305
50306
50307
50308
50309
50310
50311
50312
50313
50314
50315
50316
50317
50318
50319
50320
50321
50322
50323
50324
50325
50326
50327
50328
50329
50330
50331
50332
50333
50334
50335
50336
50337
50338
50339
50340
50341
50342
50343
50344
50345
50346
50347
50348
50349
50350
50351
50352
50353
50354
50355
50356
50357
50358
50359
50360
50361
50362
50363
50364
50365
50366
50367
50368
50369
50370
50371
50372
50373
50374
50375
50376
50377
50378
50379
50380
50381
50382
50383
50384
50385
50386
50387
50388
50389
50390
50391
50392
50393
50394
50395
50396
50397
50398
50399
50400
50401
50402
50403
50404
50405
50406
50407
50408
50409
50410
50411
50412
50413
50414
50415
50416
50417
50418
50419
50420
50421
50422
50423
50424
50425
50426
50427
50428
50429
50430
50431
50432
50433
50434
50435
50436
50437
50438
50439
50440
50441
50442
50443
50444
50445
50446
50447
50448
50449
50450
50451
50452
50453
50454
50455
50456
50457
50458
50459
50460
50461
50462
50463
50464
50465
50466
50467
50468
50469
50470
50471
50472
50473
50474
50475
50476
50477
50478
50479
50480
50481
50482
50483
50484
50485
50486
50487
50488
50489
50490
50491
50492
50493
50494
50495
50496
50497
50498
50499
50500
50501
50502
50503
50504
50505
50506
50507
50508
50509
50510
50511
50512
50513
50514
50515
50516
50517
50518
50519
50520
50521
50522
50523
50524
50525
50526
50527
50528
50529
50530
50531
50532
50533
50534
50535
50536
50537
50538
50539
50540
50541
50542
50543
50544
50545
50546
50547
50548
50549
50550
50551
50552
50553
50554
50555
50556
50557
50558
50559
50560
50561
50562
50563
50564
50565
50566
50567
50568
50569
50570
50571
50572
50573
50574
50575
50576
50577
50578
50579
50580
50581
50582
50583
50584
50585
50586
50587
50588
50589
50590
50591
50592
50593
50594
50595
50596
50597
50598
50599
50600
50601
50602
50603
50604
50605
50606
50607
50608
50609
50610
50611
50612
50613
50614
50615
50616
50617
50618
50619
50620
50621
50622
50623
50624
50625
50626
50627
50628
50629
50630
50631
50632
50633
50634
50635
50636
50637
50638
50639
50640
50641
50642
50643
50644
50645
50646
50647
50648
50649
50650
50651
50652
50653
50654
50655
50656
50657
50658
50659
50660
50661
50662
50663
50664
50665
50666
50667
50668
50669
50670
50671
50672
50673
50674
50675
50676
50677
50678
50679
50680
50681
50682
50683
50684
50685
50686
50687
50688
50689
50690
50691
50692
50693
50694
50695
50696
50697
50698
50699
50700
50701
50702
50703
50704
50705
50706
50707
50708
50709
50710
50711
50712
50713
50714
50715
50716
50717
50718
50719
50720
50721
50722
50723
50724
50725
50726
50727
50728
50729
50730
50731
50732
50733
50734
50735
50736
50737
50738
50739
50740
50741
50742
50743
50744
50745
50746
50747
50748
50749
50750
50751
50752
50753
50754
50755
50756
50757
50758
50759
50760
50761
50762
50763
50764
50765
50766
50767
50768
50769
50770
50771
50772
50773
50774
50775
50776
50777
50778
50779
50780
50781
50782
50783
50784
50785
50786
50787
50788
50789
50790
50791
50792
50793
50794
50795
50796
50797
50798
50799
50800
50801
50802
50803
50804
50805
50806
50807
50808
50809
50810
50811
50812
50813
50814
50815
50816
50817
50818
50819
50820
50821
50822
50823
50824
50825
50826
50827
50828
50829
50830
50831
50832
50833
50834
50835
50836
50837
50838
50839
50840
50841
50842
50843
50844
50845
50846
50847
50848
50849
50850
50851
50852
50853
50854
50855
50856
50857
50858
50859
50860
50861
50862
50863
50864
50865
50866
50867
50868
50869
50870
50871
50872
50873
50874
50875
50876
50877
50878
50879
50880
50881
50882
50883
50884
50885
50886
50887
50888
50889
50890
50891
50892
50893
50894
50895
50896
50897
50898
50899
50900
50901
50902
50903
50904
50905
50906
50907
50908
50909
50910
50911
50912
50913
50914
50915
50916
50917
50918
50919
50920
50921
50922
50923
50924
50925
50926
50927
50928
50929
50930
50931
50932
50933
50934
50935
50936
50937
50938
50939
50940
50941
50942
50943
50944
50945
50946
50947
50948
50949
50950
50951
50952
50953
50954
50955
50956
50957
50958
50959
50960
50961
50962
50963
50964
50965
50966
50967
50968
50969
50970
50971
50972
50973
50974
50975
50976
50977
50978
50979
50980
50981
50982
50983
50984
50985
50986
50987
50988
50989
50990
50991
50992
50993
50994
50995
50996
50997
50998
50999
51000
51001
51002
51003
51004
51005
51006
51007
51008
51009
51010
51011
51012
51013
51014
51015
51016
51017
51018
51019
51020
51021
51022
51023
51024
51025
51026
51027
51028
51029
51030
51031
51032
51033
51034
51035
51036
51037
51038
51039
51040
51041
51042
51043
51044
51045
51046
51047
51048
51049
51050
51051
51052
51053
51054
51055
51056
51057
51058
51059
51060
51061
51062
51063
51064
51065
51066
51067
51068
51069
51070
51071
51072
51073
51074
51075
51076
51077
51078
51079
51080
51081
51082
51083
51084
51085
51086
51087
51088
51089
51090
51091
51092
51093
51094
51095
51096
51097
51098
51099
51100
51101
51102
51103
51104
51105
51106
51107
51108
51109
51110
51111
51112
51113
51114
51115
51116
51117
51118
51119
51120
51121
51122
51123
51124
51125
51126
51127
51128
51129
51130
51131
51132
51133
51134
51135
51136
51137
51138
51139
51140
51141
51142
51143
51144
51145
51146
51147
51148
51149
51150
51151
51152
51153
51154
51155
51156
51157
51158
51159
51160
51161
51162
51163
51164
51165
51166
51167
51168
51169
51170
51171
51172
51173
51174
51175
51176
51177
51178
51179
51180
51181
51182
51183
51184
51185
51186
51187
51188
51189
51190
51191
51192
51193
51194
51195
51196
51197
51198
51199
51200
51201
51202
51203
51204
51205
51206
51207
51208
51209
51210
51211
51212
51213
51214
51215
51216
51217
51218
51219
51220
51221
51222
51223
51224
51225
51226
51227
51228
51229
51230
51231
51232
51233
51234
51235
51236
51237
51238
51239
51240
51241
51242
51243
51244
51245
51246
51247
51248
51249
51250
51251
51252
51253
51254
51255
51256
51257
51258
51259
51260
51261
51262
51263
51264
51265
51266
51267
51268
51269
51270
51271
51272
51273
51274
51275
51276
51277
51278
51279
51280
51281
51282
51283
51284
51285
51286
51287
51288
51289
51290
51291
51292
51293
51294
51295
51296
51297
51298
51299
51300
51301
51302
51303
51304
51305
51306
51307
51308
51309
51310
51311
51312
51313
51314
51315
51316
51317
51318
51319
51320
51321
51322
51323
51324
51325
51326
51327
51328
51329
51330
51331
51332
51333
51334
51335
51336
51337
51338
51339
51340
51341
51342
51343
51344
51345
51346
51347
51348
51349
51350
51351
51352
51353
51354
51355
51356
51357
51358
51359
51360
51361
51362
51363
51364
51365
51366
51367
51368
51369
51370
51371
51372
51373
51374
51375
51376
51377
51378
51379
51380
51381
51382
51383
51384
51385
51386
51387
51388
51389
51390
51391
51392
51393
51394
51395
51396
51397
51398
51399
51400
51401
51402
51403
51404
51405
51406
51407
51408
51409
51410
51411
51412
51413
51414
51415
51416
51417
51418
51419
51420
51421
51422
51423
51424
51425
51426
51427
51428
51429
51430
51431
51432
51433
51434
51435
51436
51437
51438
51439
51440
51441
51442
51443
51444
51445
51446
51447
51448
51449
51450
51451
51452
51453
51454
51455
51456
51457
51458
51459
51460
51461
51462
51463
51464
51465
51466
51467
51468
51469
51470
51471
51472
51473
51474
51475
51476
51477
51478
51479
51480
51481
51482
51483
51484
51485
51486
51487
51488
51489
51490
51491
51492
51493
51494
51495
51496
51497
51498
51499
51500
51501
51502
51503
51504
51505
51506
51507
51508
51509
51510
51511
51512
51513
51514
51515
51516
51517
51518
51519
51520
51521
51522
51523
51524
51525
51526
51527
51528
51529
51530
51531
51532
51533
51534
51535
51536
51537
51538
51539
51540
51541
51542
51543
51544
51545
51546
51547
51548
51549
51550
51551
51552
51553
51554
51555
51556
51557
51558
51559
51560
51561
51562
51563
51564
51565
51566
51567
51568
51569
51570
51571
51572
51573
51574
51575
51576
51577
51578
51579
51580
51581
51582
51583
51584
51585
51586
51587
51588
51589
51590
51591
51592
51593
51594
51595
51596
51597
51598
51599
51600
51601
51602
51603
51604
51605
51606
51607
51608
51609
51610
51611
51612
51613
51614
51615
51616
51617
51618
51619
51620
51621
51622
51623
51624
51625
51626
51627
51628
51629
51630
51631
51632
51633
51634
51635
51636
51637
51638
51639
51640
51641
51642
51643
51644
51645
51646
51647
51648
51649
51650
51651
51652
51653
51654
51655
51656
51657
51658
51659
51660
51661
51662
51663
51664
51665
51666
51667
51668
51669
51670
51671
51672
51673
51674
51675
51676
51677
51678
51679
51680
51681
51682
51683
51684
51685
51686
51687
51688
51689
51690
51691
51692
51693
51694
51695
51696
51697
51698
51699
51700
51701
51702
51703
51704
51705
51706
51707
51708
51709
51710
51711
51712
51713
51714
51715
51716
51717
51718
51719
51720
51721
51722
51723
51724
51725
51726
51727
51728
51729
51730
51731
51732
51733
51734
51735
51736
51737
51738
51739
51740
51741
51742
51743
51744
51745
51746
51747
51748
51749
51750
51751
51752
51753
51754
51755
51756
51757
51758
51759
51760
51761
51762
51763
51764
51765
51766
51767
51768
51769
51770
51771
51772
51773
51774
51775
51776
51777
51778
51779
51780
51781
51782
51783
51784
51785
51786
51787
51788
51789
51790
51791
51792
51793
51794
51795
51796
51797
51798
51799
51800
51801
51802
51803
51804
51805
51806
51807
51808
51809
51810
51811
51812
51813
51814
51815
51816
51817
51818
51819
51820
51821
51822
51823
51824
51825
51826
51827
51828
51829
51830
51831
51832
51833
51834
51835
51836
51837
51838
51839
51840
51841
51842
51843
51844
51845
51846
51847
51848
51849
51850
51851
51852
51853
51854
51855
51856
51857
51858
51859
51860
51861
51862
51863
51864
51865
51866
51867
51868
51869
51870
51871
51872
51873
51874
51875
51876
51877
51878
51879
51880
51881
51882
51883
51884
51885
51886
51887
51888
51889
51890
51891
51892
51893
51894
51895
51896
51897
51898
51899
51900
51901
51902
51903
51904
51905
51906
51907
51908
51909
51910
51911
51912
51913
51914
51915
51916
51917
51918
51919
51920
51921
51922
51923
51924
51925
51926
51927
51928
51929
51930
51931
51932
51933
51934
51935
51936
51937
51938
51939
51940
51941
51942
51943
51944
51945
51946
51947
51948
51949
51950
51951
51952
51953
51954
51955
51956
51957
51958
51959
51960
51961
51962
51963
51964
51965
51966
51967
51968
51969
51970
51971
51972
51973
51974
51975
51976
51977
51978
51979
51980
51981
51982
51983
51984
51985
51986
51987
51988
51989
51990
51991
51992
51993
51994
51995
51996
51997
51998
51999
52000
52001
52002
52003
52004
52005
52006
52007
52008
52009
52010
52011
52012
52013
52014
52015
52016
52017
52018
52019
52020
52021
52022
52023
52024
52025
52026
52027
52028
52029
52030
52031
52032
52033
52034
52035
52036
52037
52038
52039
52040
52041
52042
52043
52044
52045
52046
52047
52048
52049
52050
52051
52052
52053
52054
52055
52056
52057
52058
52059
52060
52061
52062
52063
52064
52065
52066
52067
52068
52069
52070
52071
52072
52073
52074
52075
52076
52077
52078
52079
52080
52081
52082
52083
52084
52085
52086
52087
52088
52089
52090
52091
52092
52093
52094
52095
52096
52097
52098
52099
52100
52101
52102
52103
52104
52105
52106
52107
52108
52109
52110
52111
52112
52113
52114
52115
52116
52117
52118
52119
52120
52121
52122
52123
52124
52125
52126
52127
52128
52129
52130
52131
52132
52133
52134
52135
52136
52137
52138
52139
52140
52141
52142
52143
52144
52145
52146
52147
52148
52149
52150
52151
52152
52153
52154
52155
52156
52157
52158
52159
52160
52161
52162
52163
52164
52165
52166
52167
52168
52169
52170
52171
52172
52173
52174
52175
52176
52177
52178
52179
52180
52181
52182
52183
52184
52185
52186
52187
52188
52189
52190
52191
52192
52193
52194
52195
52196
52197
52198
52199
52200
52201
52202
52203
52204
52205
52206
52207
52208
52209
52210
52211
52212
52213
52214
52215
52216
52217
52218
52219
52220
52221
52222
52223
52224
52225
52226
52227
52228
52229
52230
52231
52232
52233
52234
52235
52236
52237
52238
52239
52240
52241
52242
52243
52244
52245
52246
52247
52248
52249
52250
52251
52252
52253
52254
52255
52256
52257
52258
52259
52260
52261
52262
52263
52264
52265
52266
52267
52268
52269
52270
52271
52272
52273
52274
52275
52276
52277
52278
52279
52280
52281
52282
52283
52284
52285
52286
52287
52288
52289
52290
52291
52292
52293
52294
52295
52296
52297
52298
52299
52300
52301
52302
52303
52304
52305
52306
52307
52308
52309
52310
52311
52312
52313
52314
52315
52316
52317
52318
52319
52320
52321
52322
52323
52324
52325
52326
52327
52328
52329
52330
52331
52332
52333
52334
52335
52336
52337
52338
52339
52340
52341
52342
52343
52344
52345
52346
52347
52348
52349
52350
52351
52352
52353
52354
52355
52356
52357
52358
52359
52360
52361
52362
52363
52364
52365
52366
52367
52368
52369
52370
52371
52372
52373
52374
52375
52376
52377
52378
52379
52380
52381
52382
52383
52384
52385
52386
52387
52388
52389
52390
52391
52392
52393
52394
52395
52396
52397
52398
52399
52400
52401
52402
52403
52404
52405
52406
52407
52408
52409
52410
52411
52412
52413
52414
52415
52416
52417
52418
52419
52420
52421
52422
52423
52424
52425
52426
52427
52428
52429
52430
52431
52432
52433
52434
52435
52436
52437
52438
52439
52440
52441
52442
52443
52444
52445
52446
52447
52448
52449
52450
52451
52452
52453
52454
52455
52456
52457
52458
52459
52460
52461
52462
52463
52464
52465
52466
52467
52468
52469
52470
52471
52472
52473
52474
52475
52476
52477
52478
52479
52480
52481
52482
52483
52484
52485
52486
52487
52488
52489
52490
52491
52492
52493
52494
52495
52496
52497
52498
52499
52500
52501
52502
52503
52504
52505
52506
52507
52508
52509
52510
52511
52512
52513
52514
52515
52516
52517
52518
52519
52520
52521
52522
52523
52524
52525
52526
52527
52528
52529
52530
52531
52532
52533
52534
52535
52536
52537
52538
52539
52540
52541
52542
52543
52544
52545
52546
52547
52548
52549
52550
52551
52552
52553
52554
52555
52556
52557
52558
52559
52560
52561
52562
52563
52564
52565
52566
52567
52568
52569
52570
52571
52572
52573
52574
52575
52576
52577
52578
52579
52580
52581
52582
52583
52584
52585
52586
52587
52588
52589
52590
52591
52592
52593
52594
52595
52596
52597
52598
52599
52600
52601
52602
52603
52604
52605
52606
52607
52608
52609
52610
52611
52612
52613
52614
52615
52616
52617
52618
52619
52620
52621
52622
52623
52624
52625
52626
52627
52628
52629
52630
52631
52632
52633
52634
52635
52636
52637
52638
52639
52640
52641
52642
52643
52644
52645
52646
52647
52648
52649
52650
52651
52652
52653
52654
52655
52656
52657
52658
52659
52660
52661
52662
52663
52664
52665
52666
52667
52668
52669
52670
52671
52672
52673
52674
52675
52676
52677
52678
52679
52680
52681
52682
52683
52684
52685
52686
52687
52688
52689
52690
52691
52692
52693
52694
52695
52696
52697
52698
52699
52700
52701
52702
52703
52704
52705
52706
52707
52708
52709
52710
52711
52712
52713
52714
52715
52716
52717
52718
52719
52720
52721
52722
52723
52724
52725
52726
52727
52728
52729
52730
52731
52732
52733
52734
52735
52736
52737
52738
52739
52740
52741
52742
52743
52744
52745
52746
52747
52748
52749
52750
52751
52752
52753
52754
52755
52756
52757
52758
52759
52760
52761
52762
52763
52764
52765
52766
52767
52768
52769
52770
52771
52772
52773
52774
52775
52776
52777
52778
52779
52780
52781
52782
52783
52784
52785
52786
52787
52788
52789
52790
52791
52792
52793
52794
52795
52796
52797
52798
52799
52800
52801
52802
52803
52804
52805
52806
52807
52808
52809
52810
52811
52812
52813
52814
52815
52816
52817
52818
52819
52820
52821
52822
52823
52824
52825
52826
52827
52828
52829
52830
52831
52832
52833
52834
52835
52836
52837
52838
52839
52840
52841
52842
52843
52844
52845
52846
52847
52848
52849
52850
52851
52852
52853
52854
52855
52856
52857
52858
52859
52860
52861
52862
52863
52864
52865
52866
52867
52868
52869
52870
52871
52872
52873
52874
52875
52876
52877
52878
52879
52880
52881
52882
52883
52884
52885
52886
52887
52888
52889
52890
52891
52892
52893
52894
52895
52896
52897
52898
52899
52900
52901
52902
52903
52904
52905
52906
52907
52908
52909
52910
52911
52912
52913
52914
52915
52916
52917
52918
52919
52920
52921
52922
52923
52924
52925
52926
52927
52928
52929
52930
52931
52932
52933
52934
52935
52936
52937
52938
52939
52940
52941
52942
52943
52944
52945
52946
52947
52948
52949
52950
52951
52952
52953
52954
52955
52956
52957
52958
52959
52960
52961
52962
52963
52964
52965
52966
52967
52968
52969
52970
52971
52972
52973
52974
52975
52976
52977
52978
52979
52980
52981
52982
52983
52984
52985
52986
52987
52988
52989
52990
52991
52992
52993
52994
52995
52996
52997
52998
52999
53000
53001
53002
53003
53004
53005
53006
53007
53008
53009
53010
53011
53012
53013
53014
53015
53016
53017
53018
53019
53020
53021
53022
53023
53024
53025
53026
53027
53028
53029
53030
53031
53032
53033
53034
53035
53036
53037
53038
53039
53040
53041
53042
53043
53044
53045
53046
53047
53048
53049
53050
53051
53052
53053
53054
53055
53056
53057
53058
53059
53060
53061
53062
53063
53064
53065
53066
53067
53068
53069
53070
53071
53072
53073
53074
53075
53076
53077
53078
53079
53080
53081
53082
53083
53084
53085
53086
53087
53088
53089
53090
53091
53092
53093
53094
53095
53096
53097
53098
53099
53100
53101
53102
53103
53104
53105
53106
53107
53108
53109
53110
53111
53112
53113
53114
53115
53116
53117
53118
53119
53120
53121
53122
53123
53124
53125
53126
53127
53128
53129
53130
53131
53132
53133
53134
53135
53136
53137
53138
53139
53140
53141
53142
53143
53144
53145
53146
53147
53148
53149
53150
53151
53152
53153
53154
53155
53156
53157
53158
53159
53160
53161
53162
53163
53164
53165
53166
53167
53168
53169
53170
53171
53172
53173
53174
53175
53176
53177
53178
53179
53180
53181
53182
53183
53184
53185
53186
53187
53188
53189
53190
53191
53192
53193
53194
53195
53196
53197
53198
53199
53200
53201
53202
53203
53204
53205
53206
53207
53208
53209
53210
53211
53212
53213
53214
53215
53216
53217
53218
53219
53220
53221
53222
53223
53224
53225
53226
53227
53228
53229
53230
53231
53232
53233
53234
53235
53236
53237
53238
53239
53240
53241
53242
53243
53244
53245
53246
53247
53248
53249
53250
53251
53252
53253
53254
53255
53256
53257
53258
53259
53260
53261
53262
53263
53264
53265
53266
53267
53268
53269
53270
53271
53272
53273
53274
53275
53276
53277
53278
53279
53280
53281
53282
53283
53284
53285
53286
53287
53288
53289
53290
53291
53292
53293
53294
53295
53296
53297
53298
53299
53300
53301
53302
53303
53304
53305
53306
53307
53308
53309
53310
53311
53312
53313
53314
53315
53316
53317
53318
53319
53320
53321
53322
53323
53324
53325
53326
53327
53328
53329
53330
53331
53332
53333
53334
53335
53336
53337
53338
53339
53340
53341
53342
53343
53344
53345
53346
53347
53348
53349
53350
53351
53352
53353
53354
53355
53356
53357
53358
53359
53360
53361
53362
53363
53364
53365
53366
53367
53368
53369
53370
53371
53372
53373
53374
53375
53376
53377
53378
53379
53380
53381
53382
53383
53384
53385
53386
53387
53388
53389
53390
53391
53392
53393
53394
53395
53396
53397
53398
53399
53400
53401
53402
53403
53404
53405
53406
53407
53408
53409
53410
53411
53412
53413
53414
53415
53416
53417
53418
53419
53420
53421
53422
53423
53424
53425
53426
53427
53428
53429
53430
53431
53432
53433
53434
53435
53436
53437
53438
53439
53440
53441
53442
53443
53444
53445
53446
53447
53448
53449
53450
53451
53452
53453
53454
53455
53456
53457
53458
53459
53460
53461
53462
53463
53464
53465
53466
53467
53468
53469
53470
53471
53472
53473
53474
53475
53476
53477
53478
53479
53480
53481
53482
53483
53484
53485
53486
53487
53488
53489
53490
53491
53492
53493
53494
53495
53496
53497
53498
53499
53500
53501
53502
53503
53504
53505
53506
53507
53508
53509
53510
53511
53512
53513
53514
53515
53516
53517
53518
53519
53520
53521
53522
53523
53524
53525
53526
53527
53528
53529
53530
53531
53532
53533
53534
53535
53536
53537
53538
53539
53540
53541
53542
53543
53544
53545
53546
53547
53548
53549
53550
53551
53552
53553
53554
53555
53556
53557
53558
53559
53560
53561
53562
53563
53564
53565
53566
53567
53568
53569
53570
53571
53572
53573
53574
53575
53576
53577
53578
53579
53580
53581
53582
53583
53584
53585
53586
53587
53588
53589
53590
53591
53592
53593
53594
53595
53596
53597
53598
53599
53600
53601
53602
53603
53604
53605
53606
53607
53608
53609
53610
53611
53612
53613
53614
53615
53616
53617
53618
53619
53620
53621
53622
53623
53624
53625
53626
53627
53628
53629
53630
53631
53632
53633
53634
53635
53636
53637
53638
53639
53640
53641
53642
53643
53644
53645
53646
53647
53648
53649
53650
53651
53652
53653
53654
53655
53656
53657
53658
53659
53660
53661
53662
53663
53664
53665
53666
53667
53668
53669
53670
53671
53672
53673
53674
53675
53676
53677
53678
53679
53680
53681
53682
53683
53684
53685
53686
53687
53688
53689
53690
53691
53692
53693
53694
53695
53696
53697
53698
53699
53700
53701
53702
53703
53704
53705
53706
53707
53708
53709
53710
53711
53712
53713
53714
53715
53716
53717
53718
53719
53720
53721
53722
53723
53724
53725
53726
53727
53728
53729
53730
53731
53732
53733
53734
53735
53736
53737
53738
53739
53740
53741
53742
53743
53744
53745
53746
53747
53748
53749
53750
53751
53752
53753
53754
53755
53756
53757
53758
53759
53760
53761
53762
53763
53764
53765
53766
53767
53768
53769
53770
53771
53772
53773
53774
53775
53776
53777
53778
53779
53780
53781
53782
53783
53784
53785
53786
53787
53788
53789
53790
53791
53792
53793
53794
53795
53796
53797
53798
53799
53800
53801
53802
53803
53804
53805
53806
53807
53808
53809
53810
53811
53812
53813
53814
53815
53816
53817
53818
53819
53820
53821
53822
53823
53824
53825
53826
53827
53828
53829
53830
53831
53832
53833
53834
53835
53836
53837
53838
53839
53840
53841
53842
53843
53844
53845
53846
53847
53848
53849
53850
53851
53852
53853
53854
53855
53856
53857
53858
53859
53860
53861
53862
53863
53864
53865
53866
53867
53868
53869
53870
53871
53872
53873
53874
53875
53876
53877
53878
53879
53880
53881
53882
53883
53884
53885
53886
53887
53888
53889
53890
53891
53892
53893
53894
53895
53896
53897
53898
53899
53900
53901
53902
53903
53904
53905
53906
53907
53908
53909
53910
53911
53912
53913
53914
53915
53916
53917
53918
53919
53920
53921
53922
53923
53924
53925
53926
53927
53928
53929
53930
53931
53932
53933
53934
53935
53936
53937
53938
53939
53940
53941
53942
53943
53944
53945
53946
53947
53948
53949
53950
53951
53952
53953
53954
53955
53956
53957
53958
53959
53960
53961
53962
53963
53964
53965
53966
53967
53968
53969
53970
53971
53972
53973
53974
53975
53976
53977
53978
53979
53980
53981
53982
53983
53984
53985
53986
53987
53988
53989
53990
53991
53992
53993
53994
53995
53996
53997
53998
53999
54000
54001
54002
54003
54004
54005
54006
54007
54008
54009
54010
54011
54012
54013
54014
54015
54016
54017
54018
54019
54020
54021
54022
54023
54024
54025
54026
54027
54028
54029
54030
54031
54032
54033
54034
54035
54036
54037
54038
54039
54040
54041
54042
54043
54044
54045
54046
54047
54048
54049
54050
54051
54052
54053
54054
54055
54056
54057
54058
54059
54060
54061
54062
54063
54064
54065
54066
54067
54068
54069
54070
54071
54072
54073
54074
54075
54076
54077
54078
54079
54080
54081
54082
54083
54084
54085
54086
54087
54088
54089
54090
54091
54092
54093
54094
54095
54096
54097
54098
54099
54100
54101
54102
54103
54104
54105
54106
54107
54108
54109
54110
54111
54112
54113
54114
54115
54116
54117
54118
54119
54120
54121
54122
54123
54124
54125
54126
54127
54128
54129
54130
54131
54132
54133
54134
54135
54136
54137
54138
54139
54140
54141
54142
54143
54144
54145
54146
54147
54148
54149
54150
54151
54152
54153
54154
54155
54156
54157
54158
54159
54160
54161
54162
54163
54164
54165
54166
54167
54168
54169
54170
54171
54172
54173
54174
54175
54176
54177
54178
54179
54180
54181
54182
54183
54184
54185
54186
54187
54188
54189
54190
54191
54192
54193
54194
54195
54196
54197
54198
54199
54200
54201
54202
54203
54204
54205
54206
54207
54208
54209
54210
54211
54212
54213
54214
54215
54216
54217
54218
54219
54220
54221
54222
54223
54224
54225
54226
54227
54228
54229
54230
54231
54232
54233
54234
54235
54236
54237
54238
54239
54240
54241
54242
54243
54244
54245
54246
54247
54248
54249
54250
54251
54252
54253
54254
54255
54256
54257
54258
54259
54260
54261
54262
54263
54264
54265
54266
54267
54268
54269
54270
54271
54272
54273
54274
54275
54276
54277
54278
54279
54280
54281
54282
54283
54284
54285
54286
54287
54288
54289
54290
54291
54292
54293
54294
54295
54296
54297
54298
54299
54300
54301
54302
54303
54304
54305
54306
54307
54308
54309
54310
54311
54312
54313
54314
54315
54316
54317
54318
54319
54320
54321
54322
54323
54324
54325
54326
54327
54328
54329
54330
54331
54332
54333
54334
54335
54336
54337
54338
54339
54340
54341
54342
54343
54344
54345
54346
54347
54348
54349
54350
54351
54352
54353
54354
54355
54356
54357
54358
54359
54360
54361
54362
54363
54364
54365
54366
54367
54368
54369
54370
54371
54372
54373
54374
54375
54376
54377
54378
54379
54380
54381
54382
54383
54384
54385
54386
54387
54388
54389
54390
54391
54392
54393
54394
54395
54396
54397
54398
54399
54400
54401
54402
54403
54404
54405
54406
54407
54408
54409
54410
54411
54412
54413
54414
54415
54416
54417
54418
54419
54420
54421
54422
54423
54424
54425
54426
54427
54428
54429
54430
54431
54432
54433
54434
54435
54436
54437
54438
54439
54440
54441
54442
54443
54444
54445
54446
54447
54448
54449
54450
54451
54452
54453
54454
54455
54456
54457
54458
54459
54460
54461
54462
54463
54464
54465
54466
54467
54468
54469
54470
54471
54472
54473
54474
54475
54476
54477
54478
54479
54480
54481
54482
54483
54484
54485
54486
54487
54488
54489
54490
54491
54492
54493
54494
54495
54496
54497
54498
54499
54500
54501
54502
54503
54504
54505
54506
54507
54508
54509
54510
54511
54512
54513
54514
54515
54516
54517
54518
54519
54520
54521
54522
54523
54524
54525
54526
54527
54528
54529
54530
54531
54532
54533
54534
54535
54536
54537
54538
54539
54540
54541
54542
54543
54544
54545
54546
54547
54548
54549
54550
54551
54552
54553
54554
54555
54556
54557
54558
54559
54560
54561
54562
54563
54564
54565
54566
54567
54568
54569
54570
54571
54572
54573
54574
54575
54576
54577
54578
54579
54580
54581
54582
54583
54584
54585
54586
54587
54588
54589
54590
54591
54592
54593
54594
54595
54596
54597
54598
54599
54600
54601
54602
54603
54604
54605
54606
54607
54608
54609
54610
54611
54612
54613
54614
54615
54616
54617
54618
54619
54620
54621
54622
54623
54624
54625
54626
54627
54628
54629
54630
54631
54632
54633
54634
54635
54636
54637
54638
54639
54640
54641
54642
54643
54644
54645
54646
54647
54648
54649
54650
54651
54652
54653
54654
54655
54656
54657
54658
54659
54660
54661
54662
54663
54664
54665
54666
54667
54668
54669
54670
54671
54672
54673
54674
54675
54676
54677
54678
54679
54680
54681
54682
54683
54684
54685
54686
54687
54688
54689
54690
54691
54692
54693
54694
54695
54696
54697
54698
54699
54700
54701
54702
54703
54704
54705
54706
54707
54708
54709
54710
54711
54712
54713
54714
54715
54716
54717
54718
54719
54720
54721
54722
54723
54724
54725
54726
54727
54728
54729
54730
54731
54732
54733
54734
54735
54736
54737
54738
54739
54740
54741
54742
54743
54744
54745
54746
54747
54748
54749
54750
54751
54752
54753
54754
54755
54756
54757
54758
54759
54760
54761
54762
54763
54764
54765
54766
54767
54768
54769
54770
54771
54772
54773
54774
54775
54776
54777
54778
54779
54780
54781
54782
54783
54784
54785
54786
54787
54788
54789
54790
54791
54792
54793
54794
54795
54796
54797
54798
54799
54800
54801
54802
54803
54804
54805
54806
54807
54808
54809
54810
54811
54812
54813
54814
54815
54816
54817
54818
54819
54820
54821
54822
54823
54824
54825
54826
54827
54828
54829
54830
54831
54832
54833
54834
54835
54836
54837
54838
54839
54840
54841
54842
54843
54844
54845
54846
54847
54848
54849
54850
54851
54852
54853
54854
54855
54856
54857
54858
54859
54860
54861
54862
54863
54864
54865
54866
54867
54868
54869
54870
54871
54872
54873
54874
54875
54876
54877
54878
54879
54880
54881
54882
54883
54884
54885
54886
54887
54888
54889
54890
54891
54892
54893
54894
54895
54896
54897
54898
54899
54900
54901
54902
54903
54904
54905
54906
54907
54908
54909
54910
54911
54912
54913
54914
54915
54916
54917
54918
54919
54920
54921
54922
54923
54924
54925
54926
54927
54928
54929
54930
54931
54932
54933
54934
54935
54936
54937
54938
54939
54940
54941
54942
54943
54944
54945
54946
54947
54948
54949
54950
54951
54952
54953
54954
54955
54956
54957
54958
54959
54960
54961
54962
54963
54964
54965
54966
54967
54968
54969
54970
54971
54972
54973
54974
54975
54976
54977
54978
54979
54980
54981
54982
54983
54984
54985
54986
54987
54988
54989
54990
54991
54992
54993
54994
54995
54996
54997
54998
54999
55000
55001
55002
55003
55004
55005
55006
55007
55008
55009
55010
55011
55012
55013
55014
55015
55016
55017
55018
55019
55020
55021
55022
55023
55024
55025
55026
55027
55028
55029
55030
55031
55032
55033
55034
55035
55036
55037
55038
55039
55040
55041
55042
55043
55044
55045
55046
55047
55048
55049
55050
55051
55052
55053
55054
55055
55056
55057
55058
55059
55060
55061
55062
55063
55064
55065
55066
55067
55068
55069
55070
55071
55072
55073
55074
55075
55076
55077
55078
55079
55080
55081
55082
55083
55084
55085
55086
55087
55088
55089
55090
55091
55092
55093
55094
55095
55096
55097
55098
55099
55100
55101
55102
55103
55104
55105
55106
55107
55108
55109
55110
55111
55112
55113
55114
55115
55116
55117
55118
55119
55120
55121
55122
55123
55124
55125
55126
55127
55128
55129
55130
55131
55132
55133
55134
55135
55136
55137
55138
55139
55140
55141
55142
55143
55144
55145
55146
55147
55148
55149
55150
55151
55152
55153
55154
55155
55156
55157
55158
55159
55160
55161
55162
55163
55164
55165
55166
55167
55168
55169
55170
55171
55172
55173
55174
55175
55176
55177
55178
55179
55180
55181
55182
55183
55184
55185
55186
55187
55188
55189
55190
55191
55192
55193
55194
55195
55196
55197
55198
55199
55200
55201
55202
55203
55204
55205
55206
55207
55208
55209
55210
55211
55212
55213
55214
55215
55216
55217
55218
55219
55220
55221
55222
55223
55224
55225
55226
55227
55228
55229
55230
55231
55232
55233
55234
55235
55236
55237
55238
55239
55240
55241
55242
55243
55244
55245
55246
55247
55248
55249
55250
55251
55252
55253
55254
55255
55256
55257
55258
55259
55260
55261
55262
55263
55264
55265
55266
55267
55268
55269
55270
55271
55272
55273
55274
55275
55276
55277
55278
55279
55280
55281
55282
55283
55284
55285
55286
55287
55288
55289
55290
55291
55292
55293
55294
55295
55296
55297
55298
55299
55300
55301
55302
55303
55304
55305
55306
55307
55308
55309
55310
55311
55312
55313
55314
55315
55316
55317
55318
55319
55320
55321
55322
55323
55324
55325
55326
55327
55328
55329
55330
55331
55332
55333
55334
55335
55336
55337
55338
55339
55340
55341
55342
55343
55344
55345
55346
55347
55348
55349
55350
55351
55352
55353
55354
55355
55356
55357
55358
55359
55360
55361
55362
55363
55364
55365
55366
55367
55368
55369
55370
55371
55372
55373
55374
55375
55376
55377
55378
55379
55380
55381
55382
55383
55384
55385
55386
55387
55388
55389
55390
55391
55392
55393
55394
55395
55396
55397
55398
55399
55400
55401
55402
55403
55404
55405
55406
55407
55408
55409
55410
55411
55412
55413
55414
55415
55416
55417
55418
55419
55420
55421
55422
55423
55424
55425
55426
55427
55428
55429
55430
55431
55432
55433
55434
55435
55436
55437
55438
55439
55440
55441
55442
55443
55444
55445
55446
55447
55448
55449
55450
55451
55452
55453
55454
55455
55456
55457
55458
55459
55460
55461
55462
55463
55464
55465
55466
55467
55468
55469
55470
55471
55472
55473
55474
55475
55476
55477
55478
55479
55480
55481
55482
55483
55484
55485
55486
55487
55488
55489
55490
55491
55492
55493
55494
55495
55496
55497
55498
55499
55500
55501
55502
55503
55504
55505
55506
55507
55508
55509
55510
55511
55512
55513
55514
55515
55516
55517
55518
55519
55520
55521
55522
55523
55524
55525
55526
55527
55528
55529
55530
55531
55532
55533
55534
55535
55536
55537
55538
55539
55540
55541
55542
55543
55544
55545
55546
55547
55548
55549
55550
55551
55552
55553
55554
55555
55556
55557
55558
55559
55560
55561
55562
55563
55564
55565
55566
55567
55568
55569
55570
55571
55572
55573
55574
55575
55576
55577
55578
55579
55580
55581
55582
55583
55584
55585
55586
55587
55588
55589
55590
55591
55592
55593
55594
55595
55596
55597
55598
55599
55600
55601
55602
55603
55604
55605
55606
55607
55608
55609
55610
55611
55612
55613
55614
55615
55616
55617
55618
55619
55620
55621
55622
55623
55624
55625
55626
55627
55628
55629
55630
55631
55632
55633
55634
55635
55636
55637
55638
55639
55640
55641
55642
55643
55644
55645
55646
55647
55648
55649
55650
55651
55652
55653
55654
55655
55656
55657
55658
55659
55660
55661
55662
55663
55664
55665
55666
55667
55668
55669
55670
55671
55672
55673
55674
55675
55676
55677
55678
55679
55680
55681
55682
55683
55684
55685
55686
55687
55688
55689
55690
55691
55692
55693
55694
55695
55696
55697
55698
55699
55700
55701
55702
55703
55704
55705
55706
55707
55708
55709
55710
55711
55712
55713
55714
55715
55716
55717
55718
55719
55720
55721
55722
55723
55724
55725
55726
55727
55728
55729
55730
55731
55732
55733
55734
55735
55736
55737
55738
55739
55740
55741
55742
55743
55744
55745
55746
55747
55748
55749
55750
55751
55752
55753
55754
55755
55756
55757
55758
55759
55760
55761
55762
55763
55764
55765
55766
55767
55768
55769
55770
55771
55772
55773
55774
55775
55776
55777
55778
55779
55780
55781
55782
55783
55784
55785
55786
55787
55788
55789
55790
55791
55792
55793
55794
55795
55796
55797
55798
55799
55800
55801
55802
55803
55804
55805
55806
55807
55808
55809
55810
55811
55812
55813
55814
55815
55816
55817
55818
55819
55820
55821
55822
55823
55824
55825
55826
55827
55828
55829
55830
55831
55832
55833
55834
55835
55836
55837
55838
55839
55840
55841
55842
55843
55844
55845
55846
55847
55848
55849
55850
55851
55852
55853
55854
55855
55856
55857
55858
55859
55860
55861
55862
55863
55864
55865
55866
55867
55868
55869
55870
55871
55872
55873
55874
55875
55876
55877
55878
55879
55880
55881
55882
55883
55884
55885
55886
55887
55888
55889
55890
55891
55892
55893
55894
55895
55896
55897
55898
55899
55900
55901
55902
55903
55904
55905
55906
55907
55908
55909
55910
55911
55912
55913
55914
55915
55916
55917
55918
55919
55920
55921
55922
55923
55924
55925
55926
55927
55928
55929
55930
55931
55932
55933
55934
55935
55936
55937
55938
55939
55940
55941
55942
55943
55944
55945
55946
55947
55948
55949
55950
55951
55952
55953
55954
55955
55956
55957
55958
55959
55960
55961
55962
55963
55964
55965
55966
55967
55968
55969
55970
55971
55972
55973
55974
55975
55976
55977
55978
55979
55980
55981
55982
55983
55984
55985
55986
55987
55988
55989
55990
55991
55992
55993
55994
55995
55996
55997
55998
55999
56000
56001
56002
56003
56004
56005
56006
56007
56008
56009
56010
56011
56012
56013
56014
56015
56016
56017
56018
56019
56020
56021
56022
56023
56024
56025
56026
56027
56028
56029
56030
56031
56032
56033
56034
56035
56036
56037
56038
56039
56040
56041
56042
56043
56044
56045
56046
56047
56048
56049
56050
56051
56052
56053
56054
56055
56056
56057
56058
56059
56060
56061
56062
56063
56064
56065
56066
56067
56068
56069
56070
56071
56072
56073
56074
56075
56076
56077
56078
56079
56080
56081
56082
56083
56084
56085
56086
56087
56088
56089
56090
56091
56092
56093
56094
56095
56096
56097
56098
56099
56100
56101
56102
56103
56104
56105
56106
56107
56108
56109
56110
56111
56112
56113
56114
56115
56116
56117
56118
56119
56120
56121
56122
56123
56124
56125
56126
56127
56128
56129
56130
56131
56132
56133
56134
56135
56136
56137
56138
56139
56140
56141
56142
56143
56144
56145
56146
56147
56148
56149
56150
56151
56152
56153
56154
56155
56156
56157
56158
56159
56160
56161
56162
56163
56164
56165
56166
56167
56168
56169
56170
56171
56172
56173
56174
56175
56176
56177
56178
56179
56180
56181
56182
56183
56184
56185
56186
56187
56188
56189
56190
56191
56192
56193
56194
56195
56196
56197
56198
56199
56200
56201
56202
56203
56204
56205
56206
56207
56208
56209
56210
56211
56212
56213
56214
56215
56216
56217
56218
56219
56220
56221
56222
56223
56224
56225
56226
56227
56228
56229
56230
56231
56232
56233
56234
56235
56236
56237
56238
56239
56240
56241
56242
56243
56244
56245
56246
56247
56248
56249
56250
56251
56252
56253
56254
56255
56256
56257
56258
56259
56260
56261
56262
56263
56264
56265
56266
56267
56268
56269
56270
56271
56272
56273
56274
56275
56276
56277
56278
56279
56280
56281
56282
56283
56284
56285
56286
56287
56288
56289
56290
56291
56292
56293
56294
56295
56296
56297
56298
56299
56300
56301
56302
56303
56304
56305
56306
56307
56308
56309
56310
56311
56312
56313
56314
56315
56316
56317
56318
56319
56320
56321
56322
56323
56324
56325
56326
56327
56328
56329
56330
56331
56332
56333
56334
56335
56336
56337
56338
56339
56340
56341
56342
56343
56344
56345
56346
56347
56348
56349
56350
56351
56352
56353
56354
56355
56356
56357
56358
56359
56360
56361
56362
56363
56364
56365
56366
56367
56368
56369
56370
56371
56372
56373
56374
56375
56376
56377
56378
56379
56380
56381
56382
56383
56384
56385
56386
56387
56388
56389
56390
56391
56392
56393
56394
56395
56396
56397
56398
56399
56400
56401
56402
56403
56404
56405
56406
56407
56408
56409
56410
56411
56412
56413
56414
56415
56416
56417
56418
56419
56420
56421
56422
56423
56424
56425
56426
56427
56428
56429
56430
56431
56432
56433
56434
56435
56436
56437
56438
56439
56440
56441
56442
56443
56444
56445
56446
56447
56448
56449
56450
56451
56452
56453
56454
56455
56456
56457
56458
56459
56460
56461
56462
56463
56464
56465
56466
56467
56468
56469
56470
56471
56472
56473
56474
56475
56476
56477
56478
56479
56480
56481
56482
56483
56484
56485
56486
56487
56488
56489
56490
56491
56492
56493
56494
56495
56496
56497
56498
56499
56500
56501
56502
56503
56504
56505
56506
56507
56508
56509
56510
56511
56512
56513
56514
56515
56516
56517
56518
56519
56520
56521
56522
56523
56524
56525
56526
56527
56528
56529
56530
56531
56532
56533
56534
56535
56536
56537
56538
56539
56540
56541
56542
56543
56544
56545
56546
56547
56548
56549
56550
56551
56552
56553
56554
56555
56556
56557
56558
56559
56560
56561
56562
56563
56564
56565
56566
56567
56568
56569
56570
56571
56572
56573
56574
56575
56576
56577
56578
56579
56580
56581
56582
56583
56584
56585
56586
56587
56588
56589
56590
56591
56592
56593
56594
56595
56596
56597
56598
56599
56600
56601
56602
56603
56604
56605
56606
56607
56608
56609
56610
56611
56612
56613
56614
56615
56616
56617
56618
56619
56620
56621
56622
56623
56624
56625
56626
56627
56628
56629
56630
56631
56632
56633
56634
56635
56636
56637
56638
56639
56640
56641
56642
56643
56644
56645
56646
56647
56648
56649
56650
56651
56652
56653
56654
56655
56656
56657
56658
56659
56660
56661
56662
56663
56664
56665
56666
56667
56668
56669
56670
56671
56672
56673
56674
56675
56676
56677
56678
56679
56680
56681
56682
56683
56684
56685
56686
56687
56688
56689
56690
56691
56692
56693
56694
56695
56696
56697
56698
56699
56700
56701
56702
56703
56704
56705
56706
56707
56708
56709
56710
56711
56712
56713
56714
56715
56716
56717
56718
56719
56720
56721
56722
56723
56724
56725
56726
56727
56728
56729
56730
56731
56732
56733
56734
56735
56736
56737
56738
56739
56740
56741
56742
56743
56744
56745
56746
56747
56748
56749
56750
56751
56752
56753
56754
56755
56756
56757
56758
56759
56760
56761
56762
56763
56764
56765
56766
56767
56768
56769
56770
56771
56772
56773
56774
56775
56776
56777
56778
56779
56780
56781
56782
56783
56784
56785
56786
56787
56788
56789
56790
56791
56792
56793
56794
56795
56796
56797
56798
56799
56800
56801
56802
56803
56804
56805
56806
56807
56808
56809
56810
56811
56812
56813
56814
56815
56816
56817
56818
56819
56820
56821
56822
56823
56824
56825
56826
56827
56828
56829
56830
56831
56832
56833
56834
56835
56836
56837
56838
56839
56840
56841
56842
56843
56844
56845
56846
56847
56848
56849
56850
56851
56852
56853
56854
56855
56856
56857
56858
56859
56860
56861
56862
56863
56864
56865
56866
56867
56868
56869
56870
56871
56872
56873
56874
56875
56876
56877
56878
56879
56880
56881
56882
56883
56884
56885
56886
56887
56888
56889
56890
56891
56892
56893
56894
56895
56896
56897
56898
56899
56900
56901
56902
56903
56904
56905
56906
56907
56908
56909
56910
56911
56912
56913
56914
56915
56916
56917
56918
56919
56920
56921
56922
56923
56924
56925
56926
56927
56928
56929
56930
56931
56932
56933
56934
56935
56936
56937
56938
56939
56940
56941
56942
56943
56944
56945
56946
56947
56948
56949
56950
56951
56952
56953
56954
56955
56956
56957
56958
56959
56960
56961
56962
56963
56964
56965
56966
56967
56968
56969
56970
56971
56972
56973
56974
56975
56976
56977
56978
56979
56980
56981
56982
56983
56984
56985
56986
56987
56988
56989
56990
56991
56992
56993
56994
56995
56996
56997
56998
56999
57000
57001
57002
57003
57004
57005
57006
57007
57008
57009
57010
57011
57012
57013
57014
57015
57016
57017
57018
57019
57020
57021
57022
57023
57024
57025
57026
57027
57028
57029
57030
57031
57032
57033
57034
57035
57036
57037
57038
57039
57040
57041
57042
57043
57044
57045
57046
57047
57048
57049
57050
57051
57052
57053
57054
57055
57056
57057
57058
57059
57060
57061
57062
57063
57064
57065
57066
57067
57068
57069
57070
57071
57072
57073
57074
57075
57076
57077
57078
57079
57080
57081
57082
57083
57084
57085
57086
57087
57088
57089
57090
57091
57092
57093
57094
57095
57096
57097
57098
57099
57100
57101
57102
57103
57104
57105
57106
57107
57108
57109
57110
57111
57112
57113
57114
57115
57116
57117
57118
57119
57120
57121
57122
57123
57124
57125
57126
57127
57128
57129
57130
57131
57132
57133
57134
57135
57136
57137
57138
57139
57140
57141
57142
57143
57144
57145
57146
57147
57148
57149
57150
57151
57152
57153
57154
57155
57156
57157
57158
57159
57160
57161
57162
57163
57164
57165
57166
57167
57168
57169
57170
57171
57172
57173
57174
57175
57176
57177
57178
57179
57180
57181
57182
57183
57184
57185
57186
57187
57188
57189
57190
57191
57192
57193
57194
57195
57196
57197
57198
57199
57200
57201
57202
57203
57204
57205
57206
57207
57208
57209
57210
57211
57212
57213
57214
57215
57216
57217
57218
57219
57220
57221
57222
57223
57224
57225
57226
57227
57228
57229
57230
57231
57232
57233
57234
57235
57236
57237
57238
57239
57240
57241
57242
57243
57244
57245
57246
57247
57248
57249
57250
57251
57252
57253
57254
57255
57256
57257
57258
57259
57260
57261
57262
57263
57264
57265
57266
57267
57268
57269
57270
57271
57272
57273
57274
57275
57276
57277
57278
57279
57280
57281
57282
57283
57284
57285
57286
57287
57288
57289
57290
57291
57292
57293
57294
57295
57296
57297
57298
57299
57300
57301
57302
57303
57304
57305
57306
57307
57308
57309
57310
57311
57312
57313
57314
57315
57316
57317
57318
57319
57320
57321
57322
57323
57324
57325
57326
57327
57328
57329
57330
57331
57332
57333
57334
57335
57336
57337
57338
57339
57340
57341
57342
57343
57344
57345
57346
57347
57348
57349
57350
57351
57352
57353
57354
57355
57356
57357
57358
57359
57360
57361
57362
57363
57364
57365
57366
57367
57368
57369
57370
57371
57372
57373
57374
57375
57376
57377
57378
57379
57380
57381
57382
57383
57384
57385
57386
57387
57388
57389
57390
57391
57392
57393
57394
57395
57396
57397
57398
57399
57400
57401
57402
57403
57404
57405
57406
57407
57408
57409
57410
57411
57412
57413
57414
57415
57416
57417
57418
57419
57420
57421
57422
57423
57424
57425
57426
57427
57428
57429
57430
57431
57432
57433
57434
57435
57436
57437
57438
57439
57440
57441
57442
57443
57444
57445
57446
57447
57448
57449
57450
57451
57452
57453
57454
57455
57456
57457
57458
57459
57460
57461
57462
57463
57464
57465
57466
57467
57468
57469
57470
57471
57472
57473
57474
57475
57476
57477
57478
57479
57480
57481
57482
57483
57484
57485
57486
57487
57488
57489
57490
57491
57492
57493
57494
57495
57496
57497
57498
57499
57500
57501
57502
57503
57504
57505
57506
57507
57508
57509
57510
57511
57512
57513
57514
57515
57516
57517
57518
57519
57520
57521
57522
57523
57524
57525
57526
57527
57528
57529
57530
57531
57532
57533
57534
57535
57536
57537
57538
57539
57540
57541
57542
57543
57544
57545
57546
57547
57548
57549
57550
57551
57552
57553
57554
57555
57556
57557
57558
57559
57560
57561
57562
57563
57564
57565
57566
57567
57568
57569
57570
57571
57572
57573
57574
57575
57576
57577
57578
57579
57580
57581
57582
57583
57584
57585
57586
57587
57588
57589
57590
57591
57592
57593
57594
57595
57596
57597
57598
57599
57600
57601
57602
57603
57604
57605
57606
57607
57608
57609
57610
57611
57612
57613
57614
57615
57616
57617
57618
57619
57620
57621
57622
57623
57624
57625
57626
57627
57628
57629
57630
57631
57632
57633
57634
57635
57636
57637
57638
57639
57640
57641
57642
57643
57644
57645
57646
57647
57648
57649
57650
57651
57652
57653
57654
57655
57656
57657
57658
57659
57660
57661
57662
57663
57664
57665
57666
57667
57668
57669
57670
57671
57672
57673
57674
57675
57676
57677
57678
57679
57680
57681
57682
57683
57684
57685
57686
57687
57688
57689
57690
57691
57692
57693
57694
57695
57696
57697
57698
57699
57700
57701
57702
57703
57704
57705
57706
57707
57708
57709
57710
57711
57712
57713
57714
57715
57716
57717
57718
57719
57720
57721
57722
57723
57724
57725
57726
57727
57728
57729
57730
57731
57732
57733
57734
57735
57736
57737
57738
57739
57740
57741
57742
57743
57744
57745
57746
57747
57748
57749
57750
57751
57752
57753
57754
57755
57756
57757
57758
57759
57760
57761
57762
57763
57764
57765
57766
57767
57768
57769
57770
57771
57772
57773
57774
57775
57776
57777
57778
57779
57780
57781
57782
57783
57784
57785
57786
57787
57788
57789
57790
57791
57792
57793
57794
57795
57796
57797
57798
57799
57800
57801
57802
57803
57804
57805
57806
57807
57808
57809
57810
57811
57812
57813
57814
57815
57816
57817
57818
57819
57820
57821
57822
57823
57824
57825
57826
57827
57828
57829
57830
57831
57832
57833
57834
57835
57836
57837
57838
57839
57840
57841
57842
57843
57844
57845
57846
57847
57848
57849
57850
57851
57852
57853
57854
57855
57856
57857
57858
57859
57860
57861
57862
57863
57864
57865
57866
57867
57868
57869
57870
57871
57872
57873
57874
57875
57876
57877
57878
57879
57880
57881
57882
57883
57884
57885
57886
57887
57888
57889
57890
57891
57892
57893
57894
57895
57896
57897
57898
57899
57900
57901
57902
57903
57904
57905
57906
57907
57908
57909
57910
57911
57912
57913
57914
57915
57916
57917
57918
57919
57920
57921
57922
57923
57924
57925
57926
57927
57928
57929
57930
57931
57932
57933
57934
57935
57936
57937
57938
57939
57940
57941
57942
57943
57944
57945
57946
57947
57948
57949
57950
57951
57952
57953
57954
57955
57956
57957
57958
57959
57960
57961
57962
57963
57964
57965
57966
57967
57968
57969
57970
57971
57972
57973
57974
57975
57976
57977
57978
57979
57980
57981
57982
57983
57984
57985
57986
57987
57988
57989
57990
57991
57992
57993
57994
57995
57996
57997
57998
57999
58000
58001
58002
58003
58004
58005
58006
58007
58008
58009
58010
58011
58012
58013
58014
58015
58016
58017
58018
58019
58020
58021
58022
58023
58024
58025
58026
58027
58028
58029
58030
58031
58032
58033
58034
58035
58036
58037
58038
58039
58040
58041
58042
58043
58044
58045
58046
58047
58048
58049
58050
58051
58052
58053
58054
58055
58056
58057
58058
58059
58060
58061
58062
58063
58064
58065
58066
58067
58068
58069
58070
58071
58072
58073
58074
58075
58076
58077
58078
58079
58080
58081
58082
58083
58084
58085
58086
58087
58088
58089
58090
58091
58092
58093
58094
58095
58096
58097
58098
58099
58100
58101
58102
58103
58104
58105
58106
58107
58108
58109
58110
58111
58112
58113
58114
58115
58116
58117
58118
58119
58120
58121
58122
58123
58124
58125
58126
58127
58128
58129
58130
58131
58132
58133
58134
58135
58136
58137
58138
58139
58140
58141
58142
58143
58144
58145
58146
58147
58148
58149
58150
58151
58152
58153
58154
58155
58156
58157
58158
58159
58160
58161
58162
58163
58164
58165
58166
58167
58168
58169
58170
58171
58172
58173
58174
58175
58176
58177
58178
58179
58180
58181
58182
58183
58184
58185
58186
58187
58188
58189
58190
58191
58192
58193
58194
58195
58196
58197
58198
58199
58200
58201
58202
58203
58204
58205
58206
58207
58208
58209
58210
58211
58212
58213
58214
58215
58216
58217
58218
58219
58220
58221
58222
58223
58224
58225
58226
58227
58228
58229
58230
58231
58232
58233
58234
58235
58236
58237
58238
58239
58240
58241
58242
58243
58244
58245
58246
58247
58248
58249
58250
58251
58252
58253
58254
58255
58256
58257
58258
58259
58260
58261
58262
58263
58264
58265
58266
58267
58268
58269
58270
58271
58272
58273
58274
58275
58276
58277
58278
58279
58280
58281
58282
58283
58284
58285
58286
58287
58288
58289
58290
58291
58292
58293
58294
58295
58296
58297
58298
58299
58300
58301
58302
58303
58304
58305
58306
58307
58308
58309
58310
58311
58312
58313
58314
58315
58316
58317
58318
58319
58320
58321
58322
58323
58324
58325
58326
58327
58328
58329
58330
58331
58332
58333
58334
58335
58336
58337
58338
58339
58340
58341
58342
58343
58344
58345
58346
58347
58348
58349
58350
58351
58352
58353
58354
58355
58356
58357
58358
58359
58360
58361
58362
58363
58364
58365
58366
58367
58368
58369
58370
58371
58372
58373
58374
58375
58376
58377
58378
58379
58380
58381
58382
58383
58384
58385
58386
58387
58388
58389
58390
58391
58392
58393
58394
58395
58396
58397
58398
58399
58400
58401
58402
58403
58404
58405
58406
58407
58408
58409
58410
58411
58412
58413
58414
58415
58416
58417
58418
58419
58420
58421
58422
58423
58424
58425
58426
58427
58428
58429
58430
58431
58432
58433
58434
58435
58436
58437
58438
58439
58440
58441
58442
58443
58444
58445
58446
58447
58448
58449
58450
58451
58452
58453
58454
58455
58456
58457
58458
58459
58460
58461
58462
58463
58464
58465
58466
58467
58468
58469
58470
58471
58472
58473
58474
58475
58476
58477
58478
58479
58480
58481
58482
58483
58484
58485
58486
58487
58488
58489
58490
58491
58492
58493
58494
58495
58496
58497
58498
58499
58500
58501
58502
58503
58504
58505
58506
58507
58508
58509
58510
58511
58512
58513
58514
58515
58516
58517
58518
58519
58520
58521
58522
58523
58524
58525
58526
58527
58528
58529
58530
58531
58532
58533
58534
58535
58536
58537
58538
58539
58540
58541
58542
58543
58544
58545
58546
58547
58548
58549
58550
58551
58552
58553
58554
58555
58556
58557
58558
58559
58560
58561
58562
58563
58564
58565
58566
58567
58568
58569
58570
58571
58572
58573
58574
58575
58576
58577
58578
58579
58580
58581
58582
58583
58584
58585
58586
58587
58588
58589
58590
58591
58592
58593
58594
58595
58596
58597
58598
58599
58600
58601
58602
58603
58604
58605
58606
58607
58608
58609
58610
58611
58612
58613
58614
58615
58616
58617
58618
58619
58620
58621
58622
58623
58624
58625
58626
58627
58628
58629
58630
58631
58632
58633
58634
58635
58636
58637
58638
58639
58640
58641
58642
58643
58644
58645
58646
58647
58648
58649
58650
58651
58652
58653
58654
58655
58656
58657
58658
58659
58660
58661
58662
58663
58664
58665
58666
58667
58668
58669
58670
58671
58672
58673
58674
58675
58676
58677
58678
58679
58680
58681
58682
58683
58684
58685
58686
58687
58688
58689
58690
58691
58692
58693
58694
58695
58696
58697
58698
58699
58700
58701
58702
58703
58704
58705
58706
58707
58708
58709
58710
58711
58712
58713
58714
58715
58716
58717
58718
58719
58720
58721
58722
58723
58724
58725
58726
58727
58728
58729
58730
58731
58732
58733
58734
58735
58736
58737
58738
58739
58740
58741
58742
58743
58744
58745
58746
58747
58748
58749
58750
58751
58752
58753
58754
58755
58756
58757
58758
58759
58760
58761
58762
58763
58764
58765
58766
58767
58768
58769
58770
58771
58772
58773
58774
58775
58776
58777
58778
58779
58780
58781
58782
58783
58784
58785
58786
58787
58788
58789
58790
58791
58792
58793
58794
58795
58796
58797
58798
58799
58800
58801
58802
58803
58804
58805
58806
58807
58808
58809
58810
58811
58812
58813
58814
58815
58816
58817
58818
58819
58820
58821
58822
58823
58824
58825
58826
58827
58828
58829
58830
58831
58832
58833
58834
58835
58836
58837
58838
58839
58840
58841
58842
58843
58844
58845
58846
58847
58848
58849
58850
58851
58852
58853
58854
58855
58856
58857
58858
58859
58860
58861
58862
58863
58864
58865
58866
58867
58868
58869
58870
58871
58872
58873
58874
58875
58876
58877
58878
58879
58880
58881
58882
58883
58884
58885
58886
58887
58888
58889
58890
58891
58892
58893
58894
58895
58896
58897
58898
58899
58900
58901
58902
58903
58904
58905
58906
58907
58908
58909
58910
58911
58912
58913
58914
58915
58916
58917
58918
58919
58920
58921
58922
58923
58924
58925
58926
58927
58928
58929
58930
58931
58932
58933
58934
58935
58936
58937
58938
58939
58940
58941
58942
58943
58944
58945
58946
58947
58948
58949
58950
58951
58952
58953
58954
58955
58956
58957
58958
58959
58960
58961
58962
58963
58964
58965
58966
58967
58968
58969
58970
58971
58972
58973
58974
58975
58976
58977
58978
58979
58980
58981
58982
58983
58984
58985
58986
58987
58988
58989
58990
58991
58992
58993
58994
58995
58996
58997
58998
58999
59000
59001
59002
59003
59004
59005
59006
59007
59008
59009
59010
59011
59012
59013
59014
59015
59016
59017
59018
59019
59020
59021
59022
59023
59024
59025
59026
59027
59028
59029
59030
59031
59032
59033
59034
59035
59036
59037
59038
59039
59040
59041
59042
59043
59044
59045
59046
59047
59048
59049
59050
59051
59052
59053
59054
59055
59056
59057
59058
59059
59060
59061
59062
59063
59064
59065
59066
59067
59068
59069
59070
59071
59072
59073
59074
59075
59076
59077
59078
59079
59080
59081
59082
59083
59084
59085
59086
59087
59088
59089
59090
59091
59092
59093
59094
59095
59096
59097
59098
59099
59100
59101
59102
59103
59104
59105
59106
59107
59108
59109
59110
59111
59112
59113
59114
59115
59116
59117
59118
59119
59120
59121
59122
59123
59124
59125
59126
59127
59128
59129
59130
59131
59132
59133
59134
59135
59136
59137
59138
59139
59140
59141
59142
59143
59144
59145
59146
59147
59148
59149
59150
59151
59152
59153
59154
59155
59156
59157
59158
59159
59160
59161
59162
59163
59164
59165
59166
59167
59168
59169
59170
59171
59172
59173
59174
59175
59176
59177
59178
59179
59180
59181
59182
59183
59184
59185
59186
59187
59188
59189
59190
59191
59192
59193
59194
59195
59196
59197
59198
59199
59200
59201
59202
59203
59204
59205
59206
59207
59208
59209
59210
59211
59212
59213
59214
59215
59216
59217
59218
59219
59220
59221
59222
59223
59224
59225
59226
59227
59228
59229
59230
59231
59232
59233
59234
59235
59236
59237
59238
59239
59240
59241
59242
59243
59244
59245
59246
59247
59248
59249
59250
59251
59252
59253
59254
59255
59256
59257
59258
59259
59260
59261
59262
59263
59264
59265
59266
59267
59268
59269
59270
59271
59272
59273
59274
59275
59276
59277
59278
59279
59280
59281
59282
59283
59284
59285
59286
59287
59288
59289
59290
59291
59292
59293
59294
59295
59296
59297
59298
59299
59300
59301
59302
59303
59304
59305
59306
59307
59308
59309
59310
59311
59312
59313
59314
59315
59316
59317
59318
59319
59320
59321
59322
59323
59324
59325
59326
59327
59328
59329
59330
59331
59332
59333
59334
59335
59336
59337
59338
59339
59340
59341
59342
59343
59344
59345
59346
59347
59348
59349
59350
59351
59352
59353
59354
59355
59356
59357
59358
59359
59360
59361
59362
59363
59364
59365
59366
59367
59368
59369
59370
59371
59372
59373
59374
59375
59376
59377
59378
59379
59380
59381
59382
59383
59384
59385
59386
59387
packaging/utils/kernelpatch 2.6
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/README.openswan-2     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,112 @@
+*
+* RCSID $Id: README.openswan-2,v 1.1 2003/12/10 01:07:49 mcr Exp $
+*
+
+               ****************************************
+               * IPSEC for Linux, Release 2.xx series *
+               ****************************************
+
+
+
+1. Files
+
+The contents of linux/net/ipsec/ (see below) join the linux kernel source tree.
+as provided for higher up.
+
+The programs/ directory contains the user-level utilities which you need
+to run IPSEC.  See the top-level top/INSTALL to compile and install them.
+
+The testing/ directory contains test scripts.
+
+The doc/ directory contains -- what else -- documentation. 
+
+1.1. Kernel files
+
+The following are found in net/ipsec/:
+
+Makefile			The Makefile
+Config.in			The configuration script for make menuconfig
+defconfig			Configuration defaults for first time.
+
+radij.c				General-purpose radix-tree operations
+
+ipsec_ipcomp.c	   IPCOMP encapsulate/decapsulate code.
+ipsec_ah.c	   Authentication Header (AH) encapsulate/decapsulate code.
+ipsec_esp.c	   Encapsulated Security Payload (ESP) encap/decap code.
+
+pfkey_v2.c			PF_KEYv2 socket interface code.
+pfkey_v2_parser.c		PF_KEYv2 message parsing and processing code.
+
+ipsec_init.c			Initialization code, /proc interface.
+ipsec_radij.c			Interface with the radix tree code.
+ipsec_netlink.c			Interface with the netlink code.
+ipsec_xform.c			Routines and structures common to transforms.
+ipsec_tunnel.c			The outgoing packet processing code.
+ipsec_rcv.c			The incoming packet processing code.
+ipsec_md5c.c			Somewhat modified RSADSI MD5 C code.
+ipsec_sha1.c			Somewhat modified Steve Reid SHA-1 C code.
+
+sysctl_net_ipsec.c		/proc/sys/net/ipsec/* variable definitions.
+
+version.c			symbolic link to project version.
+
+radij.h				Headers for radij.c
+
+ipcomp.h			Headers used by IPCOMP code.
+
+ipsec_radij.h			Interface with the radix tree code.
+ipsec_netlink.h			Headers used by the netlink interface.
+ipsec_encap.h			Headers defining encapsulation structures.
+ipsec_xform.h			Transform headers.
+ipsec_tunnel.h			Headers used by tunneling code.
+ipsec_ipe4.h			Headers for the IP-in-IP code.
+ipsec_ah.h			Headers common to AH transforms.
+ipsec_md5h.h			RSADSI MD5 headers.
+ipsec_sha1.h			SHA-1 headers.
+ipsec_esp.h			Headers common to ESP transfroms.
+ipsec_rcv.h			Headers for incoming packet processing code.
+
+1.2. User-level files.
+
+The following are found in utils/:
+
+eroute.c	Create an "extended route" source code
+spi.c		Set up Security Associations source code
+spigrp.c        Link SPIs together source code.
+tncfg.c         Configure the tunneling features of the virtual interface
+		source code
+klipsdebug.c	Set/reset klips debugging features source code.
+version.c	symbolic link to project version.
+
+eroute.8	Create an "extended route" manual page
+spi.8		Set up Security Associations manual page
+spigrp.8        Link SPIs together manual page
+tncfg.8         Configure the tunneling features of the virtual interface
+		manual page
+klipsdebug.8	Set/reset klips debugging features manual page
+
+eroute.5	/proc/net/ipsec_eroute format manual page
+spi.5		/proc/net/ipsec_spi format manual page
+spigrp.5	/proc/net/ipsec_spigrp format manual page
+tncfg.5		/proc/net/ipsec_tncfg format manual page
+klipsdebug.5	/proc/net/ipsec_klipsdebug format manual page
+version.5	/proc/net/ipsec_version format manual page
+pf_key.5	/proc/net/pf_key format manual page
+
+Makefile	Utilities makefile.
+
+*.8		Manpages for the respective utils.
+
+
+1.3. Test files
+
+The test scripts are locate in testing/ and and documentation is found
+at doc/src/umltesting.html. Automated testing via "make check" is available
+provided that the User-Mode-Linux patches are available.
+
+*
+* $Log: README.openswan-2,v $
+* Revision 1.1  2003/12/10 01:07:49  mcr
+* 	documentation for additions.
+*
+*
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/crypto/ciphers/aes/test_main.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include "aes_cbc.h"
+#define AES_BLOCK_SIZE	16
+#define KEY_SIZE 	128	/* bits */
+#define KEY 		"1234567890123456"
+#define STR 		"hola guaso como estaisss ... 012"
+#define STRSZ		(sizeof(STR)-1)
+
+#define EMT_AESCBC_BLKLEN AES_BLOCK_SIZE
+#define AES_CONTEXT_T  aes_context
+#define EMT_ESPAES_KEY_SZ 16
+int pretty_print(const unsigned char *buf, int count) {
+	int i=0;
+	for (;i<count;i++) {
+		if (i%8==0) putchar(' ');
+		if (i%16==0) putchar('\n');
+		printf ("%02hhx ", buf[i]);
+	}
+	putchar('\n');
+	return i;
+}
+//#define SIZE STRSZ/2
+#define SIZE STRSZ
+int main() {
+	int ret;
+	char buf0[SIZE+1], buf1[SIZE+1];
+	char IV[AES_BLOCK_SIZE]="\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0";
+	aes_context ac;	
+	AES_set_key(&ac, KEY, KEY_SIZE);
+	//pretty_print((char *)&ac.aes_e_key, sizeof(ac.aes_e_key));
+	memset(buf0, 0, sizeof (buf0));
+	memset(buf1, 0, sizeof (buf1));
+	ret=AES_cbc_encrypt(&ac, STR, buf0, SIZE, IV, 1);
+	pretty_print(buf0, SIZE);
+	printf("size=%d ret=%d\n%s\n", SIZE, ret, buf0);
+	ret=AES_cbc_encrypt(&ac, buf0, buf1, SIZE, IV, 0);
+	printf("size=%d ret=%d\n%s\n", SIZE, ret, buf1);
+	return 0;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/crypto/ciphers/aes/test_main_mac.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include "aes.h"
+#include "aes_xcbc_mac.h"
+#define STR "Hola guasssso c|mo estais ...012"  
+void print_hash(const __u8 *hash) {
+	printf("%08x %08x %08x %08x\n", 
+			*(__u32*)(&hash[0]), 
+			*(__u32*)(&hash[4]), 
+			*(__u32*)(&hash[8]), 
+			*(__u32*)(&hash[12]));
+}
+int main(int argc, char *argv[]) {
+	aes_block key= { 0xdeadbeef, 0xceedcaca, 0xcafebabe, 0xff010204 };
+	__u8  hash[16];
+	char *str = argv[1];
+	aes_context_mac ctx;
+	if (str==NULL) {
+		fprintf(stderr, "pasame el str\n");
+		return 255;
+	}
+	AES_xcbc_mac_set_key(&ctx, (__u8 *)&key, sizeof(key));
+	AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
+	print_hash(hash);
+	str[2]='x';
+	AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
+	print_hash(hash);
+	return 0;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/aes.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,97 @@
+// I retain copyright in this code but I encourage its free use provided
+// that I don't carry any responsibility for the results. I am especially 
+// happy to see it used in free and open source software. If you do use 
+// it I would appreciate an acknowledgement of its origin in the code or
+// the product that results and I would also appreciate knowing a little
+// about the use to which it is being put. I am grateful to Frank Yellin
+// for some ideas that are used in this implementation.
+//
+// Dr B. R. Gladman <brg@gladman.uk.net> 6th April 2001.
+//
+// This is an implementation of the AES encryption algorithm (Rijndael)
+// designed by Joan Daemen and Vincent Rijmen. This version is designed
+// to provide both fixed and dynamic block and key lengths and can also 
+// run with either big or little endian internal byte order (see aes.h). 
+// It inputs block and key lengths in bytes with the legal values being 
+// 16, 24 and 32.
+
+/*
+ * Modified by Jari Ruusu,  May 1 2001
+ *  - Fixed some compile warnings, code was ok but gcc warned anyway.
+ *  - Changed basic types: byte -> unsigned char, word -> u_int32_t
+ *  - Major name space cleanup: Names visible to outside now begin
+ *    with "aes_" or "AES_". A lot of stuff moved from aes.h to aes.c
+ *  - Removed C++ and DLL support as part of name space cleanup.
+ *  - Eliminated unnecessary recomputation of tables. (actual bug fix)
+ *  - Merged precomputed constant tables to aes.c file.
+ *  - Removed data alignment restrictions for portability reasons.
+ *  - Made block and key lengths accept bit count (128/192/256)
+ *    as well byte count (16/24/32).
+ *  - Removed all error checks. This change also eliminated the need
+ *    to preinitialize the context struct to zero.
+ *  - Removed some totally unused constants.
+ */
+
+#ifndef _AES_H
+#define _AES_H
+
+#if defined(__linux__) && defined(__KERNEL__)
+#  include <linux/types.h>
+#else 
+#  include <sys/types.h>
+#endif
+
+// CONFIGURATION OPTIONS (see also aes.c)
+//
+// Define AES_BLOCK_SIZE to set the cipher block size (16, 24 or 32) or
+// leave this undefined for dynamically variable block size (this will
+// result in much slower code).
+// IMPORTANT NOTE: AES_BLOCK_SIZE is in BYTES (16, 24, 32 or undefined). If
+// left undefined a slower version providing variable block length is compiled
+
+#define AES_BLOCK_SIZE  16
+
+// The number of key schedule words for different block and key lengths
+// allowing for method of computation which requires the length to be a
+// multiple of the key length
+//
+// Nk =       4   6   8
+//        -------------
+// Nb = 4 |  60  60  64
+//      6 |  96  90  96
+//      8 | 120 120 120
+
+#if !defined(AES_BLOCK_SIZE) || (AES_BLOCK_SIZE == 32)
+#define AES_KS_LENGTH   120
+#define AES_RC_LENGTH    29
+#else
+#define AES_KS_LENGTH   4 * AES_BLOCK_SIZE
+#define AES_RC_LENGTH   (9 * AES_BLOCK_SIZE) / 8 - 8
+#endif
+
+typedef struct
+{
+    u_int32_t    aes_Nkey;      // the number of words in the key input block
+    u_int32_t    aes_Nrnd;      // the number of cipher rounds
+    u_int32_t    aes_e_key[AES_KS_LENGTH];   // the encryption key schedule
+    u_int32_t    aes_d_key[AES_KS_LENGTH];   // the decryption key schedule
+#if !defined(AES_BLOCK_SIZE)
+    u_int32_t    aes_Ncol;      // the number of columns in the cipher state
+#endif
+} aes_context;
+
+// THE CIPHER INTERFACE
+
+#if !defined(AES_BLOCK_SIZE)
+extern void aes_set_blk(aes_context *, const int);
+#endif
+extern void aes_set_key(aes_context *, const unsigned char [], const int, const int);
+extern void aes_encrypt(const aes_context *, const unsigned char [], unsigned char []);
+extern void aes_decrypt(const aes_context *, const unsigned char [], unsigned char []);
+
+// The block length inputs to aes_set_block and aes_set_key are in numbers
+// of bytes or bits.  The calls to subroutines must be made in the above
+// order but multiple calls can be made without repeating earlier calls
+// if their parameters have not changed.
+
+#endif  // _AES_H
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/aes_cbc.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,4 @@
+/* Glue header */
+#include "aes.h"
+int AES_set_key(aes_context *aes_ctx, const u_int8_t * key, int keysize);
+int AES_cbc_encrypt(aes_context *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt);
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/aes_xcbc_mac.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,12 @@
+#ifndef _AES_XCBC_MAC_H
+#define _AES_XCBC_MAC_H
+
+typedef u_int32_t aes_block[4];
+typedef struct {
+	aes_context ctx_k1;
+	aes_block k2;
+	aes_block k3;
+} aes_context_mac;
+int AES_xcbc_mac_set_key(aes_context_mac *ctxm, const u_int8_t *key, int keylen);
+int AES_xcbc_mac_hash(const aes_context_mac *ctxm, const u_int8_t * in, int ilen, u_int8_t hash[16]);
+#endif /* _AES_XCBC_MAC_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/cbc_generic.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,110 @@
+#ifndef _CBC_GENERIC_H
+#define _CBC_GENERIC_H
+/*
+ * CBC macro helpers
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ */
+
+/*
+ * 	Heavily inspired in loop_AES
+ */
+#define CBC_IMPL_BLK16(name, ctx_type, addr_type, enc_func, dec_func) \
+int name(ctx_type *ctx, const u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt) { \
+	int ret=ilen, pos; \
+	const u_int32_t *iv_i; \
+	if ((ilen) % 16) return 0; \
+	if (encrypt) { \
+		pos=0; \
+		while(pos<ilen) { \
+			if (pos==0) \
+				iv_i=(const u_int32_t*) iv; \
+			else \
+				iv_i=(const u_int32_t*) (out-16); \
+			*((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0])); \
+			*((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4])); \
+			*((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8])); \
+			*((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12])); \
+			enc_func(ctx, (addr_type) out, (addr_type) out); \
+			in+=16; \
+			out+=16; \
+			pos+=16; \
+		} \
+	} else { \
+		pos=ilen-16; \
+		in+=pos; \
+		out+=pos; \
+		while(pos>=0) { \
+			dec_func(ctx, (const addr_type) in, (addr_type) out); \
+			if (pos==0) \
+				iv_i=(const u_int32_t*) (iv); \
+			else \
+				iv_i=(const u_int32_t*) (in-16); \
+			*((u_int32_t *)(&out[ 0])) ^= iv_i[0]; \
+			*((u_int32_t *)(&out[ 4])) ^= iv_i[1]; \
+			*((u_int32_t *)(&out[ 8])) ^= iv_i[2]; \
+			*((u_int32_t *)(&out[12])) ^= iv_i[3]; \
+			in-=16; \
+			out-=16; \
+			pos-=16; \
+		} \
+	} \
+	return ret; \
+} 
+#define CBC_IMPL_BLK8(name, ctx_type, addr_type,  enc_func, dec_func) \
+int name(ctx_type *ctx, u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt) { \
+	int ret=ilen, pos; \
+	const u_int32_t *iv_i; \
+	if ((ilen) % 8) return 0; \
+	if (encrypt) { \
+		pos=0; \
+		while(pos<ilen) { \
+			if (pos==0) \
+				iv_i=(const u_int32_t*) iv; \
+			else \
+				iv_i=(const u_int32_t*) (out-8); \
+			*((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0])); \
+			*((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4])); \
+			enc_func(ctx, (addr_type)out, (addr_type)out); \
+			in+=8; \
+			out+=8; \
+			pos+=8; \
+		} \
+	} else { \
+		pos=ilen-8; \
+		in+=pos; \
+		out+=pos; \
+		while(pos>=0) { \
+			dec_func(ctx, (const addr_type)in, (addr_type)out); \
+			if (pos==0) \
+				iv_i=(const u_int32_t*) (iv); \
+			else \
+				iv_i=(const u_int32_t*) (in-8); \
+			*((u_int32_t *)(&out[ 0])) ^= iv_i[0]; \
+			*((u_int32_t *)(&out[ 4])) ^= iv_i[1]; \
+			in-=8; \
+			out-=8; \
+			pos-=8; \
+		} \
+	} \
+	return ret; \
+} 
+#define CBC_DECL(name, ctx_type) \
+int name(ctx_type *ctx, u_int8_t * in, u_int8_t * out, int ilen, const u_int8_t * iv, int encrypt)
+/*
+Eg.:
+CBC_IMPL_BLK16(AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
+CBC_DECL(AES_cbc_encrypt, aes_context);
+*/
+#endif /* _CBC_GENERIC_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/des.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,298 @@
+/* crypto/des/des.org */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING 
+ *
+ * Always modify des.org since des.h is automatically generated from
+ * it during SSLeay configuration.
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+/* Must be unsigned int on ia64/Itanium or DES breaks badly */
+
+#ifdef __KERNEL__
+#include <linux/types.h>
+#else
+#include <sys/types.h>
+#endif
+
+#ifndef DES_LONG
+#define DES_LONG u_int32_t
+#endif
+
+typedef unsigned char des_cblock[8];
+typedef struct { des_cblock ks; } des_key_schedule[16];
+
+#define DES_KEY_SZ 	(sizeof(des_cblock))
+#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
+
+#define DES_ENCRYPT	1
+#define DES_DECRYPT	0
+
+#define DES_CBC_MODE	0
+#define DES_PCBC_MODE	1
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+	des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+	des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+	des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+	des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define C_Block des_cblock
+#define Key_schedule des_key_schedule
+#ifdef KERBEROS
+#define ENCRYPT DES_ENCRYPT
+#define DECRYPT DES_DECRYPT
+#endif
+#define KEY_SZ DES_KEY_SZ
+#define string_to_key des_string_to_key
+#define read_pw_string des_read_pw_string
+#define random_key des_random_key
+#define pcbc_encrypt des_pcbc_encrypt
+#define set_key des_set_key
+#define key_sched des_key_sched
+#define ecb_encrypt des_ecb_encrypt
+#define cbc_encrypt des_cbc_encrypt
+#define ncbc_encrypt des_ncbc_encrypt
+#define xcbc_encrypt des_xcbc_encrypt
+#define cbc_cksum des_cbc_cksum
+#define quad_cksum des_quad_cksum
+
+/* For compatibility with the MIT lib - eay 20/05/92 */
+typedef des_key_schedule bit_64;
+#define des_fixup_key_parity des_set_odd_parity
+#define des_check_key_parity check_parity
+
+extern int des_check_key;	/* defaults to false */
+extern int des_rw_mode;		/* defaults to DES_PCBC_MODE */
+
+/* The next line is used to disable full ANSI prototypes, if your
+ * compiler has problems with the prototypes, make sure this line always
+ * evaluates to true :-) */
+#if defined(MSDOS) || defined(__STDC__)
+#undef NOPROTO
+#endif
+#ifndef NOPROTO
+char *des_options(void);
+void des_ecb3_encrypt(des_cblock *input,des_cblock *output,
+	des_key_schedule ks1,des_key_schedule ks2,
+	des_key_schedule ks3, int enc);
+DES_LONG des_cbc_cksum(des_cblock *input,des_cblock *output,
+	long length,des_key_schedule schedule,des_cblock *ivec);
+void des_cbc_encrypt(des_cblock *input,des_cblock *output,long length,
+	des_key_schedule schedule,des_cblock *ivec,int enc);
+void des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length,
+	des_key_schedule schedule,des_cblock *ivec,int enc);
+void des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length,
+	des_key_schedule schedule,des_cblock *ivec,
+	des_cblock *inw,des_cblock *outw,int enc);
+void des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
+	long length,des_key_schedule schedule,des_cblock *ivec,int enc);
+void des_ecb_encrypt(des_cblock *input,des_cblock *output,
+	des_key_schedule ks,int enc);
+void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+	des_key_schedule ks2, des_key_schedule ks3);
+void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+	des_key_schedule ks2, des_key_schedule ks3);
+void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, 
+	long length, des_key_schedule ks1, des_key_schedule ks2, 
+	des_key_schedule ks3, des_cblock *ivec, int enc);
+void des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
+	long length, des_key_schedule ks1, des_key_schedule ks2,
+	des_key_schedule ks3, des_cblock *ivec, int *num, int enc);
+void des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
+	long length, des_key_schedule ks1, des_key_schedule ks2,
+	des_key_schedule ks3, des_cblock *ivec, int *num);
+
+void des_xwhite_in2out(des_cblock (*des_key), des_cblock (*in_white),
+	des_cblock (*out_white));
+
+int des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
+	des_cblock *iv);
+int des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
+	des_cblock *iv);
+char *des_fcrypt(const char *buf,const char *salt, char *ret);
+#ifdef PERL5
+char *des_crypt(const char *buf,const char *salt);
+#else
+/* some stupid compilers complain because I have declared char instead
+ * of const char */
+#ifndef __KERNEL__
+#ifdef HEADER_DES_LOCL_H
+char *crypt(const char *buf,const char *salt);
+#else /* HEADER_DES_LOCL_H */
+char *crypt(void);
+#endif /* HEADER_DES_LOCL_H */
+#endif /* __KERNEL__ */
+#endif /* PERL5 */
+void des_ofb_encrypt(unsigned char *in,unsigned char *out,
+	int numbits,long length,des_key_schedule schedule,des_cblock *ivec);
+void des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,
+	des_key_schedule schedule,des_cblock *ivec,int enc);
+DES_LONG des_quad_cksum(des_cblock *input,des_cblock *output,
+	long length,int out_count,des_cblock *seed);
+void des_random_seed(des_cblock key);
+void des_random_key(des_cblock ret);
+int des_read_password(des_cblock *key,char *prompt,int verify);
+int des_read_2passwords(des_cblock *key1,des_cblock *key2,
+	char *prompt,int verify);
+int des_read_pw_string(char *buf,int length,char *prompt,int verify);
+void des_set_odd_parity(des_cblock *key);
+int des_is_weak_key(des_cblock *key);
+int des_set_key(des_cblock *key,des_key_schedule schedule);
+int des_key_sched(des_cblock *key,des_key_schedule schedule);
+void des_string_to_key(char *str,des_cblock *key);
+void des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2);
+void des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	des_key_schedule schedule, des_cblock *ivec, int *num, int enc);
+void des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+	des_key_schedule schedule, des_cblock *ivec, int *num);
+int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify);
+
+/* Extra functions from Mark Murray <mark@grondar.za> */
+/* The following functions are not in the normal unix build or the
+ * SSLeay build.  When using the SSLeay build, use RAND_seed()
+ * and RAND_bytes() instead. */
+int des_new_random_key(des_cblock *key);
+void des_init_random_number_generator(des_cblock *key);
+void des_set_random_generator_seed(des_cblock *key);
+void des_set_sequence_number(des_cblock new_sequence_number);
+void des_generate_random_block(des_cblock *block);
+
+#else
+
+char *des_options();
+void des_ecb3_encrypt();
+DES_LONG des_cbc_cksum();
+void des_cbc_encrypt();
+void des_ncbc_encrypt();
+void des_xcbc_encrypt();
+void des_cfb_encrypt();
+void des_ede3_cfb64_encrypt();
+void des_ede3_ofb64_encrypt();
+void des_ecb_encrypt();
+void des_encrypt();
+void des_encrypt2();
+void des_encrypt3();
+void des_decrypt3();
+void des_ede3_cbc_encrypt();
+int des_enc_read();
+int des_enc_write();
+char *des_fcrypt();
+#ifdef PERL5
+char *des_crypt();
+#else
+char *crypt();
+#endif
+void des_ofb_encrypt();
+void des_pcbc_encrypt();
+DES_LONG des_quad_cksum();
+void des_random_seed();
+void des_random_key();
+int des_read_password();
+int des_read_2passwords();
+int des_read_pw_string();
+void des_set_odd_parity();
+int des_is_weak_key();
+int des_set_key();
+int des_key_sched();
+void des_string_to_key();
+void des_string_to_2keys();
+void des_cfb64_encrypt();
+void des_ofb64_encrypt();
+int des_read_pw();
+void des_xwhite_in2out();
+
+/* Extra functions from Mark Murray <mark@grondar.za> */
+/* The following functions are not in the normal unix build or the
+ * SSLeay build.  When using the SSLeay build, use RAND_seed()
+ * and RAND_bytes() instead. */
+#ifdef FreeBSD
+int des_new_random_key();
+void des_init_random_number_generator();
+void des_set_random_generator_seed();
+void des_set_sequence_number();
+void des_generate_random_block();
+#endif
+
+#endif
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/des/des_locl.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,515 @@
+/* crypto/des/des_locl.org */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * Always modify des_locl.org since des_locl.h is automatically generated from
+ * it during SSLeay configuration.
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+#ifndef HEADER_DES_LOCL_H
+#define HEADER_DES_LOCL_H
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#include "crypto/des.h"
+
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+   even newer MIPS CPU's, but at the moment one size fits all for
+   optimization options.  Older Sparc's work better with only UNROLL, but
+   there's no way to tell at compile time what it is you're running on */
+ 
+#if defined( sun )		/* Newer Sparc's */
+  #define DES_PTR
+  #define DES_RISC1
+  #define DES_UNROLL
+#elif defined( __ultrix )	/* Older MIPS */
+  #define DES_PTR
+  #define DES_RISC2
+  #define DES_UNROLL
+#elif defined( __osf1__ )	/* Alpha */
+  #define DES_PTR
+  #define DES_RISC2
+#elif defined ( _AIX )		/* RS6000 */
+  /* Unknown */
+#elif defined( __hpux )		/* HP-PA */
+  /* Unknown */
+#elif defined( __aux )		/* 68K */
+  /* Unknown */
+#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
+  #define DES_UNROLL
+#elif defined( __sgi )		/* Newer MIPS */
+  #define DES_PTR
+  #define DES_RISC2
+  #define DES_UNROLL
+#elif defined( i386 )		/* x86 boxes, should be gcc */
+  #define DES_PTR
+  #define DES_RISC1
+  #define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+
+#ifdef MSDOS		/* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#ifndef RAND
+#define RAND
+#endif
+#undef NOPROTO
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#ifndef __KERNEL__
+#include <string.h>
+#else
+#include <linux/string.h>
+#endif
+#endif
+
+#ifndef RAND
+#define RAND
+#endif
+
+#ifdef linux
+#undef RAND
+#endif
+
+#ifdef MSDOS
+#define getpid() 2
+#define RAND
+#undef NOPROTO
+#endif
+
+#if defined(NOCONST)
+#define const
+#endif
+
+#ifdef __STDC__
+#undef NOPROTO
+#endif
+
+#ifdef RAND
+#define srandom(s) srand(s)
+#define random rand
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE	(1024*16)
+#define BSIZE		(MAXWRITE+4)
+
+#define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+			case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+			case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 5: l2|=((DES_LONG)(*(--(c))));     \
+			case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+			case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+			case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+			case 1: l1|=((DES_LONG)(*(--(c))));     \
+				} \
+			}
+
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)	(l =((DES_LONG)(*((c)++)))<<24L, \
+			 l|=((DES_LONG)(*((c)++)))<<16L, \
+			 l|=((DES_LONG)(*((c)++)))<< 8L, \
+			 l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+#if defined(WIN32)
+#define	ROTATE(a,n)	(_lrotr(a,n))
+#else
+#define	ROTATE(a,n)	(((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+	{ DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	t=R^(R>>16L); \
+	u=t&E0; t&=E1; \
+	tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
+	tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+	u=R^s[S  ]; \
+	t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the achitecture.  gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together.  This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	u>>=16L; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+	u3=(int)(u>>8L); \
+	u1=(int)u&0xfc; \
+	u3&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	t>>=16L; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+	u3=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u3&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0xfc; \
+	u2&=0xfc; \
+	t=ROTATE(t,4); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP      +u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+	s1=(int)(u>>16L); \
+	s2=(int)(u>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \
+	u2=(int)t>>8L; \
+	u1=(int)t&0xfc; \
+	u2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+	s1=(int)(t>>16L); \
+	s2=(int)(t>>24L); \
+	s1&=0xfc; \
+	s2&=0xfc; \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \
+	LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^= \
+	*(DES_LONG *)((unsigned char *)des_SP      +((u     )&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x100+((t     )&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \
+	*(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,u3; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	u>>=16L; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	u3=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[4][u1]; \
+	LL^=des_SPtrans[6][u3]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	t>>=16L; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	u3=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u3&=0x3f; \
+	LL^=des_SPtrans[5][u1]; \
+	LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+	unsigned int u1,u2,s1,s2; \
+	LOAD_DATA(R,S,u,t,E0,E1,u1); \
+	u>>=2L; \
+	t=ROTATE(t,6); \
+	u2=(int)u>>8L; \
+	u1=(int)u&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[0][u1]; \
+	LL^=des_SPtrans[2][u2]; \
+	s1=(int)u>>16L; \
+	s2=(int)u>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[4][s1]; \
+	LL^=des_SPtrans[6][s2]; \
+	u2=(int)t>>8L; \
+	u1=(int)t&0x3f; \
+	u2&=0x3f; \
+	LL^=des_SPtrans[1][u1]; \
+	LL^=des_SPtrans[3][u2]; \
+	s1=(int)t>>16; \
+	s2=(int)t>>24L; \
+	s1&=0x3f; \
+	s2&=0x3f; \
+	LL^=des_SPtrans[5][s1]; \
+	LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+	t=ROTATE(t,4); \
+	LL^=\
+		des_SPtrans[0][(u>> 2L)&0x3f]^ \
+		des_SPtrans[2][(u>>10L)&0x3f]^ \
+		des_SPtrans[4][(u>>18L)&0x3f]^ \
+		des_SPtrans[6][(u>>26L)&0x3f]^ \
+		des_SPtrans[1][(t>> 2L)&0x3f]^ \
+		des_SPtrans[3][(t>>10L)&0x3f]^ \
+		des_SPtrans[5][(t>>18L)&0x3f]^ \
+		des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+	/* IP and FP
+	 * The problem is more of a geometric problem that random bit fiddling.
+	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+	16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+	24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+	32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+	40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+	48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+	56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+	The output has been subject to swaps of the form
+	0 1 -> 3 1 but the odd and even bits have been put into
+	2 3    2 0
+	different words.  The main trick is to remember that
+	t=((l>>size)^r)&(mask);
+	r^=t;
+	l^=(t<<size);
+	can be used to swap and move bits between words.
+
+	So l =  0  1  2  3  r = 16 17 18 19
+	        4  5  6  7      20 21 22 23
+	        8  9 10 11      24 25 26 27
+	       12 13 14 15      28 29 30 31
+	becomes (for size == 2 and mask == 0x3333)
+	   t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+		 6^20  7^21 -- --        4  5 20 21       6  7 22 23
+		10^24 11^25 -- --        8  9 24 25      10 11 24 25
+		14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+	Thanks for hints from Richard Outerbridge - he told me IP&FP
+	could be done in 15 xor, 10 shifts and 5 ands.
+	When I finally started to think of the problem in 2D
+	I first got ~42 operations without xors.  When I remembered
+	how to use xors :-) I got it to its final state.
+	*/
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+	(b)^=(t),\
+	(a)^=((t)<<(n)))
+
+#define IP(l,r) \
+	{ \
+	register DES_LONG tt; \
+	PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+	PERM_OP(l,r,tt,16,0x0000ffffL); \
+	PERM_OP(r,l,tt, 2,0x33333333L); \
+	PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+	PERM_OP(r,l,tt, 1,0x55555555L); \
+	}
+
+#define FP(l,r) \
+	{ \
+	register DES_LONG tt; \
+	PERM_OP(l,r,tt, 1,0x55555555L); \
+	PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+	PERM_OP(l,r,tt, 2,0x33333333L); \
+	PERM_OP(r,l,tt,16,0x0000ffffL); \
+	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+	}
+
+extern const DES_LONG des_SPtrans[8][64];
+
+#ifndef NOPROTO
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+	DES_LONG Eswap0, DES_LONG Eswap1);
+#else
+void fcrypt_body();
+#endif
+
+#endif
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/des/des_ver.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,60 @@
+/* crypto/des/des_ver.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+extern char *DES_version;	/* SSLeay version string */
+extern char *libdes_version;	/* old libdes version string */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/des/podd.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,75 @@
+/* crypto/des/podd.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const unsigned char odd_parity[256]={
+  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
+ 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+ 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+ 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+ 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+ 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+ 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/des/sk.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,204 @@
+/* crypto/des/sk.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static const DES_LONG des_skb[8][64]={
+{
+/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+0x00000000L,0x00000010L,0x20000000L,0x20000010L,
+0x00010000L,0x00010010L,0x20010000L,0x20010010L,
+0x00000800L,0x00000810L,0x20000800L,0x20000810L,
+0x00010800L,0x00010810L,0x20010800L,0x20010810L,
+0x00000020L,0x00000030L,0x20000020L,0x20000030L,
+0x00010020L,0x00010030L,0x20010020L,0x20010030L,
+0x00000820L,0x00000830L,0x20000820L,0x20000830L,
+0x00010820L,0x00010830L,0x20010820L,0x20010830L,
+0x00080000L,0x00080010L,0x20080000L,0x20080010L,
+0x00090000L,0x00090010L,0x20090000L,0x20090010L,
+0x00080800L,0x00080810L,0x20080800L,0x20080810L,
+0x00090800L,0x00090810L,0x20090800L,0x20090810L,
+0x00080020L,0x00080030L,0x20080020L,0x20080030L,
+0x00090020L,0x00090030L,0x20090020L,0x20090030L,
+0x00080820L,0x00080830L,0x20080820L,0x20080830L,
+0x00090820L,0x00090830L,0x20090820L,0x20090830L,
+},{
+/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+0x00000000L,0x02000000L,0x00002000L,0x02002000L,
+0x00200000L,0x02200000L,0x00202000L,0x02202000L,
+0x00000004L,0x02000004L,0x00002004L,0x02002004L,
+0x00200004L,0x02200004L,0x00202004L,0x02202004L,
+0x00000400L,0x02000400L,0x00002400L,0x02002400L,
+0x00200400L,0x02200400L,0x00202400L,0x02202400L,
+0x00000404L,0x02000404L,0x00002404L,0x02002404L,
+0x00200404L,0x02200404L,0x00202404L,0x02202404L,
+0x10000000L,0x12000000L,0x10002000L,0x12002000L,
+0x10200000L,0x12200000L,0x10202000L,0x12202000L,
+0x10000004L,0x12000004L,0x10002004L,0x12002004L,
+0x10200004L,0x12200004L,0x10202004L,0x12202004L,
+0x10000400L,0x12000400L,0x10002400L,0x12002400L,
+0x10200400L,0x12200400L,0x10202400L,0x12202400L,
+0x10000404L,0x12000404L,0x10002404L,0x12002404L,
+0x10200404L,0x12200404L,0x10202404L,0x12202404L,
+},{
+/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+0x00000000L,0x00000001L,0x00040000L,0x00040001L,
+0x01000000L,0x01000001L,0x01040000L,0x01040001L,
+0x00000002L,0x00000003L,0x00040002L,0x00040003L,
+0x01000002L,0x01000003L,0x01040002L,0x01040003L,
+0x00000200L,0x00000201L,0x00040200L,0x00040201L,
+0x01000200L,0x01000201L,0x01040200L,0x01040201L,
+0x00000202L,0x00000203L,0x00040202L,0x00040203L,
+0x01000202L,0x01000203L,0x01040202L,0x01040203L,
+0x08000000L,0x08000001L,0x08040000L,0x08040001L,
+0x09000000L,0x09000001L,0x09040000L,0x09040001L,
+0x08000002L,0x08000003L,0x08040002L,0x08040003L,
+0x09000002L,0x09000003L,0x09040002L,0x09040003L,
+0x08000200L,0x08000201L,0x08040200L,0x08040201L,
+0x09000200L,0x09000201L,0x09040200L,0x09040201L,
+0x08000202L,0x08000203L,0x08040202L,0x08040203L,
+0x09000202L,0x09000203L,0x09040202L,0x09040203L,
+},{
+/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+0x00000000L,0x00100000L,0x00000100L,0x00100100L,
+0x00000008L,0x00100008L,0x00000108L,0x00100108L,
+0x00001000L,0x00101000L,0x00001100L,0x00101100L,
+0x00001008L,0x00101008L,0x00001108L,0x00101108L,
+0x04000000L,0x04100000L,0x04000100L,0x04100100L,
+0x04000008L,0x04100008L,0x04000108L,0x04100108L,
+0x04001000L,0x04101000L,0x04001100L,0x04101100L,
+0x04001008L,0x04101008L,0x04001108L,0x04101108L,
+0x00020000L,0x00120000L,0x00020100L,0x00120100L,
+0x00020008L,0x00120008L,0x00020108L,0x00120108L,
+0x00021000L,0x00121000L,0x00021100L,0x00121100L,
+0x00021008L,0x00121008L,0x00021108L,0x00121108L,
+0x04020000L,0x04120000L,0x04020100L,0x04120100L,
+0x04020008L,0x04120008L,0x04020108L,0x04120108L,
+0x04021000L,0x04121000L,0x04021100L,0x04121100L,
+0x04021008L,0x04121008L,0x04021108L,0x04121108L,
+},{
+/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+0x00000000L,0x10000000L,0x00010000L,0x10010000L,
+0x00000004L,0x10000004L,0x00010004L,0x10010004L,
+0x20000000L,0x30000000L,0x20010000L,0x30010000L,
+0x20000004L,0x30000004L,0x20010004L,0x30010004L,
+0x00100000L,0x10100000L,0x00110000L,0x10110000L,
+0x00100004L,0x10100004L,0x00110004L,0x10110004L,
+0x20100000L,0x30100000L,0x20110000L,0x30110000L,
+0x20100004L,0x30100004L,0x20110004L,0x30110004L,
+0x00001000L,0x10001000L,0x00011000L,0x10011000L,
+0x00001004L,0x10001004L,0x00011004L,0x10011004L,
+0x20001000L,0x30001000L,0x20011000L,0x30011000L,
+0x20001004L,0x30001004L,0x20011004L,0x30011004L,
+0x00101000L,0x10101000L,0x00111000L,0x10111000L,
+0x00101004L,0x10101004L,0x00111004L,0x10111004L,
+0x20101000L,0x30101000L,0x20111000L,0x30111000L,
+0x20101004L,0x30101004L,0x20111004L,0x30111004L,
+},{
+/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+0x00000000L,0x08000000L,0x00000008L,0x08000008L,
+0x00000400L,0x08000400L,0x00000408L,0x08000408L,
+0x00020000L,0x08020000L,0x00020008L,0x08020008L,
+0x00020400L,0x08020400L,0x00020408L,0x08020408L,
+0x00000001L,0x08000001L,0x00000009L,0x08000009L,
+0x00000401L,0x08000401L,0x00000409L,0x08000409L,
+0x00020001L,0x08020001L,0x00020009L,0x08020009L,
+0x00020401L,0x08020401L,0x00020409L,0x08020409L,
+0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
+0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
+0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
+0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
+0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
+0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
+0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
+0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
+},{
+/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+0x00000000L,0x00000100L,0x00080000L,0x00080100L,
+0x01000000L,0x01000100L,0x01080000L,0x01080100L,
+0x00000010L,0x00000110L,0x00080010L,0x00080110L,
+0x01000010L,0x01000110L,0x01080010L,0x01080110L,
+0x00200000L,0x00200100L,0x00280000L,0x00280100L,
+0x01200000L,0x01200100L,0x01280000L,0x01280100L,
+0x00200010L,0x00200110L,0x00280010L,0x00280110L,
+0x01200010L,0x01200110L,0x01280010L,0x01280110L,
+0x00000200L,0x00000300L,0x00080200L,0x00080300L,
+0x01000200L,0x01000300L,0x01080200L,0x01080300L,
+0x00000210L,0x00000310L,0x00080210L,0x00080310L,
+0x01000210L,0x01000310L,0x01080210L,0x01080310L,
+0x00200200L,0x00200300L,0x00280200L,0x00280300L,
+0x01200200L,0x01200300L,0x01280200L,0x01280300L,
+0x00200210L,0x00200310L,0x00280210L,0x00280310L,
+0x01200210L,0x01200310L,0x01280210L,0x01280310L,
+},{
+/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+0x00000000L,0x04000000L,0x00040000L,0x04040000L,
+0x00000002L,0x04000002L,0x00040002L,0x04040002L,
+0x00002000L,0x04002000L,0x00042000L,0x04042000L,
+0x00002002L,0x04002002L,0x00042002L,0x04042002L,
+0x00000020L,0x04000020L,0x00040020L,0x04040020L,
+0x00000022L,0x04000022L,0x00040022L,0x04040022L,
+0x00002020L,0x04002020L,0x00042020L,0x04042020L,
+0x00002022L,0x04002022L,0x00042022L,0x04042022L,
+0x00000800L,0x04000800L,0x00040800L,0x04040800L,
+0x00000802L,0x04000802L,0x00040802L,0x04040802L,
+0x00002800L,0x04002800L,0x00042800L,0x04042800L,
+0x00002802L,0x04002802L,0x00042802L,0x04042802L,
+0x00000820L,0x04000820L,0x00040820L,0x04040820L,
+0x00000822L,0x04000822L,0x00040822L,0x04040822L,
+0x00002820L,0x04002820L,0x00042820L,0x04042820L,
+0x00002822L,0x04002822L,0x00042822L,0x04042822L,
+}};
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/des/spr.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,204 @@
+/* crypto/des/spr.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+const DES_LONG des_SPtrans[8][64]={
+{
+/* nibble 0 */
+0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
+0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
+0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
+0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
+0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
+0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
+0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
+0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
+0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
+0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
+0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
+0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
+0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
+0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
+0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
+0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
+},{
+/* nibble 1 */
+0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
+0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
+0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
+0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
+0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
+0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
+0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
+0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
+0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
+0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
+0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
+0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
+0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
+0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
+0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
+0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
+},{
+/* nibble 2 */
+0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
+0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
+0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
+0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
+0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
+0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
+0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
+0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
+0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
+0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
+0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
+0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
+0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
+0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
+0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
+0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
+},{
+/* nibble 3 */
+0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
+0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
+0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
+0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
+0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
+0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
+0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
+0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
+0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
+0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
+0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
+0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
+0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
+0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
+0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
+0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
+},{
+/* nibble 4 */
+0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
+0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
+0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
+0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
+0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
+0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
+0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
+0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
+0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
+0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
+0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
+0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
+0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
+0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
+0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
+0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
+},{
+/* nibble 5 */
+0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
+0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
+0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
+0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
+0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
+0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
+0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
+0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
+0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
+0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
+0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
+0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
+0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
+0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
+0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
+0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
+},{
+/* nibble 6 */
+0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
+0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
+0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
+0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
+0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
+0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
+0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
+0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
+0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
+0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
+0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
+0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
+0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
+0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
+0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
+0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
+},{
+/* nibble 7 */
+0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
+0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
+0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
+0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
+0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
+0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
+0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
+0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
+0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
+0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
+0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
+0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
+0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
+0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
+0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
+0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
+}};
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/mast.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,33 @@
+struct mast_callbacks {
+  int (*packet_encap)(struct device *mast, void *context,
+		      struct sk_buff *skb, int flowref);
+  int (*link_inquire)(struct device *mast, void *context);
+};
+
+
+struct device *mast_init (int family,
+			  struct mast_callbacks *callbacks,
+			  unsigned int flags,
+			  unsigned int desired_unit,
+			  unsigned int max_flowref,
+			  void *context);
+
+int mast_destroy(struct device *mast);
+
+int mast_recv(struct device *mast, struct sk_buff *skb, int flowref);
+
+/* free this skb as being useless, increment failure count. */
+int mast_toast(struct device *mast, struct sk_buff *skb, int flowref);
+
+int mast_linkstat (struct device *mast, int flowref,
+		   int status);
+
+int mast_setreference (struct device *mast,
+		       int defaultSA);
+
+int mast_setneighbor (struct device *mast,
+		      struct sockaddr *source,
+		      struct sockaddr *destination,
+		      int flowref);
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,518 @@
+#ifndef _OPENSWAN_H
+/*
+ * header file for FreeS/WAN library functions
+ * Copyright (C) 1998, 1999, 2000  Henry Spencer.
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: openswan.h,v 1.93 2005/04/14 20:21:51 mcr Exp $
+ */
+#define	_OPENSWAN_H	/* seen it, no need to see it again */
+
+/* you'd think this should be builtin to compiler... */
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+
+
+/*
+ * We've just got to have some datatypes defined...  And annoyingly, just
+ * where we get them depends on whether we're in userland or not.
+ */
+/* things that need to come from one place or the other, depending */
+#ifdef __KERNEL__
+#include <linux/types.h>
+#include <linux/socket.h>
+#include <linux/in.h>
+#include <linux/string.h>
+#include <linux/ctype.h>
+#define user_assert(foo)  /*nothing*/
+#else
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#define user_assert(foo) assert(foo)
+#include <stdio.h>
+
+#  define uint8_t u_int8_t
+#  define uint16_t u_int16_t 
+#  define uint32_t u_int32_t 
+#  define uint64_t u_int64_t 
+
+
+#  define DEBUG_NO_STATIC static
+
+#endif
+
+#include <openswan/ipsec_param.h>
+
+
+/*
+ * Grab the kernel version to see if we have NET_21, and therefore 
+ * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, 
+ * we aren't really testing if the kernel has IPv6, but rather if the
+ * the include files do.
+ */
+#include <linux/version.h>
+#ifndef KERNEL_VERSION
+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
+#define NET_21
+#endif
+
+#ifndef IPPROTO_COMP
+#  define IPPROTO_COMP 108
+#endif /* !IPPROTO_COMP */
+
+#ifndef IPPROTO_INT
+#  define IPPROTO_INT 61
+#endif /* !IPPROTO_INT */
+
+#ifdef CONFIG_KLIPS_DEBUG
+#ifndef DEBUG_NO_STATIC
+#  define DEBUG_NO_STATIC
+#endif
+#else /* CONFIG_KLIPS_DEBUG */
+#ifndef DEBUG_NO_STATIC
+#  define DEBUG_NO_STATIC static
+#endif
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#if !defined(ESPINUDP_WITH_NON_IKE)
+#define ESPINUDP_WITH_NON_IKE   1  /* draft-ietf-ipsec-nat-t-ike-00/01 */
+#define ESPINUDP_WITH_NON_ESP   2  /* draft-ietf-ipsec-nat-t-ike-02    */
+#endif
+
+/*
+ * Basic data types for the address-handling functions.
+ * ip_address and ip_subnet are supposed to be opaque types; do not
+ * use their definitions directly, they are subject to change!
+ */
+
+/* first, some quick fakes in case we're on an old system with no IPv6 */
+#ifndef s6_addr16
+struct in6_addr {
+	union 
+	{
+		__u8		u6_addr8[16];
+		__u16		u6_addr16[8];
+		__u32		u6_addr32[4];
+	} in6_u;
+#define s6_addr			in6_u.u6_addr8
+#define s6_addr16		in6_u.u6_addr16
+#define s6_addr32		in6_u.u6_addr32
+};
+struct sockaddr_in6 {
+	unsigned short int	sin6_family;    /* AF_INET6 */
+	__u16			sin6_port;      /* Transport layer port # */
+	__u32			sin6_flowinfo;  /* IPv6 flow information */
+	struct in6_addr		sin6_addr;      /* IPv6 address */
+	__u32			sin6_scope_id;  /* scope id (new in RFC2553) */
+};
+#endif	/* !s6_addr16 */
+
+/* then the main types */
+typedef struct {
+	union {
+		struct sockaddr_in v4;
+		struct sockaddr_in6 v6;
+	} u;
+} ip_address;
+typedef struct {
+	ip_address addr;
+	int maskbits;
+} ip_subnet;
+
+/* and the SA ID stuff */
+#ifdef __KERNEL__
+typedef __u32 ipsec_spi_t;
+#else
+typedef u_int32_t ipsec_spi_t;
+#endif
+typedef struct {		/* to identify an SA, we need: */
+        ip_address dst;		/* A. destination host */
+        ipsec_spi_t spi;	/* B. 32-bit SPI, assigned by dest. host */
+#		define	SPI_PASS	256	/* magic values... */
+#		define	SPI_DROP	257	/* ...for use... */
+#		define	SPI_REJECT	258	/* ...with SA_INT */
+#		define	SPI_HOLD	259
+#		define	SPI_TRAP	260
+#		define  SPI_TRAPSUBNET  261
+	int proto;		/* C. protocol */
+#		define	SA_ESP	50	/* IPPROTO_ESP */
+#		define	SA_AH	51	/* IPPROTO_AH */
+#		define	SA_IPIP	4	/* IPPROTO_IPIP */
+#		define	SA_COMP	108	/* IPPROTO_COMP */
+#		define	SA_INT	61	/* IANA reserved for internal use */
+} ip_said;
+
+/* misc */
+typedef const char *err_t;	/* error message, or NULL for success */
+struct prng {			/* pseudo-random-number-generator guts */
+	unsigned char sbox[256];
+	int i, j;
+	unsigned long count;
+};
+
+
+/*
+ * definitions for user space, taken from freeswan/ipsec_sa.h
+ */
+typedef uint32_t IPsecSAref_t;
+
+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
+
+#define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
+#define NFmark2IPsecSAref(x) ((x) >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
+
+#define IPSEC_SAREF_NULL (~((IPsecSAref_t)0))
+
+/* GCC magic for use in function definitions! */
+#ifdef GCC_LINT
+# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
+# define NEVER_RETURNS __attribute__ ((noreturn))
+# define UNUSED __attribute__ ((unused))
+# define BLANK_FORMAT " "	/* GCC_LINT whines about empty formats */
+#else
+# define PRINTF_LIKE(n)	/* ignore */
+# define NEVER_RETURNS /* ignore */
+# define UNUSED /* ignore */
+# define BLANK_FORMAT ""
+#endif
+
+
+
+
+
+/*
+ * new IPv6-compatible functions
+ */
+
+/* text conversions */
+err_t ttoul(const char *src, size_t srclen, int format, unsigned long *dst);
+size_t ultot(unsigned long src, int format, char *buf, size_t buflen);
+#define	ULTOT_BUF	(22+1)	/* holds 64 bits in octal */
+err_t ttoaddr(const char *src, size_t srclen, int af, ip_address *dst);
+err_t tnatoaddr(const char *src, size_t srclen, int af, ip_address *dst);
+size_t addrtot(const ip_address *src, int format, char *buf, size_t buflen);
+/* RFC 1886 old IPv6 reverse-lookup format is the bulkiest */
+#define	ADDRTOT_BUF	(32*2 + 3 + 1 + 3 + 1 + 1)
+err_t ttosubnet(const char *src, size_t srclen, int af, ip_subnet *dst);
+size_t subnettot(const ip_subnet *src, int format, char *buf, size_t buflen);
+#define	SUBNETTOT_BUF	(ADDRTOT_BUF + 1 + 3)
+size_t subnetporttot(const ip_subnet *src, int format, char *buf, size_t buflen);
+#define	SUBNETPROTOTOT_BUF	(SUBNETTOTO_BUF + ULTOT_BUF)
+err_t ttosa(const char *src, size_t srclen, ip_said *dst);
+size_t satot(const ip_said *src, int format, char *bufptr, size_t buflen);
+#define	SATOT_BUF	(5 + ULTOA_BUF + 1 + ADDRTOT_BUF)
+err_t ttodata(const char *src, size_t srclen, int base, char *buf,
+						size_t buflen, size_t *needed);
+err_t ttodatav(const char *src, size_t srclen, int base,
+	       char *buf,  size_t buflen, size_t *needed,
+	       char *errp, size_t errlen, unsigned int flags);
+#define	TTODATAV_BUF	40	/* ttodatav's largest non-literal message */
+#define TTODATAV_IGNORESPACE  (1<<1)  /* ignore spaces in base64 encodings*/
+#define TTODATAV_SPACECOUNTS  0       /* do not ignore spaces in base64   */
+
+size_t datatot(const char *src, size_t srclen, int format, char *buf,
+								size_t buflen);
+size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst,
+								size_t dstlen);
+size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m,
+					size_t mlen, char *dst, size_t dstlen);
+#define	KEYID_BUF	10	/* up to 9 text digits plus NUL */
+err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port,
+                                                       int *has_port_wildcard);
+
+/* initializations */
+void initsaid(const ip_address *addr, ipsec_spi_t spi, int proto, ip_said *dst);
+err_t loopbackaddr(int af, ip_address *dst);
+err_t unspecaddr(int af, ip_address *dst);
+err_t anyaddr(int af, ip_address *dst);
+err_t initaddr(const unsigned char *src, size_t srclen, int af, ip_address *dst);
+err_t initsubnet(const ip_address *addr, int maskbits, int clash, ip_subnet *dst);
+err_t addrtosubnet(const ip_address *addr, ip_subnet *dst);
+
+/* misc. conversions and related */
+err_t rangetosubnet(const ip_address *from, const ip_address *to, ip_subnet *dst);
+int addrtypeof(const ip_address *src);
+int subnettypeof(const ip_subnet *src);
+size_t addrlenof(const ip_address *src);
+size_t addrbytesptr(const ip_address *src, const unsigned char **dst);
+size_t addrbytesof(const ip_address *src, unsigned char *dst, size_t dstlen);
+int masktocount(const ip_address *src);
+void networkof(const ip_subnet *src, ip_address *dst);
+void maskof(const ip_subnet *src, ip_address *dst);
+
+/* tests */
+int sameaddr(const ip_address *a, const ip_address *b);
+int addrcmp(const ip_address *a, const ip_address *b);
+int samesubnet(const ip_subnet *a, const ip_subnet *b);
+int addrinsubnet(const ip_address *a, const ip_subnet *s);
+int subnetinsubnet(const ip_subnet *a, const ip_subnet *b);
+int subnetishost(const ip_subnet *s);
+int samesaid(const ip_said *a, const ip_said *b);
+int sameaddrtype(const ip_address *a, const ip_address *b);
+int samesubnettype(const ip_subnet *a, const ip_subnet *b);
+int isanyaddr(const ip_address *src);
+int isunspecaddr(const ip_address *src);
+int isloopbackaddr(const ip_address *src);
+
+/* low-level grot */
+int portof(const ip_address *src);
+void setportof(int port, ip_address *dst);
+struct sockaddr *sockaddrof(ip_address *src);
+size_t sockaddrlenof(const ip_address *src);
+
+/* PRNG */
+void prng_init(struct prng *prng, const unsigned char *key, size_t keylen);
+void prng_bytes(struct prng *prng, unsigned char *dst, size_t dstlen);
+unsigned long prng_count(struct prng *prng);
+void prng_final(struct prng *prng);
+
+/* odds and ends */
+const char *ipsec_version_code(void);
+const char *ipsec_version_string(void);
+const char **ipsec_copyright_notice(void);
+
+const char *dns_string_rr(int rr, char *buf, int bufsize);
+const char *dns_string_datetime(time_t seconds,
+				char *buf,
+				int bufsize);
+
+
+/*
+ * old functions, to be deleted eventually
+ */
+
+/* unsigned long */
+const char *			/* NULL for success, else string literal */
+atoul(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	int base,		/* 0 means figure it out */
+	unsigned long *resultp
+);
+size_t				/* space needed for full conversion */
+ultoa(
+	unsigned long n,
+	int base,
+	char *dst,
+	size_t dstlen
+);
+#define	ULTOA_BUF	21	/* just large enough for largest result, */
+				/* assuming 64-bit unsigned long! */
+
+/* Internet addresses */
+const char *			/* NULL for success, else string literal */
+atoaddr(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	struct in_addr *addr
+);
+size_t				/* space needed for full conversion */
+addrtoa(
+	struct in_addr addr,
+	int format,		/* character; 0 means default */
+	char *dst,
+	size_t dstlen
+);
+#define	ADDRTOA_BUF	16	/* just large enough for largest result */
+
+/* subnets */
+const char *			/* NULL for success, else string literal */
+atosubnet(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	struct in_addr *addr,
+	struct in_addr *mask
+);
+size_t				/* space needed for full conversion */
+subnettoa(
+	struct in_addr addr,
+	struct in_addr mask,
+	int format,		/* character; 0 means default */
+	char *dst,
+	size_t dstlen
+);
+#define	SUBNETTOA_BUF	32	/* large enough for worst case result */
+
+/* ranges */
+const char *			/* NULL for success, else string literal */
+atoasr(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	char *type,		/* 'a', 's', 'r' */
+	struct in_addr *addrs	/* two-element array */
+);
+size_t				/* space needed for full conversion */
+rangetoa(
+	struct in_addr *addrs,	/* two-element array */
+	int format,		/* character; 0 means default */
+	char *dst,
+	size_t dstlen
+);
+#define	RANGETOA_BUF	34	/* large enough for worst case result */
+
+/* data types for SA conversion functions */
+
+/* generic data, e.g. keys */
+const char *			/* NULL for success, else string literal */
+atobytes(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	char *dst,
+	size_t dstlen,
+	size_t *lenp		/* NULL means don't bother telling me */
+);
+size_t				/* 0 failure, else true size */
+bytestoa(
+	const char *src,
+	size_t srclen,
+	int format,		/* character; 0 means default */
+	char *dst,
+	size_t dstlen
+);
+
+/* old versions of generic-data functions; deprecated */
+size_t				/* 0 failure, else true size */
+atodata(
+	const char *src,
+	size_t srclen,		/* 0 means strlen(src) */
+	char *dst,
+	size_t dstlen
+);
+size_t				/* 0 failure, else true size */
+datatoa(
+	const char *src,
+	size_t srclen,
+	int format,		/* character; 0 means default */
+	char *dst,
+	size_t dstlen
+);
+
+/* part extraction and special addresses */
+struct in_addr
+subnetof(
+	struct in_addr addr,
+	struct in_addr mask
+);
+struct in_addr
+hostof(
+	struct in_addr addr,
+	struct in_addr mask
+);
+struct in_addr
+broadcastof(
+	struct in_addr addr,
+	struct in_addr mask
+);
+
+/* mask handling */
+int
+goodmask(
+	struct in_addr mask
+);
+int
+masktobits(
+	struct in_addr mask
+);
+struct in_addr
+bitstomask(
+	int n
+);
+
+
+
+/*
+ * general utilities
+ */
+
+#ifndef __KERNEL__
+/* option pickup from files (userland only because of use of FILE) */
+const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
+						int optind, FILE *errorreport);
+
+/* sanitize a string */
+extern size_t sanitize_string(char *buf, size_t size);
+
+#endif
+
+
+/*
+ * ENUM of klips debugging values. Not currently used in klips.
+ * debug flag is actually 32 -bits, but only one bit is ever used,
+ * so we can actually pack it all into a single 32-bit word.
+ */
+enum klips_debug_flags {
+    KDF_VERBOSE     = 0,
+    KDF_XMIT        = 1,
+    KDF_NETLINK     = 2, /* obsolete */
+    KDF_XFORM       = 3,
+    KDF_EROUTE      = 4,
+    KDF_SPI         = 5,
+    KDF_RADIJ       = 6,
+    KDF_ESP         = 7,
+    KDF_AH          = 8, /* obsolete */
+    KDF_RCV         = 9,
+    KDF_TUNNEL      = 10,
+    KDF_PFKEY       = 11,
+    KDF_COMP        = 12
+};
+
+
+/*
+ * Debugging levels for pfkey_lib_debug
+ */
+#define PF_KEY_DEBUG_PARSE_NONE    0
+#define PF_KEY_DEBUG_PARSE_PROBLEM 1
+#define PF_KEY_DEBUG_PARSE_STRUCT  2
+#define PF_KEY_DEBUG_PARSE_FLOW    4
+#define PF_KEY_DEBUG_BUILD         8
+#define PF_KEY_DEBUG_PARSE_MAX    15
+
+extern unsigned int pfkey_lib_debug;  /* bits selecting what to report */
+
+/*
+ * pluto and lwdnsq need to know the maximum size of the commands to,
+ * and replies from lwdnsq. 
+ */
+
+#define LWDNSQ_CMDBUF_LEN      1024
+#define LWDNSQ_RESULT_LEN_MAX  4096
+
+
+/* syntax for passthrough SA */
+#ifndef PASSTHROUGHNAME
+#define	PASSTHROUGHNAME	"%passthrough"
+#define	PASSTHROUGH4NAME	"%passthrough4"
+#define	PASSTHROUGH6NAME	"%passthrough6"
+#define	PASSTHROUGHIS	"tun0@0.0.0.0"
+#define	PASSTHROUGH4IS	"tun0@0.0.0.0"
+#define	PASSTHROUGH6IS	"tun0@::"
+#define	PASSTHROUGHTYPE	"tun"
+#define	PASSTHROUGHSPI	0
+#define	PASSTHROUGHDST	0
+#endif
+
+
+
+#endif /* _OPENSWAN_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipcomp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,61 @@
+/*
+ * IPCOMP zlib interface code.
+ * Copyright (C) 2000  Svenning Soerensen <svenning@post5.tele.dk>
+ * Copyright (C) 2000, 2001  Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+
+ RCSID $Id: ipcomp.h,v 1.14 2004/07/10 19:08:41 mcr Exp $
+
+ */
+
+/* SSS */
+
+#ifndef _IPCOMP_H
+#define _IPCOMP_H
+
+/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */
+#ifndef IPCOMP_PREFIX
+#define IPCOMP_PREFIX
+#endif /* IPCOMP_PREFIX */
+
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP 108
+#endif /* IPPROTO_COMP */
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int sysctl_ipsec_debug_ipcomp;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+struct ipcomphdr {			/* IPCOMP header */
+    __u8    ipcomp_nh;		/* Next header (protocol) */
+    __u8    ipcomp_flags;	/* Reserved, must be 0 */
+    __u16   ipcomp_cpi;		/* Compression Parameter Index */
+};
+
+extern struct inet_protocol comp_protocol;
+extern int sysctl_ipsec_debug_ipcomp;
+
+#define IPCOMP_UNCOMPRESSABLE     0x000000001
+#define IPCOMP_COMPRESSIONERROR   0x000000002
+#define IPCOMP_PARMERROR          0x000000004
+#define IPCOMP_DECOMPRESSIONERROR 0x000000008
+
+#define IPCOMP_ADAPT_INITIAL_TRIES	8
+#define IPCOMP_ADAPT_INITIAL_SKIP	4
+#define IPCOMP_ADAPT_SUBSEQ_TRIES	2
+#define IPCOMP_ADAPT_SUBSEQ_SKIP	8
+
+/* Function prototypes */
+struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
+struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
+
+#endif /* _IPCOMP_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ah.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,200 @@
+/*
+ * Authentication Header declarations
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_ah.h,v 1.26 2004/09/13 02:22:10 mcr Exp $
+ */
+
+#include "ipsec_md5h.h"
+#include "ipsec_sha1.h"
+
+#ifndef IPPROTO_AH
+#define IPPROTO_AH 51
+#endif /* IPPROTO_AH */
+
+#include "ipsec_auth.h"
+
+#ifdef __KERNEL__
+
+extern struct inet_protocol ah_protocol;
+
+struct options;
+
+struct ahhdr				/* Generic AH header */
+{
+	__u8	ah_nh;			/* Next header (protocol) */
+	__u8	ah_hl;			/* AH length, in 32-bit words */
+	__u16	ah_rv;			/* reserved, must be 0 */
+	__u32	ah_spi;			/* Security Parameters Index */
+        __u32   ah_rpl;                 /* Replay prevention */
+	__u8	ah_data[AHHMAC_HASHLEN];/* Authentication hash */
+};
+#define AH_BASIC_LEN 8      /* basic AH header is 8 bytes, nh,hl,rv,spi
+			     * and the ah_hl, says how many bytes after that
+			     * to cover. */
+
+extern struct xform_functions ah_xform_funcs[];
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_ah;
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif /* __KERNEL__ */
+
+/*
+ * $Log: ipsec_ah.h,v $
+ * Revision 1.26  2004/09/13 02:22:10  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.25  2004/09/06 18:35:41  mcr
+ * 	2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
+ * 	so adjust for that.
+ *
+ * Revision 1.24  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.23  2004/04/05 19:55:04  mcr
+ * Moved from linux/include/freeswan/ipsec_ah.h,v
+ *
+ * Revision 1.22  2004/04/05 19:41:05  mcr
+ * 	merged alg-branch code.
+ *
+ * Revision 1.21  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.22  2003/12/11 20:14:58  mcr
+ * 	refactored the xmit code, to move all encapsulation
+ * 	code into protocol functions. Note that all functions
+ * 	are essentially done by a single function, which is probably
+ * 	wrong.
+ * 	the rcv_functions structures are renamed xform_functions.
+ *
+ * Revision 1.21  2003/12/06 21:21:19  mcr
+ * 	split up receive path into per-transform files, for
+ * 	easier later removal.
+ *
+ * Revision 1.20.8.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.20  2003/02/06 02:21:34  rgb
+ *
+ * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
+ * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
+ * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
+ *
+ * Revision 1.19  2002/09/16 21:19:13  mcr
+ * 	fixes for west-ah-icmp-01 - length of AH header must be
+ * 	calculated properly, and next_header field properly copied.
+ *
+ * Revision 1.18  2002/05/14 02:37:02  rgb
+ * Change reference from _TDB to _IPSA.
+ *
+ * Revision 1.17  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_ah.h,v
+ *
+ * Revision 1.16  2002/02/20 01:27:06  rgb
+ * Ditched a pile of structs only used by the old Netlink interface.
+ *
+ * Revision 1.15  2001/12/11 02:35:57  rgb
+ * Change "struct net_device" to "struct device" for 2.2 compatibility.
+ *
+ * Revision 1.14  2001/11/26 09:23:47  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.13.2.1  2001/09/25 02:18:24  mcr
+ * 	replace "struct device" with "struct netdevice"
+ *
+ * Revision 1.13  2001/06/14 19:35:08  rgb
+ * Update copyright date.
+ *
+ * Revision 1.12  2000/09/12 03:21:20  rgb
+ * Cleared out unused htonq.
+ *
+ * Revision 1.11  2000/09/08 19:12:55  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.10  2000/01/21 06:13:10  rgb
+ * Tidied up spacing.
+ * Added macros for HMAC padding magic numbers.(kravietz)
+ *
+ * Revision 1.9  1999/12/07 18:16:23  rgb
+ * Fixed comments at end of #endif lines.
+ *
+ * Revision 1.8  1999/04/11 00:28:56  henry
+ * GPL boilerplate
+ *
+ * Revision 1.7  1999/04/06 04:54:25  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.6  1999/01/26 02:06:01  rgb
+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
+ *
+ * Revision 1.5  1999/01/22 06:17:49  rgb
+ * Updated macro comments.
+ * Added context types to support algorithm switch code.
+ * 64-bit clean-up -- converting 'u long long' to __u64.
+ *
+ * Revision 1.4  1998/07/14 15:54:56  rgb
+ * Add #ifdef __KERNEL__ to protect kernel-only structures.
+ *
+ * Revision 1.3  1998/06/30 18:05:16  rgb
+ * Comment out references to htonq.
+ *
+ * Revision 1.2  1998/06/25 19:33:46  rgb
+ * Add prototype for protocol receive function.
+ * Rearrange for more logical layout.
+ *
+ * Revision 1.1  1998/06/18 21:27:43  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.4  1998/05/18 22:28:43  rgb
+ * Disable key printing facilities from /proc/net/ipsec_*.
+ *
+ * Revision 1.3  1998/04/21 21:29:07  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.2  1998/04/12 22:03:17  rgb
+ * Updated ESP-3DES-HMAC-MD5-96,
+ * 	ESP-DES-HMAC-MD5-96,
+ * 	AH-HMAC-MD5-96,
+ * 	AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
+ * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
+ *
+ * Fixed eroute references in /proc/net/ipsec*.
+ *
+ * Started to patch module unloading memory leaks in ipsec_netlink and
+ * radij tree unloading.
+ *
+ * Revision 1.1  1998/04/09 03:05:55  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:02  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * Added definitions for new AH transforms.
+ *
+ * Revision 0.3  1996/11/20 14:35:48  ji
+ * Minor Cleanup.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_alg.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,248 @@
+/*
+ * Modular extensions service and registration functions interface
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * ipsec_alg.h,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ *
+ */
+/*
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ */
+#ifndef IPSEC_ALG_H
+#define IPSEC_ALG_H
+
+/* 
+ *   gcc >= 3.2 has removed __FUNCTION__, replaced by C99 __func__
+ *   *BUT* its a compiler variable.
+ */
+#if (__GNUC__ >= 3)
+#ifndef __FUNCTION__
+#define __FUNCTION__ __func__
+#endif
+#endif
+
+/*	Version 0.8.1-0 */
+#define IPSEC_ALG_VERSION	0x00080100
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <asm/atomic.h>
+#include <pfkey.h>
+
+/*	
+ *	The following structs are used via pointers in ipsec_alg object to
+ *	avoid ipsec_alg.h coupling with freeswan headers, thus simplifying
+ *	module development
+ */
+struct ipsec_sa;
+struct esp;
+
+/**************************************
+ *
+ *	Main registration object 
+ *
+ *************************************/
+#define IPSEC_ALG_VERSION_QUAD(v)	\
+	(v>>24),((v>>16)&0xff),((v>>8)&0xff),(v&0xff)
+/*	
+ *	Main ipsec_alg objects: "OOPrograming wannabe"
+ *	Hierachy (carefully handled with _minimal_ cast'ing):
+ *
+ *      ipsec_alg+
+ *		 +->ipsec_alg_enc  (ixt_alg_type=SADB_EXT_SUPPORTED_ENCRYPT)
+ *		 +->ipsec_alg_auth (ixt_alg_type=SADB_EXT_SUPPORTED_AUTH)
+ */
+
+/***************************************************************
+ *
+ * 	INTERFACE object: struct ipsec_alg
+ *
+ ***************************************************************/
+
+#define ixt_alg_type ixt_support.ias_exttype
+#define ixt_alg_id   ixt_support.ias_id
+
+#define IPSEC_ALG_ST_SUPP	0x01
+#define IPSEC_ALG_ST_REGISTERED 0x02
+#define IPSEC_ALG_ST_EXCL	0x04
+struct ipsec_alg {
+	unsigned ixt_version;	/* only allow this version (or 'near')*/ \
+	struct list_head ixt_list;	/* dlinked list */ \
+	struct module *ixt_module;	/* THIS_MODULE */ \
+	unsigned ixt_state;		/* state flags */ \
+	atomic_t ixt_refcnt; 	/* ref. count when pointed from ipsec_sa */ \
+	char ixt_name[16];	/* descriptive short name, eg. "3des" */ \
+	void *ixt_data;		/* private for algo implementation */ \
+	uint8_t  ixt_blocksize;	/* blocksize in bytes */ \
+
+	struct ipsec_alg_supported ixt_support;
+};
+/* 
+ * 	Note the const in cbc_encrypt IV arg:
+ * 	some ciphers like to toast passed IV (eg. 3DES): make a local IV copy
+ */
+struct ipsec_alg_enc {
+	struct ipsec_alg ixt_common;
+	unsigned ixt_e_keylen;		/* raw key length in bytes          */
+	unsigned ixt_e_ctx_size;	/* sa_p->key_e_size */
+	int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e, const __u8 *key, size_t keysize);
+	__u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key, size_t keysize);
+	void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e);
+	int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e, __u8 *in, int ilen, const __u8 *iv, int encrypt);
+};
+struct ipsec_alg_auth {
+	struct ipsec_alg ixt_common;
+	unsigned ixt_a_keylen;		/* raw key length in bytes          */
+	unsigned ixt_a_ctx_size;	/* sa_p->key_a_size */
+	unsigned ixt_a_authlen;		/* 'natural' auth. hash len (bytes) */
+	int (*ixt_a_hmac_set_key)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *key, int keylen);
+	int (*ixt_a_hmac_hash)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *dat, int len, __u8 *hash, int hashlen);
+};
+/*	
+ *	These are _copies_ of SADB_EXT_SUPPORTED_{AUTH,ENCRYPT}, 
+ *	to avoid header coupling for true constants
+ *	about headers ... "cp is your friend" --Linus
+ */
+#define IPSEC_ALG_TYPE_AUTH	14
+#define IPSEC_ALG_TYPE_ENCRYPT	15
+
+/***************************************************************
+ *
+ * 	INTERFACE for module loading,testing, and unloading
+ *
+ ***************************************************************/
+/*	-  registration calls 	*/
+int register_ipsec_alg(struct ipsec_alg *);
+int unregister_ipsec_alg(struct ipsec_alg *);
+/*	-  optional (simple test) for algos 	*/
+int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int testparm);
+/*	inline wrappers (usefull for type validation */
+static inline int register_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
+	return register_ipsec_alg((struct ipsec_alg*)ixt);
+}
+static inline int unregister_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
+	return unregister_ipsec_alg((struct ipsec_alg*)ixt);
+}
+static inline int register_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
+	return register_ipsec_alg((struct ipsec_alg*)ixt);
+}
+static inline int unregister_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
+	return unregister_ipsec_alg((struct ipsec_alg*)ixt);
+}
+
+/*****************************************************************
+ *
+ * 	INTERFACE for ENC services: key creation, encrypt function
+ *
+ *****************************************************************/
+
+#define IPSEC_ALG_ENCRYPT 1
+#define IPSEC_ALG_DECRYPT 0
+
+/* 	encryption key context creation function */
+int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p);
+/* 
+ * 	ipsec_alg_esp_encrypt(): encrypt ilen bytes in idat returns
+ * 	0 or ERR<0
+ */
+int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 *idat, int ilen, const __u8 *iv, int action);
+
+/***************************************************************
+ *
+ * 	INTERFACE for AUTH services: key creation, hash functions
+ *
+ ***************************************************************/
+int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p);
+int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) ;
+#define ipsec_alg_sa_esp_update(c,k,l) ipsec_alg_sa_esp_hash(c,k,l,NULL,0)
+
+/* only called from ipsec_init.c */
+int ipsec_alg_init(void);
+
+/* algo module glue for static algos */
+void ipsec_alg_static_init(void);
+typedef int (*ipsec_alg_init_func_t) (void);
+
+/**********************************************
+ *
+ * 	INTERFACE for ipsec_sa init and wipe
+ *
+ **********************************************/
+
+/* returns true if ipsec_sa has ipsec_alg obj attached */
+/* 
+ * Initializes ipsec_sa's ipsec_alg object, using already loaded
+ * proto, authalg, encalg.; links ipsec_alg objects (enc, auth)
+ */
+int ipsec_alg_sa_init(struct ipsec_sa *sa_p);
+/* 
+ * Destroys ipsec_sa's ipsec_alg object
+ * unlinking ipsec_alg objects
+ */
+int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p);
+
+#define IPSEC_ALG_MODULE_INIT_MOD( func_name )	\
+	static int func_name(void);		\
+	module_init(func_name);			\
+	static int __init func_name(void)
+#define IPSEC_ALG_MODULE_EXIT_MOD( func_name )	\
+	static void func_name(void);		\
+	module_exit(func_name);			\
+	static void __exit func_name(void)
+
+#define IPSEC_ALG_MODULE_INIT_STATIC( func_name )	\
+	extern int func_name(void);		\
+	int func_name(void)
+#define IPSEC_ALG_MODULE_EXIT_STATIC( func_name )	\
+	extern void func_name(void);		\
+	void func_name(void)
+
+/**********************************************
+ *
+ * 	2.2 backport for some 2.4 useful module stuff
+ *
+ **********************************************/
+#ifdef MODULE
+#ifndef THIS_MODULE
+#define THIS_MODULE          (&__this_module)
+#endif
+#ifndef module_init
+typedef int (*__init_module_func_t)(void);
+typedef void (*__cleanup_module_func_t)(void);
+
+#define module_init(x) \
+        int init_module(void) __attribute__((alias(#x))); \
+        static inline __init_module_func_t __init_module_inline(void) \
+        { return x; }
+#define module_exit(x) \
+        void cleanup_module(void) __attribute__((alias(#x))); \
+        static inline __cleanup_module_func_t __cleanup_module_inline(void) \
+        { return x; }
+#endif
+#define IPSEC_ALG_MODULE_INIT( func_name )	IPSEC_ALG_MODULE_INIT_MOD( func_name )	
+#define IPSEC_ALG_MODULE_EXIT( func_name )	IPSEC_ALG_MODULE_EXIT_MOD( func_name )
+
+#else	/* not MODULE */
+#ifndef THIS_MODULE
+#define THIS_MODULE          NULL
+#endif
+/*	
+ *	I only want module_init() magic 
+ *	when algo.c file *is THE MODULE*, in all other
+ *	cases, initialization is called explicitely from ipsec_alg_init()
+ */
+#define IPSEC_ALG_MODULE_INIT( func_name )      IPSEC_ALG_MODULE_INIT_STATIC(func_name)
+#define IPSEC_ALG_MODULE_EXIT( func_name )	IPSEC_ALG_MODULE_EXIT_STATIC(func_name)
+#endif
+
+#endif /* IPSEC_ALG_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_alg_3des.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,12 @@
+struct TripleDES_context {
+  des_key_schedule s1;
+  des_key_schedule s2;
+  des_key_schedule s3;
+};
+typedef struct TripleDES_context TripleDES_context;
+
+#define ESP_3DES_KEY_SZ 	3*(sizeof(des_cblock))
+#define ESP_3DES_CBC_BLK_LEN    8
+
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_auth.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,100 @@
+/*
+ * Authentication Header declarations
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_auth.h,v 1.3 2004/04/06 02:49:08 mcr Exp $
+ */
+
+#include "ipsec_md5h.h"
+#include "ipsec_sha1.h"
+
+#ifndef IPSEC_AUTH_H
+#define IPSEC_AUTH_H
+
+#define AH_FLENGTH		12		/* size of fixed part */
+#define AHMD5_KMAX		64		/* MD5 max 512 bits key */
+#define AHMD5_AMAX		12		/* MD5 96 bits of authenticator */
+
+#define AHMD596_KLEN		16		/* MD5 128 bits key */
+#define AHSHA196_KLEN		20		/* SHA1 160 bits key */
+
+#define AHMD596_ALEN    	16		/* MD5 128 bits authentication length */
+#define AHSHA196_ALEN		20		/* SHA1 160 bits authentication length */
+
+#define AHMD596_BLKLEN  	64		/* MD5 block length */
+#define AHSHA196_BLKLEN 	64		/* SHA1 block length */
+#define AHSHA2_256_BLKLEN 	64		/* SHA2-256 block length */
+#define AHSHA2_384_BLKLEN 	128 		/* SHA2-384 block length (?) */
+#define AHSHA2_512_BLKLEN 	128		/* SHA2-512 block length */
+
+#define AH_BLKLEN_MAX 		128		/* keep up to date! */
+
+
+#define AH_AMAX         	AHSHA196_ALEN   /* keep up to date! */
+#define AHHMAC_HASHLEN  	12              /* authenticator length of 96bits */
+#define AHHMAC_RPLLEN   	4               /* 32 bit replay counter */
+
+#define DB_AH_PKTRX		0x0001
+#define DB_AH_PKTRX2		0x0002
+#define DB_AH_DMP		0x0004
+#define DB_AH_IPSA		0x0010
+#define DB_AH_XF		0x0020
+#define DB_AH_INAU		0x0040
+#define DB_AH_REPLAY		0x0100
+
+#ifdef __KERNEL__
+
+/* General HMAC algorithm is described in RFC 2104 */
+
+#define		HMAC_IPAD	0x36
+#define		HMAC_OPAD	0x5C
+
+struct md5_ctx {
+	MD5_CTX ictx;		/* context after H(K XOR ipad) */
+	MD5_CTX	octx;		/* context after H(K XOR opad) */
+};
+
+struct sha1_ctx {
+	SHA1_CTX ictx;		/* context after H(K XOR ipad) */
+	SHA1_CTX octx;		/* context after H(K XOR opad) */
+};
+
+struct auth_alg {
+	void (*init)(void *ctx);
+	void (*update)(void *ctx, unsigned char *bytes, __u32 len);
+	void (*final)(unsigned char *hash, void *ctx);
+	int hashlen;
+};
+
+struct options;
+
+#endif /* __KERNEL__ */
+#endif /* IPSEC_AUTH_H */
+
+/*
+ * $Log: ipsec_auth.h,v $
+ * Revision 1.3  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.2  2004/04/05 19:55:04  mcr
+ * Moved from linux/include/freeswan/ipsec_auth.h,v
+ *
+ * Revision 1.1  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.1  2003/12/06 21:21:19  mcr
+ * 	split up receive path into per-transform files, for
+ * 	easier later removal.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_encap.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,149 @@
+/*
+ * declarations relevant to encapsulation-like operations
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_encap.h,v 1.19 2004/04/05 19:55:04 mcr Exp $
+ */
+
+#ifndef _IPSEC_ENCAP_H_
+
+#define SENT_IP4	16	/* data is two struct in_addr + proto + ports*/
+			/* (2 * sizeof(struct in_addr)) */
+			/* sizeof(struct sockaddr_encap)
+			   - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
+
+struct sockaddr_encap
+{
+	__u8	sen_len;		/* length */
+	__u8	sen_family;		/* AF_ENCAP */
+	__u16	sen_type;		/* see SENT_* */
+	union
+	{
+		struct			/* SENT_IP4 */
+		{
+			struct in_addr Src;
+			struct in_addr Dst;
+			__u8 Proto;
+			__u16 Sport;
+			__u16 Dport;
+		} Sip4;
+	} Sen;
+};
+
+#define sen_ip_src	Sen.Sip4.Src
+#define sen_ip_dst	Sen.Sip4.Dst
+#define sen_proto       Sen.Sip4.Proto
+#define sen_sport       Sen.Sip4.Sport
+#define sen_dport       Sen.Sip4.Dport
+
+#ifndef AF_ENCAP
+#define AF_ENCAP 26
+#endif /* AF_ENCAP */
+
+#define _IPSEC_ENCAP_H_
+#endif /* _IPSEC_ENCAP_H_ */
+
+/*
+ * $Log: ipsec_encap.h,v $
+ * Revision 1.19  2004/04/05 19:55:04  mcr
+ * Moved from linux/include/freeswan/ipsec_encap.h,v
+ *
+ * Revision 1.18  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.17.30.1  2003/09/21 13:59:38  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.17  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_encap.h,v
+ *
+ * Revision 1.16  2001/11/26 09:23:47  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.15.2.1  2001/09/25 02:18:54  mcr
+ * 	struct eroute moved to ipsec_eroute.h
+ *
+ * Revision 1.15  2001/09/14 16:58:36  rgb
+ * Added support for storing the first and last packets through a HOLD.
+ *
+ * Revision 1.14  2001/09/08 21:13:31  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.13  2001/06/14 19:35:08  rgb
+ * Update copyright date.
+ *
+ * Revision 1.12  2001/05/27 06:12:10  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.11  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.10  2000/03/22 16:15:36  rgb
+ * Fixed renaming of dev_get (MB).
+ *
+ * Revision 1.9  2000/01/21 06:13:26  rgb
+ * Added a macro for AF_ENCAP
+ *
+ * Revision 1.8  1999/12/31 14:56:55  rgb
+ * MB fix for 2.3 dev-use-count.
+ *
+ * Revision 1.7  1999/11/18 04:09:18  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.6  1999/09/24 00:34:13  rgb
+ * Add Marc Boucher's support for 2.3.xx+.
+ *
+ * Revision 1.5  1999/04/11 00:28:57  henry
+ * GPL boilerplate
+ *
+ * Revision 1.4  1999/04/06 04:54:25  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.3  1998/10/19 14:44:28  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.2  1998/07/14 18:19:33  rgb
+ * Added #ifdef __KERNEL__ directives to restrict scope of header.
+ *
+ * Revision 1.1  1998/06/18 21:27:44  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.2  1998/04/21 21:29:10  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.1  1998/04/09 03:05:58  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:02  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * Minor cosmetic changes.
+ *
+ * Revision 0.3  1996/11/20 14:35:48  ji
+ * Minor Cleanup.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_eroute.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,112 @@
+/*
+ * @(#) declarations of eroute structures
+ *
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
+ * Copyright (C) 2001                    Michael Richardson <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_eroute.h,v 1.5 2004/04/05 19:55:05 mcr Exp $
+ *
+ * derived from ipsec_encap.h 1.15 on 2001/9/18 by mcr.
+ *
+ */
+
+#ifndef _IPSEC_EROUTE_H_
+
+#include "radij.h"
+#include "ipsec_encap.h"
+#include "ipsec_radij.h"
+
+/*
+ * The "type" is really part of the address as far as the routing
+ * system is concerned. By using only one bit in the type field
+ * for each type, we sort-of make sure that different types of
+ * encapsulation addresses won't be matched against the wrong type.
+ */
+
+/*
+ * An entry in the radix tree 
+ */
+
+struct rjtentry
+{
+	struct	radij_node rd_nodes[2];	/* tree glue, and other values */
+#define	rd_key(r)	((struct sockaddr_encap *)((r)->rd_nodes->rj_key))
+#define	rd_mask(r)	((struct sockaddr_encap *)((r)->rd_nodes->rj_mask))
+	short	rd_flags;
+	short	rd_count;
+};
+
+struct ident
+{
+	__u16	type;	/* identity type */
+	__u64	id;	/* identity id */
+	__u8	len;	/* identity len */
+	caddr_t	data;	/* identity data */
+};
+
+/*
+ * An encapsulation route consists of a pointer to a 
+ * radix tree entry and a SAID (a destination_address/SPI/protocol triple).
+ */
+
+struct eroute
+{
+	struct rjtentry er_rjt;
+	ip_said er_said;
+	uint32_t er_pid;
+	uint32_t er_count;
+	uint64_t er_lasttime;
+	struct sockaddr_encap er_eaddr; /* MCR get rid of _encap, it is silly*/
+	struct sockaddr_encap er_emask;
+        struct ident er_ident_s;
+        struct ident er_ident_d;
+	struct sk_buff* er_first;
+	struct sk_buff* er_last;
+};
+
+#define er_dst er_said.dst
+#define er_spi er_said.spi
+
+#define _IPSEC_EROUTE_H_
+#endif /* _IPSEC_EROUTE_H_ */
+
+/*
+ * $Log: ipsec_eroute.h,v $
+ * Revision 1.5  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_eroute.h,v
+ *
+ * Revision 1.4  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.3.30.2  2003/10/29 01:10:19  mcr
+ * 	elimited "struct sa_id"
+ *
+ * Revision 1.3.30.1  2003/09/21 13:59:38  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.3  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_eroute.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:13  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:18:54  mcr
+ * 	struct eroute moved to ipsec_eroute.h
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_errs.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,53 @@
+/*
+ * @(#) definition of ipsec_errs structure
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_errs.h,v 1.4 2004/04/05 19:55:05 mcr Exp $
+ *
+ */
+
+/* 
+ * This file describes the errors/statistics that FreeSWAN collects.
+ *
+ */
+
+struct ipsec_errs {
+	__u32		ips_alg_errs;	       /* number of algorithm errors */
+	__u32		ips_auth_errs;	       /* # of authentication errors */
+	__u32		ips_encsize_errs;      /* # of encryption size errors*/
+	__u32		ips_encpad_errs;       /* # of encryption pad  errors*/
+	__u32		ips_replaywin_errs;    /* # of pkt sequence errors */
+};
+
+/*
+ * $Log: ipsec_errs.h,v $
+ * Revision 1.4  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_errs.h,v
+ *
+ * Revision 1.3  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_errs.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:13  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:25:57  mcr
+ * 	lifetime structure created and common functions created.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_esp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_esp.h,v 1.28 2004/09/13 02:22:10 mcr Exp $
+ */
+
+#include "openswan/ipsec_md5h.h"
+#include "openswan/ipsec_sha1.h"
+
+#include "crypto/des.h"
+
+#ifndef IPPROTO_ESP
+#define IPPROTO_ESP 50
+#endif /* IPPROTO_ESP */
+
+#define ESP_HEADER_LEN		8	/* 64 bits header (spi+rpl)*/
+
+#define EMT_ESPDESCBC_ULEN	20	/* coming from user mode */
+#define EMT_ESPDES_KMAX		64	/* 512 bit secret key enough? */
+#define EMT_ESPDES_KEY_SZ	8	/* 56 bit secret key with parity = 64 bits */
+#define EMT_ESP3DES_KEY_SZ	24	/* 168 bit secret key with parity = 192 bits */
+#define EMT_ESPDES_IV_SZ	8	/* IV size */
+#define ESP_DESCBC_BLKLEN       8       /* DES-CBC block size */
+
+#define ESP_IV_MAXSZ		16	/* This is _critical_ */
+#define ESP_IV_MAXSZ_INT	(ESP_IV_MAXSZ/sizeof(int))
+
+#define DB_ES_PKTRX	0x0001
+#define DB_ES_PKTRX2	0x0002
+#define DB_ES_IPSA	0x0010
+#define DB_ES_XF	0x0020
+#define DB_ES_IPAD	0x0040
+#define DB_ES_INAU	0x0080
+#define DB_ES_OINFO	0x0100
+#define DB_ES_OINFO2	0x0200
+#define DB_ES_OH	0x0400
+#define DB_ES_REPLAY	0x0800
+
+#ifdef __KERNEL__
+struct des_eks {
+	des_key_schedule ks;
+};
+
+extern struct inet_protocol esp_protocol;
+
+struct options;
+
+struct esphdr
+{
+	__u32	esp_spi;		/* Security Parameters Index */
+        __u32   esp_rpl;                /* Replay counter */
+	__u8	esp_iv[8];		/* iv */
+};
+
+extern struct xform_functions esp_xform_funcs[];
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_esp;
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif /* __KERNEL__ */
+
+/*
+ * $Log: ipsec_esp.h,v $
+ * Revision 1.28  2004/09/13 02:22:10  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.27  2004/09/06 18:35:41  mcr
+ * 	2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
+ * 	so adjust for that.
+ *
+ * Revision 1.26  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.25  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.24  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_esp.h,v
+ *
+ * Revision 1.23  2004/04/05 19:41:05  mcr
+ * 	merged alg-branch code.
+ *
+ * Revision 1.22  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.23  2003/12/11 20:14:58  mcr
+ * 	refactored the xmit code, to move all encapsulation
+ * 	code into protocol functions. Note that all functions
+ * 	are essentially done by a single function, which is probably
+ * 	wrong.
+ * 	the rcv_functions structures are renamed xform_functions.
+ *
+ * Revision 1.22  2003/12/06 21:21:19  mcr
+ * 	split up receive path into per-transform files, for
+ * 	easier later removal.
+ *
+ * Revision 1.21.8.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.21  2003/02/06 02:21:34  rgb
+ *
+ * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
+ * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
+ * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
+ *
+ * Revision 1.20  2002/05/14 02:37:02  rgb
+ * Change reference from _TDB to _IPSA.
+ *
+ * Revision 1.19  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.18  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_esp.h,v
+ *
+ * Revision 1.17  2002/02/20 01:27:07  rgb
+ * Ditched a pile of structs only used by the old Netlink interface.
+ *
+ * Revision 1.16  2001/12/11 02:35:57  rgb
+ * Change "struct net_device" to "struct device" for 2.2 compatibility.
+ *
+ * Revision 1.15  2001/11/26 09:23:48  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.14.2.3  2001/10/23 04:16:42  mcr
+ * 	get definition of des_key_schedule from des.h
+ *
+ * Revision 1.14.2.2  2001/10/22 20:33:13  mcr
+ * 	use "des_key_schedule" structure instead of cooking our own.
+ *
+ * Revision 1.14.2.1  2001/09/25 02:18:25  mcr
+ * 	replace "struct device" with "struct netdevice"
+ *
+ * Revision 1.14  2001/06/14 19:35:08  rgb
+ * Update copyright date.
+ *
+ * Revision 1.13  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.12  2000/08/01 14:51:50  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.11  2000/01/10 16:36:20  rgb
+ * Ditch last of EME option flags, including initiator.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ipcomp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,94 @@
+/*
+ * IP compression header declations
+ *
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_ipcomp.h,v 1.4 2004/07/10 19:08:41 mcr Exp $
+ */
+
+#ifndef IPSEC_IPCOMP_H
+#define IPSEC_IPCOMP_H
+
+#include "openswan/ipsec_auth.h"
+
+/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */
+#ifndef IPCOMP_PREFIX
+#define IPCOMP_PREFIX
+#endif /* IPCOMP_PREFIX */
+
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP 108
+#endif /* IPPROTO_COMP */
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int sysctl_ipsec_debug_ipcomp;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+struct ipcomphdr {			/* IPCOMP header */
+    __u8    ipcomp_nh;		/* Next header (protocol) */
+    __u8    ipcomp_flags;	/* Reserved, must be 0 */
+    __u16   ipcomp_cpi;		/* Compression Parameter Index */
+};
+
+extern struct inet_protocol comp_protocol;
+extern int sysctl_ipsec_debug_ipcomp;
+
+#define IPCOMP_UNCOMPRESSABLE     0x000000001
+#define IPCOMP_COMPRESSIONERROR   0x000000002
+#define IPCOMP_PARMERROR          0x000000004
+#define IPCOMP_DECOMPRESSIONERROR 0x000000008
+
+#define IPCOMP_ADAPT_INITIAL_TRIES	8
+#define IPCOMP_ADAPT_INITIAL_SKIP	4
+#define IPCOMP_ADAPT_SUBSEQ_TRIES	2
+#define IPCOMP_ADAPT_SUBSEQ_SKIP	8
+
+/* Function prototypes */
+struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
+struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
+
+extern struct xform_functions ipcomp_xform_funcs[];
+
+#endif /* IPSEC_IPCOMP_H */
+
+/*
+ * $Log: ipsec_ipcomp.h,v $
+ * Revision 1.4  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.3  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.2  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_ipcomp.h,v
+ *
+ * Revision 1.1  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.2  2003/12/11 20:14:58  mcr
+ * 	refactored the xmit code, to move all encapsulation
+ * 	code into protocol functions. Note that all functions
+ * 	are essentially done by a single function, which is probably
+ * 	wrong.
+ * 	the rcv_functions structures are renamed xform_functions.
+ *
+ * Revision 1.1  2003/12/06 21:21:19  mcr
+ * 	split up receive path into per-transform files, for
+ * 	easier later removal.
+ *
+ *
+ *
+ */
+
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ipe4.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,68 @@
+/*
+ * IP-in-IP Header declarations
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_ipe4.h,v 1.6 2004/04/05 19:55:05 mcr Exp $
+ */
+
+/* The packet header is an IP header! */
+
+struct ipe4_xdata			/* transform table data */
+{
+	struct in_addr	i4_src;
+	struct in_addr	i4_dst;
+};
+
+#define EMT_IPE4_ULEN	8	/* coming from user mode */
+ 
+
+/*
+ * $Log: ipsec_ipe4.h,v $
+ * Revision 1.6  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_ipe4.h,v
+ *
+ * Revision 1.5  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_ipe4.h,v
+ *
+ * Revision 1.4  2001/06/14 19:35:08  rgb
+ * Update copyright date.
+ *
+ * Revision 1.3  1999/04/11 00:28:57  henry
+ * GPL boilerplate
+ *
+ * Revision 1.2  1999/04/06 04:54:25  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.1  1998/06/18 21:27:47  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.1  1998/04/09 03:06:07  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:03  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:48:53  ji
+ * Release update only.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ipip.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_ipip.h,v 1.2 2004/04/05 19:55:05 mcr Exp $
+ */
+
+#ifndef _IPSEC_IPIP_H_
+
+#ifndef IPPROTO_IPIP
+#define IPPROTO_IPIP 4
+#endif /* IPPROTO_ESP */
+
+extern struct xform_functions ipip_xform_funcs[];
+
+#define _IPSEC_IPIP_H_
+
+#endif /* _IPSEC_IPIP_H_ */
+
+/*
+ * $Log: ipsec_ipip.h,v $
+ * Revision 1.2  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_ipip.h,v
+ *
+ * Revision 1.1  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.1  2003/12/11 20:14:58  mcr
+ * 	refactored the xmit code, to move all encapsulation
+ * 	code into protocol functions. Note that all functions
+ * 	are essentially done by a single function, which is probably
+ * 	wrong.
+ * 	the rcv_functions structures are renamed xform_functions.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_kern24.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,61 @@
+/*
+ * @(#) routines to makes kernel 2.4 compatible with 2.6 usage.
+ *
+ * Copyright (C) 2004 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_kern24.h,v 1.4 2005/05/20 03:19:18 mcr Exp $
+ */
+
+#ifndef _IPSEC_KERN24_H
+
+#ifndef NET_26
+#define sk_receive_queue  receive_queue
+#define sk_destruct       destruct
+#define sk_reuse          reuse
+#define sk_zapped         zapped
+#define sk_family         family
+#define sk_protocol       protocol
+#define sk_protinfo       protinfo
+#define sk_sleep          sleep
+#define sk_state_change   state_change
+#define sk_shutdown       shutdown
+#define sk_err            err
+#define sk_stamp          stamp
+#define sk_socket         socket
+#define sk_sndbuf         sndbuf
+#define sock_flag(sk, flag)  sk->dead
+#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next)
+#endif
+
+/* deal with 2.4 vs 2.6 issues with module counts */
+
+/* in 2.6, all refcounts are maintained *outside* of the
+ * module to deal with race conditions.
+ */
+
+#ifdef NET_26
+#define KLIPS_INC_USE /* nothing */
+#define KLIPS_DEC_USE /* nothing */
+
+#else
+#define KLIPS_INC_USE MOD_INC_USE_COUNT
+#define KLIPS_DEC_USE MOD_DEC_USE_COUNT
+#endif
+
+extern int printk_ratelimit(void);
+
+
+#define _IPSEC_KERN24_H 1
+
+#endif /* _IPSEC_KERN24_H */
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_kversion.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,352 @@
+#ifndef _OPENSWAN_KVERSIONS_H
+/*
+ * header file for FreeS/WAN library functions
+ * Copyright (C) 1998, 1999, 2000  Henry Spencer.
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: ipsec_kversion.h,v 1.15.2.11 2007/02/20 03:53:16 paul Exp $
+ */
+#define	_OPENSWAN_KVERSIONS_H	/* seen it, no need to see it again */
+
+/*
+ * this file contains a series of atomic defines that depend upon
+ * kernel version numbers. The kernel versions are arranged
+ * in version-order number (which is often not chronological)
+ * and each clause enables or disables a feature.
+ */
+
+/*
+ * First, assorted kernel-version-dependent trickery.
+ */
+#include <linux/version.h>
+#ifndef KERNEL_VERSION
+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
+#define HEADER_CACHE_BIND_21
+#error "KLIPS is no longer supported on Linux 2.0. Sorry"
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
+#define SPINLOCK
+#define PROC_FS_21
+#define NETLINK_SOCK
+#define NET_21
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
+#define net_device_stats enet_statistics
+#endif                                                                         
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
+#define SPINLOCK_23
+#define NETDEV_23
+#  ifndef CONFIG_IP_ALIAS
+#  define CONFIG_IP_ALIAS
+#  endif
+#include <linux/socket.h>
+#include <linux/skbuff.h>
+#include <linux/netlink.h>
+#  ifdef NETLINK_XFRM
+#  define NETDEV_25
+#  endif
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
+#define PROC_FS_2325
+#undef  PROC_FS_21
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
+#define PROC_NO_DUMMY
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
+#define SKB_COPY_EXPAND
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
+#define IP_SELECT_IDENT
+#endif
+
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
+#define SKB_RESET_NFCT
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
+#define IP_SELECT_IDENT_NEW
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
+#define IPH_is_SKB_PULLED
+#define SKB_COW_NEW
+#define PROTO_HANDLER_SINGLE_PARM
+#define IP_FRAGMENT_LINEARIZE 1
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
+#  ifdef REDHAT_BOGOSITY
+#  define IP_SELECT_IDENT_NEW
+#  define IPH_is_SKB_PULLED
+#  define SKB_COW_NEW
+#  define PROTO_HANDLER_SINGLE_PARM
+#  endif /* REDHAT_BOGOSITY */
+#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
+#define MALLOC_SLAB
+#define LINUX_KERNEL_HAS_SNPRINTF
+#endif                                                                         
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+#define HAVE_NETDEV_PRINTK 1
+#define NET_26
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
+#define NEED_INET_PROTOCOL
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+#define HAVE_SOCK_ZAPPED
+#define NET_26_12_SKALLOC
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,13)
+#define HAVE_SOCK_SECURITY
+/* skb->nf_debug disappared completely in 2.6.13 */
+#define HAVE_SKB_NF_DEBUG
+#endif
+
+#define SYSCTL_IPSEC_DEFAULT_TTL sysctl_ip_default_ttl                      
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14)
+/* skb->stamp changed to skb->tstamp in 2.6.14 */
+#define HAVE_TSTAMP
+#define HAVE_INET_SK_SPORT
+#undef  SYSCTL_IPSEC_DEFAULT_TTL
+#define SYSCTL_IPSEC_DEFAULT_TTL IPSEC_DEFAULT_TTL
+#else
+#define HAVE_SKB_LIST
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18)
+#define HAVE_NEW_SKB_LINEARIZE
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
+/* skb->nfmark changed to skb->mark in 2.6.20 */
+#define nfmark mark
+#endif
+
+#ifdef NET_21
+#  include <linux/in6.h>
+#else
+     /* old kernel in.h has some IPv6 stuff, but not quite enough */
+#  define	s6_addr16	s6_addr
+#  define	AF_INET6	10
+#  define uint8_t __u8
+#  define uint16_t __u16 
+#  define uint32_t __u32 
+#  define uint64_t __u64 
+#endif
+
+#ifdef NET_21
+# define ipsec_kfree_skb(a) kfree_skb(a)
+#else /* NET_21 */
+# define ipsec_kfree_skb(a) kfree_skb(a, FREE_WRITE)
+#endif /* NET_21 */
+
+#ifdef NETDEV_23
+#if 0
+#ifndef NETDEV_25
+#define device net_device
+#endif
+#endif
+# define ipsec_dev_get dev_get_by_name
+# define __ipsec_dev_get __dev_get_by_name
+# define ipsec_dev_put(x) dev_put(x)
+# define __ipsec_dev_put(x) __dev_put(x)
+# define ipsec_dev_hold(x) dev_hold(x)
+#else /* NETDEV_23 */
+# define ipsec_dev_get dev_get
+# define __ipsec_dev_put(x) 
+# define ipsec_dev_put(x)
+# define ipsec_dev_hold(x) 
+#endif /* NETDEV_23 */
+
+#ifndef SPINLOCK
+#  include <linux/bios32.h>
+     /* simulate spin locks and read/write locks */
+     typedef struct {
+       volatile char lock;
+     } spinlock_t;
+
+     typedef struct {
+       volatile unsigned int lock;
+     } rwlock_t;                                                                     
+
+#  define spin_lock_init(x) { (x)->lock = 0;}
+#  define rw_lock_init(x) { (x)->lock = 0; }
+
+#  define spin_lock(x) { while ((x)->lock) barrier(); (x)->lock=1;}
+#  define spin_lock_irq(x) { cli(); spin_lock(x);}
+#  define spin_lock_irqsave(x,flags) { save_flags(flags); spin_lock_irq(x);}
+
+#  define spin_unlock(x) { (x)->lock=0;}
+#  define spin_unlock_irq(x) { spin_unlock(x); sti();}
+#  define spin_unlock_irqrestore(x,flags) { spin_unlock(x); restore_flags(flags);}
+
+#  define read_lock(x) spin_lock(x)
+#  define read_lock_irq(x) spin_lock_irq(x)
+#  define read_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
+
+#  define read_unlock(x) spin_unlock(x)
+#  define read_unlock_irq(x) spin_unlock_irq(x)
+#  define read_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
+
+#  define write_lock(x) spin_lock(x)
+#  define write_lock_irq(x) spin_lock_irq(x)
+#  define write_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
+
+#  define write_unlock(x) spin_unlock(x)
+#  define write_unlock_irq(x) spin_unlock_irq(x)
+#  define write_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
+#endif /* !SPINLOCK */
+
+#ifndef SPINLOCK_23
+#  define spin_lock_bh(x)  spin_lock_irq(x)
+#  define spin_unlock_bh(x)  spin_unlock_irq(x)
+
+#  define read_lock_bh(x)  read_lock_irq(x)
+#  define read_unlock_bh(x)  read_unlock_irq(x)
+
+#  define write_lock_bh(x)  write_lock_irq(x)
+#  define write_unlock_bh(x)  write_unlock_irq(x)
+#endif /* !SPINLOCK_23 */
+
+#ifndef HAVE_NETDEV_PRINTK
+#define netdev_printk(sevlevel, netdev, msglevel, format, arg...) \
+	printk(sevlevel "%s: " format , netdev->name , ## arg)
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0) 
+#include "openswan/ipsec_kern24.h"
+#else
+#error "kernels before 2.4 are not supported at this time"
+#endif
+#endif
+
+
+#endif /* _OPENSWAN_KVERSIONS_H */
+
+/*
+ * $Log: ipsec_kversion.h,v $
+ * Revision 1.15.2.11  2007/02/20 03:53:16  paul
+ * Added comment, made layout consistent with other checks.
+ *
+ * Revision 1.15.2.10  2007/02/16 19:08:12  paul
+ * Fix for compiling on 2.6.20 (nfmark is now called mark in sk_buff)
+ *
+ * Revision 1.15.2.9  2006/07/29 05:00:40  paul
+ * Added HAVE_NEW_SKB_LINEARIZE for 2.6.18+ kernels where skb_linearize
+ * only takes 1 argument.
+ *
+ * Revision 1.15.2.8  2006/05/01 14:31:52  mcr
+ * FREESWAN->OPENSWAN in #ifdef.
+ *
+ * Revision 1.15.2.7  2006/01/11 02:02:59  mcr
+ * updated patches and DEFAULT_TTL code to work
+ *
+ * Revision 1.15.2.6  2006/01/03 19:25:02  ken
+ * Remove duplicated #ifdef for TTL fix - bad patch
+ *
+ * Revision 1.15.2.5  2006/01/03 18:06:33  ken
+ * Fix for missing sysctl default ttl
+ *
+ * Revision 1.15.2.4  2005/11/27 21:40:14  paul
+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl"
+ * in for klips as module.
+ *
+ * Revision 1.15.2.3  2005/11/22 04:11:52  ken
+ * Backport fixes for 2.6.14 kernels from HEAD
+ *
+ * Revision 1.15.2.2  2005/09/01 01:57:19  paul
+ * michael's fixes for 2.6.13 from head
+ *
+ * Revision 1.15.2.1  2005/08/27 23:13:48  paul
+ * Fix for:
+ * 7 weeks ago:  	[NET]: Remove unused security member in sk_buff
+ * changeset 4280: 	328ea53f5fee
+ * parent 4279:	beb0afb0e3f8
+ * author: 	Thomas Graf <tgraf@suug.ch>
+ * date: 	Tue Jul 5 21:12:44 2005
+ * files: 	include/linux/skbuff.h include/linux/tc_ematch/tc_em_meta.h net/core/skbuff.c net/ipv4/ip_output.c net/ipv6/ip6_output.c net/sched/em_meta.c
+ *
+ * This should fix compilation on 2.6.13(rc) kernels
+ *
+ * Revision 1.15  2005/07/19 20:02:15  mcr
+ * 	sk_alloc() interface change.
+ *
+ * Revision 1.14  2005/07/08 16:20:05  mcr
+ * 	fix for 2.6.12 disapperance of sk_zapped field -> sock_flags.
+ *
+ * Revision 1.13  2005/05/20 03:19:18  mcr
+ * 	modifications for use on 2.4.30 kernel, with backported
+ * 	printk_ratelimit(). all warnings removed.
+ *
+ * Revision 1.12  2005/04/13 22:46:21  mcr
+ * 	note that KLIPS does not work on Linux 2.0.
+ *
+ * Revision 1.11  2004/09/13 02:22:26  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.10  2004/08/03 18:17:15  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.9  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_kversion.h,v
+ *
+ * Revision 1.8  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.7  2003/07/31 22:48:08  mcr
+ * 	derive NET25-ness from presence of NETLINK_XFRM macro.
+ *
+ * Revision 1.6  2003/06/24 20:22:32  mcr
+ * 	added new global: ipsecdevices[] so that we can keep track of
+ * 	the ipsecX devices. They will be referenced with dev_hold(),
+ * 	so 2.2 may need this as well.
+ *
+ * Revision 1.5  2003/04/03 17:38:09  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ *
+ * Revision 1.4  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_kversion.h,v
+ *
+ * Revision 1.3  2002/04/12 03:21:17  mcr
+ * 	three parameter version of ip_select_ident appears first
+ * 	in 2.4.2 (RH7.1) not 2.4.4.
+ *
+ * Revision 1.2  2002/03/08 21:35:22  rgb
+ * Defined LINUX_KERNEL_HAS_SNPRINTF to shut up compiler warnings after
+ * 2.4.9.  (Andreas Piesk).
+ *
+ * Revision 1.1  2002/01/29 02:11:42  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from freeswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_life.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,112 @@
+/*
+ * Definitions relevant to IPSEC lifetimes
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_life.h,v 1.4 2004/04/05 19:55:05 mcr Exp $
+ *
+ * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
+ *
+ */
+
+/* 
+ * This file describes the book keeping fields for the 
+ *   IPsec Security Association Structure. ("ipsec_sa")
+ *
+ * This structure is never allocated directly by kernel code,
+ * (it is always a static/auto or is part of a structure)
+ * so it does not have a reference count.
+ *
+ */
+
+#ifndef _IPSEC_LIFE_H_
+
+/*
+ *  _count is total count.
+ *  _hard is hard limit (kill SA after this number)
+ *  _soft is soft limit (try to renew SA after this number)
+ *  _last is used in some special cases.
+ *
+ */
+
+struct ipsec_lifetime64
+{
+	__u64           ipl_count;
+	__u64           ipl_soft;
+	__u64           ipl_hard;
+	__u64           ipl_last;  
+};
+
+struct ipsec_lifetimes
+{
+	/* number of bytes processed */
+	struct ipsec_lifetime64 ipl_bytes;
+
+	/* number of packets processed */
+	struct ipsec_lifetime64 ipl_packets;
+
+	/* time since SA was added */
+	struct ipsec_lifetime64 ipl_addtime;
+
+	/* time since SA was first used */
+	struct ipsec_lifetime64 ipl_usetime;
+
+	/* from rfc2367:  
+         *         For CURRENT, the number of different connections,
+         *         endpoints, or flows that the association has been
+         *          allocated towards. For HARD and SOFT, the number of
+         *          these the association may be allocated towards
+         *          before it expires. The concept of a connection,
+         *          flow, or endpoint is system specific.
+	 *
+	 * mcr(2001-9-18) it is unclear what purpose these serve for FreeSWAN.
+	 *          They are maintained for PF_KEY compatibility. 
+	 */
+	struct ipsec_lifetime64 ipl_allocations;
+};
+
+enum ipsec_life_alive {
+	ipsec_life_harddied = -1,
+	ipsec_life_softdied = 0,
+	ipsec_life_okay     = 1
+};
+
+enum ipsec_life_type {
+	ipsec_life_timebased = 1,
+	ipsec_life_countbased= 0
+};
+
+#define _IPSEC_LIFE_H_
+#endif /* _IPSEC_LIFE_H_ */
+
+
+/*
+ * $Log: ipsec_life.h,v $
+ * Revision 1.4  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_life.h,v
+ *
+ * Revision 1.3  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_life.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:14  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:25:58  mcr
+ * 	lifetime structure created and common functions created.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_md5h.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,143 @@
+/*
+ * RCSID $Id: ipsec_md5h.h,v 1.10 2004/09/08 17:21:35 ken Exp $
+ */
+
+/*
+ * The rest of this file is Copyright RSA DSI. See the following comments
+ * for the full Copyright notice.
+ */
+
+#ifndef _IPSEC_MD5H_H_
+#define _IPSEC_MD5H_H_
+
+/* GLOBAL.H - RSAREF types and constants
+ */
+
+/* PROTOTYPES should be set to one if and only if the compiler supports
+     function argument prototyping.
+   The following makes PROTOTYPES default to 0 if it has not already
+     been defined with C compiler flags.
+ */
+#ifndef PROTOTYPES
+#define PROTOTYPES 1
+#endif /* !PROTOTYPES */
+
+/* POINTER defines a generic pointer type */
+typedef __u8 *POINTER;
+
+/* UINT2 defines a two byte word */
+typedef __u16 UINT2;
+
+/* UINT4 defines a four byte word */
+typedef __u32 UINT4;
+
+/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
+     returns an empty list.
+ */
+
+#if PROTOTYPES
+#define PROTO_LIST(list) list
+#else /* PROTOTYPES */
+#define PROTO_LIST(list) ()
+#endif /* PROTOTYPES */
+
+
+/* MD5.H - header file for MD5C.C
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/* MD5 context. */
+typedef struct {
+  UINT4 state[4];                                   /* state (ABCD) */
+  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
+  unsigned char buffer[64];                         /* input buffer */
+} MD5_CTX;
+
+void osMD5Init PROTO_LIST ((void *));
+void osMD5Update PROTO_LIST
+  ((void *, unsigned char *, __u32));
+void osMD5Final PROTO_LIST ((unsigned char [16], void *));
+ 
+#endif /* _IPSEC_MD5H_H_ */
+
+/*
+ * $Log: ipsec_md5h.h,v $
+ * Revision 1.10  2004/09/08 17:21:35  ken
+ * Rename MD5* -> osMD5 functions to prevent clashes with other symbols exported by kernel modules (CIFS in 2.6 initiated this)
+ *
+ * Revision 1.9  2004/04/05 19:55:05  mcr
+ * Moved from linux/include/freeswan/ipsec_md5h.h,v
+ *
+ * Revision 1.8  2002/09/10 01:45:09  mcr
+ * 	changed type of MD5_CTX and SHA1_CTX to void * so that
+ * 	the function prototypes would match, and could be placed
+ * 	into a pointer to a function.
+ *
+ * Revision 1.7  2002/04/24 07:36:46  mcr
+ * Moved from ./klips/net/ipsec/ipsec_md5h.h,v
+ *
+ * Revision 1.6  1999/12/13 13:59:13  rgb
+ * Quick fix to argument size to Update bugs.
+ *
+ * Revision 1.5  1999/12/07 18:16:23  rgb
+ * Fixed comments at end of #endif lines.
+ *
+ * Revision 1.4  1999/04/06 04:54:26  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.3  1999/01/22 06:19:58  rgb
+ * 64-bit clean-up.
+ *
+ * Revision 1.2  1998/11/30 13:22:54  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.1  1998/06/18 21:27:48  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.2  1998/04/23 20:54:03  rgb
+ * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
+ * verified.
+ *
+ * Revision 1.1  1998/04/09 03:04:21  henry
+ * sources moved up from linux/net/ipsec
+ * these two include files modified not to include others except in kernel
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:03  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:48:53  ji
+ * Release update only.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_param.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,387 @@
+/*
+ * @(#) Openswan tunable paramaters
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * Copyright (C) 2004  Michael Richardson  <mcr@xelerance.com>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_param.h,v 1.29.6.3 2006/05/01 14:32:31 mcr Exp $
+ *
+ */
+
+/* 
+ * This file provides a set of #define's which may be tuned by various
+ * people/configurations. It keeps all compile-time tunables in one place.
+ *
+ * This file should be included before all other IPsec kernel-only files.
+ *
+ */
+
+#ifndef _IPSEC_PARAM_H_
+
+#ifdef __KERNEL__
+#include "ipsec_kversion.h"
+#include <linux/ip.h>		/* struct iphdr */
+/* Set number of ipsecX virtual devices here. */
+/* This must be < exp(field width of IPSEC_DEV_FORMAT) */
+/* It must also be reasonable so as not to overload the memory and CPU */
+/* constraints of the host. */
+#define IPSEC_NUM_IF	4
+/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
+/* With "ipsec" being 5 characters, that means 10 is the max field width */
+/* but machine memory and CPU constraints are not likely to tollerate */
+/* more than 3 digits.  The default is one digit. */
+/* Update: userland scripts get upset if they can't find "ipsec0", so */
+/* for now, no "0"-padding should be used (which would have been helpful */
+/* to make text-searches work */
+#define IPSEC_DEV_FORMAT "ipsec%d"
+/* For, say, 500 virtual ipsec devices, I would recommend: */
+/* #define IPSEC_NUM_IF	500 */
+/* #define IPSEC_DEV_FORMAT "ipsec%03d" */
+/* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */
+
+/* use dynamic ipsecX device allocation */
+#ifndef CONFIG_KLIPS_DYNDEV
+#define CONFIG_KLIPS_DYNDEV 1
+#endif /* CONFIG_KLIPS_DYNDEV */
+
+
+#ifdef CONFIG_KLIPS_BIGGATE
+# define SADB_HASHMOD   8069
+#else /* CONFIG_KLIPS_BIGGATE */
+# define SADB_HASHMOD	257
+#endif /* CONFIG_KLIPS_BIGGATE */
+#endif /* __KERNEL__ */
+
+/*
+ * This is for the SA reference table. This number is related to the
+ * maximum number of SAs that KLIPS can concurrently deal with, plus enough
+ * space for keeping expired SAs around.
+ *
+ * TABLE_MAX_WIDTH is the number of bits that we will use.
+ * MAIN_TABLE_WIDTH is the number of bits used for the primary index table.
+ *
+ */
+#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH
+# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
+#endif
+
+#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 
+# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4 
+#endif
+
+#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES 
+# define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
+#endif
+
+#ifndef IPSEC_SA_REF_CODE 
+# define IPSEC_SA_REF_CODE 1 
+#endif
+
+#ifdef __KERNEL__
+/* This is defined for 2.4, but not 2.2.... */
+#ifndef ARPHRD_VOID
+# define ARPHRD_VOID 0xFFFF
+#endif
+
+/* always turn on IPIP mode */
+#ifndef CONFIG_KLIPS_IPIP 
+#define CONFIG_KLIPS_IPIP 1
+#endif
+
+/*
+ * Worry about PROC_FS stuff
+ */
+#if defined(PROC_FS_2325)
+/* kernel 2.4 */
+# define IPSEC_PROC_LAST_ARG ,int *eof,void *data
+# define IPSEC_PROCFS_DEBUG_NO_STATIC
+# define IPSEC_PROC_SUBDIRS
+#else
+/* kernel <2.4 */
+# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC
+
+# ifndef PROC_NO_DUMMY
+#  define IPSEC_PROC_LAST_ARG , int dummy
+# else
+#  define IPSEC_PROC_LAST_ARG
+# endif /* !PROC_NO_DUMMY */
+#endif /* PROC_FS_2325 */
+
+#if !defined(LINUX_KERNEL_HAS_SNPRINTF)
+/* GNU CPP specific! */
+# define snprintf(buf, len, fmt...) sprintf(buf, ##fmt)
+#endif /* !LINUX_KERNEL_HAS_SNPRINTF */
+
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#ifndef KLIPS_FIXES_DES_PARITY
+# define KLIPS_FIXES_DES_PARITY 1
+#endif /* !KLIPS_FIXES_DES_PARITY */
+
+/* we don't really want to print these unless there are really big problems */
+#ifndef KLIPS_DIVULGE_CYPHER_KEY
+# define KLIPS_DIVULGE_CYPHER_KEY 0
+#endif /* !KLIPS_DIVULGE_CYPHER_KEY */
+
+#ifndef KLIPS_DIVULGE_HMAC_KEY
+# define KLIPS_DIVULGE_HMAC_KEY 0
+#endif /* !KLIPS_DIVULGE_HMAC_KEY */
+
+#ifndef IPSEC_DISALLOW_IPOPTIONS
+# define IPSEC_DISALLOW_IPOPTIONS 1
+#endif /* !KLIPS_DIVULGE_HMAC_KEY */
+
+/* extra toggles for regression testing */
+#ifdef CONFIG_KLIPS_REGRESS
+
+/* 
+ * should pfkey_acquire() become 100% lossy?
+ *
+ */
+extern int sysctl_ipsec_regress_pfkey_lossage;
+#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
+# ifdef CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE
+#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
+# endif /* CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE */
+#else
+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
+#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
+
+#else /* CONFIG_KLIPS_REGRESS */
+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
+
+#endif /* CONFIG_KLIPS_REGRESS */
+
+
+/*
+ * debugging routines.
+ */
+#define KLIPS_ERROR(flag, format, args...) if(printk_ratelimit() || flag) printk(KERN_ERR "KLIPS " format, ## args)
+#ifdef CONFIG_KLIPS_DEBUG
+extern void ipsec_print_ip(struct iphdr *ip);
+
+#	define KLIPS_PRINT(flag, format, args...) \
+		((flag) ? printk(KERN_INFO format , ## args) : 0)
+#	define KLIPS_PRINTMORE(flag, format, args...) \
+		((flag) ? printk(format , ## args) : 0)
+#	define KLIPS_IP_PRINT(flag, ip) \
+		((flag) ? ipsec_print_ip(ip) : 0)
+#else /* CONFIG_KLIPS_DEBUG */
+#	define KLIPS_PRINT(flag, format, args...) do ; while(0)
+#	define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
+#	define KLIPS_IP_PRINT(flag, ip) do ; while(0)
+#endif /* CONFIG_KLIPS_DEBUG */
+
+
+/* 
+ * Stupid kernel API differences in APIs. Not only do some
+ * kernels not have ip_select_ident, but some have differing APIs,
+ * and SuSE has one with one parameter, but no way of checking to
+ * see what is really what.
+ */
+
+#ifdef SUSE_LINUX_2_4_19_IS_STUPID
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
+#else
+
+/* simplest case, nothing */
+#if !defined(IP_SELECT_IDENT)
+#define KLIPS_IP_SELECT_IDENT(iph, skb)  do { iph->id = htons(ip_id_count++); } while(0)
+#endif
+
+/* kernels > 2.3.37-ish */
+#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
+#endif
+
+/* kernels > 2.4.2 */
+#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
+#endif
+
+#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
+
+/*
+ * make klips fail test:east-espiv-01.
+ * exploit is at testing/attacks/espiv
+ *
+ */
+#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0
+
+
+/* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */
+#ifndef IP_FRAGMENT_LINEARIZE
+# define IP_FRAGMENT_LINEARIZE 0
+#endif /* IP_FRAGMENT_LINEARIZE */
+#endif /* __KERNEL__ */
+
+#ifdef NEED_INET_PROTOCOL
+#define inet_protocol net_protocol
+#endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) && CONFIG_IPSEC_NAT_TRAVERSAL
+#define NAT_TRAVERSAL 1
+#else
+/* let people either #undef, or #define = 0 it */
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+#undef CONFIG_IPSEC_NAT_TRAVERSAL
+#endif
+#endif
+
+#ifndef IPSEC_DEFAULT_TTL
+#define IPSEC_DEFAULT_TTL 64
+#endif
+
+#define _IPSEC_PARAM_H_
+#endif /* _IPSEC_PARAM_H_ */
+
+/*
+ * $Log: ipsec_param.h,v $
+ * Revision 1.29.6.3  2006/05/01 14:32:31  mcr
+ * added KLIPS_ERROR and make sure that things work without CONFIG_KLIPS_REGRESS.
+ *
+ * Revision 1.29.6.2  2005/11/27 21:40:14  paul
+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl"
+ * in for klips as module.
+ *
+ * Revision 1.29.6.1  2005/08/12 16:24:18  ken
+ * Pull in NAT-T compile logic from HEAD
+ *
+ * Revision 1.29  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.28  2004/09/13 15:50:15  mcr
+ * 	spell NEED_INET properly, not NET_INET.
+ *
+ * Revision 1.27  2004/09/13 02:21:45  mcr
+ * 	always turn on IPIP mode.
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.26  2004/08/17 03:25:43  mcr
+ * 	freeswan->openswan.
+ *
+ * Revision 1.25  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.24  2004/04/05 19:55:06  mcr
+ * Moved from linux/include/freeswan/ipsec_param.h,v
+ *
+ * Revision 1.23  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.22  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.21.4.1  2003/10/29 01:10:19  mcr
+ * 	elimited "struct sa_id"
+ *
+ * Revision 1.21  2003/04/03 17:38:18  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ * Change indentation for readability.
+ *
+ * Revision 1.20  2003/03/14 08:09:26  rgb
+ * Fixed up CONFIG_IPSEC_DYNDEV definitions.
+ *
+ * Revision 1.19  2003/01/30 02:31:43  rgb
+ *
+ * Rename SAref table macro names for clarity.
+ *
+ * Revision 1.18  2002/09/30 19:06:26  rgb
+ * 	Reduce default table to 16 bits width.
+ *
+ * Revision 1.17  2002/09/20 15:40:29  rgb
+ * Define switch to activate new SAref code.
+ * Prefix macros with "IPSEC_".
+ * Rework saref freelist.
+ * Restrict some bits to kernel context for use to klips utils.
+ *
+ * Revision 1.16  2002/09/20 05:00:31  rgb
+ * Define switch to divulge hmac keys for debugging.
+ * Added IPOPTIONS switch.
+ *
+ * Revision 1.15  2002/09/19 02:34:24  mcr
+ * 	define IPSEC_PROC_SUBDIRS if we are 2.4, and use that in ipsec_proc.c
+ * 	to decide if we are to create /proc/net/ipsec/.
+ *
+ * Revision 1.14  2002/08/30 01:20:54  mcr
+ * 	reorganized 2.0/2.2/2.4 procfs support macro so match
+ * 	2.4 values/typedefs.
+ *
+ * Revision 1.13  2002/07/28 22:03:28  mcr
+ * 	added some documentation to SA_REF_*
+ * 	turned on fix for ESPIV attack, now that we have the attack code.
+ *
+ * Revision 1.12  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.11  2002/07/23 02:57:45  rgb
+ * Define ARPHRD_VOID for < 2.4 kernels.
+ *
+ * Revision 1.10  2002/05/27 21:37:28  rgb
+ * Set the defaults sanely for those adventurous enough to try more than 1
+ * digit of ipsec devices.
+ *
+ * Revision 1.9  2002/05/27 18:56:07  rgb
+ * Convert to dynamic ipsec device allocation.
+ *
+ * Revision 1.8  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_param.h,v
+ *
+ * Revision 1.7  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.6  2002/01/29 02:11:42  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from freeswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ * Revision 1.5  2002/01/28 19:22:01  mcr
+ * 	by default, turn off LINEARIZE option
+ * 	(let kversions.h turn it on)
+ *
+ * Revision 1.4  2002/01/20 20:19:36  mcr
+ * 	renamed option to IP_FRAGMENT_LINEARIZE.
+ *
+ * Revision 1.3  2002/01/12 02:57:25  mcr
+ * 	first regression test causes acquire messages to be lost
+ * 	100% of the time. This is to help testing of pluto.
+ *
+ * Revision 1.2  2001/11/26 09:16:14  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.3  2001/10/23 04:40:16  mcr
+ * 	added #define for DIVULGING session keys in debug output.
+ *
+ * Revision 1.1.2.2  2001/10/22 20:53:25  mcr
+ * 	added a define to control forcing of DES parity.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:20:19  mcr
+ * 	many common kernel configuration questions centralized.
+ * 	more things remain that should be moved from freeswan.h.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_policy.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,217 @@
+#ifndef _IPSEC_POLICY_H
+/*
+ * policy interface file between pluto and applications
+ * Copyright (C) 2003              Michael Richardson <mcr@freeswan.org>
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: ipsec_policy.h,v 1.7.6.1 2005/07/26 01:53:07 ken Exp $
+ */
+#define	_IPSEC_POLICY_H 	/* seen it, no need to see it again */
+
+
+/*
+ * this file defines an interface between an application (or rather an
+ * application library) and a key/policy daemon. It provides for inquiries
+ * as to the current state of a connected socket, as well as for general
+ * questions.
+ *
+ * In general, the interface is defined as a series of functional interfaces,
+ * and the policy messages should be internal. However, because this is in
+ * fact an ABI between pieces of the system that may get compiled and revised
+ * seperately, this ABI must be public and revision controlled.
+ *
+ * It is expected that the daemon will always support previous versions.
+ */
+
+#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061
+
+enum ipsec_policy_command {
+  IPSEC_CMD_QUERY_FD       = 1,
+  IPSEC_CMD_QUERY_HOSTPAIR = 2,
+  IPSEC_CMD_QUERY_DSTONLY  = 3,
+};
+
+struct ipsec_policy_msg_head {
+  u_int32_t ipm_version;
+  u_int32_t ipm_msg_len;  
+  u_int32_t ipm_msg_type;
+  u_int32_t ipm_msg_seq;
+};
+
+enum ipsec_privacy_quality {
+  IPSEC_PRIVACY_NONE     = 0,
+  IPSEC_PRIVACY_INTEGRAL = 4,   /* not private at all. AH-like */
+  IPSEC_PRIVACY_UNKNOWN  = 8,   /* something is claimed, but details unavail */
+  IPSEC_PRIVACY_ROT13    = 12,  /* trivially breakable, i.e. 1DES */
+  IPSEC_PRIVACY_GAK      = 16,  /* known eavesdroppers */
+  IPSEC_PRIVACY_PRIVATE  = 32,  /* secure for at least a decade */
+  IPSEC_PRIVACY_STRONG   = 64,  /* ridiculously secure */
+  IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */
+  IPSEC_PRIVACY_OTP      = 224, /* some kind of *true* one time pad */
+};
+
+enum ipsec_bandwidth_quality {
+  IPSEC_QOS_UNKNOWN = 0,       /* unknown bandwidth */
+  IPSEC_QOS_INTERACTIVE = 16,  /* reasonably moderate jitter, moderate fast.
+				  Good enough for telnet/ssh. */
+  IPSEC_QOS_VOIP        = 32,  /* faster crypto, predicable jitter */
+  IPSEC_QOS_FTP         = 64,  /* higher throughput crypto, perhaps hardware
+				  offloaded, but latency/jitter may be bad */
+  IPSEC_QOS_WIRESPEED   = 128, /* expect to be able to fill your pipe */
+};
+
+/* moved from programs/pluto/constants.h */
+/* IPsec AH transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
+ * and in http://www.iana.org/assignments/isakmp-registry
+ */
+enum ipsec_authentication_algo {
+  AH_MD5=2,
+  AH_SHA=3,
+  AH_DES=4,
+  AH_SHA2_256=5,
+  AH_SHA2_384=6,
+  AH_SHA2_512=7
+};
+
+/* IPsec ESP transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
+ * and from http://www.iana.org/assignments/isakmp-registry
+ */
+
+enum ipsec_cipher_algo {
+  ESP_reserved=0,
+  ESP_DES_IV64=1,
+  ESP_DES=2,
+  ESP_3DES=3,
+  ESP_RC5=4,
+  ESP_IDEA=5,
+  ESP_CAST=6,
+  ESP_BLOWFISH=7,
+  ESP_3IDEA=8,
+  ESP_DES_IV32=9,
+  ESP_RC4=10,
+  ESP_NULL=11,
+  ESP_AES=12,         /* 128 bit AES */
+};
+
+/* IPCOMP transform values
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
+ */
+
+enum ipsec_comp_algo {
+  IPCOMP_OUI=               1,
+  IPCOMP_DEFLATE=           2,
+  IPCOMP_LZS=               3,
+  IPCOMP_V42BIS=            4
+};
+
+/* Identification type values
+ * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1 
+ */
+
+enum ipsec_id_type {
+  ID_IMPOSSIBLE=             (-2),	/* private to Pluto */
+  ID_MYID=                   (-1),	/* private to Pluto */
+  ID_NONE=                     0,	/* private to Pluto */
+  ID_IPV4_ADDR=                1,
+  ID_FQDN=                     2,
+  ID_USER_FQDN=                3,
+  ID_IPV4_ADDR_SUBNET=         4,
+  ID_IPV6_ADDR=                5,
+  ID_IPV6_ADDR_SUBNET=         6,
+  ID_IPV4_ADDR_RANGE=          7,
+  ID_IPV6_ADDR_RANGE=          8,
+  ID_DER_ASN1_DN=              9,
+  ID_DER_ASN1_GN=              10,
+  ID_KEY_ID=                   11
+};
+
+/* Certificate type values
+ * RFC 2408 ISAKMP, chapter 3.9
+ */
+enum ipsec_cert_type {
+  CERT_NONE=			0,  /* none, or guess from file contents */
+  CERT_PKCS7_WRAPPED_X509=	1,  /* self-signed certificate from disk */
+  CERT_PGP=			2,
+  CERT_DNS_SIGNED_KEY=		3,  /* KEY RR from DNS */
+  CERT_X509_SIGNATURE=		4,
+  CERT_X509_KEY_EXCHANGE=	5,
+  CERT_KERBEROS_TOKENS=		6,
+  CERT_CRL=			7,
+  CERT_ARL=			8,
+  CERT_SPKI=			9,
+  CERT_X509_ATTRIBUTE=		10,
+  CERT_RAW_RSA=                 11, /* raw RSA from config file */ 
+};
+
+/* a SIG record in ASCII */
+struct ipsec_dns_sig {
+  char fqdn[256];
+  char dns_sig[768];     /* empty string if not signed */
+};
+
+struct ipsec_raw_key {
+  char id_name[256];
+  char fs_keyid[8];
+};
+
+struct ipsec_identity {
+  enum ipsec_id_type     ii_type;
+  enum ipsec_cert_type   ii_format;
+  union {
+    struct ipsec_dns_sig ipsec_dns_signed;
+    /* some thing for PGP */
+    /* some thing for PKIX */
+    struct ipsec_raw_key ipsec_raw_key;
+  } ii_credential;
+};
+
+#define IPSEC_MAX_CREDENTIALS 32
+
+struct ipsec_policy_cmd_query {
+  struct ipsec_policy_msg_head head;
+
+  /* Query section */
+  ip_address query_local;     /* us   */
+  ip_address query_remote;    /* them */
+  u_int8_t proto;             /* TCP, ICMP, etc. */
+  u_short src_port, dst_port;
+
+  /* Answer section */
+  enum ipsec_privacy_quality     strength;
+  enum ipsec_bandwidth_quality   bandwidth;
+  enum ipsec_authentication_algo auth_detail;  
+  enum ipsec_cipher_algo         esp_detail;
+  enum ipsec_comp_algo           comp_detail;
+
+  int                            credential_count;
+
+  struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
+};
+
+#define IPSEC_POLICY_SOCKET "/var/run/pluto/pluto.info"
+
+/* prototypes */
+extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);
+extern err_t ipsec_policy_init(void);
+extern err_t ipsec_policy_final(void);
+extern err_t ipsec_policy_readmsg(int policysock,
+				  unsigned char *buf, size_t buflen);
+extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);
+extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);
+
+
+extern const char *ipsec_policy_version_code(void);
+extern const char *ipsec_policy_version_string(void);
+
+#endif /* _IPSEC_POLICY_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_proto.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,199 @@
+/*
+ * @(#) prototypes for FreeSWAN functions 
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_proto.h,v 1.14 2005/04/29 04:50:03 mcr Exp $
+ *
+ */
+
+#ifndef _IPSEC_PROTO_H_
+
+#include "ipsec_param.h"
+
+/* 
+ * This file is a kernel only file that declares prototypes for
+ * all intra-module function calls and global data structures.
+ *
+ * Include this file last.
+ *
+ */
+
+/* forward references */
+enum ipsec_direction;
+enum ipsec_life_type;
+struct ipsec_lifetime64;
+struct ident;
+struct sockaddr_encap;
+struct ipsec_sa;
+
+/* ipsec_init.c */
+extern struct prng ipsec_prng;
+
+/* ipsec_sa.c */
+extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
+extern spinlock_t       tdb_lock;
+extern int ipsec_sadb_init(void);
+extern int ipsec_sadb_cleanup(__u8);
+
+extern struct ipsec_sa *ipsec_sa_alloc(int*error); 
+
+
+extern struct ipsec_sa *ipsec_sa_getbyid(ip_said *);
+extern int ipsec_sa_put(struct ipsec_sa *);
+extern /* void */ int ipsec_sa_del(struct ipsec_sa *);
+extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *);
+extern /* void */ int ipsec_sa_add(struct ipsec_sa *);
+
+extern int ipsec_sa_init(struct ipsec_sa *ipsp);
+extern int ipsec_sa_wipe(struct ipsec_sa *ipsp);
+
+/* debug declarations */
+
+/* ipsec_proc.c */
+extern int  ipsec_proc_init(void);
+extern void ipsec_proc_cleanup(void);
+
+/* ipsec_rcv.c */
+extern int ipsec_rcv(struct sk_buff *skb);
+extern int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type);
+
+/* ipsec_xmit.c */
+struct ipsec_xmit_state;
+extern enum ipsec_xmit_value ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs);
+extern enum ipsec_xmit_value ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs);
+extern void ipsec_print_ip(struct iphdr *ip);
+
+
+
+/* ipsec_radij.c */
+extern int ipsec_makeroute(struct sockaddr_encap *ea,
+			   struct sockaddr_encap *em,
+			   ip_said said,
+			   uint32_t pid,
+			   struct sk_buff *skb,
+			   struct ident *ident_s,
+			   struct ident *ident_d);
+
+extern int ipsec_breakroute(struct sockaddr_encap *ea,
+			    struct sockaddr_encap *em,
+			    struct sk_buff **first,
+			    struct sk_buff **last);
+
+int ipsec_radijinit(void);
+int ipsec_cleareroutes(void);
+int ipsec_radijcleanup(void);
+
+/* ipsec_life.c */
+extern enum ipsec_life_alive ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
+						  const char *lifename,
+						  const char *saname,
+						  enum ipsec_life_type ilt,
+						  enum ipsec_direction idir,
+						  struct ipsec_sa *ips);
+
+
+extern int ipsec_lifetime_format(char *buffer,
+				 int   buflen,
+				 char *lifename,
+				 enum ipsec_life_type timebaselife,
+				 struct ipsec_lifetime64 *lifetime);
+
+extern void ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
+				       __u64 newvalue);
+
+extern void ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
+				       __u64 newvalue);
+
+/* ipsec_snprintf.c */
+extern int ipsec_snprintf(char * buf, ssize_t size, const char *fmt, ...);
+extern void ipsec_dmp_block(char *s, caddr_t bb, int len);
+
+
+/* ipsec_alg.c */
+extern int ipsec_alg_init(void);
+
+
+#ifdef CONFIG_KLIPS_DEBUG
+
+extern int debug_xform;
+extern int debug_eroute;
+extern int debug_spi;
+extern int debug_netlink;
+
+#endif /* CONFIG_KLIPS_DEBUG */
+
+
+
+
+#define _IPSEC_PROTO_H
+#endif /* _IPSEC_PROTO_H_ */
+
+/*
+ * $Log: ipsec_proto.h,v $
+ * Revision 1.14  2005/04/29 04:50:03  mcr
+ * 	prototypes for xmit and alg code.
+ *
+ * Revision 1.13  2005/04/17 03:46:07  mcr
+ * 	added prototypes for ipsec_rcv() routines.
+ *
+ * Revision 1.12  2005/04/14 20:28:37  mcr
+ * 	added additional prototypes.
+ *
+ * Revision 1.11  2005/04/14 01:16:28  mcr
+ * 	add prototypes for snprintf.
+ *
+ * Revision 1.10  2005/04/13 22:47:28  mcr
+ * 	make sure that forward references are available.
+ *
+ * Revision 1.9  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.8  2004/04/05 19:55:06  mcr
+ * Moved from linux/include/freeswan/ipsec_proto.h,v
+ *
+ * Revision 1.7  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.6.30.1  2003/10/29 01:10:19  mcr
+ * 	elimited "struct sa_id"
+ *
+ * Revision 1.6  2002/05/23 07:13:48  rgb
+ * Added ipsec_sa_put() for releasing an ipsec_sa refcount.
+ *
+ * Revision 1.5  2002/05/14 02:36:40  rgb
+ * Converted reference from ipsec_sa_put to ipsec_sa_add to avoid confusion
+ * with "put" usage in the kernel.
+ *
+ * Revision 1.4  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_proto.h,v
+ *
+ * Revision 1.3  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.2  2001/11/26 09:16:15  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:21:01  mcr
+ * 	ipsec_proto.h created to keep prototypes rather than deal with
+ * 	cyclic dependancies of structures and prototypes in .h files.
+ *
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_radij.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,179 @@
+/*
+ * @(#) Definitions relevant to the IPSEC <> radij tree interfacing
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_radij.h,v 1.22 2004/07/10 19:08:41 mcr Exp $
+ */
+
+#ifndef _IPSEC_RADIJ_H
+
+#include <openswan.h>
+
+int ipsec_walk(char *);
+
+int ipsec_rj_walker_procprint(struct radij_node *, void *);
+int ipsec_rj_walker_delete(struct radij_node *, void *);
+
+/* This structure is used to pass information between
+ * ipsec_eroute_get_info and ipsec_rj_walker_procprint
+ * (through rj_walktree) and between calls of ipsec_rj_walker_procprint.
+ */
+struct wsbuf
+{
+       /* from caller of ipsec_eroute_get_info: */
+       char *const buffer;     /* start of buffer provided */
+       const int length;       /* length of buffer provided */
+       const off_t offset;     /* file position of first character of interest */
+       /* accumulated by ipsec_rj_walker_procprint: */
+       int len;        /* number of character filled into buffer */
+       off_t begin;    /* file position contained in buffer[0] (<=offset) */
+};
+
+extern struct radij_node_head *rnh;
+extern spinlock_t eroute_lock;
+
+struct eroute * ipsec_findroute(struct sockaddr_encap *);
+
+#define O1(x) (int)(((x)>>24)&0xff)
+#define O2(x) (int)(((x)>>16)&0xff)
+#define O3(x) (int)(((x)>>8)&0xff)
+#define O4(x) (int)(((x))&0xff)
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_radij;
+void rj_dumptrees(void);
+
+#define DB_RJ_DUMPTREES	0x0001
+#define DB_RJ_FINDROUTE 0x0002
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#define _IPSEC_RADIJ_H
+#endif
+
+/*
+ * $Log: ipsec_radij.h,v $
+ * Revision 1.22  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.21  2004/04/29 11:06:42  ken
+ * Last bits from 2.06 procfs updates
+ *
+ * Revision 1.20  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.19  2004/04/05 19:55:06  mcr
+ * Moved from linux/include/freeswan/ipsec_radij.h,v
+ *
+ * Revision 1.18  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_radij.h,v
+ *
+ * Revision 1.17  2001/11/26 09:23:49  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.16.2.1  2001/09/25 02:21:17  mcr
+ * 	ipsec_proto.h created to keep prototypes rather than deal with
+ * 	cyclic dependancies of structures and prototypes in .h files.
+ *
+ * Revision 1.16  2001/09/15 16:24:04  rgb
+ * Re-inject first and last HOLD packet when an eroute REPLACE is done.
+ *
+ * Revision 1.15  2001/09/14 16:58:37  rgb
+ * Added support for storing the first and last packets through a HOLD.
+ *
+ * Revision 1.14  2001/09/08 21:13:32  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.13  2001/06/14 19:35:09  rgb
+ * Update copyright date.
+ *
+ * Revision 1.12  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.11  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.10  1999/11/17 15:53:39  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.9  1999/10/01 00:01:23  rgb
+ * Added eroute structure locking.
+ *
+ * Revision 1.8  1999/04/11 00:28:59  henry
+ * GPL boilerplate
+ *
+ * Revision 1.7  1999/04/06 04:54:26  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.6  1999/01/22 06:23:26  rgb
+ * Cruft clean-out.
+ *
+ * Revision 1.5  1998/10/25 02:42:08  rgb
+ * Change return type on ipsec_breakroute and ipsec_makeroute and add an
+ * argument to be able to transmit more infomation about errors.
+ *
+ * Revision 1.4  1998/10/19 14:44:29  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.3  1998/07/28 00:03:31  rgb
+ * Comment out temporary inet_nto4u() kluge.
+ *
+ * Revision 1.2  1998/07/14 18:22:00  rgb
+ * Add function to clear the eroute table.
+ *
+ * Revision 1.1  1998/06/18 21:27:49  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.5  1998/05/25 20:30:38  rgb
+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
+ *
+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
+ * add ipsec_rj_walker_delete.
+ *
+ * Revision 1.4  1998/05/21 13:02:56  rgb
+ * Imported definitions from ipsec_radij.c and radij.c to support /proc 3k
+ * limit fix.
+ *
+ * Revision 1.3  1998/04/21 21:29:09  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.2  1998/04/14 17:30:39  rgb
+ * Fix up compiling errors for radij tree memory reclamation.
+ *
+ * Revision 1.1  1998/04/09 03:06:10  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:04  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_rcv.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,199 @@
+/*
+ * 
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_rcv.h,v 1.28.2.2 2006/10/06 21:39:26 paul Exp $
+ */
+
+#ifndef IPSEC_RCV_H
+#define IPSEC_RCV_H
+
+#include "openswan/ipsec_auth.h"
+
+#define DB_RX_PKTRX	0x0001
+#define DB_RX_PKTRX2	0x0002
+#define DB_RX_DMP	0x0004
+#define DB_RX_IPSA	0x0010
+#define DB_RX_XF	0x0020
+#define DB_RX_IPAD	0x0040
+#define DB_RX_INAU	0x0080
+#define DB_RX_OINFO	0x0100
+#define DB_RX_OINFO2	0x0200
+#define DB_RX_OH	0x0400
+#define DB_RX_REPLAY	0x0800
+
+#ifdef __KERNEL__
+/* struct options; */
+
+#define __NO_VERSION__
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>	/* for CONFIG_IP_FORWARD */
+#endif
+#ifdef CONFIG_MODULES
+#include <linux/module.h>
+#endif
+#include <linux/version.h>
+#include <openswan.h>
+
+#define IPSEC_BIRTH_TEMPLATE_MAXLEN 256
+
+struct ipsec_birth_reply {
+  int            packet_template_len;
+  unsigned char  packet_template[IPSEC_BIRTH_TEMPLATE_MAXLEN];
+};
+
+extern struct ipsec_birth_reply ipsec_ipv4_birth_packet;
+extern struct ipsec_birth_reply ipsec_ipv6_birth_packet;
+
+enum ipsec_rcv_value {
+	IPSEC_RCV_LASTPROTO=1,
+	IPSEC_RCV_OK=0,
+	IPSEC_RCV_BADPROTO=-1,
+	IPSEC_RCV_BADLEN=-2,
+	IPSEC_RCV_ESP_BADALG=-3,
+	IPSEC_RCV_3DES_BADBLOCKING=-4,
+	IPSEC_RCV_ESP_DECAPFAIL=-5,
+	IPSEC_RCV_DECAPFAIL=-6,
+	IPSEC_RCV_SAIDNOTFOUND=-7,
+	IPSEC_RCV_IPCOMPALONE=-8,
+	IPSEC_RCV_IPCOMPFAILED=-10,
+	IPSEC_RCV_SAIDNOTLIVE=-11,
+	IPSEC_RCV_FAILEDINBOUND=-12,
+	IPSEC_RCV_LIFETIMEFAILED=-13,
+	IPSEC_RCV_BADAUTH=-14,
+	IPSEC_RCV_REPLAYFAILED=-15,
+	IPSEC_RCV_AUTHFAILED=-16,
+	IPSEC_RCV_REPLAYROLLED=-17,
+	IPSEC_RCV_BAD_DECRYPT=-18
+};
+
+struct ipsec_rcv_state {
+	struct sk_buff *skb;
+	struct net_device_stats *stats;
+	struct iphdr    *ipp;          /* the IP header */
+	struct ipsec_sa *ipsp;         /* current SA being processed */
+	int len;                       /* length of packet */
+	int ilen;                      /* length of inner payload (-authlen) */
+	int authlen;                   /* how big is the auth data at end */
+	int hard_header_len;           /* layer 2 size */
+	int iphlen;                    /* how big is IP header */
+	struct auth_alg *authfuncs;
+	ip_said said;
+	char   sa[SATOT_BUF];
+	size_t sa_len;
+	__u8 next_header;
+	__u8 hash[AH_AMAX];
+	char ipsaddr_txt[ADDRTOA_BUF];
+	char ipdaddr_txt[ADDRTOA_BUF];
+	__u8 *octx;
+	__u8 *ictx;
+	int ictx_len;
+	int octx_len;
+	union {
+		struct {
+			struct esphdr *espp;
+		} espstuff;
+		struct {
+			struct ahhdr *ahp;
+		} ahstuff;
+		struct {
+			struct ipcomphdr *compp;
+		} ipcompstuff;
+	} protostuff;
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	__u8		natt_type;
+	__u16		natt_sport;
+	__u16		natt_dport;
+	int             natt_len; 
+#endif  
+};
+
+extern int
+#ifdef PROTO_HANDLER_SINGLE_PARM
+ipsec_rcv(struct sk_buff *skb);
+#else /* PROTO_HANDLER_SINGLE_PARM */
+ipsec_rcv(struct sk_buff *skb,
+	  unsigned short xlen);
+#endif /* PROTO_HANDLER_SINGLE_PARM */
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_rcv;
+#define ipsec_rcv_dmp(_x,_y, _z) if (debug_rcv && sysctl_ipsec_debug_verbose) ipsec_dmp_block(_x,_y,_z)
+#else
+#define ipsec_rcv_dmp(_x,_y, _z) do {} while(0)
+#endif /* CONFIG_KLIPS_DEBUG */
+
+extern int sysctl_ipsec_inbound_policy_check;
+#endif /* __KERNEL__ */
+
+extern int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type);
+
+
+#endif /* IPSEC_RCV_H */
+
+/*
+ * $Log: ipsec_rcv.h,v $
+ * Revision 1.28.2.2  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.28.2.1  2006/07/10 15:52:20  paul
+ * Fix for bug #642 by Bart Trojanowski
+ *
+ * Revision 1.28  2005/05/11 00:59:45  mcr
+ * 	do not call debug routines if !defined KLIPS_DEBUG.
+ *
+ * Revision 1.27  2005/04/29 04:59:46  mcr
+ * 	use ipsec_dmp_block.
+ *
+ * Revision 1.26  2005/04/13 22:48:35  mcr
+ * 	added comments, and removed some log.
+ * 	removed Linux 2.0 support.
+ *
+ * Revision 1.25  2005/04/08 18:25:37  mcr
+ * 	prototype klips26 encap receive function
+ *
+ * Revision 1.24  2004/08/20 21:45:37  mcr
+ * 	CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
+ * 	be 26sec compatible. But, some defines where changed.
+ *
+ * Revision 1.23  2004/08/03 18:17:40  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.22  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.21  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.20  2004/04/05 19:55:06  mcr
+ * Moved from linux/include/freeswan/ipsec_rcv.h,v
+ *
+ * Revision 1.19  2003/12/15 18:13:09  mcr
+ * 	when compiling with NAT traversal, don't assume that the
+ * 	kernel has been patched, unless CONFIG_IPSEC_NAT_NON_ESP
+ * 	is set.
+ *
+ * history elided 2005-04-12.
+ *
+ * Local Variables:
+ * c-basic-offset:8
+ * c-style:linux
+ * End:
+ *
+ */
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_sa.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,355 @@
+/*
+ * @(#) Definitions of IPsec Security Association (ipsec_sa)
+ *
+ * Copyright (C) 2001, 2002, 2003
+ *                      Richard Guy Briggs  <rgb@freeswan.org>
+ *                  and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_sa.h,v 1.23 2005/05/11 01:18:59 mcr Exp $
+ *
+ * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
+ *
+ */
+
+/* 
+ * This file describes the IPsec Security Association Structure.
+ *
+ * This structure keeps track of a single transform that may be done
+ * to a set of packets. It can describe applying the transform or
+ * apply the reverse. (e.g. compression vs expansion). However, it
+ * only describes one at a time. To describe both, two structures would
+ * be used, but since the sides of the transform are performed 
+ * on different machines typically it is usual to have only one side
+ * of each association.
+ * 
+ */
+
+#ifndef _IPSEC_SA_H_
+
+#ifdef __KERNEL__
+#include "openswan/ipsec_stats.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_eroute.h"
+#endif /* __KERNEL__ */
+#include "openswan/ipsec_param.h"
+
+#include "pfkeyv2.h"
+
+
+/* SAs are held in a table.
+ * Entries in this table are referenced by IPsecSAref_t values.
+ * IPsecSAref_t values are conceptually subscripts.  Because
+ * we want to allocate the table piece-meal, the subscripting
+ * is implemented with two levels, a bit like paged virtual memory.
+ * This representation mechanism is known as an Iliffe Vector.
+ *
+ * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
+ * pointers to subtables.
+ * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
+ * is a pointer to an SA.
+ *
+ * An IPsecSAref_t contains either an exceptional value (signified by the
+ * high-order bit being on) or a reference to a table entry.  A table entry
+ * reference has the subtable subscript in the low-order
+ * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
+ * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
+ *
+ * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
+ * IPsecSAref2table(x).  It is of type struct IPsecSArefSubTable *.
+ *
+ * The pointer to the SA for x is IPsecSAref2SA(x).  It is of type
+ * struct ipsec_sa*.  The macro definition clearly shows the two-level
+ * access needed to find the SA pointer.
+ *
+ * The Maintable is allocated when IPsec is initialized.
+ * Each subtable is allocated when needed, but the first is allocated
+ * when IPsec is initialized.
+ *
+ * IPsecSAref_t is designed to be smaller than an NFmark so that
+ * they can be stored in NFmarks and still leave a few bits for other
+ * purposes.  The spare bits are in the low order of the NFmark
+ * but in the high order of the IPsecSAref_t, so conversion is required.
+ * We pick the upper bits of NFmark on the theory that they are less likely to
+ * interfere with more pedestrian uses of nfmark.
+ */
+
+
+typedef unsigned short int IPsecRefTableUnusedCount;
+
+#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
+
+#ifdef __KERNEL__
+#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
+#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")"
+#endif
+
+#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
+
+#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
+#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+
+#ifdef CONFIG_NETFILTER
+#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
+#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
+#else /* CONFIG_NETFILTER */
+/* just make it work for now, it doesn't matter, since there is no nfmark */
+#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
+#endif /* CONFIG_NETFILTER */
+#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
+
+#define IPSEC_SA_REF_MASK        (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
+#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+#define IPSEC_SA_REF_ENTRY_MASK  (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
+
+#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
+#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))
+
+#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
+#define IPsecSA2SAref(x) ((x)->ips_ref)
+
+#define EMT_INBOUND	0x01	/* SA direction, 1=inbound */
+
+/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
+struct ipsec_sa 	                        
+{
+	IPsecSAref_t	ips_ref;		/* reference table entry number */
+	atomic_t	ips_refcount;		/* reference count for this struct */
+	struct ipsec_sa	*ips_hnext;		/* next in hash chain */
+	struct ipsec_sa	*ips_inext;	 	/* pointer to next xform */
+	struct ipsec_sa	*ips_onext;	 	/* pointer to prev xform */
+
+	struct ifnet	*ips_rcvif;	 	/* related rcv encap interface */
+
+	ip_said	        ips_said;	 	/* SA ID */
+
+	__u32		ips_seq;		/* seq num of msg that initiated this SA */
+	__u32		ips_pid;		/* PID of process that initiated this SA */
+	__u8		ips_authalg;		/* auth algorithm for this SA */
+	__u8		ips_encalg;		/* enc algorithm for this SA */
+
+	struct ipsec_stats ips_errs;
+
+	__u8		ips_replaywin;		/* replay window size */
+	enum sadb_sastate ips_state;		/* state of SA */
+	__u32		ips_replaywin_lastseq;	/* last pkt sequence num */
+	__u64		ips_replaywin_bitmap;	/* bitmap of received pkts */
+	__u32		ips_replaywin_maxdiff;	/* max pkt sequence difference */
+
+	__u32		ips_flags;		/* generic xform flags */
+
+
+	struct ipsec_lifetimes ips_life;	/* lifetime records */
+
+	/* selector information */
+        __u8            ips_transport_protocol; /* protocol for this SA, if ports are involved */
+	struct sockaddr*ips_addr_s;		/* src sockaddr */
+	struct sockaddr*ips_addr_d;		/* dst sockaddr */
+	struct sockaddr*ips_addr_p;		/* proxy sockaddr */
+	__u16		ips_addr_s_size;
+	__u16		ips_addr_d_size;
+	__u16		ips_addr_p_size;
+	ip_address	ips_flow_s;
+	ip_address	ips_flow_d;
+	ip_address	ips_mask_s;
+	ip_address	ips_mask_d;
+
+	__u16		ips_key_bits_a;		/* size of authkey in bits */
+	__u16		ips_auth_bits;		/* size of authenticator in bits */
+	__u16		ips_key_bits_e;		/* size of enckey in bits */
+	__u16		ips_iv_bits;	 	/* size of IV in bits */
+	__u8		ips_iv_size;
+	__u16		ips_key_a_size;
+	__u16		ips_key_e_size;
+
+	caddr_t		ips_key_a;		/* authentication key */
+	caddr_t		ips_key_e;		/* encryption key */
+	caddr_t	        ips_iv;			/* Initialisation Vector */
+
+	struct ident	ips_ident_s;		/* identity src */
+	struct ident	ips_ident_d;		/* identity dst */
+
+        /* these are included even if CONFIG_KLIPS_IPCOMP is off */
+	__u16		ips_comp_adapt_tries;	/* ipcomp self-adaption tries */
+	__u16		ips_comp_adapt_skip;	/* ipcomp self-adaption to-skip */
+	__u64		ips_comp_ratio_cbytes;	/* compressed bytes */
+	__u64		ips_comp_ratio_dbytes;	/* decompressed (or uncompressed) bytes */
+
+        /* these are included even if CONFIG_IPSEC_NAT_TRAVERSAL is off */
+	__u8		ips_natt_type;
+	__u8		ips_natt_reserved[3];
+	__u16		ips_natt_sport;
+	__u16		ips_natt_dport;
+
+	struct sockaddr *ips_natt_oa;
+	__u16		ips_natt_oa_size;
+	__u16		ips_natt_reserved2;
+
+#if 0
+	__u32		ips_sens_dpd;
+	__u8		ips_sens_sens_level;
+	__u8		ips_sens_sens_len;
+	__u64*		ips_sens_sens_bitmap;
+	__u8		ips_sens_integ_level;
+	__u8		ips_sens_integ_len;
+	__u64*		ips_sens_integ_bitmap;
+#endif
+	struct ipsec_alg_enc *ips_alg_enc;
+	struct ipsec_alg_auth *ips_alg_auth;
+	IPsecSAref_t	ips_ref_rel;
+};
+
+struct IPsecSArefSubTable
+{
+	struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
+};
+
+struct ipsec_sadb {
+	struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
+	IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
+	int refFreeListHead;
+	int refFreeListTail;
+	IPsecSAref_t refFreeListCont;
+	IPsecSAref_t said_hash[SADB_HASHMOD];
+	spinlock_t sadb_lock;
+};
+
+extern struct ipsec_sadb ipsec_sadb;
+
+extern int ipsec_SAref_recycle(void);
+extern int ipsec_SArefSubTable_alloc(unsigned table);
+extern int ipsec_saref_freelist_init(void);
+extern int ipsec_sadb_init(void);
+extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
+extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
+extern int ipsec_sa_free(struct ipsec_sa* ips);
+extern int ipsec_sa_put(struct ipsec_sa *ips);
+extern int ipsec_sa_add(struct ipsec_sa *ips);
+extern int ipsec_sa_del(struct ipsec_sa *ips);
+extern int ipsec_sa_delchain(struct ipsec_sa *ips);
+extern int ipsec_sadb_cleanup(__u8 proto);
+extern int ipsec_sadb_free(void);
+extern int ipsec_sa_wipe(struct ipsec_sa *ips);
+#endif /* __KERNEL__ */
+
+enum ipsec_direction {
+	ipsec_incoming = 1,
+	ipsec_outgoing = 2
+};
+
+#define _IPSEC_SA_H_
+#endif /* _IPSEC_SA_H_ */
+
+/*
+ * $Log: ipsec_sa.h,v $
+ * Revision 1.23  2005/05/11 01:18:59  mcr
+ * 	do not change structure based upon options, to avoid
+ * 	too many #ifdef.
+ *
+ * Revision 1.22  2005/04/14 01:17:09  mcr
+ * 	change sadb_state to an enum.
+ *
+ * Revision 1.21  2004/08/20 21:45:37  mcr
+ * 	CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
+ * 	be 26sec compatible. But, some defines where changed.
+ *
+ * Revision 1.20  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.19  2004/04/05 19:55:06  mcr
+ * Moved from linux/include/freeswan/ipsec_sa.h,v
+ *
+ * Revision 1.18  2004/04/05 19:41:05  mcr
+ * 	merged alg-branch code.
+ *
+ * Revision 1.17.2.1  2003/12/22 15:25:52  jjo
+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.17  2003/12/10 01:20:06  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.16  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.15.4.1  2003/10/29 01:10:19  mcr
+ * 	elimited "struct sa_id"
+ *
+ * Revision 1.15  2003/05/11 00:53:09  mcr
+ * 	IPsecSAref_t and macros were moved to freeswan.h.
+ *
+ * Revision 1.14  2003/02/12 19:31:55  rgb
+ * Fixed bug in "file seen" machinery.
+ * Updated copyright year.
+ *
+ * Revision 1.13  2003/01/30 02:31:52  rgb
+ *
+ * Re-wrote comments describing SAref system for accuracy.
+ * Rename SAref table macro names for clarity.
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ * Transmit error code through to caller from callee for better diagnosis of problems.
+ * Enclose all macro arguments in parens to avoid any possible obscrure bugs.
+ *
+ * Revision 1.12  2002/10/07 18:31:19  rgb
+ * Change comment to reflect the flexible nature of the main and sub-table widths.
+ * Added a counter for the number of unused entries in each subtable.
+ * Further break up host field type macro to host field.
+ * Move field width sanity checks to ipsec_sa.c
+ * Define a mask for an entire saref.
+ *
+ * Revision 1.11  2002/09/20 15:40:33  rgb
+ * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys.
+ * Fixed SAref/nfmark macros.
+ * Rework saref freeslist.
+ * Place all ipsec sadb globals into one struct.
+ * Restrict some bits to kernel context for use to klips utils.
+ *
+ * Revision 1.10  2002/09/20 05:00:34  rgb
+ * Update copyright date.
+ *
+ * Revision 1.9  2002/09/17 17:19:29  mcr
+ * 	make it compile even if there is no netfilter - we lost
+ * 	functionality, but it works, especially on 2.2.
+ *
+ * Revision 1.8  2002/07/28 22:59:53  mcr
+ * 	clarified/expanded one comment.
+ *
+ * Revision 1.7  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.6  2002/05/31 17:27:48  rgb
+ * Comment fix.
+ *
+ * Revision 1.5  2002/05/27 18:55:03  rgb
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.4  2002/05/23 07:13:36  rgb
+ * Convert "usecount" to "refcount" to remove ambiguity.
+ *
+ * Revision 1.3  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_sa.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:15  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:24:58  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
+ * 	ipsec_xform.c removed. header file still contains useful things.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_sha1.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,79 @@
+/*
+ * RCSID $Id: ipsec_sha1.h,v 1.8 2004/04/05 19:55:07 mcr Exp $
+ */
+
+/*
+ * Here is the original comment from the distribution:
+
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+
+ * Adapted for use by the IPSEC code by John Ioannidis
+ */
+
+
+#ifndef _IPSEC_SHA1_H_
+#define _IPSEC_SHA1_H_
+
+typedef struct
+{
+	__u32	state[5];
+	__u32	count[2];
+	__u8	buffer[64];
+} SHA1_CTX;
+
+void SHA1Transform(__u32 state[5], __u8 buffer[64]);
+void SHA1Init(void *context);
+void SHA1Update(void *context, unsigned char *data, __u32 len);
+void SHA1Final(unsigned char digest[20], void *context);
+
+ 
+#endif /* _IPSEC_SHA1_H_ */
+
+/*
+ * $Log: ipsec_sha1.h,v $
+ * Revision 1.8  2004/04/05 19:55:07  mcr
+ * Moved from linux/include/freeswan/ipsec_sha1.h,v
+ *
+ * Revision 1.7  2002/09/10 01:45:09  mcr
+ * 	changed type of MD5_CTX and SHA1_CTX to void * so that
+ * 	the function prototypes would match, and could be placed
+ * 	into a pointer to a function.
+ *
+ * Revision 1.6  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_sha1.h,v
+ *
+ * Revision 1.5  1999/12/13 13:59:13  rgb
+ * Quick fix to argument size to Update bugs.
+ *
+ * Revision 1.4  1999/12/07 18:16:23  rgb
+ * Fixed comments at end of #endif lines.
+ *
+ * Revision 1.3  1999/04/06 04:54:27  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.2  1998/11/30 13:22:54  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.1  1998/06/18 21:27:50  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.2  1998/04/23 20:54:05  rgb
+ * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
+ * verified.
+ *
+ * Revision 1.1  1998/04/09 03:04:21  henry
+ * sources moved up from linux/net/ipsec
+ * these two include files modified not to include others except in kernel
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:04  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * New transform
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_stats.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,76 @@
+/*
+ * @(#) definition of ipsec_stats structure
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_stats.h,v 1.7 2005/04/14 01:17:45 mcr Exp $
+ *
+ */
+
+/* 
+ * This file describes the errors/statistics that FreeSWAN collects.
+ */
+
+#ifndef _IPSEC_STATS_H_
+
+struct ipsec_stats {
+	__u32		ips_alg_errs;	       /* number of algorithm errors */
+	__u32		ips_auth_errs;	       /* # of authentication errors */
+	__u32		ips_encsize_errs;      /* # of encryption size errors*/
+	__u32		ips_encpad_errs;       /* # of encryption pad  errors*/
+	__u32		ips_replaywin_errs;    /* # of pkt sequence errors */
+};
+
+#define _IPSEC_STATS_H_
+#endif /* _IPSEC_STATS_H_ */
+
+/*
+ * $Log: ipsec_stats.h,v $
+ * Revision 1.7  2005/04/14 01:17:45  mcr
+ * 	add prototypes for snprintf.
+ *
+ * Revision 1.6  2004/04/05 19:55:07  mcr
+ * Moved from linux/include/freeswan/ipsec_stats.h,v
+ *
+ * Revision 1.5  2004/04/05 19:41:05  mcr
+ * 	merged alg-branch code.
+ *
+ * Revision 1.4  2004/03/28 20:27:19  paul
+ * Included tested and confirmed fixes mcr made and dhr verified for
+ * snprint statements. Changed one other snprintf to use ipsec_snprintf
+ * so it wouldnt break compatibility with 2.0/2.2 kernels. Verified with
+ * dhr. (thanks dhr!)
+ *
+ * Revision 1.4  2004/03/24 01:58:31  mcr
+ *     sprintf->snprintf for formatting into proc buffer.
+ *
+ * Revision 1.3.34.1  2004/04/05 04:30:46  mcr
+ * 	patches for alg-branch to compile/work with 2.x openswan
+ *
+ * Revision 1.3  2002/04/24 07:36:47  mcr
+ * Moved from ./klips/net/ipsec/ipsec_stats.h,v
+ *
+ * Revision 1.2  2001/11/26 09:16:16  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:27:00  mcr
+ * 	statistics moved to seperate structure.
+ *
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_tunnel.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,280 @@
+/*
+ * IPSEC tunneling code
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_tunnel.h,v 1.33 2005/06/04 16:06:05 mcr Exp $
+ */
+
+
+#ifdef NET_21
+# define DEV_QUEUE_XMIT(skb, device, pri) {\
+	skb->dev = device; \
+	neigh_compat_output(skb); \
+	/* skb->dst->output(skb); */ \
+ }
+# define ICMP_SEND(skb_in, type, code, info, dev) \
+	icmp_send(skb_in, type, code, htonl(info))
+# define IP_SEND(skb, dev) \
+	ip_send(skb);
+#else /* NET_21 */
+# define DEV_QUEUE_XMIT(skb, device, pri) {\
+	dev_queue_xmit(skb, device, pri); \
+ }
+# define ICMP_SEND(skb_in, type, code, info, dev) \
+	icmp_send(skb_in, type, code, info, dev)
+# define IP_SEND(skb, dev) \
+	if(ntohs(iph->tot_len) > physmtu) { \
+		ip_fragment(NULL, skb, dev, 0); \
+		ipsec_kfree_skb(skb); \
+	} else { \
+		dev_queue_xmit(skb, dev, SOPRI_NORMAL); \
+	}
+#endif /* NET_21 */
+
+
+/*
+ * Heavily based on drivers/net/new_tunnel.c.  Lots
+ * of ideas also taken from the 2.1.x version of drivers/net/shaper.c
+ */
+
+struct ipsectunnelconf
+{
+	__u32	cf_cmd;
+	union
+	{
+		char 	cfu_name[12];
+	} cf_u;
+#define cf_name cf_u.cfu_name
+};
+
+#define IPSEC_SET_DEV	(SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV	(SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV	(SIOCDEVPRIVATE + 2)
+
+#ifdef __KERNEL__
+#include <linux/version.h>
+#ifndef KERNEL_VERSION
+#  define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
+#endif
+struct ipsecpriv
+{
+	struct sk_buff_head sendq;
+	struct net_device *dev;
+	struct wait_queue *wait_queue;
+	char locked;
+	int  (*hard_start_xmit) (struct sk_buff *skb,
+		struct net_device *dev);
+	int  (*hard_header) (struct sk_buff *skb,
+		struct net_device *dev,
+		unsigned short type,
+		void *daddr,
+		void *saddr,
+		unsigned len);
+#ifdef NET_21
+	int  (*rebuild_header)(struct sk_buff *skb);
+#else /* NET_21 */
+	int  (*rebuild_header)(void *buff, struct net_device *dev,
+			unsigned long raddr, struct sk_buff *skb);
+#endif /* NET_21 */
+	int  (*set_mac_address)(struct net_device *dev, void *addr);
+#ifndef NET_21
+	void (*header_cache_bind)(struct hh_cache **hhp, struct net_device *dev,
+				 unsigned short htype, __u32 daddr);
+#endif /* !NET_21 */
+	void (*header_cache_update)(struct hh_cache *hh, struct net_device *dev, unsigned char *  haddr);
+	struct net_device_stats *(*get_stats)(struct net_device *dev);
+	struct net_device_stats mystats;
+	int mtu;	/* What is the desired MTU? */
+};
+
+extern char ipsec_tunnel_c_version[];
+
+extern struct net_device *ipsecdevices[IPSEC_NUM_IF];
+
+int ipsec_tunnel_init_devices(void);
+
+/* void */ int ipsec_tunnel_cleanup_devices(void);
+
+extern /* void */ int ipsec_init(void);
+
+extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev);
+extern struct net_device *ipsec_get_device(int inst);
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_tunnel;
+extern int sysctl_ipsec_debug_verbose;
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif /* __KERNEL__ */
+
+#ifdef CONFIG_KLIPS_DEBUG
+#define DB_TN_INIT	0x0001
+#define DB_TN_PROCFS	0x0002
+#define DB_TN_XMIT	0x0010
+#define DB_TN_OHDR	0x0020
+#define DB_TN_CROUT	0x0040
+#define DB_TN_OXFS	0x0080
+#define DB_TN_REVEC	0x0100
+#define DB_TN_ENCAP     0x0200
+#endif /* CONFIG_KLIPS_DEBUG */
+
+/*
+ * $Log: ipsec_tunnel.h,v $
+ * Revision 1.33  2005/06/04 16:06:05  mcr
+ * 	better patch for nat-t rcv-device code.
+ *
+ * Revision 1.32  2005/05/21 03:18:35  mcr
+ * 	added additional debug flag tunnelling.
+ *
+ * Revision 1.31  2004/08/03 18:18:02  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.30  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.29  2004/04/05 19:55:07  mcr
+ * Moved from linux/include/freeswan/ipsec_tunnel.h,v
+ *
+ * Revision 1.28  2003/06/24 20:22:32  mcr
+ * 	added new global: ipsecdevices[] so that we can keep track of
+ * 	the ipsecX devices. They will be referenced with dev_hold(),
+ * 	so 2.2 may need this as well.
+ *
+ * Revision 1.27  2003/04/03 17:38:09  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ *
+ * Revision 1.26  2003/02/12 19:32:20  rgb
+ * Updated copyright year.
+ *
+ * Revision 1.25  2002/05/27 18:56:07  rgb
+ * Convert to dynamic ipsec device allocation.
+ *
+ * Revision 1.24  2002/04/24 07:36:48  mcr
+ * Moved from ./klips/net/ipsec/ipsec_tunnel.h,v
+ *
+ * Revision 1.23  2001/11/06 19:50:44  rgb
+ * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for
+ * use also by pfkey_v2_parser.c
+ *
+ * Revision 1.22  2001/09/15 16:24:05  rgb
+ * Re-inject first and last HOLD packet when an eroute REPLACE is done.
+ *
+ * Revision 1.21  2001/06/14 19:35:10  rgb
+ * Update copyright date.
+ *
+ * Revision 1.20  2000/09/15 11:37:02  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.19  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.18  2000/07/28 13:50:54  rgb
+ * Changed enet_statistics to net_device_stats and added back compatibility
+ * for pre-2.1.19.
+ *
+ * Revision 1.17  1999/11/19 01:12:15  rgb
+ * Purge unneeded proc_info prototypes, now that static linking uses
+ * dynamic proc_info registration.
+ *
+ * Revision 1.16  1999/11/18 18:51:00  rgb
+ * Changed all device registrations for static linking to
+ * dynamic to reduce the number and size of patches.
+ *
+ * Revision 1.15  1999/11/18 04:14:21  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ * Added CONFIG_PROC_FS compiler directives in case it is shut off.
+ * Added Marc Boucher's 2.3.25 proc patches.
+ *
+ * Revision 1.14  1999/05/25 02:50:10  rgb
+ * Fix kernel version macros for 2.0.x static linking.
+ *
+ * Revision 1.13  1999/05/25 02:41:06  rgb
+ * Add ipsec_klipsdebug support for static linking.
+ *
+ * Revision 1.12  1999/05/05 22:02:32  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.11  1999/04/29 15:19:50  rgb
+ * Add return values to init and cleanup functions.
+ *
+ * Revision 1.10  1999/04/16 16:02:39  rgb
+ * Bump up macro to 4 ipsec I/Fs.
+ *
+ * Revision 1.9  1999/04/15 15:37:25  rgb
+ * Forward check changes from POST1_00 branch.
+ *
+ * Revision 1.5.2.1  1999/04/02 04:26:14  rgb
+ * Backcheck from HEAD, pre1.0.
+ *
+ * Revision 1.8  1999/04/11 00:29:01  henry
+ * GPL boilerplate
+ *
+ * Revision 1.7  1999/04/06 04:54:28  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.6  1999/03/31 05:44:48  rgb
+ * Keep PMTU reduction private.
+ *
+ * Revision 1.5  1999/02/10 22:31:20  rgb
+ * Change rebuild_header member to reflect generality of link layer.
+ *
+ * Revision 1.4  1998/12/01 13:22:04  rgb
+ * Added support for debug printing of version info.
+ *
+ * Revision 1.3  1998/07/29 20:42:46  rgb
+ * Add a macro for clearing all tunnel devices.
+ * Rearrange structures and declarations for sharing with userspace.
+ *
+ * Revision 1.2  1998/06/25 20:01:45  rgb
+ * Make prototypes available for ipsec_init and ipsec proc_dir_entries
+ * for static linking.
+ *
+ * Revision 1.1  1998/06/18 21:27:50  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.3  1998/05/18 21:51:50  rgb
+ * Added macros for num of I/F's and a procfs debug switch.
+ *
+ * Revision 1.2  1998/04/21 21:29:09  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.1  1998/04/09 03:06:13  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:05  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.5  1997/06/03 04:24:48  ji
+ * Added transport mode.
+ * Changed the way routing is done.
+ * Lots of bug fixes.
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_xform.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,257 @@
+/*
+ * Definitions relevant to IPSEC transformations
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * COpyright (C) 2003  Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_xform.h,v 1.41 2004/07/10 19:08:41 mcr Exp $
+ */
+
+#ifndef _IPSEC_XFORM_H_
+
+#include <openswan.h>
+
+#define XF_NONE			0	/* No transform set */
+#define XF_IP4			1	/* IPv4 inside IPv4 */
+#define XF_AHMD5		2	/* AH MD5 */
+#define XF_AHSHA		3	/* AH SHA */
+#define XF_ESP3DES		5	/* ESP DES3-CBC */
+#define XF_AHHMACMD5		6	/* AH-HMAC-MD5 with opt replay prot */
+#define XF_AHHMACSHA1		7	/* AH-HMAC-SHA1 with opt replay prot */
+#define XF_ESP3DESMD5		9	/* triple DES, HMAC-MD-5, 128-bits of authentication */
+#define	XF_ESP3DESMD596		10	/* triple DES, HMAC-MD-5, 96-bits of authentication */
+#define	XF_ESPNULLMD596		12	/* NULL, HMAC-MD-5 with 96-bits of authentication */
+#define	XF_ESPNULLSHA196	13	/* NULL, HMAC-SHA-1 with 96-bits of authentication */
+#define	XF_ESP3DESSHA196	14	/* triple DES, HMAC-SHA-1, 96-bits of authentication */
+#define XF_IP6			15	/* IPv6 inside IPv6 */
+#define XF_COMPDEFLATE		16	/* IPCOMP deflate */
+
+#define XF_CLR			126	/* Clear SA table */
+#define XF_DEL			127	/* Delete SA */
+
+/* IPsec AH transform values
+ * RFC 2407
+ * draft-ietf-ipsec-doi-tc-mib-02.txt
+ */
+
+#define AH_NONE			0
+#define AH_MD5			2
+#define AH_SHA			3
+/* draft-ietf-ipsec-ciph-aes-cbc-03.txt */
+#define AH_SHA2_256		5
+#define AH_SHA2_384		6
+#define AH_SHA2_512		7
+#define AH_RIPEMD		8
+#define AH_MAX			15
+
+/* IPsec ESP transform values */
+
+#define ESP_NONE		0
+#define ESP_DES			2
+#define ESP_3DES		3
+#define ESP_RC5			4
+#define ESP_IDEA		5
+#define ESP_CAST		6
+#define ESP_BLOWFISH		7
+#define ESP_3IDEA		8
+#define ESP_RC4			10
+#define ESP_NULL		11
+#define ESP_AES			12
+
+/* as draft-ietf-ipsec-ciph-aes-cbc-02.txt */
+#define ESP_MARS		249
+#define	ESP_RC6			250
+#define ESP_SERPENT		252
+#define ESP_TWOFISH		253
+			 
+/* IPCOMP transform values */
+
+#define IPCOMP_NONE		0
+#define IPCOMP_OUI		1
+#define IPCOMP_DEFLAT		2
+#define IPCOMP_LZS		3
+#define IPCOMP_V42BIS		4
+
+#define XFT_AUTH		0x0001
+#define XFT_CONF		0x0100
+
+/* available if CONFIG_KLIPS_DEBUG is defined */
+#define DB_XF_INIT		0x0001
+
+#define PROTO2TXT(x) \
+	(x) == IPPROTO_AH ? "AH" : \
+	(x) == IPPROTO_ESP ? "ESP" : \
+	(x) == IPPROTO_IPIP ? "IPIP" : \
+	(x) == IPPROTO_COMP ? "COMP" : \
+	"UNKNOWN_proto"
+static inline const char *enc_name_id (unsigned id) {
+	static char buf[16];
+	snprintf(buf, sizeof(buf), "_ID%d", id);
+	return buf;
+}
+static inline const char *auth_name_id (unsigned id) {
+	static char buf[16];
+	snprintf(buf, sizeof(buf), "_ID%d", id);
+	return buf;
+}
+#define IPS_XFORM_NAME(x) \
+	PROTO2TXT((x)->ips_said.proto), \
+	(x)->ips_said.proto == IPPROTO_COMP ? \
+		((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \
+		 "_DEFLATE" : "_UNKNOWN_comp") : \
+	(x)->ips_encalg == ESP_NONE ? "" : \
+	(x)->ips_encalg == ESP_3DES ? "_3DES" : \
+	(x)->ips_encalg == ESP_AES ? "_AES" : \
+	(x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \
+	(x)->ips_encalg == ESP_TWOFISH ? "_TWOFISH" : \
+	enc_name_id(x->ips_encalg)/* "_UNKNOWN_encr" */, \
+	(x)->ips_authalg == AH_NONE ? "" : \
+	(x)->ips_authalg == AH_MD5 ? "_HMAC_MD5" : \
+	(x)->ips_authalg == AH_SHA ? "_HMAC_SHA1" : \
+	(x)->ips_authalg == AH_SHA2_256 ? "_HMAC_SHA2_256" : \
+	(x)->ips_authalg == AH_SHA2_384 ? "_HMAC_SHA2_384" : \
+	(x)->ips_authalg == AH_SHA2_512 ? "_HMAC_SHA2_512" : \
+	auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \
+
+#ifdef __KERNEL__
+struct ipsec_rcv_state;
+struct ipsec_xmit_state;
+
+struct xform_functions {
+	enum ipsec_rcv_value (*rcv_checks)(struct ipsec_rcv_state *irs,
+				       struct sk_buff *skb);
+        enum ipsec_rcv_value (*rcv_decrypt)(struct ipsec_rcv_state *irs);
+
+	enum ipsec_rcv_value (*rcv_setup_auth)(struct ipsec_rcv_state *irs,
+					   struct sk_buff *skb,
+					   __u32          *replay,
+					   unsigned char **authenticator);
+	enum ipsec_rcv_value (*rcv_calc_auth)(struct ipsec_rcv_state *irs,
+					struct sk_buff *skb);
+
+  	enum ipsec_xmit_value (*xmit_setup)(struct ipsec_xmit_state *ixs);
+        enum ipsec_xmit_value (*xmit_encrypt)(struct ipsec_xmit_state *ixs);
+
+	enum ipsec_xmit_value (*xmit_setup_auth)(struct ipsec_xmit_state *ixs,
+					   struct sk_buff *skb,
+					   __u32          *replay,
+					   unsigned char **authenticator);
+	enum ipsec_xmit_value (*xmit_calc_auth)(struct ipsec_xmit_state *ixs,
+					struct sk_buff *skb);
+        int  xmit_headroom;
+	int  xmit_needtailroom;
+};
+
+#endif /* __KERNEL__ */
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern void ipsec_dmp(char *s, caddr_t bb, int len);
+#else /* CONFIG_KLIPS_DEBUG */
+#define ipsec_dmp(_x, _y, _z) 
+#endif /* CONFIG_KLIPS_DEBUG */
+
+
+#define _IPSEC_XFORM_H_
+#endif /* _IPSEC_XFORM_H_ */
+
+/*
+ * $Log: ipsec_xform.h,v $
+ * Revision 1.41  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.40  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.39  2004/04/05 19:55:07  mcr
+ * Moved from linux/include/freeswan/ipsec_xform.h,v
+ *
+ * Revision 1.38  2004/04/05 19:41:05  mcr
+ * 	merged alg-branch code.
+ *
+ * Revision 1.37  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.36.34.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.36  2002/04/24 07:36:48  mcr
+ * Moved from ./klips/net/ipsec/ipsec_xform.h,v
+ *
+ * Revision 1.35  2001/11/26 09:23:51  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.33.2.1  2001/09/25 02:24:58  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
+ * 	ipsec_xform.c removed. header file still contains useful things.
+ *
+ * Revision 1.34  2001/11/06 19:47:17  rgb
+ * Changed lifetime_packets to uint32 from uint64.
+ *
+ * Revision 1.33  2001/09/08 21:13:34  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.32  2001/07/06 07:40:01  rgb
+ * Reformatted for readability.
+ * Added inbound policy checking fields for use with IPIP SAs.
+ *
+ * Revision 1.31  2001/06/14 19:35:11  rgb
+ * Update copyright date.
+ *
+ * Revision 1.30  2001/05/30 08:14:03  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.29  2001/01/30 23:42:47  rgb
+ * Allow pfkey msgs from pid other than user context required for ACQUIRE
+ * and subsequent ADD or UDATE.
+ *
+ * Revision 1.28  2000/11/06 04:30:40  rgb
+ * Add Svenning's adaptive content compression.
+ *
+ * Revision 1.27  2000/09/19 00:38:25  rgb
+ * Fixed algorithm name bugs introduced for ipcomp.
+ *
+ * Revision 1.26  2000/09/17 21:36:48  rgb
+ * Added proto2txt macro.
+ *
+ * Revision 1.25  2000/09/17 18:56:47  rgb
+ * Added IPCOMP support.
+ *
+ * Revision 1.24  2000/09/12 19:34:12  rgb
+ * Defined XF_IP6 from Gerhard for ipv6 tunnel support.
+ *
+ * Revision 1.23  2000/09/12 03:23:14  rgb
+ * Cleaned out now unused tdb_xform and tdb_xdata members of struct tdb.
+ *
+ * Revision 1.22  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.21  2000/09/01 18:32:43  rgb
+ * Added (disabled) sensitivity members to tdb struct.
+ *
+ * Revision 1.20  2000/08/30 05:31:01  rgb
+ * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
+ * Kill remainder of tdb_xform, tdb_xdata, xformsw.
+ *
+ * Revision 1.19  2000/08/01 14:51:52  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.18  2000/01/21 06:17:45  rgb
+ * Tidied up spacing.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_xmit.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,198 @@
+/*
+ * IPSEC tunneling code
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_xmit.h,v 1.14 2005/05/11 01:00:26 mcr Exp $
+ */
+
+#include "openswan/ipsec_sa.h"
+
+enum ipsec_xmit_value
+{
+	IPSEC_XMIT_STOLEN=2,
+	IPSEC_XMIT_PASS=1,
+	IPSEC_XMIT_OK=0,
+	IPSEC_XMIT_ERRMEMALLOC=-1,
+	IPSEC_XMIT_ESP_BADALG=-2,
+	IPSEC_XMIT_BADPROTO=-3,
+	IPSEC_XMIT_ESP_PUSHPULLERR=-4,
+	IPSEC_XMIT_BADLEN=-5,
+	IPSEC_XMIT_AH_BADALG=-6,
+	IPSEC_XMIT_SAIDNOTFOUND=-7,
+	IPSEC_XMIT_SAIDNOTLIVE=-8,
+	IPSEC_XMIT_REPLAYROLLED=-9,
+	IPSEC_XMIT_LIFETIMEFAILED=-10,
+	IPSEC_XMIT_CANNOTFRAG=-11,
+	IPSEC_XMIT_MSSERR=-12,
+	IPSEC_XMIT_ERRSKBALLOC=-13,
+	IPSEC_XMIT_ENCAPFAIL=-14,
+	IPSEC_XMIT_NODEV=-15,
+	IPSEC_XMIT_NOPRIVDEV=-16,
+	IPSEC_XMIT_NOPHYSDEV=-17,
+	IPSEC_XMIT_NOSKB=-18,
+	IPSEC_XMIT_NOIPV6=-19,
+	IPSEC_XMIT_NOIPOPTIONS=-20,
+	IPSEC_XMIT_TTLEXPIRED=-21,
+	IPSEC_XMIT_BADHHLEN=-22,
+	IPSEC_XMIT_PUSHPULLERR=-23,
+	IPSEC_XMIT_ROUTEERR=-24,
+	IPSEC_XMIT_RECURSDETECT=-25,
+	IPSEC_XMIT_IPSENDFAILURE=-26,
+	IPSEC_XMIT_ESPUDP=-27,
+	IPSEC_XMIT_ESPUDP_BADTYPE=-28,
+};
+
+struct ipsec_xmit_state
+{
+	struct sk_buff *skb;		/* working skb pointer */
+	struct net_device *dev;		/* working dev pointer */
+	struct ipsecpriv *prv;		/* Our device' private space */
+	struct sk_buff *oskb;		/* Original skb pointer */
+	struct net_device_stats *stats;	/* This device's statistics */
+	struct iphdr  *iph;		/* Our new IP header */
+	__u32   newdst;			/* The other SG's IP address */
+	__u32	orgdst;			/* Original IP destination address */
+	__u32	orgedst;		/* 1st SG's IP address */
+	__u32   newsrc;			/* The new source SG's IP address */
+	__u32	orgsrc;			/* Original IP source address */
+	__u32	innersrc;		/* Innermost IP source address */
+	int	iphlen;			/* IP header length */
+	int	pyldsz;			/* upper protocol payload size */
+	int	headroom;
+	int	tailroom;
+        int     authlen;
+	int     max_headroom;		/* The extra header space needed */
+	int	max_tailroom;		/* The extra stuffing needed */
+	int     ll_headroom;		/* The extra link layer hard_header space needed */
+	int     tot_headroom;		/* The total header space needed */
+	int	tot_tailroom;		/* The totalstuffing needed */
+	__u8	*saved_header;		/* saved copy of the hard header */
+	unsigned short   sport, dport;
+
+	struct sockaddr_encap matcher;	/* eroute search key */
+	struct eroute *eroute;
+	struct ipsec_sa *ipsp, *ipsq;	/* ipsec_sa pointers */
+	char sa_txt[SATOT_BUF];
+	size_t sa_len;
+	int hard_header_stripped;	/* has the hard header been removed yet? */
+	int hard_header_len;
+	struct net_device *physdev;
+/*	struct device *virtdev; */
+	short physmtu;
+	short cur_mtu;          /* copy of prv->mtu, cause prv may == NULL */
+	short mtudiff;
+#ifdef NET_21
+	struct rtable *route;
+#endif /* NET_21 */
+	ip_said outgoing_said;
+#ifdef NET_21
+	int pass;
+#endif /* NET_21 */
+	int error;
+	uint32_t eroute_pid;
+	struct ipsec_sa ips;
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	uint8_t natt_type;
+	uint8_t natt_head;
+	uint16_t natt_sport;
+	uint16_t natt_dport;
+#endif
+};
+
+enum ipsec_xmit_value
+ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs);
+
+enum ipsec_xmit_value
+ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs);
+
+enum ipsec_xmit_value
+ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs);
+
+extern void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er);
+
+
+extern int ipsec_xmit_trap_count;
+extern int ipsec_xmit_trap_sendcount;
+
+#ifdef CONFIG_KLIPS_DEBUG
+extern int debug_tunnel;
+
+#define debug_xmit debug_tunnel
+
+#define ipsec_xmit_dmp(_x,_y, _z) if (debug_xmit && sysctl_ipsec_debug_verbose) ipsec_dmp_block(_x,_y,_z)
+#else
+#define ipsec_xmit_dmp(_x,_y, _z) do {} while(0)
+
+#endif /* CONFIG_KLIPS_DEBUG */
+
+extern int sysctl_ipsec_debug_verbose;
+extern int sysctl_ipsec_icmp;
+extern int sysctl_ipsec_tos;
+
+
+/*
+ * $Log: ipsec_xmit.h,v $
+ * Revision 1.14  2005/05/11 01:00:26  mcr
+ * 	do not call debug routines if !defined KLIPS_DEBUG.
+ *
+ * Revision 1.13  2005/04/29 05:01:38  mcr
+ * 	use ipsec_dmp_block.
+ * 	added cur_mtu to ixs instead of using ixs->dev.
+ *
+ * Revision 1.12  2004/08/20 21:45:37  mcr
+ * 	CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
+ * 	be 26sec compatible. But, some defines where changed.
+ *
+ * Revision 1.11  2004/08/03 18:18:21  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.10  2004/07/10 19:08:41  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.9  2004/04/06 02:49:08  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.8  2004/04/05 19:55:07  mcr
+ * Moved from linux/include/freeswan/ipsec_xmit.h,v
+ *
+ * Revision 1.7  2004/02/03 03:11:40  mcr
+ * 	new xmit type if the UDP encapsulation is wrong.
+ *
+ * Revision 1.6  2003/12/13 19:10:16  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.5  2003/12/10 01:20:06  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.4  2003/12/06 16:37:04  mcr
+ * 	1.4.7a X.509 patch applied.
+ *
+ * Revision 1.3  2003/10/31 02:27:05  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.2.4.2  2003/10/29 01:10:19  mcr
+ * 	elimited "struct sa_id"
+ *
+ * Revision 1.2.4.1  2003/09/21 13:59:38  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.2  2003/06/20 01:42:13  mcr
+ * 	added counters to measure how many ACQUIREs we send to pluto,
+ * 	and how many are successfully sent.
+ *
+ * Revision 1.1  2003/02/12 19:31:03  rgb
+ * Refactored from ipsec_tunnel.c
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/passert.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,75 @@
+/*
+ * sanitize a string into a printable format.
+ *
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2003  Michael Richardson <mcr@freeswan.org>
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: passert.h,v 1.7 2004/10/21 18:44:42 mcr Exp $
+ */
+
+#include "openswan.h"
+
+#ifndef _OPENSWAN_PASSERT_H
+#define _OPENSWAN_PASSERT_H
+/* our versions of assert: log result */
+
+#ifdef DEBUG
+
+typedef void (*openswan_passert_fail_t)(const char *pred_str,
+					const char *file_str,
+					unsigned long line_no) NEVER_RETURNS;
+
+openswan_passert_fail_t openswan_passert_fail;
+
+extern void pexpect_log(const char *pred_str
+			, const char *file_str, unsigned long line_no);
+
+# define impossible() do { \
+    if(openswan_passert_fail) {					\
+      (*openswan_passert_fail)("impossible", __FILE__, __LINE__); \
+    }} while(0)
+
+extern void switch_fail(int n
+    , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+
+# define bad_case(n) switch_fail((int) n, __FILE__, __LINE__)
+
+# define passert(pred) do { \
+	if (!(pred)) \
+	  if(openswan_passert_fail) { \
+	    (*openswan_passert_fail)(#pred, __FILE__, __LINE__);	\
+	  } \
+  } while(0)
+
+# define pexpect(pred) do { \
+	if (!(pred)) \
+	    pexpect_log(#pred, __FILE__, __LINE__); \
+  } while(0)
+
+/* assert that an err_t is NULL; evaluate exactly once */
+# define happy(x) { \
+	err_t ugh = x; \
+	if (ugh != NULL) \
+	  if(openswan_passert_fail) { (*openswan_passert_fail)(ugh, __FILE__, __LINE__); }  \
+    }
+
+#else /*!DEBUG*/
+
+# define impossible() abort()
+# define bad_case(n) abort()
+# define passert(pred)  { }	/* do nothing */
+# define happy(x)  { (void) x; }	/* evaluate non-judgementally */
+
+#endif /*!DEBUG*/
+
+#endif /* _OPENSWAN_PASSERT_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/pfkey_debug.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,54 @@
+/*
+ * sanitize a string into a printable format.
+ *
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 2003  Michael Richardson <mcr@freeswan.org>
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: pfkey_debug.h,v 1.3 2004/04/05 19:55:07 mcr Exp $
+ */
+
+#ifndef _FREESWAN_PFKEY_DEBUG_H
+#define _FREESWAN_PFKEY_DEBUG_H
+
+#ifdef __KERNEL__
+
+/* note, kernel version ignores pfkey levels */
+# define DEBUGGING(level,args...) \
+         KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
+
+# define ERROR(args...) printk(KERN_ERR "klips:" args)
+
+#else
+
+extern unsigned int pfkey_lib_debug;
+
+extern void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
+extern void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
+
+#define DEBUGGING(level,args...)  if(pfkey_lib_debug & level) { \
+                              if(pfkey_debug_func != NULL) { \
+                                (*pfkey_debug_func)("pfkey_lib_debug:" args); \
+                              } else { \
+                                printf("pfkey_lib_debug:" args); \
+                              } }
+
+#define ERROR(args...)      if(pfkey_error_func != NULL) { \
+                                (*pfkey_error_func)("pfkey_lib_debug:" args); \
+                              } 
+
+# define MALLOC(size) malloc(size)
+# define FREE(obj) free(obj)
+
+#endif
+
+#endif
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/radij.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,280 @@
+/*
+ * RCSID $Id: radij.h,v 1.13 2004/04/05 19:55:08 mcr Exp $
+ */
+
+/*
+ * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
+ *
+ * Variable and procedure names have been modified so that they don't
+ * conflict with the original BSD code, as a small number of modifications
+ * have been introduced and we may want to reuse this code in BSD.
+ * 
+ * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
+ * chi or a German ch sound (as `doch', not as in `milch'), or even a 
+ * spanish j as in Juan.  It is not as far back in the throat like
+ * the corresponding Hebrew sound, nor is it a soft breath like the English h.
+ * It has nothing to do with the Dutch ij sound.
+ * 
+ * Here is the appropriate copyright notice:
+ */
+
+/*
+ * Copyright (c) 1988, 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)radix.h	8.1 (Berkeley) 6/10/93
+ */
+
+#ifndef _RADIJ_H_
+#define	_RADIJ_H_
+
+/* 
+#define RJ_DEBUG
+*/
+
+#ifdef __KERNEL__
+
+#ifndef __P
+#ifdef __STDC__
+#define __P(x)  x
+#else
+#define __P(x)  ()
+#endif
+#endif
+
+/*
+ * Radix search tree node layout.
+ */
+
+struct radij_node
+{
+	struct	radij_mask *rj_mklist;	/* list of masks contained in subtree */
+	struct	radij_node *rj_p;	/* parent */
+	short	rj_b;			/* bit offset; -1-index(netmask) */
+	char	rj_bmask;		/* node: mask for bit test*/
+	u_char	rj_flags;		/* enumerated next */
+#define RJF_NORMAL	1		/* leaf contains normal route */
+#define RJF_ROOT	2		/* leaf is root leaf for tree */
+#define RJF_ACTIVE	4		/* This node is alive (for rtfree) */
+	union {
+		struct {			/* leaf only data: */
+			caddr_t	rj_Key;	/* object of search */
+			caddr_t	rj_Mask;	/* netmask, if present */
+			struct	radij_node *rj_Dupedkey;
+		} rj_leaf;
+		struct {			/* node only data: */
+			int	rj_Off;		/* where to start compare */
+			struct	radij_node *rj_L;/* progeny */
+			struct	radij_node *rj_R;/* progeny */
+		}rj_node;
+	}		rj_u;
+#ifdef RJ_DEBUG
+	int rj_info;
+	struct radij_node *rj_twin;
+	struct radij_node *rj_ybro;
+#endif
+};
+
+#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
+#define rj_key rj_u.rj_leaf.rj_Key
+#define rj_mask rj_u.rj_leaf.rj_Mask
+#define rj_off rj_u.rj_node.rj_Off
+#define rj_l rj_u.rj_node.rj_L
+#define rj_r rj_u.rj_node.rj_R
+
+/*
+ * Annotations to tree concerning potential routes applying to subtrees.
+ */
+
+extern struct radij_mask {
+	short	rm_b;			/* bit offset; -1-index(netmask) */
+	char	rm_unused;		/* cf. rj_bmask */
+	u_char	rm_flags;		/* cf. rj_flags */
+	struct	radij_mask *rm_mklist;	/* more masks to try */
+	caddr_t	rm_mask;		/* the mask */
+	int	rm_refs;		/* # of references to this struct */
+} *rj_mkfreelist;
+
+#define MKGet(m) {\
+	if (rj_mkfreelist) {\
+		m = rj_mkfreelist; \
+		rj_mkfreelist = (m)->rm_mklist; \
+	} else \
+		R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
+
+#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
+
+struct radij_node_head {
+	struct	radij_node *rnh_treetop;
+	int	rnh_addrsize;		/* permit, but not require fixed keys */
+	int	rnh_pktsize;		/* permit, but not require fixed keys */
+#if 0
+	struct	radij_node *(*rnh_addaddr)	/* add based on sockaddr */
+		__P((void *v, void *mask,
+		     struct radij_node_head *head, struct radij_node nodes[]));
+#endif
+	int (*rnh_addaddr)	/* add based on sockaddr */
+		__P((void *v, void *mask,
+		     struct radij_node_head *head, struct radij_node nodes[]));
+	struct	radij_node *(*rnh_addpkt)	/* add based on packet hdr */
+		__P((void *v, void *mask,
+		     struct radij_node_head *head, struct radij_node nodes[]));
+#if 0
+	struct	radij_node *(*rnh_deladdr)	/* remove based on sockaddr */
+		__P((void *v, void *mask, struct radij_node_head *head));
+#endif
+	int (*rnh_deladdr)	/* remove based on sockaddr */
+		__P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node));
+	struct	radij_node *(*rnh_delpkt)	/* remove based on packet hdr */
+		__P((void *v, void *mask, struct radij_node_head *head));
+	struct	radij_node *(*rnh_matchaddr)	/* locate based on sockaddr */
+		__P((void *v, struct radij_node_head *head));
+	struct	radij_node *(*rnh_matchpkt)	/* locate based on packet hdr */
+		__P((void *v, struct radij_node_head *head));
+	int	(*rnh_walktree)			/* traverse tree */
+		__P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
+	struct	radij_node rnh_nodes[3];	/* empty tree for common case */
+};
+
+
+#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
+#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
+#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n))
+#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))
+#define Free(p) kfree((caddr_t)p);
+
+void	 rj_init __P((void));
+int	 rj_inithead __P((void **, int));
+int	 rj_refines __P((void *, void *));
+int	 rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
+struct radij_node
+	 *rj_addmask __P((void *, int, int)) /* , rgb */ ;
+int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *,
+			struct radij_node [2])) /* , rgb */ ;
+int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ;
+struct radij_node /* rgb */
+	 *rj_insert __P((void *, struct radij_node_head *, int *,
+			struct radij_node [2])),
+	 *rj_match __P((void *, struct radij_node_head *)),
+	 *rj_newpair __P((void *, int, struct radij_node[2])),
+	 *rj_search __P((void *, struct radij_node *)),
+	 *rj_search_m __P((void *, struct radij_node *, void *));
+
+void rj_deltree(struct radij_node_head *);
+void rj_delnodes(struct radij_node *);
+void rj_free_mkfreelist(void);
+int radijcleartree(void);
+int radijcleanup(void);
+
+extern struct radij_node_head *mask_rjhead;
+extern int maj_keylen;
+#endif /* __KERNEL__ */
+
+#endif /* _RADIJ_H_ */
+
+
+/*
+ * $Log: radij.h,v $
+ * Revision 1.13  2004/04/05 19:55:08  mcr
+ * Moved from linux/include/freeswan/radij.h,v
+ *
+ * Revision 1.12  2002/04/24 07:36:48  mcr
+ * Moved from ./klips/net/ipsec/radij.h,v
+ *
+ * Revision 1.11  2001/09/20 15:33:00  rgb
+ * Min/max cleanup.
+ *
+ * Revision 1.10  1999/11/18 04:09:20  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.9  1999/05/05 22:02:33  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.8  1999/04/29 15:24:58  rgb
+ * Add check for existence of macros min/max.
+ *
+ * Revision 1.7  1999/04/11 00:29:02  henry
+ * GPL boilerplate
+ *
+ * Revision 1.6  1999/04/06 04:54:29  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.5  1999/01/22 06:30:32  rgb
+ * 64-bit clean-up.
+ *
+ * Revision 1.4  1998/11/30 13:22:55  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.3  1998/10/25 02:43:27  rgb
+ * Change return type on rj_addroute and rj_delete and add and argument
+ * to the latter to be able to transmit more infomation about errors.
+ *
+ * Revision 1.2  1998/07/14 18:09:51  rgb
+ * Add a routine to clear eroute table.
+ * Added #ifdef __KERNEL__ directives to restrict scope of header.
+ *
+ * Revision 1.1  1998/06/18 21:30:22  henry
+ * move sources from klips/src to klips/net/ipsec to keep stupid kernel
+ * build scripts happier about symlinks
+ *
+ * Revision 1.4  1998/05/25 20:34:16  rgb
+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
+ *
+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
+ * add ipsec_rj_walker_delete.
+ *
+ * Recover memory for eroute table on unload of module.
+ *
+ * Revision 1.3  1998/04/22 16:51:37  rgb
+ * Tidy up radij debug code from recent rash of modifications to debug code.
+ *
+ * Revision 1.2  1998/04/14 17:30:38  rgb
+ * Fix up compiling errors for radij tree memory reclamation.
+ *
+ * Revision 1.1  1998/04/09 03:06:16  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:04  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:44:45  ji
+ * Release update only.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/pfkey.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,529 @@
+/*
+ * FreeS/WAN specific PF_KEY headers
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey.h,v 1.49 2005/05/11 00:57:29 mcr Exp $
+ */
+
+#ifndef __NET_IPSEC_PF_KEY_H
+#define __NET_IPSEC_PF_KEY_H
+#ifdef __KERNEL__
+extern struct proto_ops pfkey_proto_ops;
+typedef struct sock pfkey_sock;
+extern int debug_pfkey;
+
+extern /* void */ int pfkey_init(void);
+extern /* void */ int pfkey_cleanup(void);
+
+struct socket_list
+{
+	struct socket *socketp;
+	struct socket_list *next;
+};
+extern int pfkey_list_insert_socket(struct socket*, struct socket_list**);
+extern int pfkey_list_remove_socket(struct socket*, struct socket_list**);
+extern struct socket_list *pfkey_open_sockets;
+extern struct socket_list *pfkey_registered_sockets[];
+
+struct ipsec_alg_supported
+{
+	uint16_t ias_exttype;
+	uint8_t  ias_id;
+	uint8_t  ias_ivlen;
+	uint16_t ias_keyminbits;
+	uint16_t ias_keymaxbits;
+        char    *ias_name;
+};
+
+extern struct supported_list *pfkey_supported_list[];
+struct supported_list
+{
+	struct ipsec_alg_supported *supportedp;
+	struct supported_list *next;
+};
+extern int pfkey_list_insert_supported(struct ipsec_alg_supported*, struct supported_list**);
+extern int pfkey_list_remove_supported(struct ipsec_alg_supported*, struct supported_list**);
+
+struct sockaddr_key
+{
+	uint16_t	key_family;	/* PF_KEY */
+	uint16_t	key_pad;	/* not used */
+	uint32_t	key_pid;	/* process ID */
+};
+
+struct pfkey_extracted_data
+{
+	struct ipsec_sa* ips;
+	struct ipsec_sa* ips2;
+	struct eroute *eroute;
+};
+
+/* forward reference */
+struct sadb_ext;
+struct sadb_msg;
+struct sockaddr;
+struct sadb_comb;
+struct sadb_sadb;
+struct sadb_alg;
+
+extern int
+pfkey_alloc_eroute(struct eroute** eroute);
+
+extern int
+pfkey_sa_process(struct sadb_ext *pfkey_ext,
+		 struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_lifetime_process(struct sadb_ext *pfkey_ext,
+		       struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_address_process(struct sadb_ext *pfkey_ext,
+		      struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_key_process(struct sadb_ext *pfkey_ext,
+		  struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_ident_process(struct sadb_ext *pfkey_ext,
+		    struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_sens_process(struct sadb_ext *pfkey_ext,
+		   struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_prop_process(struct sadb_ext *pfkey_ext,
+		   struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_supported_process(struct sadb_ext *pfkey_ext,
+			struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_spirange_process(struct sadb_ext *pfkey_ext,
+		       struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext,
+			  struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_x_satype_process(struct sadb_ext *pfkey_ext,
+		       struct pfkey_extracted_data* extr);
+
+extern int
+pfkey_x_debug_process(struct sadb_ext *pfkey_ext,
+		      struct pfkey_extracted_data* extr);
+
+extern int pfkey_upmsg(struct socket *, struct sadb_msg *);
+extern int pfkey_expire(struct ipsec_sa *, int);
+extern int pfkey_acquire(struct ipsec_sa *);
+#else /* ! __KERNEL__ */
+
+extern void (*pfkey_debug_func)(const char *message, ...);
+extern void (*pfkey_error_func)(const char *message, ...);
+extern void pfkey_print(struct sadb_msg *msg, FILE *out);
+
+
+#endif /* __KERNEL__ */
+
+extern uint8_t satype2proto(uint8_t satype);
+extern uint8_t proto2satype(uint8_t proto);
+extern char* satype2name(uint8_t satype);
+extern char* proto2name(uint8_t proto);
+
+struct key_opt
+{
+	uint32_t	key_pid;	/* process ID */
+	struct sock	*sk;
+};
+
+#define key_pid(sk) ((struct key_opt*)&((sk)->sk_protinfo))->key_pid
+
+/* XXX-mcr this is not an alignment, this is because the count is in 64-bit
+ * words.
+ */
+#define IPSEC_PFKEYv2_ALIGN (sizeof(uint64_t)/sizeof(uint8_t))
+#define BITS_PER_OCTET 8
+#define OCTETBITS 8
+#define PFKEYBITS 64
+#define DIVUP(x,y) ((x + y -1) / y) /* divide, rounding upwards */
+#define ALIGN_N(x,y) (DIVUP(x,y) * y) /* align on y boundary */
+
+#define IPSEC_PFKEYv2_LEN(x)   ((x) * IPSEC_PFKEYv2_ALIGN)
+#define IPSEC_PFKEYv2_WORDS(x) ((x) / IPSEC_PFKEYv2_ALIGN)
+
+
+#define PFKEYv2_MAX_MSGSIZE 4096
+
+/*
+ * PF_KEYv2 permitted and required extensions in and out bitmaps
+ */
+struct pf_key_ext_parsers_def {
+	int  (*parser)(struct sadb_ext*);
+	char  *parser_name;
+};
+
+
+#define SADB_EXTENSIONS_MAX 31
+extern unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_EXTENSIONS_MAX];
+#define EXT_BITS_IN 0
+#define EXT_BITS_OUT 1
+#define EXT_BITS_PERM 0
+#define EXT_BITS_REQ 1
+
+extern void pfkey_extensions_init(struct sadb_ext *extensions[]);
+extern void pfkey_extensions_free(struct sadb_ext *extensions[]);
+extern void pfkey_msg_free(struct sadb_msg **pfkey_msg);
+
+extern int pfkey_msg_parse(struct sadb_msg *pfkey_msg,
+			   struct pf_key_ext_parsers_def *ext_parsers[],
+			   struct sadb_ext **extensions,
+			   int dir);
+
+extern int pfkey_register_reply(int satype, struct sadb_msg *sadb_msg);
+
+/*
+ * PF_KEYv2 build function prototypes
+ */
+
+int
+pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
+		    uint8_t		msg_type,
+		    uint8_t		satype,
+		    uint8_t		msg_errno,
+		    uint32_t		seq,
+		    uint32_t		pid);
+
+int
+pfkey_sa_ref_build(struct sadb_ext **	pfkey_ext,
+	       uint16_t			exttype,
+	       uint32_t			spi, /* in network order */
+	       uint8_t			replay_window,
+	       uint8_t			sa_state,
+	       uint8_t			auth,
+	       uint8_t			encrypt,
+	       uint32_t			flags,
+	       uint32_t/*IPsecSAref_t*/	ref);
+
+int
+pfkey_sa_build(struct sadb_ext **	pfkey_ext,
+	       uint16_t			exttype,
+	       uint32_t			spi, /* in network order */
+	       uint8_t			replay_window,
+	       uint8_t			sa_state,
+	       uint8_t			auth,
+	       uint8_t			encrypt,
+	       uint32_t			flags);
+
+int
+pfkey_lifetime_build(struct sadb_ext **	pfkey_ext,
+		     uint16_t		exttype,
+		     uint32_t		allocations,
+		     uint64_t		bytes,
+		     uint64_t		addtime,
+		     uint64_t		usetime,
+		     uint32_t		packets);
+
+int
+pfkey_address_build(struct sadb_ext**	pfkey_ext,
+		    uint16_t		exttype,
+		    uint8_t		proto,
+		    uint8_t		prefixlen,
+		    struct sockaddr*	address);
+
+int
+pfkey_key_build(struct sadb_ext**	pfkey_ext,
+		uint16_t		exttype,
+		uint16_t		key_bits,
+		char*			key);
+
+int
+pfkey_ident_build(struct sadb_ext**	pfkey_ext,
+		  uint16_t		exttype,
+		  uint16_t		ident_type,
+		  uint64_t		ident_id,
+		  uint8_t               ident_len,
+		  char*			ident_string);
+
+#ifdef __KERNEL__
+extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16);
+extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
+extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
+#endif /* __KERNEL__ */
+int
+pfkey_x_nat_t_type_build(struct sadb_ext**  pfkey_ext,
+            uint8_t         type);
+int
+pfkey_x_nat_t_port_build(struct sadb_ext**  pfkey_ext,
+            uint16_t         exttype,
+            uint16_t         port);
+
+int
+pfkey_sens_build(struct sadb_ext**	pfkey_ext,
+		 uint32_t		dpd,
+		 uint8_t		sens_level,
+		 uint8_t		sens_len,
+		 uint64_t*		sens_bitmap,
+		 uint8_t		integ_level,
+		 uint8_t		integ_len,
+		 uint64_t*		integ_bitmap);
+
+int pfkey_x_protocol_build(struct sadb_ext **, uint8_t);
+
+
+int
+pfkey_prop_build(struct sadb_ext**	pfkey_ext,
+		 uint8_t		replay,
+		 unsigned int		comb_num,
+		 struct sadb_comb*	comb);
+
+int
+pfkey_supported_build(struct sadb_ext**	pfkey_ext,
+		      uint16_t		exttype,
+		      unsigned int	alg_num,
+		      struct sadb_alg*	alg);
+
+int
+pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
+		     uint16_t		exttype,
+		     uint32_t		min,
+		     uint32_t		max);
+
+int
+pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext);
+
+int
+pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
+		     uint8_t		satype);
+
+int
+pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
+		    uint32_t            tunnel,
+		    uint32_t		netlink,
+		    uint32_t		xform,
+		    uint32_t		eroute,
+		    uint32_t		spi,
+		    uint32_t		radij,
+		    uint32_t		esp,
+		    uint32_t		ah,
+		    uint32_t		rcv,
+		    uint32_t            pfkey,
+		    uint32_t            ipcomp,
+		    uint32_t            verbose);
+
+int
+pfkey_msg_build(struct sadb_msg**	pfkey_msg,
+		struct sadb_ext*	extensions[],
+		int			dir);
+
+/* in pfkey_v2_debug.c - routines to decode numbers -> strings */
+const char *
+pfkey_v2_sadb_ext_string(int extnum);
+
+const char *
+pfkey_v2_sadb_type_string(int sadb_type);
+
+
+#endif /* __NET_IPSEC_PF_KEY_H */
+
+/*
+ * $Log: pfkey.h,v $
+ * Revision 1.49  2005/05/11 00:57:29  mcr
+ * 	rename struct supported -> struct ipsec_alg_supported.
+ * 	make pfkey.h more standalone.
+ *
+ * Revision 1.48  2005/05/01 03:12:50  mcr
+ * 	include name of algorithm in datastructure.
+ *
+ * Revision 1.47  2004/08/21 00:44:14  mcr
+ * 	simplify definition of nat_t related prototypes.
+ *
+ * Revision 1.46  2004/08/04 16:27:22  mcr
+ * 	2.6 sk_ options.
+ *
+ * Revision 1.45  2004/04/06 02:49:00  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.44  2003/12/10 01:20:01  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.43  2003/10/31 02:26:44  mcr
+ * 	pulled up port-selector patches.
+ *
+ * Revision 1.42.2.2  2003/10/29 01:09:32  mcr
+ * 	added debugging for pfkey library.
+ *
+ * Revision 1.42.2.1  2003/09/21 13:59:34  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.42  2003/08/25 22:08:19  mcr
+ * 	removed pfkey_proto_init() from pfkey.h for 2.6 support.
+ *
+ * Revision 1.41  2003/05/07 17:28:57  mcr
+ * 	new function pfkey_debug_func added for us in debugging from
+
+ * 	pfkey library.
+ *
+ * Revision 1.40  2003/01/30 02:31:34  rgb
+ *
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ *
+ * Revision 1.39  2002/09/20 15:40:21  rgb
+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
+ * Added ref parameter to pfkey_sa_build().
+ * Cleaned out unused cruft.
+ *
+ * Revision 1.38  2002/05/14 02:37:24  rgb
+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
+ * ipsec_sa or ipsec_sa.
+ * Added function prototypes for the functions moved to
+ * pfkey_v2_ext_process.c.
+ *
+ * Revision 1.37  2002/04/24 07:36:49  mcr
+ * Moved from ./lib/pfkey.h,v
+ *
+ * Revision 1.36  2002/01/20 20:34:49  mcr
+ * 	added pfkey_v2_sadb_type_string to decode sadb_type to string.
+ *
+ * Revision 1.35  2001/11/27 05:27:47  mcr
+ * 	pfkey parses are now maintained by a structure
+ * 	that includes their name for debug purposes.
+ *
+ * Revision 1.34  2001/11/26 09:23:53  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.33  2001/11/06 19:47:47  rgb
+ * Added packet parameter to lifetime and comb structures.
+ *
+ * Revision 1.32  2001/09/08 21:13:34  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.31  2001/06/14 19:35:16  rgb
+ * Update copyright date.
+ *
+ * Revision 1.30  2001/02/27 07:04:52  rgb
+ * Added satype2name prototype.
+ *
+ * Revision 1.29  2001/02/26 19:59:33  rgb
+ * Ditch unused sadb_satype2proto[], replaced by satype2proto().
+ *
+ * Revision 1.28  2000/10/10 20:10:19  rgb
+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
+ *
+ * Revision 1.27  2000/09/21 04:20:45  rgb
+ * Fixed array size off-by-one error.  (Thanks Svenning!)
+ *
+ * Revision 1.26  2000/09/12 03:26:05  rgb
+ * Added pfkey_acquire prototype.
+ *
+ * Revision 1.25  2000/09/08 19:21:28  rgb
+ * Fix pfkey_prop_build() parameter to be only single indirection.
+ *
+ * Revision 1.24  2000/09/01 18:46:42  rgb
+ * Added a supported algorithms array lists, one per satype and registered
+ * existing algorithms.
+ * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
+ * list.
+ *
+ * Revision 1.23  2000/08/27 01:55:26  rgb
+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
+ *
+ * Revision 1.22  2000/08/20 21:39:23  rgb
+ * Added kernel prototypes for kernel funcitions pfkey_upmsg() and
+ * pfkey_expire().
+ *
+ * Revision 1.21  2000/08/15 17:29:23  rgb
+ * Fixes from SZI to untested pfkey_prop_build().
+ *
+ * Revision 1.20  2000/05/10 20:14:19  rgb
+ * Fleshed out sensitivity, proposal and supported extensions.
+ *
+ * Revision 1.19  2000/03/16 14:07:23  rgb
+ * Renamed ALIGN macro to avoid fighting with others in kernel.
+ *
+ * Revision 1.18  2000/01/22 23:24:06  rgb
+ * Added prototypes for proto2satype(), satype2proto() and proto2name().
+ *
+ * Revision 1.17  2000/01/21 06:26:59  rgb
+ * Converted from double tdb arguments to one structure (extr)
+ * containing pointers to all temporary information structures.
+ * Added klipsdebug switching capability.
+ * Dropped unused argument to pfkey_x_satype_build().
+ *
+ * Revision 1.16  1999/12/29 21:17:41  rgb
+ * Changed pfkey_msg_build() I/F to include a struct sadb_msg**
+ * parameter for cleaner manipulation of extensions[] and to guard
+ * against potential memory leaks.
+ * Changed the I/F to pfkey_msg_free() for the same reason.
+ *
+ * Revision 1.15  1999/12/09 23:12:54  rgb
+ * Added macro for BITS_PER_OCTET.
+ * Added argument to pfkey_sa_build() to do eroutes.
+ *
+ * Revision 1.14  1999/12/08 20:33:25  rgb
+ * Changed sa_family_t to uint16_t for 2.0.xx compatibility.
+ *
+ * Revision 1.13  1999/12/07 19:53:40  rgb
+ * Removed unused first argument from extension parsers.
+ * Changed __u* types to uint* to avoid use of asm/types.h and
+ * sys/types.h in userspace code.
+ * Added function prototypes for pfkey message and extensions
+ * initialisation and cleanup.
+ *
+ * Revision 1.12  1999/12/01 22:19:38  rgb
+ * Change pfkey_sa_build to accept an SPI in network byte order.
+ *
+ * Revision 1.11  1999/11/27 11:55:26  rgb
+ * Added extern sadb_satype2proto to enable moving protocol lookup table
+ * to lib/pfkey_v2_parse.c.
+ * Delete unused, moved typedefs.
+ * Add argument to pfkey_msg_parse() for direction.
+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
+ *
+ * Revision 1.10  1999/11/23 22:29:21  rgb
+ * This file has been moved in the distribution from klips/net/ipsec to
+ * lib.
+ * Add macros for dealing with alignment and rounding up more opaquely.
+ * The uint<n>_t type defines have been moved to freeswan.h to avoid
+ * chicken-and-egg problems.
+ * Add macros for dealing with alignment and rounding up more opaque.
+ * Added prototypes for using extention header bitmaps.
+ * Added prototypes of all the build functions.
+ *
+ * Revision 1.9  1999/11/20 21:59:48  rgb
+ * Moved socketlist type declarations and prototypes for shared use.
+ * Slightly modified scope of sockaddr_key declaration.
+ *
+ * Revision 1.8  1999/11/17 14:34:25  rgb
+ * Protect sa_family_t from being used in userspace with GLIBC<2.
+ *
+ * Revision 1.7  1999/10/27 19:40:35  rgb
+ * Add a maximum PFKEY packet size macro.
+ *
+ * Revision 1.6  1999/10/26 16:58:58  rgb
+ * Created a sockaddr_key and key_opt socket extension structures.
+ *
+ * Revision 1.5  1999/06/10 05:24:41  rgb
+ * Renamed variables to reduce confusion.
+ *
+ * Revision 1.4  1999/04/29 15:21:11  rgb
+ * Add pfkey support to debugging.
+ * Add return values to init and cleanup functions.
+ *
+ * Revision 1.3  1999/04/15 17:58:07  rgb
+ * Add RCSID labels.
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/pfkeyv2.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,472 @@
+/*
+ * RCSID $Id: pfkeyv2.h,v 1.31 2005/04/14 01:14:54 mcr Exp $
+ */
+
+/*
+RFC 2367               PF_KEY Key Management API               July 1998
+
+
+Appendix D: Sample Header File
+
+This file defines structures and symbols for the PF_KEY Version 2
+key management interface. It was written at the U.S. Naval Research
+Laboratory. This file is in the public domain. The authors ask that
+you leave this credit intact on any copies of this file.
+*/
+#ifndef __PFKEY_V2_H
+#define __PFKEY_V2_H 1
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION        199806L
+
+#define SADB_RESERVED    0
+#define SADB_GETSPI      1
+#define SADB_UPDATE      2
+#define SADB_ADD         3
+#define SADB_DELETE      4
+#define SADB_GET         5
+#define SADB_ACQUIRE     6
+#define SADB_REGISTER    7
+#define SADB_EXPIRE      8
+#define SADB_FLUSH       9
+#define SADB_DUMP       10
+#define SADB_X_PROMISC  11
+#define SADB_X_PCHANGE  12
+#define SADB_X_GRPSA    13
+#define SADB_X_ADDFLOW	14
+#define SADB_X_DELFLOW	15
+#define SADB_X_DEBUG	16
+#define SADB_X_NAT_T_NEW_MAPPING  17
+#define SADB_MAX                  17
+
+struct sadb_msg {
+  uint8_t sadb_msg_version;
+  uint8_t sadb_msg_type;
+  uint8_t sadb_msg_errno;
+  uint8_t sadb_msg_satype;
+  uint16_t sadb_msg_len;
+  uint16_t sadb_msg_reserved;
+  uint32_t sadb_msg_seq;
+  uint32_t sadb_msg_pid;
+};
+
+struct sadb_ext {
+  uint16_t sadb_ext_len;
+  uint16_t sadb_ext_type;
+};
+
+struct sadb_sa {
+  uint16_t sadb_sa_len;
+  uint16_t sadb_sa_exttype;
+  uint32_t sadb_sa_spi;
+  uint8_t sadb_sa_replay;
+  uint8_t sadb_sa_state;
+  uint8_t sadb_sa_auth;
+  uint8_t sadb_sa_encrypt;
+  uint32_t sadb_sa_flags;
+  uint32_t /*IPsecSAref_t*/ sadb_x_sa_ref; /* 32 bits */
+  uint8_t sadb_x_reserved[4];
+};
+
+struct sadb_sa_v1 {
+  uint16_t sadb_sa_len;
+  uint16_t sadb_sa_exttype;
+  uint32_t sadb_sa_spi;
+  uint8_t sadb_sa_replay;
+  uint8_t sadb_sa_state;
+  uint8_t sadb_sa_auth;
+  uint8_t sadb_sa_encrypt;
+  uint32_t sadb_sa_flags;
+};
+
+struct sadb_lifetime {
+  uint16_t sadb_lifetime_len;
+  uint16_t sadb_lifetime_exttype;
+  uint32_t sadb_lifetime_allocations;
+  uint64_t sadb_lifetime_bytes;
+  uint64_t sadb_lifetime_addtime;
+  uint64_t sadb_lifetime_usetime;
+  uint32_t sadb_x_lifetime_packets;
+  uint32_t sadb_x_lifetime_reserved;
+};
+
+struct sadb_address {
+  uint16_t sadb_address_len;
+  uint16_t sadb_address_exttype;
+  uint8_t sadb_address_proto;
+  uint8_t sadb_address_prefixlen;
+  uint16_t sadb_address_reserved;
+};
+
+struct sadb_key {
+  uint16_t sadb_key_len;
+  uint16_t sadb_key_exttype;
+  uint16_t sadb_key_bits;
+  uint16_t sadb_key_reserved;
+};
+
+struct sadb_ident {
+  uint16_t sadb_ident_len;
+  uint16_t sadb_ident_exttype;
+  uint16_t sadb_ident_type;
+  uint16_t sadb_ident_reserved;
+  uint64_t sadb_ident_id;
+};
+
+struct sadb_sens {
+  uint16_t sadb_sens_len;
+  uint16_t sadb_sens_exttype;
+  uint32_t sadb_sens_dpd;
+  uint8_t sadb_sens_sens_level;
+  uint8_t sadb_sens_sens_len;
+  uint8_t sadb_sens_integ_level;
+  uint8_t sadb_sens_integ_len;
+  uint32_t sadb_sens_reserved;
+};
+
+struct sadb_prop {
+  uint16_t sadb_prop_len;
+  uint16_t sadb_prop_exttype;
+  uint8_t sadb_prop_replay;
+  uint8_t sadb_prop_reserved[3];
+};
+
+struct sadb_comb {
+  uint8_t sadb_comb_auth;
+  uint8_t sadb_comb_encrypt;
+  uint16_t sadb_comb_flags;
+  uint16_t sadb_comb_auth_minbits;
+  uint16_t sadb_comb_auth_maxbits;
+  uint16_t sadb_comb_encrypt_minbits;
+  uint16_t sadb_comb_encrypt_maxbits;
+  uint32_t sadb_comb_reserved;
+  uint32_t sadb_comb_soft_allocations;
+  uint32_t sadb_comb_hard_allocations;
+  uint64_t sadb_comb_soft_bytes;
+  uint64_t sadb_comb_hard_bytes;
+  uint64_t sadb_comb_soft_addtime;
+  uint64_t sadb_comb_hard_addtime;
+  uint64_t sadb_comb_soft_usetime;
+  uint64_t sadb_comb_hard_usetime;
+  uint32_t sadb_x_comb_soft_packets;
+  uint32_t sadb_x_comb_hard_packets;
+};
+
+struct sadb_supported {
+  uint16_t sadb_supported_len;
+  uint16_t sadb_supported_exttype;
+  uint32_t sadb_supported_reserved;
+};
+
+struct sadb_alg {
+  uint8_t sadb_alg_id;
+  uint8_t sadb_alg_ivlen;
+  uint16_t sadb_alg_minbits;
+  uint16_t sadb_alg_maxbits;
+  uint16_t sadb_alg_reserved;
+};
+
+struct sadb_spirange {
+  uint16_t sadb_spirange_len;
+  uint16_t sadb_spirange_exttype;
+  uint32_t sadb_spirange_min;
+  uint32_t sadb_spirange_max;
+  uint32_t sadb_spirange_reserved;
+};
+
+struct sadb_x_kmprivate {
+  uint16_t sadb_x_kmprivate_len;
+  uint16_t sadb_x_kmprivate_exttype;
+  uint32_t sadb_x_kmprivate_reserved;
+};
+
+struct sadb_x_satype {
+  uint16_t sadb_x_satype_len;
+  uint16_t sadb_x_satype_exttype;
+  uint8_t sadb_x_satype_satype;
+  uint8_t sadb_x_satype_reserved[3];
+};
+  
+struct sadb_x_policy {
+  uint16_t sadb_x_policy_len;
+  uint16_t sadb_x_policy_exttype;
+  uint16_t sadb_x_policy_type;
+  uint8_t sadb_x_policy_dir;
+  uint8_t sadb_x_policy_reserved;
+  uint32_t sadb_x_policy_id;
+  uint32_t sadb_x_policy_reserved2;
+};
+ 
+struct sadb_x_debug {
+  uint16_t sadb_x_debug_len;
+  uint16_t sadb_x_debug_exttype;
+  uint32_t sadb_x_debug_tunnel;
+  uint32_t sadb_x_debug_netlink;
+  uint32_t sadb_x_debug_xform;
+  uint32_t sadb_x_debug_eroute;
+  uint32_t sadb_x_debug_spi;
+  uint32_t sadb_x_debug_radij;
+  uint32_t sadb_x_debug_esp;
+  uint32_t sadb_x_debug_ah;
+  uint32_t sadb_x_debug_rcv;
+  uint32_t sadb_x_debug_pfkey;
+  uint32_t sadb_x_debug_ipcomp;
+  uint32_t sadb_x_debug_verbose;
+  uint8_t sadb_x_debug_reserved[4];
+};
+
+struct sadb_x_nat_t_type {
+  uint16_t sadb_x_nat_t_type_len;
+  uint16_t sadb_x_nat_t_type_exttype;
+  uint8_t sadb_x_nat_t_type_type;
+  uint8_t sadb_x_nat_t_type_reserved[3];
+};
+struct sadb_x_nat_t_port {
+  uint16_t sadb_x_nat_t_port_len;
+  uint16_t sadb_x_nat_t_port_exttype;
+  uint16_t sadb_x_nat_t_port_port;
+  uint16_t sadb_x_nat_t_port_reserved;
+};
+
+/*
+ * A protocol structure for passing through the transport level
+ * protocol.  It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
+ * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
+ */
+struct sadb_protocol {
+  uint16_t sadb_protocol_len;
+  uint16_t sadb_protocol_exttype;
+  uint8_t  sadb_protocol_proto;
+  uint8_t  sadb_protocol_direction;
+  uint8_t  sadb_protocol_flags;
+  uint8_t  sadb_protocol_reserved2;
+};
+
+#define SADB_EXT_RESERVED             0
+#define SADB_EXT_SA                   1
+#define SADB_EXT_LIFETIME_CURRENT     2
+#define SADB_EXT_LIFETIME_HARD        3
+#define SADB_EXT_LIFETIME_SOFT        4
+#define SADB_EXT_ADDRESS_SRC          5
+#define SADB_EXT_ADDRESS_DST          6
+#define SADB_EXT_ADDRESS_PROXY        7
+#define SADB_EXT_KEY_AUTH             8
+#define SADB_EXT_KEY_ENCRYPT          9
+#define SADB_EXT_IDENTITY_SRC         10
+#define SADB_EXT_IDENTITY_DST         11
+#define SADB_EXT_SENSITIVITY          12
+#define SADB_EXT_PROPOSAL             13
+#define SADB_EXT_SUPPORTED_AUTH       14
+#define SADB_EXT_SUPPORTED_ENCRYPT    15
+#define SADB_EXT_SPIRANGE             16
+#define SADB_X_EXT_KMPRIVATE          17
+#define SADB_X_EXT_SATYPE2            18
+#ifdef KERNEL26_HAS_KAME_DUPLICATES
+#define SADB_X_EXT_POLICY             18
+#endif
+#define SADB_X_EXT_SA2                19
+#define SADB_X_EXT_ADDRESS_DST2       20
+#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
+#define SADB_X_EXT_ADDRESS_DST_FLOW   22
+#define SADB_X_EXT_ADDRESS_SRC_MASK   23
+#define SADB_X_EXT_ADDRESS_DST_MASK   24
+#define SADB_X_EXT_DEBUG              25
+#define SADB_X_EXT_PROTOCOL           26
+#define SADB_X_EXT_NAT_T_TYPE         27
+#define SADB_X_EXT_NAT_T_SPORT        28
+#define SADB_X_EXT_NAT_T_DPORT        29
+#define SADB_X_EXT_NAT_T_OA           30
+#define SADB_EXT_MAX                  30
+
+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
+#define SADB_X_EXT_ADDRESS_DELFLOW \
+	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
+	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
+	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC    0
+#define SADB_SATYPE_AH        2
+#define SADB_SATYPE_ESP       3
+#define SADB_SATYPE_RSVP      5
+#define SADB_SATYPE_OSPFV2    6
+#define SADB_SATYPE_RIPV2     7
+#define SADB_SATYPE_MIP       8
+#define SADB_X_SATYPE_IPIP    9
+#ifdef KERNEL26_HAS_KAME_DUPLICATES
+#define SADB_X_SATYPE_IPCOMP  9   /* ICK! */
+#endif
+#define SADB_X_SATYPE_COMP    10
+#define SADB_X_SATYPE_INT     11
+#define SADB_SATYPE_MAX       11
+
+enum sadb_sastate {
+  SADB_SASTATE_LARVAL=0,
+  SADB_SASTATE_MATURE=1,
+  SADB_SASTATE_DYING=2,
+  SADB_SASTATE_DEAD=3
+};
+#define SADB_SASTATE_MAX 3
+
+#define SADB_SAFLAGS_PFS		1
+#define SADB_X_SAFLAGS_REPLACEFLOW	2
+#define SADB_X_SAFLAGS_CLEARFLOW	4
+#define SADB_X_SAFLAGS_INFLOW		8
+
+/* not obvious, but these are the same values as used in isakmp,
+ * and in freeswan/ipsec_policy.h. If you need to add any, they
+ * should be added as according to 
+ *   http://www.iana.org/assignments/isakmp-registry
+ * 
+ * and if not, then please try to use a private-use value, and
+ * consider asking IANA to assign a value.
+ */
+#define SADB_AALG_NONE                  0
+#define SADB_AALG_MD5HMAC               2
+#define SADB_AALG_SHA1HMAC              3
+#define SADB_X_AALG_SHA2_256HMAC	5
+#define SADB_X_AALG_SHA2_384HMAC	6
+#define SADB_X_AALG_SHA2_512HMAC	7
+#define SADB_X_AALG_RIPEMD160HMAC	8
+#define SADB_X_AALG_NULL		251	/* kame */
+#define SADB_AALG_MAX			251
+
+#define SADB_EALG_NONE                  0
+#define SADB_EALG_DESCBC                2
+#define SADB_EALG_3DESCBC               3
+#define SADB_X_EALG_CASTCBC		6
+#define SADB_X_EALG_BLOWFISHCBC		7
+#define SADB_EALG_NULL			11
+#define SADB_X_EALG_AESCBC		12
+#define SADB_EALG_MAX			255
+
+#define SADB_X_CALG_NONE          0
+#define SADB_X_CALG_OUI           1
+#define SADB_X_CALG_DEFLATE       2
+#define SADB_X_CALG_LZS           3
+#define SADB_X_CALG_V42BIS        4
+#ifdef KERNEL26_HAS_KAME_DUPLICATES
+#define SADB_X_CALG_LZJH          4
+#endif
+#define SADB_X_CALG_MAX           4
+
+#define SADB_X_TALG_NONE          0
+#define SADB_X_TALG_IPv4_in_IPv4  1
+#define SADB_X_TALG_IPv6_in_IPv4  2
+#define SADB_X_TALG_IPv4_in_IPv6  3
+#define SADB_X_TALG_IPv6_in_IPv6  4
+#define SADB_X_TALG_MAX           4
+
+
+#define SADB_IDENTTYPE_RESERVED   0
+#define SADB_IDENTTYPE_PREFIX     1
+#define SADB_IDENTTYPE_FQDN       2
+#define SADB_IDENTTYPE_USERFQDN   3
+#define SADB_X_IDENTTYPE_CONNECTION 4
+#define SADB_IDENTTYPE_MAX        4
+
+#define SADB_KEY_FLAGS_MAX     0
+#endif /* __PFKEY_V2_H */
+
+/*
+ * $Log: pfkeyv2.h,v $
+ * Revision 1.31  2005/04/14 01:14:54  mcr
+ * 	change sadb_state to an enum.
+ *
+ * Revision 1.30  2004/04/06 02:49:00  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.29  2003/12/22 21:35:58  mcr
+ * 	new patches from Dr{Who}.
+ *
+ * Revision 1.28  2003/12/22 19:33:15  mcr
+ * 	added 0.6c NAT-T patch.
+ *
+ * Revision 1.27  2003/12/10 01:20:01  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.26  2003/10/31 02:26:44  mcr
+ * 	pulled up port-selector patches.
+ *
+ * Revision 1.25.4.1  2003/09/21 13:59:34  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.25  2003/07/31 23:59:17  mcr
+ * 	re-introduce kernel 2.6 duplicate values for now.
+ * 	hope to get them changed!
+ *
+ * Revision 1.24  2003/07/31 22:55:27  mcr
+ * 	added some definitions to keep pfkeyv2.h files in sync.
+ *
+ * Revision 1.23  2003/05/11 00:43:48  mcr
+ * 	added comment about origin of values used
+ *
+ * Revision 1.22  2003/01/30 02:31:34  rgb
+ *
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ *
+ * Revision 1.21  2002/12/16 19:26:49  mcr
+ * 	added definition of FS 1.xx sadb structure
+ *
+ * Revision 1.20  2002/09/20 15:40:25  rgb
+ * Added sadb_x_sa_ref to struct sadb_sa.
+ *
+ * Revision 1.19  2002/04/24 07:36:49  mcr
+ * Moved from ./lib/pfkeyv2.h,v
+ *
+ * Revision 1.18  2001/11/06 19:47:47  rgb
+ * Added packet parameter to lifetime and comb structures.
+ *
+ * Revision 1.17  2001/09/08 21:13:35  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.16  2001/07/06 19:49:46  rgb
+ * Added SADB_X_SAFLAGS_INFLOW for supporting incoming policy checks.
+ *
+ * Revision 1.15  2001/02/26 20:00:43  rgb
+ * Added internal IP protocol 61 for magic SAs.
+ *
+ * Revision 1.14  2001/02/08 18:51:05  rgb
+ * Include RFC document title and appendix subsection title.
+ *
+ * Revision 1.13  2000/10/10 20:10:20  rgb
+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
+ *
+ * Revision 1.12  2000/09/15 06:41:50  rgb
+ * Added V42BIS constant.
+ *
+ * Revision 1.11  2000/09/12 22:35:37  rgb
+ * Restructured to remove unused extensions from CLEARFLOW messages.
+ *
+ * Revision 1.10  2000/09/12 18:50:09  rgb
+ * Added IPIP tunnel types as algo support.
+ *
+ * Revision 1.9  2000/08/21 16:47:19  rgb
+ * Added SADB_X_CALG_* macros for IPCOMP.
+ *
+ * Revision 1.8  2000/08/09 20:43:34  rgb
+ * Fixed bitmask value for SADB_X_SAFLAGS_CLEAREROUTE.
+ *
+ * Revision 1.7  2000/01/21 06:28:37  rgb
+ * Added flow add/delete message type macros.
+ * Added flow address extension type macros.
+ * Tidied up spacing.
+ * Added klipsdebug switching capability.
+ *
+ * Revision 1.6  1999/11/27 11:56:08  rgb
+ * Add SADB_X_SATYPE_COMP for compression, eventually.
+ *
+ * Revision 1.5  1999/11/23 22:23:16  rgb
+ * This file has been moved in the distribution from klips/net/ipsec to
+ * lib.
+ *
+ * Revision 1.4  1999/04/29 15:23:29  rgb
+ * Add GRPSA support.
+ * Add support for a second SATYPE, SA and DST_ADDRESS.
+ * Add IPPROTO_IPIP support.
+ *
+ * Revision 1.3  1999/04/15 17:58:08  rgb
+ * Add RCSID labels.
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/zlib/zconf.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,309 @@
+/* zconf.h -- configuration of the zlib compression library
+ * Copyright (C) 1995-2002 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* @(#) $Id: zconf.h,v 1.4 2004/07/10 07:48:40 mcr Exp $ */
+
+#ifndef _ZCONF_H
+#define _ZCONF_H
+
+/*
+ * If you *really* need a unique prefix for all types and library functions,
+ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ */
+#ifdef IPCOMP_PREFIX
+#  define deflateInit_	ipcomp_deflateInit_
+#  define deflate	ipcomp_deflate
+#  define deflateEnd	ipcomp_deflateEnd
+#  define inflateInit_ 	ipcomp_inflateInit_
+#  define inflate	ipcomp_inflate
+#  define inflateEnd	ipcomp_inflateEnd
+#  define deflateInit2_	ipcomp_deflateInit2_
+#  define deflateSetDictionary ipcomp_deflateSetDictionary
+#  define deflateCopy	ipcomp_deflateCopy
+#  define deflateReset	ipcomp_deflateReset
+#  define deflateParams	ipcomp_deflateParams
+#  define inflateInit2_	ipcomp_inflateInit2_
+#  define inflateSetDictionary ipcomp_inflateSetDictionary
+#  define inflateSync	ipcomp_inflateSync
+#  define inflateSyncPoint ipcomp_inflateSyncPoint
+#  define inflateReset	ipcomp_inflateReset
+#  define compress	ipcomp_compress
+#  define compress2	ipcomp_compress2
+#  define uncompress	ipcomp_uncompress
+#  define adler32	ipcomp_adler32
+#  define crc32		ipcomp_crc32
+#  define get_crc_table ipcomp_get_crc_table
+/* SSS: these also need to be prefixed to avoid clash with ppp_deflate and ext2compression */
+#  define inflate_blocks ipcomp_deflate_blocks
+#  define inflate_blocks_free ipcomp_deflate_blocks_free
+#  define inflate_blocks_new ipcomp_inflate_blocks_new
+#  define inflate_blocks_reset ipcomp_inflate_blocks_reset
+#  define inflate_blocks_sync_point ipcomp_inflate_blocks_sync_point
+#  define inflate_set_dictionary ipcomp_inflate_set_dictionary
+#  define inflate_codes ipcomp_inflate_codes
+#  define inflate_codes_free ipcomp_inflate_codes_free
+#  define inflate_codes_new ipcomp_inflate_codes_new
+#  define inflate_fast ipcomp_inflate_fast
+#  define inflate_trees_bits ipcomp_inflate_trees_bits
+#  define inflate_trees_dynamic ipcomp_inflate_trees_dynamic
+#  define inflate_trees_fixed ipcomp_inflate_trees_fixed
+#  define inflate_flush ipcomp_inflate_flush
+#  define inflate_mask ipcomp_inflate_mask
+#  define _dist_code _ipcomp_dist_code
+#  define _length_code _ipcomp_length_code
+#  define _tr_align _ipcomp_tr_align
+#  define _tr_flush_block _ipcomp_tr_flush_block
+#  define _tr_init _ipcomp_tr_init
+#  define _tr_stored_block _ipcomp_tr_stored_block
+#  define _tr_tally _ipcomp_tr_tally
+#  define zError ipcomp_zError
+#  define z_errmsg ipcomp_z_errmsg
+#  define zlibVersion ipcomp_zlibVersion
+#  define match_init ipcomp_match_init
+#  define longest_match ipcomp_longest_match
+#endif
+
+#ifdef Z_PREFIX
+#  define Byte		z_Byte
+#  define uInt		z_uInt
+#  define uLong		z_uLong
+#  define Bytef	        z_Bytef
+#  define charf		z_charf
+#  define intf		z_intf
+#  define uIntf		z_uIntf
+#  define uLongf	z_uLongf
+#  define voidpf	z_voidpf
+#  define voidp		z_voidp
+#endif
+
+#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
+#  define WIN32
+#endif
+#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
+#  ifndef __32BIT__
+#    define __32BIT__
+#  endif
+#endif
+#if defined(__MSDOS__) && !defined(MSDOS)
+#  define MSDOS
+#endif
+
+/*
+ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
+ * than 64k bytes at a time (needed on systems with 16-bit int).
+ */
+#if defined(MSDOS) && !defined(__32BIT__)
+#  define MAXSEG_64K
+#endif
+#ifdef MSDOS
+#  define UNALIGNED_OK
+#endif
+
+#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32))  && !defined(STDC)
+#  define STDC
+#endif
+#if defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)
+#  ifndef STDC
+#    define STDC
+#  endif
+#endif
+
+#ifndef STDC
+#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
+#    define const
+#  endif
+#endif
+
+/* Some Mac compilers merge all .h files incorrectly: */
+#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
+#  define NO_DUMMY_DECL
+#endif
+
+/* Old Borland C incorrectly complains about missing returns: */
+#if defined(__BORLANDC__) && (__BORLANDC__ < 0x500)
+#  define NEED_DUMMY_RETURN
+#endif
+
+
+/* Maximum value for memLevel in deflateInit2 */
+#ifndef MAX_MEM_LEVEL
+#  ifdef MAXSEG_64K
+#    define MAX_MEM_LEVEL 8
+#  else
+#    define MAX_MEM_LEVEL 9
+#  endif
+#endif
+
+/* Maximum value for windowBits in deflateInit2 and inflateInit2.
+ * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files
+ * created by gzip. (Files created by minigzip can still be extracted by
+ * gzip.)
+ */
+#ifndef MAX_WBITS
+#  define MAX_WBITS   15 /* 32K LZ77 window */
+#endif
+
+/* The memory requirements for deflate are (in bytes):
+            (1 << (windowBits+2)) +  (1 << (memLevel+9))
+ that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
+ plus a few kilobytes for small objects. For example, if you want to reduce
+ the default memory requirements from 256K to 128K, compile with
+     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
+ Of course this will generally degrade compression (there's no free lunch).
+
+   The memory requirements for inflate are (in bytes) 1 << windowBits
+ that is, 32K for windowBits=15 (default value) plus a few kilobytes
+ for small objects.
+*/
+
+                        /* Type declarations */
+
+#ifndef OF /* function prototypes */
+#  ifdef STDC
+#    define OF(args)  args
+#  else
+#    define OF(args)  ()
+#  endif
+#endif
+
+/* The following definitions for FAR are needed only for MSDOS mixed
+ * model programming (small or medium model with some far allocations).
+ * This was tested only with MSC; for other MSDOS compilers you may have
+ * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
+ * just define FAR to be empty.
+ */
+#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
+   /* MSC small or medium model */
+#  define SMALL_MEDIUM
+#  ifdef _MSC_VER
+#    define FAR _far
+#  else
+#    define FAR far
+#  endif
+#endif
+#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
+#  ifndef __32BIT__
+#    define SMALL_MEDIUM
+#    define FAR _far
+#  endif
+#endif
+
+/* Compile with -DZLIB_DLL for Windows DLL support */
+#if defined(ZLIB_DLL)
+#  if defined(_WINDOWS) || defined(WINDOWS)
+#    ifdef FAR
+#      undef FAR
+#    endif
+#    include <windows.h>
+#    define ZEXPORT  WINAPI
+#    ifdef WIN32
+#      define ZEXPORTVA  WINAPIV
+#    else
+#      define ZEXPORTVA  FAR _cdecl _export
+#    endif
+#  endif
+#  if defined (__BORLANDC__)
+#    if (__BORLANDC__ >= 0x0500) && defined (WIN32)
+#      include <windows.h>
+#      define ZEXPORT __declspec(dllexport) WINAPI
+#      define ZEXPORTRVA __declspec(dllexport) WINAPIV
+#    else
+#      if defined (_Windows) && defined (__DLL__)
+#        define ZEXPORT _export
+#        define ZEXPORTVA _export
+#      endif
+#    endif
+#  endif
+#endif
+
+#if defined (__BEOS__)
+#  if defined (ZLIB_DLL)
+#    define ZEXTERN extern __declspec(dllexport)
+#  else
+#    define ZEXTERN extern __declspec(dllimport)
+#  endif
+#endif
+
+#ifndef ZEXPORT
+#  define ZEXPORT
+#endif
+#ifndef ZEXPORTVA
+#  define ZEXPORTVA
+#endif
+#ifndef ZEXTERN
+#  define ZEXTERN extern
+#endif
+
+#ifndef FAR
+#   define FAR
+#endif
+
+#if !defined(MACOS) && !defined(TARGET_OS_MAC)
+typedef unsigned char  Byte;  /* 8 bits */
+#endif
+typedef unsigned int   uInt;  /* 16 bits or more */
+typedef unsigned long  uLong; /* 32 bits or more */
+
+#ifdef SMALL_MEDIUM
+   /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */
+#  define Bytef Byte FAR
+#else
+   typedef Byte  FAR Bytef;
+#endif
+typedef char  FAR charf;
+typedef int   FAR intf;
+typedef uInt  FAR uIntf;
+typedef uLong FAR uLongf;
+
+#ifdef STDC
+   typedef void FAR *voidpf;
+   typedef void     *voidp;
+#else
+   typedef Byte FAR *voidpf;
+   typedef Byte     *voidp;
+#endif
+
+#ifdef HAVE_UNISTD_H
+#  include <sys/types.h> /* for off_t */
+#  include <unistd.h>    /* for SEEK_* and off_t */
+#  define z_off_t  off_t
+#endif
+#ifndef SEEK_SET
+#  define SEEK_SET        0       /* Seek from beginning of file.  */
+#  define SEEK_CUR        1       /* Seek from current position.  */
+#  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
+#endif
+#ifndef z_off_t
+#  define  z_off_t long
+#endif
+
+/* MVS linker does not support external names larger than 8 bytes */
+#if defined(__MVS__)
+#   pragma map(deflateInit_,"DEIN")
+#   pragma map(deflateInit2_,"DEIN2")
+#   pragma map(deflateEnd,"DEEND")
+#   pragma map(inflateInit_,"ININ")
+#   pragma map(inflateInit2_,"ININ2")
+#   pragma map(inflateEnd,"INEND")
+#   pragma map(inflateSync,"INSY")
+#   pragma map(inflateSetDictionary,"INSEDI")
+#   pragma map(inflate_blocks,"INBL")
+#   pragma map(inflate_blocks_new,"INBLNE")
+#   pragma map(inflate_blocks_free,"INBLFR")
+#   pragma map(inflate_blocks_reset,"INBLRE")
+#   pragma map(inflate_codes_free,"INCOFR")
+#   pragma map(inflate_codes,"INCO")
+#   pragma map(inflate_fast,"INFA")
+#   pragma map(inflate_flush,"INFLU")
+#   pragma map(inflate_mask,"INMA")
+#   pragma map(inflate_set_dictionary,"INSEDI2")
+#   pragma map(ipcomp_inflate_copyright,"INCOPY")
+#   pragma map(inflate_trees_bits,"INTRBI")
+#   pragma map(inflate_trees_dynamic,"INTRDY")
+#   pragma map(inflate_trees_fixed,"INTRFI")
+#   pragma map(inflate_trees_free,"INTRFR")
+#endif
+
+#endif /* _ZCONF_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/zlib/zlib.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,893 @@
+/* zlib.h -- interface of the 'zlib' general purpose compression library
+  version 1.1.4, March 11th, 2002
+
+  Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  jloup@gzip.org          madler@alumni.caltech.edu
+
+
+  The data format used by the zlib library is described by RFCs (Request for
+  Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
+  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
+*/
+
+#ifndef _ZLIB_H
+#define _ZLIB_H
+
+#include "zconf.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ZLIB_VERSION "1.1.4"
+
+/* 
+     The 'zlib' compression library provides in-memory compression and
+  decompression functions, including integrity checks of the uncompressed
+  data.  This version of the library supports only one compression method
+  (deflation) but other algorithms will be added later and will have the same
+  stream interface.
+
+     Compression can be done in a single step if the buffers are large
+  enough (for example if an input file is mmap'ed), or can be done by
+  repeated calls of the compression function.  In the latter case, the
+  application must provide more input and/or consume the output
+  (providing more output space) before each call.
+
+     The library also supports reading and writing files in gzip (.gz) format
+  with an interface similar to that of stdio.
+
+     The library does not install any signal handler. The decoder checks
+  the consistency of the compressed data, so the library should never
+  crash even in case of corrupted input.
+*/
+
+typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
+typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
+
+struct internal_state;
+
+typedef struct z_stream_s {
+    Bytef    *next_in;  /* next input byte */
+    uInt     avail_in;  /* number of bytes available at next_in */
+    uLong    total_in;  /* total nb of input bytes read so far */
+
+    Bytef    *next_out; /* next output byte should be put there */
+    uInt     avail_out; /* remaining free space at next_out */
+    uLong    total_out; /* total nb of bytes output so far */
+
+    const char     *msg;      /* last error message, NULL if no error */
+    struct internal_state FAR *state; /* not visible by applications */
+
+    alloc_func zalloc;  /* used to allocate the internal state */
+    free_func  zfree;   /* used to free the internal state */
+    voidpf     opaque;  /* private data object passed to zalloc and zfree */
+
+    int     data_type;  /* best guess about the data type: ascii or binary */
+    uLong   adler;      /* adler32 value of the uncompressed data */
+    uLong   reserved;   /* reserved for future use */
+} z_stream;
+
+typedef z_stream FAR *z_streamp;
+
+/*
+   The application must update next_in and avail_in when avail_in has
+   dropped to zero. It must update next_out and avail_out when avail_out
+   has dropped to zero. The application must initialize zalloc, zfree and
+   opaque before calling the init function. All other fields are set by the
+   compression library and must not be updated by the application.
+
+   The opaque value provided by the application will be passed as the first
+   parameter for calls of zalloc and zfree. This can be useful for custom
+   memory management. The compression library attaches no meaning to the
+   opaque value.
+
+   zalloc must return Z_NULL if there is not enough memory for the object.
+   If zlib is used in a multi-threaded application, zalloc and zfree must be
+   thread safe.
+
+   On 16-bit systems, the functions zalloc and zfree must be able to allocate
+   exactly 65536 bytes, but will not be required to allocate more than this
+   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
+   pointers returned by zalloc for objects of exactly 65536 bytes *must*
+   have their offset normalized to zero. The default allocation function
+   provided by this library ensures this (see zutil.c). To reduce memory
+   requirements and avoid any allocation of 64K objects, at the expense of
+   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
+
+   The fields total_in and total_out can be used for statistics or
+   progress reports. After compression, total_in holds the total size of
+   the uncompressed data and may be saved for use in the decompressor
+   (particularly if the decompressor wants to decompress everything in
+   a single step).
+*/
+
+                        /* constants */
+
+#define Z_NO_FLUSH      0
+#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */
+#define Z_SYNC_FLUSH    2
+#define Z_FULL_FLUSH    3
+#define Z_FINISH        4
+/* Allowed flush values; see deflate() below for details */
+
+#define Z_OK            0
+#define Z_STREAM_END    1
+#define Z_NEED_DICT     2
+#define Z_ERRNO        (-1)
+#define Z_STREAM_ERROR (-2)
+#define Z_DATA_ERROR   (-3)
+#define Z_MEM_ERROR    (-4)
+#define Z_BUF_ERROR    (-5)
+#define Z_VERSION_ERROR (-6)
+/* Return codes for the compression/decompression functions. Negative
+ * values are errors, positive values are used for special but normal events.
+ */
+
+#define Z_NO_COMPRESSION         0
+#define Z_BEST_SPEED             1
+#define Z_BEST_COMPRESSION       9
+#define Z_DEFAULT_COMPRESSION  (-1)
+/* compression levels */
+
+#define Z_FILTERED            1
+#define Z_HUFFMAN_ONLY        2
+#define Z_DEFAULT_STRATEGY    0
+/* compression strategy; see deflateInit2() below for details */
+
+#define Z_BINARY   0
+#define Z_ASCII    1
+#define Z_UNKNOWN  2
+/* Possible values of the data_type field */
+
+#define Z_DEFLATED   8
+/* The deflate compression method (the only one supported in this version) */
+
+#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
+
+#define zlib_version zlibVersion()
+/* for compatibility with versions < 1.0.2 */
+
+                        /* basic functions */
+
+ZEXTERN const char * ZEXPORT zlibVersion OF((void));
+/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
+   If the first character differs, the library code actually used is
+   not compatible with the zlib.h header file used by the application.
+   This check is automatically made by deflateInit and inflateInit.
+ */
+
+/* 
+ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level));
+
+     Initializes the internal stream state for compression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.
+   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
+   use default allocation functions.
+
+     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
+   1 gives best speed, 9 gives best compression, 0 gives no compression at
+   all (the input data is simply copied a block at a time).
+   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
+   compression (currently equivalent to level 6).
+
+     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
+   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
+   with the version assumed by the caller (ZLIB_VERSION).
+   msg is set to null if there is no error message.  deflateInit does not
+   perform any compression: this will be done by deflate().
+*/
+
+
+ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
+/*
+    deflate compresses as much data as possible, and stops when the input
+  buffer becomes empty or the output buffer becomes full. It may introduce some
+  output latency (reading input without producing any output) except when
+  forced to flush.
+
+    The detailed semantics are as follows. deflate performs one or both of the
+  following actions:
+
+  - Compress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in and avail_in are updated and
+    processing will resume at this point for the next call of deflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly. This action is forced if the parameter flush is non zero.
+    Forcing flush frequently degrades the compression ratio, so this parameter
+    should be set only when necessary (in interactive applications).
+    Some output may be provided even if flush is not set.
+
+  Before the call of deflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating avail_in or avail_out accordingly; avail_out
+  should never be zero before the call. The application can consume the
+  compressed output when it wants, for example when the output buffer is full
+  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
+  and with zero avail_out, it must be called again after making room in the
+  output buffer because there might be more output pending.
+
+    If the parameter flush is set to Z_SYNC_FLUSH, all pending output is
+  flushed to the output buffer and the output is aligned on a byte boundary, so
+  that the decompressor can get all input data available so far. (In particular
+  avail_in is zero after the call if enough output space has been provided
+  before the call.)  Flushing may degrade compression for some compression
+  algorithms and so it should be used only when necessary.
+
+    If flush is set to Z_FULL_FLUSH, all output is flushed as with
+  Z_SYNC_FLUSH, and the compression state is reset so that decompression can
+  restart from this point if previous compressed data has been damaged or if
+  random access is desired. Using Z_FULL_FLUSH too often can seriously degrade
+  the compression.
+
+    If deflate returns with avail_out == 0, this function must be called again
+  with the same value of the flush parameter and more output space (updated
+  avail_out), until the flush is complete (deflate returns with non-zero
+  avail_out).
+
+    If the parameter flush is set to Z_FINISH, pending input is processed,
+  pending output is flushed and deflate returns with Z_STREAM_END if there
+  was enough output space; if deflate returns with Z_OK, this function must be
+  called again with Z_FINISH and more output space (updated avail_out) but no
+  more input data, until it returns with Z_STREAM_END or an error. After
+  deflate has returned Z_STREAM_END, the only possible operations on the
+  stream are deflateReset or deflateEnd.
+  
+    Z_FINISH can be used immediately after deflateInit if all the compression
+  is to be done in a single step. In this case, avail_out must be at least
+  0.1% larger than avail_in plus 12 bytes.  If deflate does not return
+  Z_STREAM_END, then it must be called again as described above.
+
+    deflate() sets strm->adler to the adler32 checksum of all input read
+  so far (that is, total_in bytes).
+
+    deflate() may update data_type if it can make a good guess about
+  the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
+  binary. This field is only for information purposes and does not affect
+  the compression algorithm in any manner.
+
+    deflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if all input has been
+  consumed and all output has been produced (only when flush is set to
+  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
+  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible
+  (for example avail_in or avail_out was zero).
+*/
+
+
+ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
+   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
+   prematurely (some input or output was discarded). In the error case,
+   msg may be set but then points to a static string (which must not be
+   deallocated).
+*/
+
+
+/* 
+ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
+
+     Initializes the internal stream state for decompression. The fields
+   next_in, avail_in, zalloc, zfree and opaque must be initialized before by
+   the caller. If next_in is not Z_NULL and avail_in is large enough (the exact
+   value depends on the compression method), inflateInit determines the
+   compression method from the zlib header and allocates all data structures
+   accordingly; otherwise the allocation will be deferred to the first call of
+   inflate.  If zalloc and zfree are set to Z_NULL, inflateInit updates them to
+   use default allocation functions.
+
+     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
+   version assumed by the caller.  msg is set to null if there is no error
+   message. inflateInit does not perform any decompression apart from reading
+   the zlib header if present: this will be done by inflate().  (So next_in and
+   avail_in may be modified, but next_out and avail_out are unchanged.)
+*/
+
+
+ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
+/*
+    inflate decompresses as much data as possible, and stops when the input
+  buffer becomes empty or the output buffer becomes full. It may some
+  introduce some output latency (reading input without producing any output)
+  except when forced to flush.
+
+  The detailed semantics are as follows. inflate performs one or both of the
+  following actions:
+
+  - Decompress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in is updated and processing
+    will resume at this point for the next call of inflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly.  inflate() provides as much output as possible, until there
+    is no more input data or no more space in the output buffer (see below
+    about the flush parameter).
+
+  Before the call of inflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating the next_* and avail_* values accordingly.
+  The application can consume the uncompressed output when it wants, for
+  example when the output buffer is full (avail_out == 0), or after each
+  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
+  must be called again after making room in the output buffer because there
+  might be more output pending.
+
+    If the parameter flush is set to Z_SYNC_FLUSH, inflate flushes as much
+  output as possible to the output buffer. The flushing behavior of inflate is
+  not specified for values of the flush parameter other than Z_SYNC_FLUSH
+  and Z_FINISH, but the current implementation actually flushes as much output
+  as possible anyway.
+
+    inflate() should normally be called until it returns Z_STREAM_END or an
+  error. However if all decompression is to be performed in a single step
+  (a single call of inflate), the parameter flush should be set to
+  Z_FINISH. In this case all pending input is processed and all pending
+  output is flushed; avail_out must be large enough to hold all the
+  uncompressed data. (The size of the uncompressed data may have been saved
+  by the compressor for this purpose.) The next operation on this stream must
+  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
+  is never required, but can be used to inform inflate that a faster routine
+  may be used for the single inflate() call.
+
+     If a preset dictionary is needed at this point (see inflateSetDictionary
+  below), inflate sets strm-adler to the adler32 checksum of the
+  dictionary chosen by the compressor and returns Z_NEED_DICT; otherwise 
+  it sets strm->adler to the adler32 checksum of all output produced
+  so far (that is, total_out bytes) and returns Z_OK, Z_STREAM_END or
+  an error code as described below. At the end of the stream, inflate()
+  checks that its computed adler32 checksum is equal to that saved by the
+  compressor and returns Z_STREAM_END only if the checksum is correct.
+
+    inflate() returns Z_OK if some progress has been made (more input processed
+  or more output produced), Z_STREAM_END if the end of the compressed data has
+  been reached and all uncompressed output has been produced, Z_NEED_DICT if a
+  preset dictionary is needed at this point, Z_DATA_ERROR if the input data was
+  corrupted (input stream not conforming to the zlib format or incorrect
+  adler32 checksum), Z_STREAM_ERROR if the stream structure was inconsistent
+  (for example if next_in or next_out was NULL), Z_MEM_ERROR if there was not
+  enough memory, Z_BUF_ERROR if no progress is possible or if there was not
+  enough room in the output buffer when Z_FINISH is used. In the Z_DATA_ERROR
+  case, the application may then call inflateSync to look for a good
+  compression block.
+*/
+
+
+ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm));
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
+   was inconsistent. In the error case, msg may be set but then points to a
+   static string (which must not be deallocated).
+*/
+
+                        /* Advanced functions */
+
+/*
+    The following functions are needed only in some special applications.
+*/
+
+/*   
+ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm,
+                                     int  level,
+                                     int  method,
+                                     int  windowBits,
+                                     int  memLevel,
+                                     int  strategy));
+
+     This is another version of deflateInit with more compression options. The
+   fields next_in, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The method parameter is the compression method. It must be Z_DEFLATED in
+   this version of the library.
+
+     The windowBits parameter is the base two logarithm of the window size
+   (the size of the history buffer).  It should be in the range 8..15 for this
+   version of the library. Larger values of this parameter result in better
+   compression at the expense of memory usage. The default value is 15 if
+   deflateInit is used instead.
+
+     The memLevel parameter specifies how much memory should be allocated
+   for the internal compression state. memLevel=1 uses minimum memory but
+   is slow and reduces compression ratio; memLevel=9 uses maximum memory
+   for optimal speed. The default value is 8. See zconf.h for total memory
+   usage as a function of windowBits and memLevel.
+
+     The strategy parameter is used to tune the compression algorithm. Use the
+   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
+   filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
+   string match).  Filtered data consists mostly of small values with a
+   somewhat random distribution. In this case, the compression algorithm is
+   tuned to compress them better. The effect of Z_FILTERED is to force more
+   Huffman coding and less string matching; it is somewhat intermediate
+   between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
+   the compression ratio but not the correctness of the compressed output even
+   if it is not set appropriately.
+
+      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid
+   method). msg is set to null if there is no error message.  deflateInit2 does
+   not perform any compression: this will be done by deflate().
+*/
+                            
+ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
+                                             const Bytef *dictionary,
+                                             uInt  dictLength));
+/*
+     Initializes the compression dictionary from the given byte sequence
+   without producing any compressed output. This function must be called
+   immediately after deflateInit, deflateInit2 or deflateReset, before any
+   call of deflate. The compressor and decompressor must use exactly the same
+   dictionary (see inflateSetDictionary).
+
+     The dictionary should consist of strings (byte sequences) that are likely
+   to be encountered later in the data to be compressed, with the most commonly
+   used strings preferably put towards the end of the dictionary. Using a
+   dictionary is most useful when the data to be compressed is short and can be
+   predicted with good accuracy; the data can then be compressed better than
+   with the default empty dictionary.
+
+     Depending on the size of the compression data structures selected by
+   deflateInit or deflateInit2, a part of the dictionary may in effect be
+   discarded, for example if the dictionary is larger than the window size in
+   deflate or deflate2. Thus the strings most likely to be useful should be
+   put at the end of the dictionary, not at the front.
+
+     Upon return of this function, strm->adler is set to the Adler32 value
+   of the dictionary; the decompressor may later use this value to determine
+   which dictionary has been used by the compressor. (The Adler32 value
+   applies to the whole dictionary even if only a subset of the dictionary is
+   actually used by the compressor.)
+
+     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent (for example if deflate has already been called for this stream
+   or if the compression method is bsort). deflateSetDictionary does not
+   perform any compression: this will be done by deflate().
+*/
+
+ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
+                                    z_streamp source));
+/*
+     Sets the destination stream as a complete copy of the source stream.
+
+     This function can be useful when several compression strategies will be
+   tried, for example when there are several ways of pre-processing the input
+   data with a filter. The streams that will be discarded should then be freed
+   by calling deflateEnd.  Note that deflateCopy duplicates the internal
+   compression state which can be quite large, so this strategy is slow and
+   can consume lots of memory.
+
+     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
+   (such as zalloc being NULL). msg is left unchanged in both source and
+   destination.
+*/
+
+ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm));
+/*
+     This function is equivalent to deflateEnd followed by deflateInit,
+   but does not free and reallocate all the internal compression state.
+   The stream will keep the same compression level and any other attributes
+   that may have been set by deflateInit2.
+
+      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
+				      int level,
+				      int strategy));
+/*
+     Dynamically update the compression level and compression strategy.  The
+   interpretation of level and strategy is as in deflateInit2.  This can be
+   used to switch between compression and straight copy of the input data, or
+   to switch to a different kind of input data requiring a different
+   strategy. If the compression level is changed, the input available so far
+   is compressed with the old level (and may be flushed); the new level will
+   take effect only at the next call of deflate().
+
+     Before the call of deflateParams, the stream state must be set as for
+   a call of deflate(), since the currently available input may have to
+   be compressed and flushed. In particular, strm->avail_out must be non-zero.
+
+     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
+   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
+   if strm->avail_out was zero.
+*/
+
+/*   
+ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm,
+                                     int  windowBits));
+
+     This is another version of inflateInit with an extra parameter. The
+   fields next_in, avail_in, zalloc, zfree and opaque must be initialized
+   before by the caller.
+
+     The windowBits parameter is the base two logarithm of the maximum window
+   size (the size of the history buffer).  It should be in the range 8..15 for
+   this version of the library. The default value is 15 if inflateInit is used
+   instead. If a compressed stream with a larger window size is given as
+   input, inflate() will return with the error code Z_DATA_ERROR instead of
+   trying to allocate a larger window.
+
+      inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if a parameter is invalid (such as a negative
+   memLevel). msg is set to null if there is no error message.  inflateInit2
+   does not perform any decompression apart from reading the zlib header if
+   present: this will be done by inflate(). (So next_in and avail_in may be
+   modified, but next_out and avail_out are unchanged.)
+*/
+
+ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
+                                             const Bytef *dictionary,
+                                             uInt  dictLength));
+/*
+     Initializes the decompression dictionary from the given uncompressed byte
+   sequence. This function must be called immediately after a call of inflate
+   if this call returned Z_NEED_DICT. The dictionary chosen by the compressor
+   can be determined from the Adler32 value returned by this call of
+   inflate. The compressor and decompressor must use exactly the same
+   dictionary (see deflateSetDictionary).
+
+     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
+   expected one (incorrect Adler32 value). inflateSetDictionary does not
+   perform any decompression: this will be done by subsequent calls of
+   inflate().
+*/
+
+ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm));
+/* 
+    Skips invalid compressed data until a full flush point (see above the
+  description of deflate with Z_FULL_FLUSH) can be found, or until all
+  available input is skipped. No output is provided.
+
+    inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
+  if no more input was provided, Z_DATA_ERROR if no flush point has been found,
+  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
+  case, the application may save the current current value of total_in which
+  indicates where valid compressed data was found. In the error case, the
+  application may repeatedly call inflateSync, providing more input each time,
+  until success or end of the input data.
+*/
+
+ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm));
+/*
+     This function is equivalent to inflateEnd followed by inflateInit,
+   but does not free and reallocate all the internal decompression state.
+   The stream will keep attributes that may have been set by inflateInit2.
+
+      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+
+                        /* utility functions */
+
+/*
+     The following utility functions are implemented on top of the
+   basic stream-oriented functions. To simplify the interface, some
+   default options are assumed (compression level and memory usage,
+   standard memory allocation functions). The source code of these
+   utility functions can easily be modified if you need special options.
+*/
+
+ZEXTERN int ZEXPORT compress OF((Bytef *dest,   uLongf *destLen,
+                                 const Bytef *source, uLong sourceLen));
+/*
+     Compresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be at least 0.1% larger than
+   sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
+   compressed buffer.
+     This function can be used to compress a whole file at once if the
+   input file is mmap'ed.
+     compress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer.
+*/
+
+ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
+                                  const Bytef *source, uLong sourceLen,
+                                  int level));
+/*
+     Compresses the source buffer into the destination buffer. The level
+   parameter has the same meaning as in deflateInit.  sourceLen is the byte
+   length of the source buffer. Upon entry, destLen is the total size of the
+   destination buffer, which must be at least 0.1% larger than sourceLen plus
+   12 bytes. Upon exit, destLen is the actual size of the compressed buffer.
+
+     compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_BUF_ERROR if there was not enough room in the output buffer,
+   Z_STREAM_ERROR if the level parameter is invalid.
+*/
+
+ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
+                                   const Bytef *source, uLong sourceLen));
+/*
+     Decompresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be large enough to hold the
+   entire uncompressed data. (The size of the uncompressed data must have
+   been saved previously by the compressor and transmitted to the decompressor
+   by some mechanism outside the scope of this compression library.)
+   Upon exit, destLen is the actual size of the compressed buffer.
+     This function can be used to decompress a whole file at once if the
+   input file is mmap'ed.
+
+     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer, or Z_DATA_ERROR if the input data was corrupted.
+*/
+
+
+typedef voidp gzFile;
+
+ZEXTERN gzFile ZEXPORT gzopen  OF((const char *path, const char *mode));
+/*
+     Opens a gzip (.gz) file for reading or writing. The mode parameter
+   is as in fopen ("rb" or "wb") but can also include a compression level
+   ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for
+   Huffman only compression as in "wb1h". (See the description
+   of deflateInit2 for more information about the strategy parameter.)
+
+     gzopen can be used to read a file which is not in gzip format; in this
+   case gzread will directly read from the file without decompression.
+
+     gzopen returns NULL if the file could not be opened or if there was
+   insufficient memory to allocate the (de)compression state; errno
+   can be checked to distinguish the two cases (if errno is zero, the
+   zlib error is Z_MEM_ERROR).  */
+
+ZEXTERN gzFile ZEXPORT gzdopen  OF((int fd, const char *mode));
+/*
+     gzdopen() associates a gzFile with the file descriptor fd.  File
+   descriptors are obtained from calls like open, dup, creat, pipe or
+   fileno (in the file has been previously opened with fopen).
+   The mode parameter is as in gzopen.
+     The next call of gzclose on the returned gzFile will also close the
+   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
+   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
+     gzdopen returns NULL if there was insufficient memory to allocate
+   the (de)compression state.
+*/
+
+ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy));
+/*
+     Dynamically update the compression level or strategy. See the description
+   of deflateInit2 for the meaning of these parameters.
+     gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not
+   opened for writing.
+*/
+
+ZEXTERN int ZEXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
+/*
+     Reads the given number of uncompressed bytes from the compressed file.
+   If the input file was not in gzip format, gzread copies the given number
+   of bytes into the buffer.
+     gzread returns the number of uncompressed bytes actually read (0 for
+   end of file, -1 for error). */
+
+ZEXTERN int ZEXPORT    gzwrite OF((gzFile file, 
+				   const voidp buf, unsigned len));
+/*
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of uncompressed bytes actually written
+   (0 in case of error).
+*/
+
+ZEXTERN int ZEXPORTVA   gzprintf OF((gzFile file, const char *format, ...));
+/*
+     Converts, formats, and writes the args to the compressed file under
+   control of the format string, as in fprintf. gzprintf returns the number of
+   uncompressed bytes actually written (0 in case of error).
+*/
+
+ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s));
+/*
+      Writes the given null-terminated string to the compressed file, excluding
+   the terminating null character.
+      gzputs returns the number of characters written, or -1 in case of error.
+*/
+
+ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len));
+/*
+      Reads bytes from the compressed file until len-1 characters are read, or
+   a newline character is read and transferred to buf, or an end-of-file
+   condition is encountered.  The string is then terminated with a null
+   character.
+      gzgets returns buf, or Z_NULL in case of error.
+*/
+
+ZEXTERN int ZEXPORT    gzputc OF((gzFile file, int c));
+/*
+      Writes c, converted to an unsigned char, into the compressed file.
+   gzputc returns the value that was written, or -1 in case of error.
+*/
+
+ZEXTERN int ZEXPORT    gzgetc OF((gzFile file));
+/*
+      Reads one byte from the compressed file. gzgetc returns this byte
+   or -1 in case of end of file or error.
+*/
+
+ZEXTERN int ZEXPORT    gzflush OF((gzFile file, int flush));
+/*
+     Flushes all pending output into the compressed file. The parameter
+   flush is as in the deflate() function. The return value is the zlib
+   error number (see function gzerror below). gzflush returns Z_OK if
+   the flush parameter is Z_FINISH and all output could be flushed.
+     gzflush should be called only when strictly necessary because it can
+   degrade compression.
+*/
+
+ZEXTERN z_off_t ZEXPORT    gzseek OF((gzFile file,
+				      z_off_t offset, int whence));
+/* 
+      Sets the starting position for the next gzread or gzwrite on the
+   given compressed file. The offset represents a number of bytes in the
+   uncompressed data stream. The whence parameter is defined as in lseek(2);
+   the value SEEK_END is not supported.
+     If the file is opened for reading, this function is emulated but can be
+   extremely slow. If the file is opened for writing, only forward seeks are
+   supported; gzseek then compresses a sequence of zeroes up to the new
+   starting position.
+
+      gzseek returns the resulting offset location as measured in bytes from
+   the beginning of the uncompressed stream, or -1 in case of error, in
+   particular if the file is opened for writing and the new starting position
+   would be before the current position.
+*/
+
+ZEXTERN int ZEXPORT    gzrewind OF((gzFile file));
+/*
+     Rewinds the given file. This function is supported only for reading.
+
+   gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
+*/
+
+ZEXTERN z_off_t ZEXPORT    gztell OF((gzFile file));
+/*
+     Returns the starting position for the next gzread or gzwrite on the
+   given compressed file. This position represents a number of bytes in the
+   uncompressed data stream.
+
+   gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
+*/
+
+ZEXTERN int ZEXPORT gzeof OF((gzFile file));
+/*
+     Returns 1 when EOF has previously been detected reading the given
+   input stream, otherwise zero.
+*/
+
+ZEXTERN int ZEXPORT    gzclose OF((gzFile file));
+/*
+     Flushes all pending output if necessary, closes the compressed file
+   and deallocates all the (de)compression state. The return value is the zlib
+   error number (see function gzerror below).
+*/
+
+ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum));
+/*
+     Returns the error message for the last error which occurred on the
+   given compressed file. errnum is set to zlib error number. If an
+   error occurred in the file system and not in the compression library,
+   errnum is set to Z_ERRNO and the application may consult errno
+   to get the exact error code.
+*/
+
+                        /* checksum functions */
+
+/*
+     These functions are not related to compression but are exported
+   anyway because they might be useful in applications using the
+   compression library.
+*/
+
+ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
+
+/*
+     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
+   return the updated checksum. If buf is NULL, this function returns
+   the required initial value for the checksum.
+   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
+   much faster. Usage example:
+
+     uLong adler = adler32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       adler = adler32(adler, buffer, length);
+     }
+     if (adler != original_adler) error();
+*/
+
+ZEXTERN uLong ZEXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
+/*
+     Update a running crc with the bytes buf[0..len-1] and return the updated
+   crc. If buf is NULL, this function returns the required initial value
+   for the crc. Pre- and post-conditioning (one's complement) is performed
+   within this function so it shouldn't be done by the application.
+   Usage example:
+
+     uLong crc = crc32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       crc = crc32(crc, buffer, length);
+     }
+     if (crc != original_crc) error();
+*/
+
+
+                        /* various hacks, don't look :) */
+
+/* deflateInit and inflateInit are macros to allow checking the zlib version
+ * and the compiler's view of z_stream:
+ */
+ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level,
+                                     const char *version, int stream_size));
+ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm,
+                                     const char *version, int stream_size));
+ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method,
+                                      int windowBits, int memLevel,
+                                      int strategy, const char *version,
+                                      int stream_size));
+ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int  windowBits,
+                                      const char *version, int stream_size));
+#define deflateInit(strm, level) \
+        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit(strm) \
+        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
+#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
+        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
+                      (strategy),           ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit2(strm, windowBits) \
+        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
+
+
+#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
+    struct internal_state {int dummy;}; /* hack for buggy compilers */
+#endif
+
+ZEXTERN const char   * ZEXPORT zError           OF((int err));
+ZEXTERN int            ZEXPORT inflateSyncPoint OF((z_streamp z));
+ZEXTERN const uLongf * ZEXPORT get_crc_table    OF((void));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ZLIB_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/include/zlib/zutil.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,225 @@
+/* zutil.h -- internal interface and configuration of the compression library
+ * Copyright (C) 1995-2002 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* @(#) $Id: zutil.h,v 1.4 2002/04/24 07:36:48 mcr Exp $ */
+
+#ifndef _Z_UTIL_H
+#define _Z_UTIL_H
+
+#include "zlib.h"
+
+#include <linux/string.h>
+#define HAVE_MEMCPY
+
+#if 0 // #ifdef STDC
+#  include <stddef.h>
+#  include <string.h>
+#  include <stdlib.h>
+#endif
+#ifndef __KERNEL__
+#ifdef NO_ERRNO_H
+    extern int errno;
+#else
+#   include <errno.h>
+#endif
+#endif
+
+#ifndef local
+#  define local static
+#endif
+/* compile with -Dlocal if your debugger can't find static symbols */
+
+typedef unsigned char  uch;
+typedef uch FAR uchf;
+typedef unsigned short ush;
+typedef ush FAR ushf;
+typedef unsigned long  ulg;
+
+extern const char *z_errmsg[10]; /* indexed by 2-zlib_error */
+/* (size given to avoid silly warnings with Visual C++) */
+
+#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]
+
+#define ERR_RETURN(strm,err) \
+  return (strm->msg = ERR_MSG(err), (err))
+/* To be used only when the state is known to be valid */
+
+        /* common constants */
+
+#ifndef DEF_WBITS
+#  define DEF_WBITS MAX_WBITS
+#endif
+/* default windowBits for decompression. MAX_WBITS is for compression only */
+
+#if MAX_MEM_LEVEL >= 8
+#  define DEF_MEM_LEVEL 8
+#else
+#  define DEF_MEM_LEVEL  MAX_MEM_LEVEL
+#endif
+/* default memLevel */
+
+#define STORED_BLOCK 0
+#define STATIC_TREES 1
+#define DYN_TREES    2
+/* The three kinds of block type */
+
+#define MIN_MATCH  3
+#define MAX_MATCH  258
+/* The minimum and maximum match lengths */
+
+#define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */
+
+        /* target dependencies */
+
+#ifdef MSDOS
+#  define OS_CODE  0x00
+#  if defined(__TURBOC__) || defined(__BORLANDC__)
+#    if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
+       /* Allow compilation with ANSI keywords only enabled */
+       void _Cdecl farfree( void *block );
+       void *_Cdecl farmalloc( unsigned long nbytes );
+#    else
+#     include <alloc.h>
+#    endif
+#  else /* MSC or DJGPP */
+#    include <malloc.h>
+#  endif
+#endif
+
+#ifdef OS2
+#  define OS_CODE  0x06
+#endif
+
+#ifdef WIN32 /* Window 95 & Windows NT */
+#  define OS_CODE  0x0b
+#endif
+
+#if defined(VAXC) || defined(VMS)
+#  define OS_CODE  0x02
+#  define F_OPEN(name, mode) \
+     fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
+#endif
+
+#ifdef AMIGA
+#  define OS_CODE  0x01
+#endif
+
+#if defined(ATARI) || defined(atarist)
+#  define OS_CODE  0x05
+#endif
+
+#if defined(MACOS) || defined(TARGET_OS_MAC)
+#  define OS_CODE  0x07
+#  if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
+#    include <unix.h> /* for fdopen */
+#  else
+#    ifndef fdopen
+#      define fdopen(fd,mode) NULL /* No fdopen() */
+#    endif
+#  endif
+#endif
+
+#ifdef __50SERIES /* Prime/PRIMOS */
+#  define OS_CODE  0x0F
+#endif
+
+#ifdef TOPS20
+#  define OS_CODE  0x0a
+#endif
+
+#if defined(_BEOS_) || defined(RISCOS)
+#  define fdopen(fd,mode) NULL /* No fdopen() */
+#endif
+
+#if (defined(_MSC_VER) && (_MSC_VER > 600))
+#  define fdopen(fd,type)  _fdopen(fd,type)
+#endif
+
+
+        /* Common defaults */
+
+#ifndef OS_CODE
+#  define OS_CODE  0x03  /* assume Unix */
+#endif
+
+#ifndef F_OPEN
+#  define F_OPEN(name, mode) fopen((name), (mode))
+#endif
+
+         /* functions */
+
+#ifdef HAVE_STRERROR
+   extern char *strerror OF((int));
+#  define zstrerror(errnum) strerror(errnum)
+#else
+#  define zstrerror(errnum) ""
+#endif
+
+#if defined(pyr)
+#  define NO_MEMCPY
+#endif
+#if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)
+ /* Use our own functions for small and medium model with MSC <= 5.0.
+  * You may have to use the same strategy for Borland C (untested).
+  * The __SC__ check is for Symantec.
+  */
+#  define NO_MEMCPY
+#endif
+#if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)
+#  define HAVE_MEMCPY
+#endif
+#ifdef HAVE_MEMCPY
+#  ifdef SMALL_MEDIUM /* MSDOS small or medium model */
+#    define zmemcpy _fmemcpy
+#    define zmemcmp _fmemcmp
+#    define zmemzero(dest, len) _fmemset(dest, 0, len)
+#  else
+#    define zmemcpy memcpy
+#    define zmemcmp memcmp
+#    define zmemzero(dest, len) memset(dest, 0, len)
+#  endif
+#else
+   extern void zmemcpy  OF((Bytef* dest, const Bytef* source, uInt len));
+   extern int  zmemcmp  OF((const Bytef* s1, const Bytef* s2, uInt len));
+   extern void zmemzero OF((Bytef* dest, uInt len));
+#endif
+
+/* Diagnostic functions */
+#ifdef DEBUG
+#  include <stdio.h>
+   extern int z_verbose;
+   extern void z_error    OF((char *m));
+#  define Assert(cond,msg) {if(!(cond)) z_error(msg);}
+#  define Trace(x) {if (z_verbose>=0) fprintf x ;}
+#  define Tracev(x) {if (z_verbose>0) fprintf x ;}
+#  define Tracevv(x) {if (z_verbose>1) fprintf x ;}
+#  define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;}
+#  define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;}
+#else
+#  define Assert(cond,msg)
+#  define Trace(x)
+#  define Tracev(x)
+#  define Tracevv(x)
+#  define Tracec(c,x)
+#  define Tracecv(c,x)
+#endif
+
+
+typedef uLong (ZEXPORT *check_func) OF((uLong check, const Bytef *buf,
+				       uInt len));
+voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size));
+void   zcfree  OF((voidpf opaque, voidpf ptr));
+
+#define ZALLOC(strm, items, size) \
+           (*((strm)->zalloc))((strm)->opaque, (items), (size))
+#define ZFREE(strm, addr)  (*((strm)->zfree))((strm)->opaque, (voidpf)(addr))
+#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}
+
+#endif /* _Z_UTIL_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/lib/libfreeswan/Makefile.objs     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,21 @@
+obj-y += satot.o
+obj-y += addrtot.o
+obj-y += ultot.o 
+obj-y += addrtypeof.o
+obj-y += anyaddr.o
+obj-y += initaddr.o
+obj-y += ultoa.o 
+obj-y += addrtoa.o 
+obj-y += subnettoa.o 
+obj-y += subnetof.o 
+obj-y += goodmask.o 
+obj-y += datatot.o 
+obj-y += rangetoa.o 
+obj-y += prng.o 
+obj-y += pfkey_v2_parse.o 
+obj-y += pfkey_v2_build.o 
+obj-y += pfkey_v2_debug.o 
+obj-y += pfkey_v2_ext_bits.o 
+
+#version.c:	${LIBFREESWANDIR}/version.in.c ${OPENSWANSRCDIR}/Makefile.ver
+#	sed '/"/s/xxx/$(IPSECVERSION)/' ${LIBFREESWANDIR}/version.in.c >$@
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/lib/zlib/Makefile     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,118 @@
+# (kernel) Makefile for IPCOMP zlib deflate code
+# Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+# Copyright (C) 2000  Svenning Soerensen
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.9 2002/04/24 07:55:32 mcr Exp $
+#
+
+
+
+include ../Makefile.inc
+
+
+
+ifndef TOPDIR
+TOPDIR  := /usr/src/linux
+endif
+
+
+L_TARGET := zlib.a
+
+obj-y :=
+
+include Makefile.objs
+
+EXTRA_CFLAGS += $(KLIPSCOMPILE)
+
+EXTRA_CFLAGS += -Wall 
+#EXTRA_CFLAGS += -Wconversion 
+#EXTRA_CFLAGS += -Wmissing-prototypes 
+EXTRA_CFLAGS += -Wpointer-arith 
+#EXTRA_CFLAGS += -Wcast-qual 
+#EXTRA_CFLAGS += -Wmissing-declarations 
+EXTRA_CFLAGS += -Wstrict-prototypes
+#EXTRA_CFLAGS += -pedantic
+#EXTRA_CFLAGS += -W
+#EXTRA_CFLAGS += -Wwrite-strings 
+EXTRA_CFLAGS += -Wbad-function-cast 
+EXTRA_CFLAGS += -DIPCOMP_PREFIX
+
+.S.o:
+	$(CC) -D__ASSEMBLY__ -DNO_UNDERLINE -traditional -c $< -o $*.o
+
+asm-obj-$(CONFIG_M586)		+= match586.o
+asm-obj-$(CONFIG_M586TSC)	+= match586.o
+asm-obj-$(CONFIG_M586MMX)	+= match586.o
+asm-obj-$(CONFIG_M686)		+= match686.o
+asm-obj-$(CONFIG_MPENTIUMIII)	+= match686.o
+asm-obj-$(CONFIG_MPENTIUM4)	+= match686.o
+asm-obj-$(CONFIG_MK6)		+= match586.o
+asm-obj-$(CONFIG_MK7)		+= match686.o
+asm-obj-$(CONFIG_MCRUSOE)	+= match586.o
+asm-obj-$(CONFIG_MWINCHIPC6)	+= match586.o
+asm-obj-$(CONFIG_MWINCHIP2)	+= match686.o
+asm-obj-$(CONFIG_MWINCHIP3D)	+= match686.o
+
+obj-y += $(asm-obj-y)
+ifneq ($(asm-obj-y),)
+  EXTRA_CFLAGS += -DASMV
+endif
+
+active-objs     := $(sort $(obj-y) $(obj-m))
+L_OBJS          := $(obj-y)
+M_OBJS          := $(obj-m)
+MIX_OBJS        := $(filter $(export-objs), $(active-objs))
+
+include $(TOPDIR)/Rules.make
+
+$(obj-y) :  $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
+
+
+clean:
+	-rm -f *.o *.a
+
+checkprograms:
+programs: $(L_TARGET)
+
+#
+# $Log: Makefile,v $
+# Revision 1.9  2002/04/24 07:55:32  mcr
+# 	#include patches and Makefiles for post-reorg compilation.
+#
+# Revision 1.8  2002/04/24 07:36:44  mcr
+# Moved from ./zlib/Makefile,v
+#
+# Revision 1.7  2002/03/27 23:34:35  mcr
+# 	added programs: target
+#
+# Revision 1.6  2001/12/05 20:19:08  henry
+# use new compile-control variable
+#
+# Revision 1.5  2001/11/27 16:38:08  mcr
+# 	added new "checkprograms" target to deal with programs that
+# 	are required for "make check", but that may not be ready to
+# 	build for every user due to external dependancies.
+#
+# Revision 1.4  2001/10/24 14:46:24  henry
+# Makefile.inc
+#
+# Revision 1.3  2001/04/21 23:05:24  rgb
+# Update asm directives for 2.4 style makefiles.
+#
+# Revision 1.2  2001/01/29 22:22:00  rgb
+# Convert to 2.4 new style with back compat.
+#
+# Revision 1.1.1.1  2000/09/29 18:51:33  rgb
+# zlib_beginnings
+#
+#
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/lib/zlib/Makefile.objs     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,27 @@
+obj-$(CONFIG_IPSEC_IPCOMP) += adler32.o
+obj-$(CONFIG_IPSEC_IPCOMP) += deflate.o
+obj-$(CONFIG_IPSEC_IPCOMP) += infblock.o
+obj-$(CONFIG_IPSEC_IPCOMP) += infcodes.o
+obj-$(CONFIG_IPSEC_IPCOMP) += inffast.o
+obj-$(CONFIG_IPSEC_IPCOMP) += inflate.o
+obj-$(CONFIG_IPSEC_IPCOMP) += inftrees.o
+obj-$(CONFIG_IPSEC_IPCOMP) += infutil.o
+obj-$(CONFIG_IPSEC_IPCOMP) += trees.o
+obj-$(CONFIG_IPSEC_IPCOMP) += zutil.o
+
+asm-obj-$(CONFIG_M586)          += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_M586TSC)       += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_M586MMX)       += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_M686)          += ${LIBZLIBSRCDIR}/match686.o
+asm-obj-$(CONFIG_MPENTIUMIII)   += ${LIBZLIBSRCDIR}/match686.o
+asm-obj-$(CONFIG_MPENTIUM4)     += ${LIBZLIBSRCDIR}/match686.o
+asm-obj-$(CONFIG_MK6)           += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_MK7)           += ${LIBZLIBSRCDIR}/match686.o
+asm-obj-$(CONFIG_MCRUSOE)       += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_MWINCHIPC6)    += ${LIBZLIBSRCDIR}/match586.o
+asm-obj-$(CONFIG_MWINCHIP2)     += ${LIBZLIBSRCDIR}/match686.o
+asm-obj-$(CONFIG_MWINCHIP3D)    += ${LIBZLIBSRCDIR}/match686.o
+
+EXTRA_CFLAGS += -DIPCOMP_PREFIX
+
+
--- swan26/net/Kconfig.preipsec	2005-09-01 18:15:19.000000000 -0400
+++ swan26/net/Kconfig	2005-09-03 16:51:17.000000000 -0400
@@ -215,2 +215,6 @@
 
+if INET
+source "net/ipsec/Kconfig"
+endif # if INET
+
 endif   # if NET
--- /distros/kernel/linux-2.6.3-rc4/net/Makefile	Mon Feb 16 21:22:12 2004
+++ ref26/net/Makefile	Thu Feb 19 21:02:25 2004
@@ -42,3 +42,6 @@
 ifeq ($(CONFIG_NET),y)
 obj-$(CONFIG_SYSCTL)		+= sysctl_net.o
 endif
+
+obj-$(CONFIG_KLIPS)             += ipsec/
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/Kconfig     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,161 @@
+#
+# IPSEC configuration
+# Copyright (C) 2004 Michael Richardson <mcr@freeswan.org>
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Kconfig,v 1.6.2.2 2006/10/11 18:14:33 paul Exp $
+
+config KLIPS
+	tristate "Openswan IPsec (KLIPS26)"
+	default n
+	help
+  	  KLIPS is the Openswan (www.openswan.org) Kernel Level IP Security
+	  system. It is extensively tested, and has interoperated with
+	  many other systems. 
+          It provides "ipsecX" devices on which one can do firewalling.
+          The userland, is compatible with both KLIPS and 26sec.
+
+menu "KLIPS options"
+	depends on KLIPS
+
+config KLIPS_ESP
+	bool 'Encapsulating Security Payload - ESP ("VPN")'
+	default y
+	help
+	   This option provides support for the IPSEC Encapsulation Security
+	   Payload (IP protocol 50) which provides packet layer content
+           hiding, and content authentication.
+	   It is recommended to enable this.  RFC2406
+
+config KLIPS_AH
+	bool 'Authentication Header - AH'
+	default n
+	help
+           This option provides support for the IPSEC Authentication Header
+           (IP protocol 51) which provides packet layer sender and content
+           authentication. It does not provide for confidentiality.
+	   It is not recommended to enable this.  RFC2402
+
+config KLIPS_AUTH_HMAC_MD5
+	bool 'HMAC-MD5 authentication algorithm' 
+	default y
+	help
+           The HMAC-MD5 algorithm is used by ESP (and AH) to guarantee packet
+	   integrity. There is little reason not to include it.
+
+config KLIPS_AUTH_HMAC_SHA1
+	bool 'HMAC-SHA1 authentication algorithm' 
+	default y
+	help
+           The HMAC-SHA1 algorithm is used by ESP (and AH) to guarantee packet
+	   integrity. SHA1 is a little slower than MD5, but is said to be 
+	   a bit more secure. There is little reason not to include it.
+
+config KLIPS_ENC_CRYPTOAPI
+	bool 'CryptoAPI algorithm interface'
+	default n
+	help
+	   Enable the algorithm interface to make all CryptoAPI 1.0 algorithms
+	   available to KLIPS.
+
+config KLIPS_ENC_1DES
+	bool 'Include 1DES with CryptoAPI'
+	default n
+	depends on KLIPS_ENC_CRYPTOAPI
+	help
+	   The CryptoAPI interface does not include support for every algorithm
+	   yet, and one that it doesn't support by default is the VERY WEAK
+	   1DES. Select this if you are terminally stupid.
+	
+config KLIPS_ENC_3DES
+	bool '3DES encryption algorithm'
+	default y
+	help
+           The 3DES algorithm is used by ESP to provide for packet privacy.
+	   3DES is 3-repeats of the DES algorithm. 3DES is widely supported,
+	   and analyzed and is considered very secure. 1DES is not supported.
+
+config KLIPS_ENC_AES
+	bool 'AES encryption algorithm'
+	default y
+	help
+           The AES algorithm is used by ESP to provide for packet privacy.
+	   AES the NIST replacement for DES. AES is being widely analyzed,
+           and is very fast.
+
+config KLIPS_ENC_NULL
+	bool 'NULL NON-encryption algorithm'
+	default n
+	help
+	   NON encryption algo , maybe useful for ESP auth only scenarios
+	   (eg: with NAT-T), see RFC 2410.
+
+config KLIPS_IPCOMP
+	bool 'IP compression'
+	default y
+	help
+           The IPcomp protocol is used prior to ESP to make the packet
+	   smaller. Once encrypted, compression will fail, so any link
+	   layer efforts (e.g. PPP) will not work. 
+
+config KLIPS_DEBUG
+	bool 'IPsec debugging'
+	default y 
+	help
+           KLIPS includes a lot of debugging code. Unless there is a real
+	   tangible benefit to removing this code, it should be left in place.
+	   Debugging connections without access to kernel level debugging is
+	   essentially impossible. Leave this on.
+
+endmenu
+
+#
+#
+# $Log: Kconfig,v $
+# Revision 1.6.2.2  2006/10/11 18:14:33  paul
+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
+# per default.
+#
+# Revision 1.6.2.1  2006/04/20 16:33:06  mcr
+# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+# Fix in-kernel module compilation. Sub-makefiles do not work.
+#
+# Revision 1.6  2005/05/18 20:55:27  mcr
+# 	default cryptoapi to n.
+#
+# Revision 1.5  2005/05/11 01:23:25  mcr
+# 	added 1DES option to cryptoapi.
+#
+# Revision 1.4  2005/04/29 05:29:54  mcr
+# 	add option to include cryptoapi algorithms.
+#
+# Revision 1.3  2004/08/17 03:27:23  mcr
+# 	klips 2.6 edits.
+#
+# Revision 1.2  2004/08/14 03:27:39  mcr
+# 	2.6 kernel build/configuration files.
+#
+# Revision 1.1  2004/08/14 02:47:55  mcr
+# 	kernel build/config patches
+#
+# Revision 1.3  2004/02/24 17:17:04  mcr
+# 	s/CONFIG_IPSEC/CONFIG_KLIPS/ as 26sec uses "CONFIG_IPSEC" to
+# 	turn it on/off as well.
+#
+# Revision 1.2  2004/02/22 06:50:42  mcr
+# 	kernel 2.6 port - merged with 2.4 code.
+#
+# Revision 1.1.2.1  2004/02/20 02:07:53  mcr
+# 	module configuration for KLIPS 2.6
+#
+#
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/Makefile     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,195 @@
+# Makefile for KLIPS kernel code as a module    for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# Copyright (C) 1998, 1999, 2000,2001  Richard Guy Briggs.
+# Copyright (C) 2002-2004	Michael Richardson <mcr@freeswan.org>
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile.fs2_6,v 1.8.2.2 2006/10/11 18:14:33 paul Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+# unless it's something special (ie not a .c file).
+#
+
+OPENSWANSRCDIR?=.
+KLIPS_TOP?=.
+
+-include ${OPENSWANSRCDIR}/Makefile.ver
+
+base-klips-objs := 
+
+base-klips-objs+= ipsec_init.o ipsec_sa.o ipsec_radij.o radij.o
+base-klips-objs+= ipsec_life.o ipsec_proc.o
+base-klips-objs+= ipsec_tunnel.o ipsec_xmit.o ipsec_rcv.o ipsec_ipip.o
+base-klips-objs+= ipsec_snprintf.o
+base-klips-objs+= sysctl_net_ipsec.o 
+base-klips-objs+= pfkey_v2.o pfkey_v2_parser.o pfkey_v2_ext_process.o 
+base-klips-objs+= version.o
+
+base-klips-objs+= satot.o
+base-klips-objs+= addrtot.o
+base-klips-objs+= ultot.o 
+base-klips-objs+= addrtypeof.o
+base-klips-objs+= anyaddr.o
+base-klips-objs+= initaddr.o
+base-klips-objs+= ultoa.o 
+base-klips-objs+= addrtoa.o 
+base-klips-objs+= subnettoa.o 
+base-klips-objs+= subnetof.o 
+base-klips-objs+= goodmask.o 
+base-klips-objs+= datatot.o 
+base-klips-objs+= rangetoa.o 
+base-klips-objs+= prng.o 
+base-klips-objs+= pfkey_v2_parse.o 
+base-klips-objs+= pfkey_v2_build.o 
+base-klips-objs+= pfkey_v2_debug.o 
+base-klips-objs+= pfkey_v2_ext_bits.o 
+base-klips-objs+= version.o
+
+obj-${CONFIG_KLIPS} += ipsec.o
+
+ipsec-objs += ${base-klips-objs}
+
+ipsec-$(CONFIG_KLIPS_ESP)     += ipsec_esp.o
+ipsec-$(CONFIG_KLIPS_IPCOMP)  += ipsec_ipcomp.o
+ipsec-$(CONFIG_KLIPS_AUTH_HMAC_MD5)  += ipsec_md5c.o
+ipsec-$(CONFIG_KLIPS_AUTH_HMAC_SHA1) += ipsec_sha1.o
+
+# AH, if you really think you need it.
+ipsec-$(CONFIG_KLIPS_AH)   += ipsec_ah.o
+
+ipsec-y += ipsec_alg.o 
+
+# include code from DES subdir
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/ipsec_alg_3des.o
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/cbc_enc.o
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/ecb_enc.o
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/set_key.o
+
+ifeq ($(strip ${SUBARCH}),)
+SUBARCH:=${ARCH}
+endif
+
+# the assembly version expects frame pointers, which are
+# optional in many kernel builds. If you want speed, you should
+# probably use cryptoapi code instead.
+USEASSEMBLY=${SUBARCH}${CONFIG_FRAME_POINTER}
+ifeq (${USEASSEMBLY},i386y)
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/dx86unix.o
+else
+crypto-$(CONFIG_KLIPS_ENC_3DES) += des/des_enc.o
+endif
+
+# include code from AES subdir
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/ipsec_alg_aes.o
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes_xcbc_mac.o
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes_cbc.o
+
+ifeq ($(strip ${SUBARCH}),)
+SUBARCH:=${ARCH}
+endif
+
+USEASSEMBLY=${SUBARCH}${CONFIG_FRAME_POINTER}
+ifeq (${USEASSEMBLY},i386y)
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes-i586.o
+else
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes.o
+endif
+
+crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o
+
+ipsec-y += ${crypto-y}
+
+ipsec-$(CONFIG_KLIPS_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+
+# IPcomp stuff
+base-ipcomp-objs := ipcomp.o 
+base-ipcomp-objs += adler32.o
+base-ipcomp-objs += deflate.o
+base-ipcomp-objs += infblock.o
+base-ipcomp-objs += infcodes.o
+base-ipcomp-objs += inffast.o
+base-ipcomp-objs += inflate.o
+base-ipcomp-objs += inftrees.o
+base-ipcomp-objs += infutil.o
+base-ipcomp-objs += trees.o
+base-ipcomp-objs += zutil.o
+asm-ipcomp-obj-$(CONFIG_M586)          += match586.o
+asm-ipcomp-obj-$(CONFIG_M586TSC)       += match586.o
+asm-ipcomp-obj-$(CONFIG_M586MMX)       += match586.o
+asm-ipcomp-obj-$(CONFIG_M686)          += match686.o
+asm-ipcomp-obj-$(CONFIG_MPENTIUMIII)   += match686.o
+asm-ipcomp-obj-$(CONFIG_MPENTIUM4)     += match686.o
+asm-ipcomp-obj-$(CONFIG_MK6)           += match586.o
+asm-ipcomp-obj-$(CONFIG_MK7)           += match686.o
+asm-ipcomp-obj-$(CONFIG_MCRUSOE)       += match586.o
+asm-ipcomp-obj-$(CONFIG_MWINCHIPC6)    += match586.o
+asm-ipcomp-obj-$(CONFIG_MWINCHIP2)     += match686.o
+asm-ipcomp-obj-$(CONFIG_MWINCHIP3D)    += match686.o
+base-ipcomp-objs += ${asm-ipcomp-obj-y}
+
+ipsec-$(CONFIG_KLIPS_IPCOMP) += ${base-ipcomp-objs}
+
+EXTRA_CFLAGS += -DIPCOMP_PREFIX
+
+#
+# $Log: Makefile.fs2_6,v $
+# Revision 1.8.2.2  2006/10/11 18:14:33  paul
+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
+# per default.
+#
+# Revision 1.8.2.1  2006/04/20 16:33:06  mcr
+# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+# Fix in-kernel module compilation. Sub-makefiles do not work.
+#
+# Revision 1.8  2005/05/11 03:15:42  mcr
+# 	adjusted makefiles to sanely build modules properly.
+#
+# Revision 1.7  2005/04/13 22:52:12  mcr
+# 	moved KLIPS specific snprintf() wrapper to seperate file.
+#
+# Revision 1.6  2004/08/22 05:02:03  mcr
+# 	organized symbols such that it is easier to build modules.
+#
+# Revision 1.5  2004/08/18 01:43:56  mcr
+# 	adjusted makefile enumation so that it can be used by module
+# 	wrapper.
+#
+# Revision 1.4  2004/08/17 03:27:23  mcr
+# 	klips 2.6 edits.
+#
+# Revision 1.3  2004/08/04 16:50:13  mcr
+# 	removed duplicate definition of dx86unix.o
+#
+# Revision 1.2  2004/08/03 18:21:09  mcr
+# 	only set KLIPS_TOP and OPENSWANSRCDIR if not already set.
+#
+# Revision 1.1  2004/07/26 15:02:22  mcr
+# 	makefile for KLIPS module for 2.6.
+#
+# Revision 1.3  2004/02/24 17:17:04  mcr
+# 	s/CONFIG_IPSEC/CONFIG_KLIPS/ as 26sec uses "CONFIG_IPSEC" to
+# 	turn it on/off as well.
+#
+# Revision 1.2  2004/02/22 06:50:42  mcr
+# 	kernel 2.6 port - merged with 2.4 code.
+#
+# Revision 1.1.2.1  2004/02/20 02:07:53  mcr
+# 	module configuration for KLIPS 2.6
+#
+#
+# Local Variables:
+# compile-command: "(cd ../../.. && source umlsetup.sh && make -C ${POOLSPACE} module/ipsec.o)"
+# End Variables:
+#
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/README-zlib     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,147 @@
+zlib 1.1.4 is a general purpose data compression library.  All the code
+is thread safe.  The data format used by the zlib library
+is described by RFCs (Request for Comments) 1950 to 1952 in the files 
+http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate
+format) and rfc1952.txt (gzip format). These documents are also available in
+other formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html
+
+All functions of the compression library are documented in the file zlib.h
+(volunteer to write man pages welcome, contact jloup@gzip.org). A usage
+example of the library is given in the file example.c which also tests that
+the library is working correctly. Another example is given in the file
+minigzip.c. The compression library itself is composed of all source files
+except example.c and minigzip.c.
+
+To compile all files and run the test program, follow the instructions
+given at the top of Makefile. In short "make test; make install"
+should work for most machines. For Unix: "./configure; make test; make install"
+For MSDOS, use one of the special makefiles such as Makefile.msc.
+For VMS, use Make_vms.com or descrip.mms.
+
+Questions about zlib should be sent to <zlib@gzip.org>, or to
+Gilles Vollant <info@winimage.com> for the Windows DLL version.
+The zlib home page is http://www.zlib.org or http://www.gzip.org/zlib/
+Before reporting a problem, please check this site to verify that
+you have the latest version of zlib; otherwise get the latest version and
+check whether the problem still exists or not.
+
+PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html
+before asking for help.
+
+Mark Nelson <markn@ieee.org> wrote an article about zlib for the Jan. 1997
+issue of  Dr. Dobb's Journal; a copy of the article is available in
+http://dogma.net/markn/articles/zlibtool/zlibtool.htm
+
+The changes made in version 1.1.4 are documented in the file ChangeLog.
+The only changes made since 1.1.3 are bug corrections:
+
+- ZFREE was repeated on same allocation on some error conditions.
+  This creates a security problem described in
+  http://www.zlib.org/advisory-2002-03-11.txt
+- Returned incorrect error (Z_MEM_ERROR) on some invalid data
+- Avoid accesses before window for invalid distances with inflate window
+  less than 32K.
+- force windowBits > 8 to avoid a bug in the encoder for a window size
+  of 256 bytes. (A complete fix will be available in 1.1.5).
+
+The beta version 1.1.5beta includes many more changes. A new official
+version 1.1.5 will be released as soon as extensive testing has been
+completed on it.
+
+
+Unsupported third party contributions are provided in directory "contrib".
+
+A Java implementation of zlib is available in the Java Development Kit
+http://www.javasoft.com/products/JDK/1.1/docs/api/Package-java.util.zip.html
+See the zlib home page http://www.zlib.org for details.
+
+A Perl interface to zlib written by Paul Marquess <pmarquess@bfsec.bt.co.uk>
+is in the CPAN (Comprehensive Perl Archive Network) sites
+http://www.cpan.org/modules/by-module/Compress/
+
+A Python interface to zlib written by A.M. Kuchling <amk@magnet.com>
+is available in Python 1.5 and later versions, see
+http://www.python.org/doc/lib/module-zlib.html
+
+A zlib binding for TCL written by Andreas Kupries <a.kupries@westend.com>
+is availlable at http://www.westend.com/~kupries/doc/trf/man/man.html
+
+An experimental package to read and write files in .zip format,
+written on top of zlib by Gilles Vollant <info@winimage.com>, is
+available at http://www.winimage.com/zLibDll/unzip.html
+and also in the contrib/minizip directory of zlib.
+
+
+Notes for some targets:
+
+- To build a Windows DLL version, include in a DLL project zlib.def, zlib.rc
+  and all .c files except example.c and minigzip.c; compile with -DZLIB_DLL
+  The zlib DLL support was initially done by Alessandro Iacopetti and is
+  now maintained by Gilles Vollant <info@winimage.com>. Check the zlib DLL
+  home page at http://www.winimage.com/zLibDll
+
+  From Visual Basic, you can call the DLL functions which do not take
+  a structure as argument: compress, uncompress and all gz* functions.
+  See contrib/visual-basic.txt for more information, or get
+  http://www.tcfb.com/dowseware/cmp-z-it.zip
+
+- For 64-bit Irix, deflate.c must be compiled without any optimization.
+  With -O, one libpng test fails. The test works in 32 bit mode (with
+  the -n32 compiler flag). The compiler bug has been reported to SGI.
+
+- zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1   
+  it works when compiled with cc.
+
+- on Digital Unix 4.0D (formely OSF/1) on AlphaServer, the cc option -std1
+  is necessary to get gzprintf working correctly. This is done by configure.
+
+- zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works
+  with other compilers. Use "make test" to check your compiler.
+
+- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers.
+
+- For Turbo C the small model is supported only with reduced performance to
+  avoid any far allocation; it was tested with -DMAX_WBITS=11 -DMAX_MEM_LEVEL=3
+
+- For PalmOs, see http://www.cs.uit.no/~perm/PASTA/pilot/software.html
+  Per Harald Myrvang <perm@stud.cs.uit.no>
+
+
+Acknowledgments:
+
+  The deflate format used by zlib was defined by Phil Katz. The deflate
+  and zlib specifications were written by L. Peter Deutsch. Thanks to all the
+  people who reported problems and suggested various improvements in zlib;
+  they are too numerous to cite here.
+
+Copyright notice:
+
+ (C) 1995-2002 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  jloup@gzip.org          madler@alumni.caltech.edu
+
+If you use the zlib library in a product, we would appreciate *not*
+receiving lengthy legal documents to sign. The sources are provided
+for free but without warranty of any kind.  The library has been
+entirely written by Jean-loup Gailly and Mark Adler; it does not
+include third-party code.
+
+If you redistribute modified sources, we would appreciate that you include
+in the file ChangeLog history information documenting your changes.
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/README-zlib.freeswan     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,13 @@
+The only changes made to these files for use in FreeS/WAN are:
+
+ - In zconf.h, macros are defined to prefix global symbols with "ipcomp_"
+   (or "_ipcomp"), when compiled with -DIPCOMP_PREFIX.
+ - The copyright strings are defined local (static)
+
+ The above changes are made to avoid name collisions with ppp_deflate
+ and ext2compr.
+
+ - Files not needed for FreeS/WAN have been removed
+
+ See the "README" file for information about where to obtain the complete
+ zlib package.
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/addrtoa.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,67 @@
+/*
+ * addresses to ASCII
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: addrtoa.c,v 1.10 2004/07/10 07:43:47 mcr Exp $
+ */
+#include "openswan.h"
+
+#define	NBYTES	4		/* bytes in an address */
+#define	PERBYTE	4		/* three digits plus a dot or NUL */
+#define	BUFLEN	(NBYTES*PERBYTE)
+
+#if BUFLEN != ADDRTOA_BUF
+#error	"ADDRTOA_BUF in openswan.h inconsistent with addrtoa() code"
+#endif
+
+/*
+ - addrtoa - convert binary address to ASCII dotted decimal
+ */
+size_t				/* space needed for full conversion */
+addrtoa(addr, format, dst, dstlen)
+struct in_addr addr;
+int format;			/* character */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	unsigned long a = ntohl(addr.s_addr);
+	int i;
+	size_t n;
+	unsigned long byte;
+	char buf[BUFLEN];
+	char *p;
+
+	switch (format) {
+	case 0:
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	p = buf;
+	for (i = NBYTES-1; i >= 0; i--) {
+		byte = (a >> (i*8)) & 0xff;
+		p += ultoa(byte, 10, p, PERBYTE);
+		if (i != 0)
+			*(p-1) = '.';
+	}
+	n = p - buf;
+
+	if (dstlen > 0) {
+		if (n > dstlen)
+			buf[dstlen - 1] = '\0';
+		strcpy(dst, buf);
+	}
+	return n;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/addrtot.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,423 @@
+/*
+ * addresses to text
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: addrtot.c,v 1.22.2.1 2005/11/17 22:30:49 paul Exp $
+ */
+
+#if defined(__KERNEL__) && defined(__HAVE_ARCH_STRSTR)
+#include <linux/string.h>
+#endif
+
+#include "openswan.h"
+
+#define	IP4BYTES	4	/* bytes in an IPv4 address */
+#define	PERBYTE		4	/* three digits plus a dot or NUL */
+#define	IP6BYTES	16	/* bytes in an IPv6 address */
+
+/* forwards */
+static size_t normal4(const unsigned char *s, size_t len, char *b, char **dp);
+static size_t normal6(const unsigned char *s, size_t len, char *b, char **dp, int squish);
+static size_t reverse4(const unsigned char *s, size_t len, char *b, char **dp);
+static size_t reverse6(const unsigned char *s, size_t len, char *b, char **dp);
+
+#if defined(__KERNEL__) && !defined(__HAVE_ARCH_STRSTR) 
+#define strstr ipsec_strstr
+/*
+ * Find the first occurrence of find in s.
+ * (from NetBSD 1.6's /src/lib/libc/string/strstr.c)
+ */
+static char *
+strstr(s, find)
+	const char *s, *find;
+{
+	char c, sc;
+	size_t len;
+
+	if ((c = *find++) != 0) {
+		len = strlen(find);
+		do {
+			do {
+				if ((sc = *s++) == 0)
+					return (NULL);
+			} while (sc != c);
+		} while (strncmp(s, find, len) != 0);
+		s--;
+	}
+	/* LINTED interface specification */
+	return ((char *)s);
+}
+#endif
+
+/*
+ - addrtot - convert binary address to text (dotted decimal or IPv6 string)
+ */
+size_t				/* space needed for full conversion */
+addrtot(src, format, dst, dstlen)
+const ip_address *src;
+int format;			/* character */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	const unsigned char *b;
+	size_t n;
+	char buf[1+ADDRTOT_BUF+1];	/* :address: */
+	char *p;
+	int t = addrtypeof(src);
+#	define	TF(t, f)	(((t)<<8) | (f))
+
+	n = addrbytesptr(src, &b);
+	if (n == 0) {
+	bad:
+	  dst[0]='\0';
+	  strncat(dst, "<invalid>", dstlen);
+	  return sizeof("<invalid>");
+	}
+
+	switch (TF(t, format)) {
+	case TF(AF_INET, 0):
+		n = normal4(b, n, buf, &p);
+		break;
+	case TF(AF_INET6, 0):
+		n = normal6(b, n, buf, &p, 1);
+		break;
+	case TF(AF_INET, 'Q'):
+		n = normal4(b, n, buf, &p);
+		break;
+	case TF(AF_INET6, 'Q'):
+		n = normal6(b, n, buf, &p, 0);
+		break;
+	case TF(AF_INET, 'r'):
+		n = reverse4(b, n, buf, &p);
+		break;
+	case TF(AF_INET6, 'r'):
+		n = reverse6(b, n, buf, &p);
+		break;
+	default:		/* including (AF_INET, 'R') */
+	        goto bad;
+		break;
+	}
+
+	if (dstlen > 0) {
+		if (dstlen < n)
+			p[dstlen - 1] = '\0';
+		strcpy(dst, p);
+	}
+	return n;
+}
+
+/*
+ - normal4 - normal IPv4 address-text conversion
+ */
+static size_t			/* size of text, including NUL */
+normal4(srcp, srclen, buf, dstp)
+const unsigned char *srcp;
+size_t srclen;
+char *buf;			/* guaranteed large enough */
+char **dstp;			/* where to put result pointer */
+{
+	int i;
+	char *p;
+
+	if (srclen != IP4BYTES)	/* "can't happen" */
+		return 0;
+	p = buf;
+	for (i = 0; i < IP4BYTES; i++) {
+		p += ultot(srcp[i], 10, p, PERBYTE);
+		if (i != IP4BYTES - 1)
+			*(p-1) = '.';	/* overwrites the NUL */
+	}
+	*dstp = buf;
+	return p - buf;
+}
+
+/*
+ - normal6 - normal IPv6 address-text conversion
+ */
+static size_t			/* size of text, including NUL */
+normal6(srcp, srclen, buf, dstp, squish)
+const unsigned char *srcp;
+size_t srclen;
+char *buf;			/* guaranteed large enough, plus 2 */
+char **dstp;			/* where to put result pointer */
+int    squish;                  /* whether to squish out 0:0 */
+{
+	int i;
+	unsigned long piece;
+	char *p;
+	char *q;
+
+	if (srclen != IP6BYTES)	/* "can't happen" */
+		return 0;
+	p = buf;
+	*p++ = ':';
+	for (i = 0; i < IP6BYTES/2; i++) {
+		piece = (srcp[2*i] << 8) + srcp[2*i + 1];
+		p += ultot(piece, 16, p, 5);	/* 5 = abcd + NUL */
+		*(p-1) = ':';	/* overwrites the NUL */
+	}
+	*p = '\0';
+	q = strstr(buf, ":0:0:");
+	if (squish && q != NULL) {	/* zero squishing is possible */
+		p = q + 1;
+		while (*p == '0' && *(p+1) == ':')
+			p += 2;
+		q++;
+		*q++ = ':';	/* overwrite first 0 */
+		while (*p != '\0')
+			*q++ = *p++;
+		*q = '\0';
+		if (!(*(q-1) == ':' && *(q-2) == ':'))
+			*--q = '\0';	/* strip final : unless :: */
+		p = buf;
+		if (!(*p == ':' && *(p+1) == ':'))
+			p++;	/* skip initial : unless :: */
+	} else {
+		q = p;
+		*--q = '\0';	/* strip final : */
+		p = buf + 1;	/* skip initial : */
+	}
+	*dstp = p;
+	return q - p + 1;
+}
+
+/*
+ - reverse4 - IPv4 reverse-lookup conversion
+ */
+static size_t			/* size of text, including NUL */
+reverse4(srcp, srclen, buf, dstp)
+const unsigned char *srcp;
+size_t srclen;
+char *buf;			/* guaranteed large enough */
+char **dstp;			/* where to put result pointer */
+{
+	int i;
+	char *p;
+
+	if (srclen != IP4BYTES)	/* "can't happen" */
+		return 0;
+	p = buf;
+	for (i = IP4BYTES-1; i >= 0; i--) {
+		p += ultot(srcp[i], 10, p, PERBYTE);
+		*(p-1) = '.';	/* overwrites the NUL */
+	}
+	strcpy(p, "IN-ADDR.ARPA.");
+	*dstp = buf;
+	return strlen(buf) + 1;
+}
+
+/*
+ - reverse6 - IPv6 reverse-lookup conversion (RFC 1886)
+ * A trifle inefficient, really shouldn't use ultot...
+ */
+static size_t			/* size of text, including NUL */
+reverse6(srcp, srclen, buf, dstp)
+const unsigned char *srcp;
+size_t srclen;
+char *buf;			/* guaranteed large enough */
+char **dstp;			/* where to put result pointer */
+{
+	int i;
+	unsigned long piece;
+	char *p;
+
+	if (srclen != IP6BYTES)	/* "can't happen" */
+		return 0;
+	p = buf;
+	for (i = IP6BYTES-1; i >= 0; i--) {
+		piece = srcp[i];
+		p += ultot(piece&0xf, 16, p, 2);
+		*(p-1) = '.';
+		p += ultot(piece>>4, 16, p, 2);
+		*(p-1) = '.';
+	}
+	strcpy(p, "IP6.ARPA.");
+	*dstp = buf;
+	return strlen(buf) + 1;
+}
+
+/*
+ - reverse6 - modern IPv6 reverse-lookup conversion (RFC 2874)
+ * this version removed as it was obsoleted in the end.
+ */
+
+#ifdef ADDRTOT_MAIN
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+void regress(void);
+
+int
+main(int argc, char *argv[])
+{
+	if (argc < 2) {
+		fprintf(stderr, "Usage: %s {addr|net/mask|begin...end|-r}\n",
+								argv[0]);
+		exit(2);
+	}
+
+	if (strcmp(argv[1], "-r") == 0) {
+		regress();
+		fprintf(stderr, "regress() returned?!?\n");
+		exit(1);
+	}
+	exit(0);
+}
+
+struct rtab {
+	char *input;
+        char  format;
+	char *output;			/* NULL means error expected */
+} rtab[] = {
+	{"1.2.3.0",			0, "1.2.3.0"},
+	{"1:2::3:4",                    0, "1:2::3:4"},
+	{"1:2::3:4",                   'Q', "1:2:0:0:0:0:3:4"},
+	{"1:2:0:0:3:4:0:0",             0, "1:2::3:4:0:0"},
+	{"1.2.3.4",                    'r' , "4.3.2.1.IN-ADDR.ARPA."},
+ 	/*                                    0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f */
+	{"1:2::3:4",                   'r', "4.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.0.0.0.IP6.ARPA."},
+	 {NULL,				0, NULL}
+};
+
+void
+regress()
+{
+	struct rtab *r;
+	int status = 0;
+	ip_address a;
+	char in[100];
+	char buf[100];
+	const char *oops;
+	size_t n;
+
+	for (r = rtab; r->input != NULL; r++) {
+		strcpy(in, r->input);
+
+		/* convert it *to* internal format */
+		oops = ttoaddr(in, strlen(in), 0, &a);
+
+		/* now convert it back */
+
+		n = addrtot(&a, r->format, buf, sizeof(buf));
+
+		if (n == 0 && r->output == NULL)
+			{}		/* okay, error expected */
+		
+		else if (n == 0) {
+			printf("`%s' atoasr failed\n", r->input);
+			status = 1;
+			
+		} else if (r->output == NULL) {
+			printf("`%s' atoasr succeeded unexpectedly '%c'\n",
+							r->input, r->format);
+			status = 1;
+		} else {
+		  if (strcasecmp(r->output, buf) != 0) {
+		    printf("`%s' '%c' gave `%s', expected `%s'\n",
+			   r->input, r->format, buf, r->output);
+		    status = 1;
+		  }
+		}
+	}
+	exit(status);
+}
+
+#endif /* ADDRTOT_MAIN */
+
+/*
+ * $Log: addrtot.c,v $
+ * Revision 1.22.2.1  2005/11/17 22:30:49  paul
+ * pull up strstr fix from head.
+ *
+ * Revision 1.22  2005/05/20 16:47:40  mcr
+ * 	make strstr static if we need it.
+ *
+ * Revision 1.21  2005/03/21 00:35:12  mcr
+ *     test for strstr properly
+ *
+ * Revision 1.20  2004/11/09 22:52:20  mcr
+ * 	until we figure out which kernels have strsep and which
+ * 	do not (UML does not under certain circumstances), then
+ * 	let's just provide our own.
+ *
+ * Revision 1.19  2004/10/08 16:30:33  mcr
+ * 	pull-up of initial crypto-offload work.
+ *
+ * Revision 1.18  2004/09/18 19:33:08  mcr
+ * 	use an appropriate kernel happy ifdef for strstr.
+ *
+ * Revision 1.17  2004/09/15 21:49:02  mcr
+ * 	use local copy of strstr() if this is going in the kernel.
+ * 	Not clear why this worked before, or why this shows up
+ * 	for modules only.
+ *
+ * Revision 1.16  2004/07/10 07:43:47  mcr
+ * Moved from linux/lib/libfreeswan/addrtot.c,v
+ *
+ * Revision 1.15  2004/04/11 17:39:25  mcr
+ * 	removed internal.h requirements.
+ *
+ * Revision 1.14  2004/03/08 01:59:08  ken
+ * freeswan.h -> openswan.h
+ *
+ * Revision 1.13  2004/01/05 23:21:05  mcr
+ * 	if the address type is invalid, then return length of <invalid>
+ * 	string!
+ *
+ * Revision 1.12  2003/12/30 06:42:48  mcr
+ * 	added $Log: addrtot.c,v $
+ * 	added Revision 1.22.2.1  2005/11/17 22:30:49  paul
+ * 	added pull up strstr fix from head.
+ * 	added
+ * 	added Revision 1.22  2005/05/20 16:47:40  mcr
+ * 	added 	make strstr static if we need it.
+ * 	added
+ * 	added Revision 1.21  2005/03/21 00:35:12  mcr
+ * 	added     test for strstr properly
+ * 	added
+ * 	added Revision 1.20  2004/11/09 22:52:20  mcr
+ * 	added 	until we figure out which kernels have strsep and which
+ * 	added 	do not (UML does not under certain circumstances), then
+ * 	added 	let's just provide our own.
+ * 	added
+ * 	added Revision 1.19  2004/10/08 16:30:33  mcr
+ * 	added 	pull-up of initial crypto-offload work.
+ * 	added
+ * 	added Revision 1.18  2004/09/18 19:33:08  mcr
+ * 	added 	use an appropriate kernel happy ifdef for strstr.
+ * 	added
+ * 	added Revision 1.17  2004/09/15 21:49:02  mcr
+ * 	added 	use local copy of strstr() if this is going in the kernel.
+ * 	added 	Not clear why this worked before, or why this shows up
+ * 	added 	for modules only.
+ * 	added
+ * 	added Revision 1.16  2004/07/10 07:43:47  mcr
+ * 	added Moved from linux/lib/libfreeswan/addrtot.c,v
+ * 	added
+ * 	added Revision 1.15  2004/04/11 17:39:25  mcr
+ * 	added 	removed internal.h requirements.
+ * 	added
+ * 	added Revision 1.14  2004/03/08 01:59:08  ken
+ * 	added freeswan.h -> openswan.h
+ * 	added
+ * 	added Revision 1.13  2004/01/05 23:21:05  mcr
+ * 	added 	if the address type is invalid, then return length of <invalid>
+ * 	added 	string!
+ * 	added
+ *
+ *
+ */
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/addrtypeof.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,93 @@
+/*
+ * extract parts of an ip_address
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: addrtypeof.c,v 1.10 2004/07/10 07:43:47 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - addrtypeof - get the type of an ip_address
+ */
+int
+addrtypeof(src)
+const ip_address *src;
+{
+	return src->u.v4.sin_family;
+}
+
+/*
+ - addrbytesptr - get pointer to the address bytes of an ip_address
+ */
+size_t				/* 0 for error */
+addrbytesptr(src, dstp)
+const ip_address *src;
+const unsigned char **dstp;	/* NULL means just a size query */
+{
+	const unsigned char *p;
+	size_t n;
+
+	switch (src->u.v4.sin_family) {
+	case AF_INET:
+		p = (const unsigned char *)&src->u.v4.sin_addr.s_addr;
+		n = 4;
+		break;
+	case AF_INET6:
+		p = (const unsigned char *)&src->u.v6.sin6_addr;
+		n = 16;
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	if (dstp != NULL)
+		*dstp = p;
+	return n;
+}
+
+/*
+ - addrlenof - get length of the address bytes of an ip_address
+ */
+size_t				/* 0 for error */
+addrlenof(src)
+const ip_address *src;
+{
+	return addrbytesptr(src, NULL);
+}
+
+/*
+ - addrbytesof - get the address bytes of an ip_address
+ */
+size_t				/* 0 for error */
+addrbytesof(src, dst, dstlen)
+const ip_address *src;
+unsigned char *dst;
+size_t dstlen;
+{
+	const unsigned char *p;
+	size_t n;
+	size_t ncopy;
+
+	n = addrbytesptr(src, &p);
+	if (n == 0)
+		return 0;
+
+	if (dstlen > 0) {
+		ncopy = n;
+		if (ncopy > dstlen)
+			ncopy = dstlen;
+		memcpy(dst, p, ncopy);
+	}
+	return n;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/adler32.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,49 @@
+/* adler32.c -- compute the Adler-32 checksum of a data stream
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* @(#) $Id: adler32.c,v 1.6 2004/07/10 19:11:18 mcr Exp $ */
+
+#include <zlib/zlib.h>
+#include <zlib/zconf.h>
+
+#define BASE 65521L /* largest prime smaller than 65536 */
+#define NMAX 5552
+/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */
+
+#define DO1(buf,i)  {s1 += buf[i]; s2 += s1;}
+#define DO2(buf,i)  DO1(buf,i); DO1(buf,i+1);
+#define DO4(buf,i)  DO2(buf,i); DO2(buf,i+2);
+#define DO8(buf,i)  DO4(buf,i); DO4(buf,i+4);
+#define DO16(buf)   DO8(buf,0); DO8(buf,8);
+
+/* ========================================================================= */
+uLong ZEXPORT adler32(adler, buf, len)
+    uLong adler;
+    const Bytef *buf;
+    uInt len;
+{
+    unsigned long s1 = adler & 0xffff;
+    unsigned long s2 = (adler >> 16) & 0xffff;
+    int k;
+
+    if (buf == Z_NULL) return 1L;
+
+    while (len > 0) {
+        k = len < NMAX ? len : NMAX;
+        len -= k;
+        while (k >= 16) {
+            DO16(buf);
+	    buf += 16;
+            k -= 16;
+        }
+        if (k != 0) do {
+            s1 += *buf++;
+	    s2 += s1;
+        } while (--k);
+        s1 %= BASE;
+        s2 %= BASE;
+    }
+    return (s2 << 16) | s1;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/Makefile     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,59 @@
+# Makefile for KLIPS 3DES kernel code as a module    for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# Copyright (C) 2002-2004	Michael Richardson <mcr@xelerance.com>
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile.fs2_6,v 1.1.10.1 2005/08/12 16:10:05 ken Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+# unless it's something special (ie not a .c file).
+#
+
+obj-$(CONFIG_KLIPS_ENC_AES) += ipsec_alg_aes.o
+obj-$(CONFIG_KLIPS_ENC_AES) += aes_xcbc_mac.o
+obj-$(CONFIG_KLIPS_ENC_AES) += aes_cbc.o
+
+ifeq ($(strip ${SUBARCH}),)
+SUBARCH:=${ARCH}
+endif
+
+# the assembly version expects frame pointers, which are
+# optional in many kernel builds. If you want speed, you should
+# probably use cryptoapi code instead.
+USEASSEMBLY=${SUBARCH}${CONFIG_FRAME_POINTER}
+ifeq (${USEASSEMBLY},i386y)
+obj-$(CONFIG_KLIPS_ENC_AES) += aes-i586.o
+else
+obj-$(CONFIG_KLIPS_ENC_AES) += aes.o
+endif
+
+
+#
+# $Log: Makefile.fs2_6,v $
+# Revision 1.1.10.1  2005/08/12 16:10:05  ken
+# do not use assembly code with there are no frame pointers
+#
+# Revision 1.2  2005/08/12 14:13:58  mcr
+# 	do not use assembly code with there are no frame pointers,
+# 	as it does not have the right linkages.
+#
+# Revision 1.1  2004/08/17 03:31:34  mcr
+# 	klips 2.6 edits.
+#
+#
+# Local Variables:
+# compile-command: "(cd ../../.. && source umlsetup.sh && make -C ${POOLSPACE} module/ipsec.o)"
+# End Variables:
+#
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/aes-i586.S     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,892 @@
+//
+// Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
+// All rights reserved.
+//
+// TERMS
+//
+//  Redistribution and use in source and binary forms, with or without
+//  modification, are permitted subject to the following conditions:
+//
+//  1. Redistributions of source code must retain the above copyright
+//     notice, this list of conditions and the following disclaimer.
+//
+//  2. Redistributions in binary form must reproduce the above copyright
+//     notice, this list of conditions and the following disclaimer in the
+//     documentation and/or other materials provided with the distribution.
+//
+//  3. The copyright holder's name must not be used to endorse or promote
+//     any products derived from this software without his specific prior
+//     written permission.
+//
+//  This software is provided 'as is' with no express or implied warranties
+//  of correctness or fitness for purpose.
+
+// Modified by Jari Ruusu,  December 24 2001
+//  - Converted syntax to GNU CPP/assembler syntax
+//  - C programming interface converted back to "old" API
+//  - Minor portability cleanups and speed optimizations
+
+// An AES (Rijndael) implementation for the Pentium. This version only
+// implements the standard AES block length (128 bits, 16 bytes). This code
+// does not preserve the eax, ecx or edx registers or the artihmetic status
+// flags. However, the ebx, esi, edi, and ebp registers are preserved across
+// calls.
+
+// void aes_set_key(aes_context *cx, const unsigned char key[], const int key_len, const int f)
+// void aes_encrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
+// void aes_decrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
+
+#if defined(USE_UNDERLINE)
+# define aes_set_key _aes_set_key
+# define aes_encrypt _aes_encrypt
+# define aes_decrypt _aes_decrypt
+#endif
+#if !defined(ALIGN32BYTES)
+# define ALIGN32BYTES 32
+#endif
+
+	.file	"aes-i586.S"
+	.globl	aes_set_key
+	.globl	aes_encrypt
+	.globl	aes_decrypt
+
+#define tlen	1024	// length of each of 4 'xor' arrays (256 32-bit words)
+
+// offsets to parameters with one register pushed onto stack
+
+#define ctx	8	// AES context structure
+#define in_blk	12	// input byte array address parameter
+#define out_blk	16	// output byte array address parameter
+
+// offsets in context structure
+
+#define nkey	0	// key length, size 4
+#define nrnd	4	// number of rounds, size 4
+#define ekey	8	// encryption key schedule base address, size 256
+#define dkey	264	// decryption key schedule base address, size 256
+
+// This macro performs a forward encryption cycle. It is entered with
+// the first previous round column values in %eax, %ebx, %esi and %edi and
+// exits with the final values in the same registers.
+
+#define fwd_rnd(p1,p2)			 \
+	mov	%ebx,(%esp)		;\
+	movzbl	%al,%edx		;\
+	mov	%eax,%ecx		;\
+	mov	p2(%ebp),%eax		;\
+	mov	%edi,4(%esp)		;\
+	mov	p2+12(%ebp),%edi	;\
+	xor	p1(,%edx,4),%eax	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	mov	p2+4(%ebp),%ebx		;\
+	xor	p1+tlen(,%edx,4),%edi	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+3*tlen(,%ecx,4),%ebx	;\
+	mov	%esi,%ecx		;\
+	mov	p1+2*tlen(,%edx,4),%esi	;\
+	movzbl	%cl,%edx		;\
+	xor	p1(,%edx,4),%esi	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	xor	p1+tlen(,%edx,4),%ebx	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+2*tlen(,%edx,4),%eax	;\
+	mov	(%esp),%edx		;\
+	xor	p1+3*tlen(,%ecx,4),%edi ;\
+	movzbl	%dl,%ecx		;\
+	xor	p2+8(%ebp),%esi		;\
+	xor	p1(,%ecx,4),%ebx	;\
+	movzbl	%dh,%ecx		;\
+	shr	$16,%edx		;\
+	xor	p1+tlen(,%ecx,4),%eax	;\
+	movzbl	%dl,%ecx		;\
+	movzbl	%dh,%edx		;\
+	xor	p1+2*tlen(,%ecx,4),%edi	;\
+	mov	4(%esp),%ecx		;\
+	xor	p1+3*tlen(,%edx,4),%esi ;\
+	movzbl	%cl,%edx		;\
+	xor	p1(,%edx,4),%edi	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	xor	p1+tlen(,%edx,4),%esi	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+2*tlen(,%edx,4),%ebx	;\
+	xor	p1+3*tlen(,%ecx,4),%eax
+
+// This macro performs an inverse encryption cycle. It is entered with
+// the first previous round column values in %eax, %ebx, %esi and %edi and
+// exits with the final values in the same registers.
+
+#define inv_rnd(p1,p2)			 \
+	movzbl	%al,%edx		;\
+	mov	%ebx,(%esp)		;\
+	mov	%eax,%ecx		;\
+	mov	p2(%ebp),%eax		;\
+	mov	%edi,4(%esp)		;\
+	mov	p2+4(%ebp),%ebx		;\
+	xor	p1(,%edx,4),%eax	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	mov	p2+12(%ebp),%edi	;\
+	xor	p1+tlen(,%edx,4),%ebx	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+3*tlen(,%ecx,4),%edi	;\
+	mov	%esi,%ecx		;\
+	mov	p1+2*tlen(,%edx,4),%esi	;\
+	movzbl	%cl,%edx		;\
+	xor	p1(,%edx,4),%esi	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	xor	p1+tlen(,%edx,4),%edi	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+2*tlen(,%edx,4),%eax	;\
+	mov	(%esp),%edx		;\
+	xor	p1+3*tlen(,%ecx,4),%ebx ;\
+	movzbl	%dl,%ecx		;\
+	xor	p2+8(%ebp),%esi		;\
+	xor	p1(,%ecx,4),%ebx	;\
+	movzbl	%dh,%ecx		;\
+	shr	$16,%edx		;\
+	xor	p1+tlen(,%ecx,4),%esi	;\
+	movzbl	%dl,%ecx		;\
+	movzbl	%dh,%edx		;\
+	xor	p1+2*tlen(,%ecx,4),%edi	;\
+	mov	4(%esp),%ecx		;\
+	xor	p1+3*tlen(,%edx,4),%eax ;\
+	movzbl	%cl,%edx		;\
+	xor	p1(,%edx,4),%edi	;\
+	movzbl	%ch,%edx		;\
+	shr	$16,%ecx		;\
+	xor	p1+tlen(,%edx,4),%eax	;\
+	movzbl	%cl,%edx		;\
+	movzbl	%ch,%ecx		;\
+	xor	p1+2*tlen(,%edx,4),%ebx	;\
+	xor	p1+3*tlen(,%ecx,4),%esi
+
+// AES (Rijndael) Encryption Subroutine
+
+	.text
+	.align	ALIGN32BYTES
+aes_encrypt:
+	push	%ebp
+	mov	ctx(%esp),%ebp		// pointer to context
+	mov	in_blk(%esp),%ecx
+	push	%ebx
+	push	%esi
+	push	%edi
+	mov	nrnd(%ebp),%edx		// number of rounds
+	lea	ekey+16(%ebp),%ebp	// key pointer
+
+// input four columns and xor in first round key
+
+	mov	(%ecx),%eax
+	mov	4(%ecx),%ebx
+	mov	8(%ecx),%esi
+	mov	12(%ecx),%edi
+	xor	-16(%ebp),%eax
+	xor	-12(%ebp),%ebx
+	xor	-8(%ebp),%esi
+	xor	-4(%ebp),%edi
+
+	sub	$8,%esp			// space for register saves on stack
+
+	sub	$10,%edx
+	je	aes_15
+	add	$32,%ebp
+	sub	$2,%edx
+	je	aes_13
+	add	$32,%ebp
+
+	fwd_rnd(aes_ft_tab,-64)		// 14 rounds for 256-bit key
+	fwd_rnd(aes_ft_tab,-48)
+aes_13:	fwd_rnd(aes_ft_tab,-32)		// 12 rounds for 192-bit key
+	fwd_rnd(aes_ft_tab,-16)
+aes_15:	fwd_rnd(aes_ft_tab,0)		// 10 rounds for 128-bit key
+	fwd_rnd(aes_ft_tab,16)
+	fwd_rnd(aes_ft_tab,32)
+	fwd_rnd(aes_ft_tab,48)
+	fwd_rnd(aes_ft_tab,64)
+	fwd_rnd(aes_ft_tab,80)
+	fwd_rnd(aes_ft_tab,96)
+	fwd_rnd(aes_ft_tab,112)
+	fwd_rnd(aes_ft_tab,128)
+	fwd_rnd(aes_fl_tab,144)		// last round uses a different table
+
+// move final values to the output array.
+
+	mov	out_blk+20(%esp),%ebp
+	add	$8,%esp
+	mov	%eax,(%ebp)
+	mov	%ebx,4(%ebp)
+	mov	%esi,8(%ebp)
+	mov	%edi,12(%ebp)
+	pop	%edi
+	pop	%esi
+	pop	%ebx
+	pop	%ebp
+	ret
+
+
+// AES (Rijndael) Decryption Subroutine
+
+	.align	ALIGN32BYTES
+aes_decrypt:
+	push	%ebp
+	mov	ctx(%esp),%ebp		// pointer to context
+	mov	in_blk(%esp),%ecx
+	push	%ebx
+	push	%esi
+	push	%edi
+	mov	nrnd(%ebp),%edx		// number of rounds
+	lea	dkey+16(%ebp),%ebp	// key pointer
+
+// input four columns and xor in first round key
+
+	mov	(%ecx),%eax
+	mov	4(%ecx),%ebx
+	mov	8(%ecx),%esi
+	mov	12(%ecx),%edi
+	xor	-16(%ebp),%eax
+	xor	-12(%ebp),%ebx
+	xor	-8(%ebp),%esi
+	xor	-4(%ebp),%edi
+
+	sub	$8,%esp			// space for register saves on stack
+
+	sub	$10,%edx
+	je	aes_25
+	add	$32,%ebp
+	sub	$2,%edx
+	je	aes_23
+	add	$32,%ebp
+
+	inv_rnd(aes_it_tab,-64)		// 14 rounds for 256-bit key
+	inv_rnd(aes_it_tab,-48)
+aes_23:	inv_rnd(aes_it_tab,-32)		// 12 rounds for 192-bit key
+	inv_rnd(aes_it_tab,-16)
+aes_25:	inv_rnd(aes_it_tab,0)		// 10 rounds for 128-bit key
+	inv_rnd(aes_it_tab,16)
+	inv_rnd(aes_it_tab,32)
+	inv_rnd(aes_it_tab,48)
+	inv_rnd(aes_it_tab,64)
+	inv_rnd(aes_it_tab,80)
+	inv_rnd(aes_it_tab,96)
+	inv_rnd(aes_it_tab,112)
+	inv_rnd(aes_it_tab,128)
+	inv_rnd(aes_il_tab,144)		// last round uses a different table
+
+// move final values to the output array.
+
+	mov	out_blk+20(%esp),%ebp
+	add	$8,%esp
+	mov	%eax,(%ebp)
+	mov	%ebx,4(%ebp)
+	mov	%esi,8(%ebp)
+	mov	%edi,12(%ebp)
+	pop	%edi
+	pop	%esi
+	pop	%ebx
+	pop	%ebp
+	ret
+
+// AES (Rijndael) Key Schedule Subroutine
+
+// input/output parameters
+
+#define aes_cx	12	// AES context
+#define in_key	16	// key input array address
+#define key_ln	20	// key length, bytes (16,24,32) or bits (128,192,256)
+#define ed_flg	24	// 0=create both encr/decr keys, 1=create encr key only
+
+// offsets for locals
+
+#define cnt	-4
+#define kpf	-8
+#define slen	8
+
+// This macro performs a column mixing operation on an input 32-bit
+// word to give a 32-bit result. It uses each of the 4 bytes in the
+// the input column to index 4 different tables of 256 32-bit words
+// that are xored together to form the output value.
+
+#define mix_col(p1)			 \
+	movzbl	%bl,%ecx		;\
+	mov	p1(,%ecx,4),%eax	;\
+	movzbl	%bh,%ecx		;\
+	ror	$16,%ebx		;\
+	xor	p1+tlen(,%ecx,4),%eax	;\
+	movzbl	%bl,%ecx		;\
+	xor	p1+2*tlen(,%ecx,4),%eax	;\
+	movzbl	%bh,%ecx		;\
+	xor	p1+3*tlen(,%ecx,4),%eax
+
+// Key Schedule Macros
+
+#define ksc4(p1)			 \
+	rol	$24,%ebx		;\
+	mix_col(aes_fl_tab)		;\
+	ror	$8,%ebx			;\
+	xor	4*p1+aes_rcon_tab,%eax	;\
+	xor	%eax,%esi		;\
+	xor	%esi,%ebp		;\
+	mov	%esi,16*p1(%edi)	;\
+	mov	%ebp,16*p1+4(%edi)	;\
+	xor	%ebp,%edx		;\
+	xor	%edx,%ebx		;\
+	mov	%edx,16*p1+8(%edi)	;\
+	mov	%ebx,16*p1+12(%edi)
+
+#define ksc6(p1)			 \
+	rol	$24,%ebx		;\
+	mix_col(aes_fl_tab)		;\
+	ror	$8,%ebx			;\
+	xor	4*p1+aes_rcon_tab,%eax	;\
+	xor	24*p1-24(%edi),%eax	;\
+	mov	%eax,24*p1(%edi)	;\
+	xor	24*p1-20(%edi),%eax	;\
+	mov	%eax,24*p1+4(%edi)	;\
+	xor	%eax,%esi		;\
+	xor	%esi,%ebp		;\
+	mov	%esi,24*p1+8(%edi)	;\
+	mov	%ebp,24*p1+12(%edi)	;\
+	xor	%ebp,%edx		;\
+	xor	%edx,%ebx		;\
+	mov	%edx,24*p1+16(%edi)	;\
+	mov	%ebx,24*p1+20(%edi)
+
+#define ksc8(p1)			 \
+	rol	$24,%ebx		;\
+	mix_col(aes_fl_tab)		;\
+	ror	$8,%ebx			;\
+	xor	4*p1+aes_rcon_tab,%eax	;\
+	xor	32*p1-32(%edi),%eax	;\
+	mov	%eax,32*p1(%edi)	;\
+	xor	32*p1-28(%edi),%eax	;\
+	mov	%eax,32*p1+4(%edi)	;\
+	xor	32*p1-24(%edi),%eax	;\
+	mov	%eax,32*p1+8(%edi)	;\
+	xor	32*p1-20(%edi),%eax	;\
+	mov	%eax,32*p1+12(%edi)	;\
+	push	%ebx			;\
+	mov	%eax,%ebx		;\
+	mix_col(aes_fl_tab)		;\
+	pop	%ebx			;\
+	xor	%eax,%esi		;\
+	xor	%esi,%ebp		;\
+	mov	%esi,32*p1+16(%edi)	;\
+	mov	%ebp,32*p1+20(%edi)	;\
+	xor	%ebp,%edx		;\
+	xor	%edx,%ebx		;\
+	mov	%edx,32*p1+24(%edi)	;\
+	mov	%ebx,32*p1+28(%edi)
+
+	.align	ALIGN32BYTES
+aes_set_key:
+	pushfl
+	push	%ebp
+	mov	%esp,%ebp
+	sub	$slen,%esp
+	push	%ebx
+	push	%esi
+	push	%edi
+
+	mov	aes_cx(%ebp),%edx	// edx -> AES context
+
+	mov	key_ln(%ebp),%ecx	// key length
+	cmpl	$128,%ecx
+	jb	aes_30
+	shr	$3,%ecx
+aes_30:	cmpl	$32,%ecx
+	je	aes_32
+	cmpl	$24,%ecx
+	je	aes_32
+	mov	$16,%ecx
+aes_32:	shr	$2,%ecx
+	mov	%ecx,nkey(%edx)
+
+	lea	6(%ecx),%eax		// 10/12/14 for 4/6/8 32-bit key length
+	mov	%eax,nrnd(%edx)
+
+	mov	in_key(%ebp),%esi	// key input array
+	lea	ekey(%edx),%edi		// key position in AES context
+	cld
+	push	%ebp
+	mov	%ecx,%eax		// save key length in eax
+	rep ;	movsl			// words in the key schedule
+	mov	-4(%esi),%ebx		// put some values in registers
+	mov	-8(%esi),%edx		// to allow faster code
+	mov	-12(%esi),%ebp
+	mov	-16(%esi),%esi
+
+	cmpl	$4,%eax			// jump on key size
+	je	aes_36
+	cmpl	$6,%eax
+	je	aes_35
+
+	ksc8(0)
+	ksc8(1)
+	ksc8(2)
+	ksc8(3)
+	ksc8(4)
+	ksc8(5)
+	ksc8(6)
+	jmp	aes_37
+aes_35:	ksc6(0)
+	ksc6(1)
+	ksc6(2)
+	ksc6(3)
+	ksc6(4)
+	ksc6(5)
+	ksc6(6)
+	ksc6(7)
+	jmp	aes_37
+aes_36:	ksc4(0)
+	ksc4(1)
+	ksc4(2)
+	ksc4(3)
+	ksc4(4)
+	ksc4(5)
+	ksc4(6)
+	ksc4(7)
+	ksc4(8)
+	ksc4(9)
+aes_37:	pop	%ebp
+	mov	aes_cx(%ebp),%edx	// edx -> AES context
+	cmpl	$0,ed_flg(%ebp)
+	jne	aes_39
+
+// compile decryption key schedule from encryption schedule - reverse
+// order and do mix_column operation on round keys except first and last
+
+	mov	nrnd(%edx),%eax		// kt = cx->d_key + nc * cx->Nrnd
+	shl	$2,%eax
+	lea	dkey(%edx,%eax,4),%edi
+	lea	ekey(%edx),%esi		// kf = cx->e_key
+
+	movsl				// copy first round key (unmodified)
+	movsl
+	movsl
+	movsl
+	sub	$32,%edi
+	movl	$1,cnt(%ebp)
+aes_38:					// do mix column on each column of
+	lodsl				// each round key
+	mov	%eax,%ebx
+	mix_col(aes_im_tab)
+	stosl
+	lodsl
+	mov	%eax,%ebx
+	mix_col(aes_im_tab)
+	stosl
+	lodsl
+	mov	%eax,%ebx
+	mix_col(aes_im_tab)
+	stosl
+	lodsl
+	mov	%eax,%ebx
+	mix_col(aes_im_tab)
+	stosl
+	sub	$32,%edi
+
+	incl	cnt(%ebp)
+	mov	cnt(%ebp),%eax
+	cmp	nrnd(%edx),%eax
+	jb	aes_38
+
+	movsl				// copy last round key (unmodified)
+	movsl
+	movsl
+	movsl
+aes_39:	pop	%edi
+	pop	%esi
+	pop	%ebx
+	mov	%ebp,%esp
+	pop	%ebp
+	popfl
+	ret
+
+
+// finite field multiplies by {02}, {04} and {08}
+
+#define f2(x)	((x<<1)^(((x>>7)&1)*0x11b))
+#define f4(x)	((x<<2)^(((x>>6)&1)*0x11b)^(((x>>6)&2)*0x11b))
+#define f8(x)	((x<<3)^(((x>>5)&1)*0x11b)^(((x>>5)&2)*0x11b)^(((x>>5)&4)*0x11b))
+
+// finite field multiplies required in table generation
+
+#define f3(x)	(f2(x) ^ x)
+#define f9(x)	(f8(x) ^ x)
+#define fb(x)	(f8(x) ^ f2(x) ^ x)
+#define fd(x)	(f8(x) ^ f4(x) ^ x)
+#define fe(x)	(f8(x) ^ f4(x) ^ f2(x))
+
+// These defines generate the forward table entries
+
+#define u0(x)	((f3(x) << 24) | (x << 16) | (x << 8) | f2(x))
+#define u1(x)	((x << 24) | (x << 16) | (f2(x) << 8) | f3(x))
+#define u2(x)	((x << 24) | (f2(x) << 16) | (f3(x) << 8) | x)
+#define u3(x)	((f2(x) << 24) | (f3(x) << 16) | (x << 8) | x)
+
+// These defines generate the inverse table entries
+
+#define v0(x)	((fb(x) << 24) | (fd(x) << 16) | (f9(x) << 8) | fe(x))
+#define v1(x)	((fd(x) << 24) | (f9(x) << 16) | (fe(x) << 8) | fb(x))
+#define v2(x)	((f9(x) << 24) | (fe(x) << 16) | (fb(x) << 8) | fd(x))
+#define v3(x)	((fe(x) << 24) | (fb(x) << 16) | (fd(x) << 8) | f9(x))
+
+// These defines generate entries for the last round tables
+
+#define w0(x)	(x)
+#define w1(x)	(x <<  8)
+#define w2(x)	(x << 16)
+#define w3(x)	(x << 24)
+
+// macro to generate inverse mix column tables (needed for the key schedule)
+
+#define im_data0(p1) \
+	.long	p1(0x00),p1(0x01),p1(0x02),p1(0x03),p1(0x04),p1(0x05),p1(0x06),p1(0x07) ;\
+	.long	p1(0x08),p1(0x09),p1(0x0a),p1(0x0b),p1(0x0c),p1(0x0d),p1(0x0e),p1(0x0f) ;\
+	.long	p1(0x10),p1(0x11),p1(0x12),p1(0x13),p1(0x14),p1(0x15),p1(0x16),p1(0x17) ;\
+	.long	p1(0x18),p1(0x19),p1(0x1a),p1(0x1b),p1(0x1c),p1(0x1d),p1(0x1e),p1(0x1f)
+#define im_data1(p1) \
+	.long	p1(0x20),p1(0x21),p1(0x22),p1(0x23),p1(0x24),p1(0x25),p1(0x26),p1(0x27) ;\
+	.long	p1(0x28),p1(0x29),p1(0x2a),p1(0x2b),p1(0x2c),p1(0x2d),p1(0x2e),p1(0x2f) ;\
+	.long	p1(0x30),p1(0x31),p1(0x32),p1(0x33),p1(0x34),p1(0x35),p1(0x36),p1(0x37) ;\
+	.long	p1(0x38),p1(0x39),p1(0x3a),p1(0x3b),p1(0x3c),p1(0x3d),p1(0x3e),p1(0x3f)
+#define im_data2(p1) \
+	.long	p1(0x40),p1(0x41),p1(0x42),p1(0x43),p1(0x44),p1(0x45),p1(0x46),p1(0x47) ;\
+	.long	p1(0x48),p1(0x49),p1(0x4a),p1(0x4b),p1(0x4c),p1(0x4d),p1(0x4e),p1(0x4f) ;\
+	.long	p1(0x50),p1(0x51),p1(0x52),p1(0x53),p1(0x54),p1(0x55),p1(0x56),p1(0x57) ;\
+	.long	p1(0x58),p1(0x59),p1(0x5a),p1(0x5b),p1(0x5c),p1(0x5d),p1(0x5e),p1(0x5f)
+#define im_data3(p1) \
+	.long	p1(0x60),p1(0x61),p1(0x62),p1(0x63),p1(0x64),p1(0x65),p1(0x66),p1(0x67) ;\
+	.long	p1(0x68),p1(0x69),p1(0x6a),p1(0x6b),p1(0x6c),p1(0x6d),p1(0x6e),p1(0x6f) ;\
+	.long	p1(0x70),p1(0x71),p1(0x72),p1(0x73),p1(0x74),p1(0x75),p1(0x76),p1(0x77) ;\
+	.long	p1(0x78),p1(0x79),p1(0x7a),p1(0x7b),p1(0x7c),p1(0x7d),p1(0x7e),p1(0x7f)
+#define im_data4(p1) \
+	.long	p1(0x80),p1(0x81),p1(0x82),p1(0x83),p1(0x84),p1(0x85),p1(0x86),p1(0x87) ;\
+	.long	p1(0x88),p1(0x89),p1(0x8a),p1(0x8b),p1(0x8c),p1(0x8d),p1(0x8e),p1(0x8f) ;\
+	.long	p1(0x90),p1(0x91),p1(0x92),p1(0x93),p1(0x94),p1(0x95),p1(0x96),p1(0x97) ;\
+	.long	p1(0x98),p1(0x99),p1(0x9a),p1(0x9b),p1(0x9c),p1(0x9d),p1(0x9e),p1(0x9f)
+#define im_data5(p1) \
+	.long	p1(0xa0),p1(0xa1),p1(0xa2),p1(0xa3),p1(0xa4),p1(0xa5),p1(0xa6),p1(0xa7) ;\
+	.long	p1(0xa8),p1(0xa9),p1(0xaa),p1(0xab),p1(0xac),p1(0xad),p1(0xae),p1(0xaf) ;\
+	.long	p1(0xb0),p1(0xb1),p1(0xb2),p1(0xb3),p1(0xb4),p1(0xb5),p1(0xb6),p1(0xb7) ;\
+	.long	p1(0xb8),p1(0xb9),p1(0xba),p1(0xbb),p1(0xbc),p1(0xbd),p1(0xbe),p1(0xbf)
+#define im_data6(p1) \
+	.long	p1(0xc0),p1(0xc1),p1(0xc2),p1(0xc3),p1(0xc4),p1(0xc5),p1(0xc6),p1(0xc7) ;\
+	.long	p1(0xc8),p1(0xc9),p1(0xca),p1(0xcb),p1(0xcc),p1(0xcd),p1(0xce),p1(0xcf) ;\
+	.long	p1(0xd0),p1(0xd1),p1(0xd2),p1(0xd3),p1(0xd4),p1(0xd5),p1(0xd6),p1(0xd7) ;\
+	.long	p1(0xd8),p1(0xd9),p1(0xda),p1(0xdb),p1(0xdc),p1(0xdd),p1(0xde),p1(0xdf)
+#define im_data7(p1) \
+	.long	p1(0xe0),p1(0xe1),p1(0xe2),p1(0xe3),p1(0xe4),p1(0xe5),p1(0xe6),p1(0xe7) ;\
+	.long	p1(0xe8),p1(0xe9),p1(0xea),p1(0xeb),p1(0xec),p1(0xed),p1(0xee),p1(0xef) ;\
+	.long	p1(0xf0),p1(0xf1),p1(0xf2),p1(0xf3),p1(0xf4),p1(0xf5),p1(0xf6),p1(0xf7) ;\
+	.long	p1(0xf8),p1(0xf9),p1(0xfa),p1(0xfb),p1(0xfc),p1(0xfd),p1(0xfe),p1(0xff)
+
+// S-box data - 256 entries
+
+#define sb_data0(p1) \
+	.long	p1(0x63),p1(0x7c),p1(0x77),p1(0x7b),p1(0xf2),p1(0x6b),p1(0x6f),p1(0xc5) ;\
+	.long	p1(0x30),p1(0x01),p1(0x67),p1(0x2b),p1(0xfe),p1(0xd7),p1(0xab),p1(0x76) ;\
+	.long	p1(0xca),p1(0x82),p1(0xc9),p1(0x7d),p1(0xfa),p1(0x59),p1(0x47),p1(0xf0) ;\
+	.long	p1(0xad),p1(0xd4),p1(0xa2),p1(0xaf),p1(0x9c),p1(0xa4),p1(0x72),p1(0xc0)
+#define sb_data1(p1) \
+	.long	p1(0xb7),p1(0xfd),p1(0x93),p1(0x26),p1(0x36),p1(0x3f),p1(0xf7),p1(0xcc) ;\
+	.long	p1(0x34),p1(0xa5),p1(0xe5),p1(0xf1),p1(0x71),p1(0xd8),p1(0x31),p1(0x15) ;\
+	.long	p1(0x04),p1(0xc7),p1(0x23),p1(0xc3),p1(0x18),p1(0x96),p1(0x05),p1(0x9a) ;\
+	.long	p1(0x07),p1(0x12),p1(0x80),p1(0xe2),p1(0xeb),p1(0x27),p1(0xb2),p1(0x75)
+#define sb_data2(p1) \
+	.long	p1(0x09),p1(0x83),p1(0x2c),p1(0x1a),p1(0x1b),p1(0x6e),p1(0x5a),p1(0xa0) ;\
+	.long	p1(0x52),p1(0x3b),p1(0xd6),p1(0xb3),p1(0x29),p1(0xe3),p1(0x2f),p1(0x84) ;\
+	.long	p1(0x53),p1(0xd1),p1(0x00),p1(0xed),p1(0x20),p1(0xfc),p1(0xb1),p1(0x5b) ;\
+	.long	p1(0x6a),p1(0xcb),p1(0xbe),p1(0x39),p1(0x4a),p1(0x4c),p1(0x58),p1(0xcf)
+#define sb_data3(p1) \
+	.long	p1(0xd0),p1(0xef),p1(0xaa),p1(0xfb),p1(0x43),p1(0x4d),p1(0x33),p1(0x85) ;\
+	.long	p1(0x45),p1(0xf9),p1(0x02),p1(0x7f),p1(0x50),p1(0x3c),p1(0x9f),p1(0xa8) ;\
+	.long	p1(0x51),p1(0xa3),p1(0x40),p1(0x8f),p1(0x92),p1(0x9d),p1(0x38),p1(0xf5) ;\
+	.long	p1(0xbc),p1(0xb6),p1(0xda),p1(0x21),p1(0x10),p1(0xff),p1(0xf3),p1(0xd2)
+#define sb_data4(p1) \
+	.long	p1(0xcd),p1(0x0c),p1(0x13),p1(0xec),p1(0x5f),p1(0x97),p1(0x44),p1(0x17) ;\
+	.long	p1(0xc4),p1(0xa7),p1(0x7e),p1(0x3d),p1(0x64),p1(0x5d),p1(0x19),p1(0x73) ;\
+	.long	p1(0x60),p1(0x81),p1(0x4f),p1(0xdc),p1(0x22),p1(0x2a),p1(0x90),p1(0x88) ;\
+	.long	p1(0x46),p1(0xee),p1(0xb8),p1(0x14),p1(0xde),p1(0x5e),p1(0x0b),p1(0xdb)
+#define sb_data5(p1) \
+	.long	p1(0xe0),p1(0x32),p1(0x3a),p1(0x0a),p1(0x49),p1(0x06),p1(0x24),p1(0x5c) ;\
+	.long	p1(0xc2),p1(0xd3),p1(0xac),p1(0x62),p1(0x91),p1(0x95),p1(0xe4),p1(0x79) ;\
+	.long	p1(0xe7),p1(0xc8),p1(0x37),p1(0x6d),p1(0x8d),p1(0xd5),p1(0x4e),p1(0xa9) ;\
+	.long	p1(0x6c),p1(0x56),p1(0xf4),p1(0xea),p1(0x65),p1(0x7a),p1(0xae),p1(0x08)
+#define sb_data6(p1) \
+	.long	p1(0xba),p1(0x78),p1(0x25),p1(0x2e),p1(0x1c),p1(0xa6),p1(0xb4),p1(0xc6) ;\
+	.long	p1(0xe8),p1(0xdd),p1(0x74),p1(0x1f),p1(0x4b),p1(0xbd),p1(0x8b),p1(0x8a) ;\
+	.long	p1(0x70),p1(0x3e),p1(0xb5),p1(0x66),p1(0x48),p1(0x03),p1(0xf6),p1(0x0e) ;\
+	.long	p1(0x61),p1(0x35),p1(0x57),p1(0xb9),p1(0x86),p1(0xc1),p1(0x1d),p1(0x9e)
+#define sb_data7(p1) \
+	.long	p1(0xe1),p1(0xf8),p1(0x98),p1(0x11),p1(0x69),p1(0xd9),p1(0x8e),p1(0x94) ;\
+	.long	p1(0x9b),p1(0x1e),p1(0x87),p1(0xe9),p1(0xce),p1(0x55),p1(0x28),p1(0xdf) ;\
+	.long	p1(0x8c),p1(0xa1),p1(0x89),p1(0x0d),p1(0xbf),p1(0xe6),p1(0x42),p1(0x68) ;\
+	.long	p1(0x41),p1(0x99),p1(0x2d),p1(0x0f),p1(0xb0),p1(0x54),p1(0xbb),p1(0x16)
+
+// Inverse S-box data - 256 entries
+
+#define ib_data0(p1) \
+	.long	p1(0x52),p1(0x09),p1(0x6a),p1(0xd5),p1(0x30),p1(0x36),p1(0xa5),p1(0x38) ;\
+	.long	p1(0xbf),p1(0x40),p1(0xa3),p1(0x9e),p1(0x81),p1(0xf3),p1(0xd7),p1(0xfb) ;\
+	.long	p1(0x7c),p1(0xe3),p1(0x39),p1(0x82),p1(0x9b),p1(0x2f),p1(0xff),p1(0x87) ;\
+	.long	p1(0x34),p1(0x8e),p1(0x43),p1(0x44),p1(0xc4),p1(0xde),p1(0xe9),p1(0xcb)
+#define ib_data1(p1) \
+	.long	p1(0x54),p1(0x7b),p1(0x94),p1(0x32),p1(0xa6),p1(0xc2),p1(0x23),p1(0x3d) ;\
+	.long	p1(0xee),p1(0x4c),p1(0x95),p1(0x0b),p1(0x42),p1(0xfa),p1(0xc3),p1(0x4e) ;\
+	.long	p1(0x08),p1(0x2e),p1(0xa1),p1(0x66),p1(0x28),p1(0xd9),p1(0x24),p1(0xb2) ;\
+	.long	p1(0x76),p1(0x5b),p1(0xa2),p1(0x49),p1(0x6d),p1(0x8b),p1(0xd1),p1(0x25)
+#define ib_data2(p1) \
+	.long	p1(0x72),p1(0xf8),p1(0xf6),p1(0x64),p1(0x86),p1(0x68),p1(0x98),p1(0x16) ;\
+	.long	p1(0xd4),p1(0xa4),p1(0x5c),p1(0xcc),p1(0x5d),p1(0x65),p1(0xb6),p1(0x92) ;\
+	.long	p1(0x6c),p1(0x70),p1(0x48),p1(0x50),p1(0xfd),p1(0xed),p1(0xb9),p1(0xda) ;\
+	.long	p1(0x5e),p1(0x15),p1(0x46),p1(0x57),p1(0xa7),p1(0x8d),p1(0x9d),p1(0x84)
+#define ib_data3(p1) \
+	.long	p1(0x90),p1(0xd8),p1(0xab),p1(0x00),p1(0x8c),p1(0xbc),p1(0xd3),p1(0x0a) ;\
+	.long	p1(0xf7),p1(0xe4),p1(0x58),p1(0x05),p1(0xb8),p1(0xb3),p1(0x45),p1(0x06) ;\
+	.long	p1(0xd0),p1(0x2c),p1(0x1e),p1(0x8f),p1(0xca),p1(0x3f),p1(0x0f),p1(0x02) ;\
+	.long	p1(0xc1),p1(0xaf),p1(0xbd),p1(0x03),p1(0x01),p1(0x13),p1(0x8a),p1(0x6b)
+#define ib_data4(p1) \
+	.long	p1(0x3a),p1(0x91),p1(0x11),p1(0x41),p1(0x4f),p1(0x67),p1(0xdc),p1(0xea) ;\
+	.long	p1(0x97),p1(0xf2),p1(0xcf),p1(0xce),p1(0xf0),p1(0xb4),p1(0xe6),p1(0x73) ;\
+	.long	p1(0x96),p1(0xac),p1(0x74),p1(0x22),p1(0xe7),p1(0xad),p1(0x35),p1(0x85) ;\
+	.long	p1(0xe2),p1(0xf9),p1(0x37),p1(0xe8),p1(0x1c),p1(0x75),p1(0xdf),p1(0x6e)
+#define ib_data5(p1) \
+	.long	p1(0x47),p1(0xf1),p1(0x1a),p1(0x71),p1(0x1d),p1(0x29),p1(0xc5),p1(0x89) ;\
+	.long	p1(0x6f),p1(0xb7),p1(0x62),p1(0x0e),p1(0xaa),p1(0x18),p1(0xbe),p1(0x1b) ;\
+	.long	p1(0xfc),p1(0x56),p1(0x3e),p1(0x4b),p1(0xc6),p1(0xd2),p1(0x79),p1(0x20) ;\
+	.long	p1(0x9a),p1(0xdb),p1(0xc0),p1(0xfe),p1(0x78),p1(0xcd),p1(0x5a),p1(0xf4)
+#define ib_data6(p1) \
+	.long	p1(0x1f),p1(0xdd),p1(0xa8),p1(0x33),p1(0x88),p1(0x07),p1(0xc7),p1(0x31) ;\
+	.long	p1(0xb1),p1(0x12),p1(0x10),p1(0x59),p1(0x27),p1(0x80),p1(0xec),p1(0x5f) ;\
+	.long	p1(0x60),p1(0x51),p1(0x7f),p1(0xa9),p1(0x19),p1(0xb5),p1(0x4a),p1(0x0d) ;\
+	.long	p1(0x2d),p1(0xe5),p1(0x7a),p1(0x9f),p1(0x93),p1(0xc9),p1(0x9c),p1(0xef)
+#define ib_data7(p1) \
+	.long	p1(0xa0),p1(0xe0),p1(0x3b),p1(0x4d),p1(0xae),p1(0x2a),p1(0xf5),p1(0xb0) ;\
+	.long	p1(0xc8),p1(0xeb),p1(0xbb),p1(0x3c),p1(0x83),p1(0x53),p1(0x99),p1(0x61) ;\
+	.long	p1(0x17),p1(0x2b),p1(0x04),p1(0x7e),p1(0xba),p1(0x77),p1(0xd6),p1(0x26) ;\
+	.long	p1(0xe1),p1(0x69),p1(0x14),p1(0x63),p1(0x55),p1(0x21),p1(0x0c),p1(0x7d)
+
+// The rcon_table (needed for the key schedule)
+//
+// Here is original Dr Brian Gladman's source code:
+//	_rcon_tab:
+//	%assign x   1
+//	%rep 29
+//	    dd  x
+//	%assign x f2(x)
+//	%endrep
+//
+// Here is precomputed output (it's more portable this way):
+
+	.align	ALIGN32BYTES
+aes_rcon_tab:
+	.long	0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80
+	.long	0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f
+	.long	0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4
+	.long	0xb3,0x7d,0xfa,0xef,0xc5
+
+// The forward xor tables
+
+	.align	ALIGN32BYTES
+aes_ft_tab:
+	sb_data0(u0)
+	sb_data1(u0)
+	sb_data2(u0)
+	sb_data3(u0)
+	sb_data4(u0)
+	sb_data5(u0)
+	sb_data6(u0)
+	sb_data7(u0)
+
+	sb_data0(u1)
+	sb_data1(u1)
+	sb_data2(u1)
+	sb_data3(u1)
+	sb_data4(u1)
+	sb_data5(u1)
+	sb_data6(u1)
+	sb_data7(u1)
+
+	sb_data0(u2)
+	sb_data1(u2)
+	sb_data2(u2)
+	sb_data3(u2)
+	sb_data4(u2)
+	sb_data5(u2)
+	sb_data6(u2)
+	sb_data7(u2)
+
+	sb_data0(u3)
+	sb_data1(u3)
+	sb_data2(u3)
+	sb_data3(u3)
+	sb_data4(u3)
+	sb_data5(u3)
+	sb_data6(u3)
+	sb_data7(u3)
+
+	.align	ALIGN32BYTES
+aes_fl_tab:
+	sb_data0(w0)
+	sb_data1(w0)
+	sb_data2(w0)
+	sb_data3(w0)
+	sb_data4(w0)
+	sb_data5(w0)
+	sb_data6(w0)
+	sb_data7(w0)
+
+	sb_data0(w1)
+	sb_data1(w1)
+	sb_data2(w1)
+	sb_data3(w1)
+	sb_data4(w1)
+	sb_data5(w1)
+	sb_data6(w1)
+	sb_data7(w1)
+
+	sb_data0(w2)
+	sb_data1(w2)
+	sb_data2(w2)
+	sb_data3(w2)
+	sb_data4(w2)
+	sb_data5(w2)
+	sb_data6(w2)
+	sb_data7(w2)
+
+	sb_data0(w3)
+	sb_data1(w3)
+	sb_data2(w3)
+	sb_data3(w3)
+	sb_data4(w3)
+	sb_data5(w3)
+	sb_data6(w3)
+	sb_data7(w3)
+
+// The inverse xor tables
+
+	.align	ALIGN32BYTES
+aes_it_tab:
+	ib_data0(v0)
+	ib_data1(v0)
+	ib_data2(v0)
+	ib_data3(v0)
+	ib_data4(v0)
+	ib_data5(v0)
+	ib_data6(v0)
+	ib_data7(v0)
+
+	ib_data0(v1)
+	ib_data1(v1)
+	ib_data2(v1)
+	ib_data3(v1)
+	ib_data4(v1)
+	ib_data5(v1)
+	ib_data6(v1)
+	ib_data7(v1)
+
+	ib_data0(v2)
+	ib_data1(v2)
+	ib_data2(v2)
+	ib_data3(v2)
+	ib_data4(v2)
+	ib_data5(v2)
+	ib_data6(v2)
+	ib_data7(v2)
+
+	ib_data0(v3)
+	ib_data1(v3)
+	ib_data2(v3)
+	ib_data3(v3)
+	ib_data4(v3)
+	ib_data5(v3)
+	ib_data6(v3)
+	ib_data7(v3)
+
+	.align	ALIGN32BYTES
+aes_il_tab:
+	ib_data0(w0)
+	ib_data1(w0)
+	ib_data2(w0)
+	ib_data3(w0)
+	ib_data4(w0)
+	ib_data5(w0)
+	ib_data6(w0)
+	ib_data7(w0)
+
+	ib_data0(w1)
+	ib_data1(w1)
+	ib_data2(w1)
+	ib_data3(w1)
+	ib_data4(w1)
+	ib_data5(w1)
+	ib_data6(w1)
+	ib_data7(w1)
+
+	ib_data0(w2)
+	ib_data1(w2)
+	ib_data2(w2)
+	ib_data3(w2)
+	ib_data4(w2)
+	ib_data5(w2)
+	ib_data6(w2)
+	ib_data7(w2)
+
+	ib_data0(w3)
+	ib_data1(w3)
+	ib_data2(w3)
+	ib_data3(w3)
+	ib_data4(w3)
+	ib_data5(w3)
+	ib_data6(w3)
+	ib_data7(w3)
+
+// The inverse mix column tables
+
+	.align	ALIGN32BYTES
+aes_im_tab:
+	im_data0(v0)
+	im_data1(v0)
+	im_data2(v0)
+	im_data3(v0)
+	im_data4(v0)
+	im_data5(v0)
+	im_data6(v0)
+	im_data7(v0)
+
+	im_data0(v1)
+	im_data1(v1)
+	im_data2(v1)
+	im_data3(v1)
+	im_data4(v1)
+	im_data5(v1)
+	im_data6(v1)
+	im_data7(v1)
+
+	im_data0(v2)
+	im_data1(v2)
+	im_data2(v2)
+	im_data3(v2)
+	im_data4(v2)
+	im_data5(v2)
+	im_data6(v2)
+	im_data7(v2)
+
+	im_data0(v3)
+	im_data1(v3)
+	im_data2(v3)
+	im_data3(v3)
+	im_data4(v3)
+	im_data5(v3)
+	im_data6(v3)
+	im_data7(v3)
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/aes.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1415 @@
+// I retain copyright in this code but I encourage its free use provided
+// that I don't carry any responsibility for the results. I am especially 
+// happy to see it used in free and open source software. If you do use 
+// it I would appreciate an acknowledgement of its origin in the code or
+// the product that results and I would also appreciate knowing a little
+// about the use to which it is being put. I am grateful to Frank Yellin
+// for some ideas that are used in this implementation.
+//
+// Dr B. R. Gladman <brg@gladman.uk.net> 6th April 2001.
+//
+// This is an implementation of the AES encryption algorithm (Rijndael)
+// designed by Joan Daemen and Vincent Rijmen. This version is designed
+// to provide both fixed and dynamic block and key lengths and can also 
+// run with either big or little endian internal byte order (see aes.h). 
+// It inputs block and key lengths in bytes with the legal values being 
+// 16, 24 and 32.
+
+/*
+ * Modified by Jari Ruusu,  May 1 2001
+ *  - Fixed some compile warnings, code was ok but gcc warned anyway.
+ *  - Changed basic types: byte -> unsigned char, word -> u_int32_t
+ *  - Major name space cleanup: Names visible to outside now begin
+ *    with "aes_" or "AES_". A lot of stuff moved from aes.h to aes.c
+ *  - Removed C++ and DLL support as part of name space cleanup.
+ *  - Eliminated unnecessary recomputation of tables. (actual bug fix)
+ *  - Merged precomputed constant tables to aes.c file.
+ *  - Removed data alignment restrictions for portability reasons.
+ *  - Made block and key lengths accept bit count (128/192/256)
+ *    as well byte count (16/24/32).
+ *  - Removed all error checks. This change also eliminated the need
+ *    to preinitialize the context struct to zero.
+ *  - Removed some totally unused constants.
+ */
+
+#include "crypto/aes.h"
+
+// CONFIGURATION OPTIONS (see also aes.h)
+//
+// 1.  Define UNROLL for full loop unrolling in encryption and decryption.
+// 2.  Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
+// 3.  Define FIXED_TABLES for compiled rather than dynamic tables.
+// 4.  Define FF_TABLES to use tables for field multiplies and inverses.
+//     Do not enable this without understanding stack space requirements.
+// 5.  Define ARRAYS to use arrays to hold the local state block. If this
+//     is not defined, individually declared 32-bit words are used.
+// 6.  Define FAST_VARIABLE if a high speed variable block implementation
+//     is needed (essentially three separate fixed block size code sequences)
+// 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven 
+//     version using 1 table (2 kbytes of table space) or 4 tables (8
+//     kbytes of table space) for higher speed.
+// 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed 
+//     increase by using tables for the last rounds but with more table
+//     space (2 or 8 kbytes extra).
+// 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but 
+//     slower version is provided.
+// 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
+//     or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
+
+#define UNROLL
+//#define PARTIAL_UNROLL
+
+#define FIXED_TABLES
+//#define FF_TABLES
+//#define ARRAYS
+#define FAST_VARIABLE
+
+//#define ONE_TABLE
+#define FOUR_TABLES
+
+//#define ONE_LR_TABLE
+#define FOUR_LR_TABLES
+
+//#define ONE_IM_TABLE
+#define FOUR_IM_TABLES
+
+#if defined(UNROLL) && defined (PARTIAL_UNROLL)
+#error both UNROLL and PARTIAL_UNROLL are defined
+#endif
+
+#if defined(ONE_TABLE) && defined (FOUR_TABLES)
+#error both ONE_TABLE and FOUR_TABLES are defined
+#endif
+
+#if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
+#error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
+#endif
+
+#if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
+#error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
+#endif
+
+#if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
+#error an illegal block size has been specified
+#endif  
+
+// upr(x,n): rotates bytes within words by n positions, moving bytes 
+// to higher index positions with wrap around into low positions
+// ups(x,n): moves bytes by n positions to higher index positions in 
+// words but without wrap around
+// bval(x,n): extracts a byte from a word
+
+#define upr(x,n)        (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
+#define ups(x,n)        ((x) << 8 * (n))
+#define bval(x,n)       ((unsigned char)((x) >> 8 * (n)))
+#define bytes2word(b0, b1, b2, b3)  \
+        ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
+
+
+/* little endian processor without data alignment restrictions: AES_LE_OK */
+/* original code: i386 */
+#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386) 
+#define	AES_LE_OK 1
+/* added (tested): alpha  --jjo */
+#elif defined(__alpha__)|| defined (__alpha)
+#define AES_LE_OK 1
+/* added (tested): ia64  --jjo */
+#elif defined(__ia64__)|| defined (__ia64)
+#define AES_LE_OK 1
+#endif
+
+#ifdef AES_LE_OK
+/* little endian processor without data alignment restrictions */
+#define word_in(x)      *(u_int32_t*)(x)
+#define const_word_in(x)      *(const u_int32_t*)(x)
+#define word_out(x,v)   *(u_int32_t*)(x) = (v)
+#define const_word_out(x,v)   *(const u_int32_t*)(x) = (v)
+#else
+/* slower but generic big endian or with data alignment restrictions */
+/* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
+#define word_in(x)      ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
+#define const_word_in(x)      ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
+#define word_out(x,v)   ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
+#define const_word_out(x,v)   ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
+#endif
+
+// Disable at least some poor combinations of options
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+#define FIXED_TABLES
+#undef  UNROLL
+#undef  ONE_LR_TABLE
+#undef  FOUR_LR_TABLES
+#undef  ONE_IM_TABLE
+#undef  FOUR_IM_TABLES
+#elif !defined(FOUR_TABLES)
+#ifdef  FOUR_LR_TABLES
+#undef  FOUR_LR_TABLES
+#define ONE_LR_TABLE
+#endif
+#ifdef  FOUR_IM_TABLES
+#undef  FOUR_IM_TABLES
+#define ONE_IM_TABLE
+#endif
+#elif !defined(AES_BLOCK_SIZE)
+#if defined(UNROLL)
+#define PARTIAL_UNROLL
+#undef UNROLL
+#endif
+#endif
+
+// the finite field modular polynomial and elements
+
+#define ff_poly 0x011b
+#define ff_hi   0x80
+
+// multiply four bytes in GF(2^8) by 'x' {02} in parallel
+
+#define m1  0x80808080
+#define m2  0x7f7f7f7f
+#define m3  0x0000001b
+#define FFmulX(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
+
+// The following defines provide alternative definitions of FFmulX that might
+// give improved performance if a fast 32-bit multiply is not available. Note
+// that a temporary variable u needs to be defined where FFmulX is used.
+
+// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
+// #define m4  0x1b1b1b1b
+// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
+
+// perform column mix operation on four bytes in parallel
+
+#define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
+
+#if defined(FIXED_TABLES)
+
+// the S-Box table
+
+static const unsigned char s_box[256] =
+{
+    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
+    0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
+    0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+    0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
+    0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
+    0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
+    0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
+    0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
+    0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
+    0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
+    0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
+};
+
+// the inverse S-Box table
+
+static const unsigned char inv_s_box[256] =
+{
+    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+    0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
+    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
+    0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
+    0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
+    0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
+    0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
+    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
+    0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
+    0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
+    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
+    0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
+    0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
+    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
+    0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
+    0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
+};
+
+#define w0(p)          0x000000##p
+
+// Number of elements required in this table for different
+// block and key lengths is:
+//
+// Nk =      4  6  8
+//        ----------
+// Nb = 4 | 10  8  7
+//      6 | 19 12 11
+//      8 | 29 19 14
+//
+// this table can be a table of bytes if the key schedule
+// code is adjusted accordingly
+
+static const u_int32_t rcon_tab[29] =
+{
+    w0(01), w0(02), w0(04), w0(08),
+    w0(10), w0(20), w0(40), w0(80),
+    w0(1b), w0(36), w0(6c), w0(d8),
+    w0(ab), w0(4d), w0(9a), w0(2f),
+    w0(5e), w0(bc), w0(63), w0(c6),
+    w0(97), w0(35), w0(6a), w0(d4),
+    w0(b3), w0(7d), w0(fa), w0(ef),
+    w0(c5)
+};
+
+#undef  w0
+
+#define r0(p,q,r,s) 0x##p##q##r##s
+#define r1(p,q,r,s) 0x##q##r##s##p
+#define r2(p,q,r,s) 0x##r##s##p##q
+#define r3(p,q,r,s) 0x##s##p##q##r
+#define w0(p)          0x000000##p
+#define w1(p)        0x0000##p##00
+#define w2(p)        0x00##p##0000
+#define w3(p)        0x##p##000000
+
+#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES)) 
+
+//  data for forward tables (other than last round)
+
+#define f_table \
+    r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
+    r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
+    r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
+    r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
+    r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
+    r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
+    r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
+    r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
+    r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
+    r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
+    r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
+    r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
+    r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
+    r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
+    r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
+    r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
+    r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
+    r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
+    r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
+    r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
+    r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
+    r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
+    r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
+    r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
+    r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
+    r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
+    r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
+    r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
+    r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
+    r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
+    r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
+    r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
+    r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
+    r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
+    r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
+    r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
+    r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
+    r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
+    r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
+    r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
+    r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
+    r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
+    r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
+    r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
+    r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
+    r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
+    r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
+    r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
+    r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
+    r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
+    r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
+    r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
+    r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
+    r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
+    r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
+    r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
+    r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
+    r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
+    r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
+    r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
+    r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
+    r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
+    r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
+    r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
+
+//  data for inverse tables (other than last round)
+
+#define i_table \
+    r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
+    r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
+    r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
+    r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
+    r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
+    r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
+    r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
+    r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
+    r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
+    r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
+    r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
+    r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
+    r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
+    r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
+    r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
+    r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
+    r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
+    r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
+    r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
+    r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
+    r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
+    r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
+    r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
+    r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
+    r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
+    r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
+    r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
+    r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
+    r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
+    r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
+    r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
+    r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
+    r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
+    r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
+    r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
+    r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
+    r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
+    r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
+    r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
+    r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
+    r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
+    r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
+    r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
+    r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
+    r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
+    r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
+    r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
+    r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
+    r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
+    r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
+    r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
+    r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
+    r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
+    r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
+    r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
+    r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
+    r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
+    r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
+    r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
+    r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
+    r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
+    r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
+    r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
+    r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
+
+// generate the required tables in the desired endian format
+
+#undef  r
+#define r   r0
+
+#if defined(ONE_TABLE)
+static const u_int32_t ft_tab[256] =
+    {   f_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t ft_tab[4][256] =
+{   {   f_table },
+#undef  r
+#define r   r1
+    {   f_table },
+#undef  r
+#define r   r2
+    {   f_table },
+#undef  r
+#define r   r3
+    {   f_table }
+};
+#endif
+
+#undef  r
+#define r   r0
+#if defined(ONE_TABLE)
+static const u_int32_t it_tab[256] =
+    {   i_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t it_tab[4][256] =
+{   {   i_table },
+#undef  r
+#define r   r1
+    {   i_table },
+#undef  r
+#define r   r2
+    {   i_table },
+#undef  r
+#define r   r3
+    {   i_table }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES)) 
+
+//  data for inverse tables (last round)
+
+#define li_table    \
+    w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
+    w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
+    w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
+    w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
+    w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
+    w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
+    w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
+    w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
+    w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
+    w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
+    w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
+    w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
+    w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
+    w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
+    w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
+    w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
+    w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
+    w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
+    w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
+    w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
+    w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
+    w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
+    w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
+    w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
+    w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
+    w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
+    w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
+    w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
+    w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
+    w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
+    w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
+    w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
+
+// generate the required tables in the desired endian format
+
+#undef  r
+#define r(p,q,r,s)  w0(q)
+#if defined(ONE_LR_TABLE)
+static const u_int32_t fl_tab[256] =
+    {   f_table     };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t fl_tab[4][256] =
+{   {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w1(q)
+    {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w2(q)
+    {   f_table    },
+#undef  r
+#define r(p,q,r,s)   w3(q)
+    {   f_table    }
+};
+#endif
+
+#undef  w
+#define w   w0
+#if defined(ONE_LR_TABLE)
+static const u_int32_t il_tab[256] =
+    {   li_table    };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t il_tab[4][256] =
+{   {   li_table    },
+#undef  w
+#define w   w1
+    {   li_table    },
+#undef  w
+#define w   w2
+    {   li_table    },
+#undef  w
+#define w   w3
+    {   li_table    }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES)) 
+
+#define m_table \
+    r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
+    r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
+    r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
+    r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
+    r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
+    r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
+    r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
+    r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
+    r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
+    r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
+    r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
+    r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
+    r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
+    r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
+    r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
+    r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
+    r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
+    r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
+    r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
+    r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
+    r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
+    r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
+    r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
+    r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
+    r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
+    r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
+    r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
+    r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
+    r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
+    r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
+    r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
+    r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
+    r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
+    r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
+    r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
+    r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
+    r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
+    r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
+    r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
+    r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
+    r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
+    r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
+    r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
+    r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
+    r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
+    r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
+    r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
+    r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
+    r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
+    r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
+    r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
+    r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
+    r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
+    r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
+    r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
+    r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
+    r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
+    r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
+    r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
+    r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
+    r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
+    r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
+    r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
+    r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
+
+#undef r
+#define r   r0
+
+#if defined(ONE_IM_TABLE)
+static const u_int32_t im_tab[256] =
+    {   m_table };
+#elif defined(FOUR_IM_TABLES)
+static const u_int32_t im_tab[4][256] =
+{   {   m_table },
+#undef  r
+#define r   r1
+    {   m_table },
+#undef  r
+#define r   r2
+    {   m_table },
+#undef  r
+#define r   r3
+    {   m_table }
+};
+#endif
+
+#endif
+
+#else
+
+static int tab_gen = 0;
+
+static unsigned char  s_box[256];            // the S box
+static unsigned char  inv_s_box[256];        // the inverse S box
+static u_int32_t  rcon_tab[AES_RC_LENGTH];   // table of round constants
+
+#if defined(ONE_TABLE)
+static u_int32_t  ft_tab[256];
+static u_int32_t  it_tab[256];
+#elif defined(FOUR_TABLES)
+static u_int32_t  ft_tab[4][256];
+static u_int32_t  it_tab[4][256];
+#endif
+
+#if defined(ONE_LR_TABLE)
+static u_int32_t  fl_tab[256];
+static u_int32_t  il_tab[256];
+#elif defined(FOUR_LR_TABLES)
+static u_int32_t  fl_tab[4][256];
+static u_int32_t  il_tab[4][256];
+#endif
+
+#if defined(ONE_IM_TABLE)
+static u_int32_t  im_tab[256];
+#elif defined(FOUR_IM_TABLES)
+static u_int32_t  im_tab[4][256];
+#endif
+
+// Generate the tables for the dynamic table option
+
+#if !defined(FF_TABLES)
+
+// It will generally be sensible to use tables to compute finite 
+// field multiplies and inverses but where memory is scarse this 
+// code might sometimes be better.
+
+// return 2 ^ (n - 1) where n is the bit number of the highest bit
+// set in x with x in the range 1 < x < 0x00000200.   This form is
+// used so that locals within FFinv can be bytes rather than words
+
+static unsigned char hibit(const u_int32_t x)
+{   unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
+    
+    r |= (r >> 2);
+    r |= (r >> 4);
+    return (r + 1) >> 1;
+}
+
+// return the inverse of the finite field element x
+
+static unsigned char FFinv(const unsigned char x)
+{   unsigned char    p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
+
+    if(x < 2) return x;
+
+    for(;;)
+    {
+        if(!n1) return v1;
+
+        while(n2 >= n1)
+        {   
+            n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
+        }
+        
+        if(!n2) return v2;
+
+        while(n1 >= n2)
+        {   
+            n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
+        }
+    }
+}
+
+// define the finite field multiplies required for Rijndael
+
+#define FFmul02(x)  ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
+#define FFmul03(x)  ((x) ^ FFmul02(x))
+#define FFmul09(x)  ((x) ^ FFmul02(FFmul02(FFmul02(x))))
+#define FFmul0b(x)  ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
+#define FFmul0d(x)  ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
+#define FFmul0e(x)  FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
+
+#else
+
+#define FFinv(x)    ((x) ? pow[255 - log[x]]: 0)
+
+#define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
+#define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
+#define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
+#define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
+#define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
+#define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
+
+#endif
+
+// The forward and inverse affine transformations used in the S-box
+
+#define fwd_affine(x) \
+    (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
+
+#define inv_affine(x) \
+    (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
+
+static void gen_tabs(void)
+{   u_int32_t  i, w;
+
+#if defined(FF_TABLES)
+
+    unsigned char  pow[512], log[256];
+
+    // log and power tables for GF(2^8) finite field with
+    // 0x011b as modular polynomial - the simplest primitive
+    // root is 0x03, used here to generate the tables
+
+    i = 0; w = 1; 
+    do
+    {   
+        pow[i] = (unsigned char)w;
+        pow[i + 255] = (unsigned char)w;
+        log[w] = (unsigned char)i++;
+        w ^=  (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+    }
+    while (w != 1);
+
+#endif
+
+    for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
+    {
+        rcon_tab[i] = bytes2word(w, 0, 0, 0);
+        w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+    }
+
+    for(i = 0; i < 256; ++i)
+    {   unsigned char    b;
+
+        s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
+
+        w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+        fl_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+        fl_tab[0][i] = w;
+        fl_tab[1][i] = upr(w,1);
+        fl_tab[2][i] = upr(w,2);
+        fl_tab[3][i] = upr(w,3);
+#endif
+        w = bytes2word(FFmul02(b), b, b, FFmul03(b));
+#if defined(ONE_TABLE)
+        ft_tab[i] = w;
+#elif defined(FOUR_TABLES)
+        ft_tab[0][i] = w;
+        ft_tab[1][i] = upr(w,1);
+        ft_tab[2][i] = upr(w,2);
+        ft_tab[3][i] = upr(w,3);
+#endif
+        inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
+
+        w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+        il_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+        il_tab[0][i] = w;
+        il_tab[1][i] = upr(w,1);
+        il_tab[2][i] = upr(w,2);
+        il_tab[3][i] = upr(w,3);
+#endif
+        w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
+#if defined(ONE_TABLE)
+        it_tab[i] = w;
+#elif defined(FOUR_TABLES)
+        it_tab[0][i] = w;
+        it_tab[1][i] = upr(w,1);
+        it_tab[2][i] = upr(w,2);
+        it_tab[3][i] = upr(w,3);
+#endif
+#if defined(ONE_IM_TABLE)
+        im_tab[b] = w;
+#elif defined(FOUR_IM_TABLES)
+        im_tab[0][b] = w;
+        im_tab[1][b] = upr(w,1);
+        im_tab[2][b] = upr(w,2);
+        im_tab[3][b] = upr(w,3);
+#endif
+
+    }
+}
+
+#endif
+
+#define no_table(x,box,vf,rf,c) bytes2word( \
+    box[bval(vf(x,0,c),rf(0,c))], \
+    box[bval(vf(x,1,c),rf(1,c))], \
+    box[bval(vf(x,2,c),rf(2,c))], \
+    box[bval(vf(x,3,c),rf(3,c))])
+
+#define one_table(x,op,tab,vf,rf,c) \
+ (     tab[bval(vf(x,0,c),rf(0,c))] \
+  ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
+  ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
+  ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
+
+#define four_tables(x,tab,vf,rf,c) \
+ (  tab[0][bval(vf(x,0,c),rf(0,c))] \
+  ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
+  ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
+  ^ tab[3][bval(vf(x,3,c),rf(3,c))])
+
+#define vf1(x,r,c)  (x)
+#define rf1(r,c)    (r)
+#define rf2(r,c)    ((r-c)&3)
+
+#if defined(FOUR_LR_TABLES)
+#define ls_box(x,c)     four_tables(x,fl_tab,vf1,rf2,c)
+#elif defined(ONE_LR_TABLE)
+#define ls_box(x,c)     one_table(x,upr,fl_tab,vf1,rf2,c)
+#else
+#define ls_box(x,c)     no_table(x,s_box,vf1,rf2,c)
+#endif
+
+#if defined(FOUR_IM_TABLES)
+#define inv_mcol(x)     four_tables(x,im_tab,vf1,rf1,0)
+#elif defined(ONE_IM_TABLE)
+#define inv_mcol(x)     one_table(x,upr,im_tab,vf1,rf1,0)
+#else
+#define inv_mcol(x) \
+    (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
+    f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
+#endif
+
+// Subroutine to set the block size (if variable) in bytes, legal
+// values being 16, 24 and 32.
+
+#if defined(AES_BLOCK_SIZE)
+#define nc   (AES_BLOCK_SIZE / 4)
+#else
+#define nc   (cx->aes_Ncol)
+
+void aes_set_blk(aes_context *cx, int n_bytes)
+{
+#if !defined(FIXED_TABLES)
+    if(!tab_gen) { gen_tabs(); tab_gen = 1; }
+#endif
+
+    switch(n_bytes) {
+    case 32:        /* bytes */
+    case 256:       /* bits */
+        nc = 8;
+        break;
+    case 24:        /* bytes */
+    case 192:       /* bits */
+        nc = 6;
+        break;
+    case 16:        /* bytes */
+    case 128:       /* bits */
+    default:
+        nc = 4;
+        break;
+    }
+}
+
+#endif
+
+// Initialise the key schedule from the user supplied key. The key
+// length is now specified in bytes - 16, 24 or 32 as appropriate.
+// This corresponds to bit lengths of 128, 192 and 256 bits, and
+// to Nk values of 4, 6 and 8 respectively.
+
+#define mx(t,f) (*t++ = inv_mcol(*f),f++)
+#define cp(t,f) *t++ = *f++
+
+#if   AES_BLOCK_SIZE == 16
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 24
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+                    cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+                    mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 32
+#define cpy(d,s)    cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+                    cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s)    mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+                    mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#else
+
+#define cpy(d,s) \
+switch(nc) \
+{   case 8: cp(d,s); cp(d,s); \
+    case 6: cp(d,s); cp(d,s); \
+    case 4: cp(d,s); cp(d,s); \
+            cp(d,s); cp(d,s); \
+}
+
+#define mix(d,s) \
+switch(nc) \
+{   case 8: mx(d,s); mx(d,s); \
+    case 6: mx(d,s); mx(d,s); \
+    case 4: mx(d,s); mx(d,s); \
+            mx(d,s); mx(d,s); \
+}
+
+#endif
+
+void aes_set_key(aes_context *cx, const unsigned char in_key[], int n_bytes, const int f)
+{   u_int32_t    *kf, *kt, rci;
+
+#if !defined(FIXED_TABLES)
+    if(!tab_gen) { gen_tabs(); tab_gen = 1; }
+#endif
+
+    switch(n_bytes) {
+    case 32:                    /* bytes */
+    case 256:                   /* bits */
+        cx->aes_Nkey = 8;
+        break;
+    case 24:                    /* bytes */
+    case 192:                   /* bits */
+        cx->aes_Nkey = 6;
+        break;
+    case 16:                    /* bytes */
+    case 128:                   /* bits */
+    default:
+        cx->aes_Nkey = 4;
+        break;
+    }
+
+    cx->aes_Nrnd = (cx->aes_Nkey > nc ? cx->aes_Nkey : nc) + 6; 
+
+    cx->aes_e_key[0] = const_word_in(in_key     );
+    cx->aes_e_key[1] = const_word_in(in_key +  4);
+    cx->aes_e_key[2] = const_word_in(in_key +  8);
+    cx->aes_e_key[3] = const_word_in(in_key + 12);
+
+    kf = cx->aes_e_key; 
+    kt = kf + nc * (cx->aes_Nrnd + 1) - cx->aes_Nkey; 
+    rci = 0;
+
+    switch(cx->aes_Nkey)
+    {
+    case 4: do
+            {   kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
+                kf[5] = kf[1] ^ kf[4];
+                kf[6] = kf[2] ^ kf[5];
+                kf[7] = kf[3] ^ kf[6];
+                kf += 4;
+            }
+            while(kf < kt);
+            break;
+
+    case 6: cx->aes_e_key[4] = const_word_in(in_key + 16);
+            cx->aes_e_key[5] = const_word_in(in_key + 20);
+            do
+            {   kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
+                kf[ 7] = kf[1] ^ kf[ 6];
+                kf[ 8] = kf[2] ^ kf[ 7];
+                kf[ 9] = kf[3] ^ kf[ 8];
+                kf[10] = kf[4] ^ kf[ 9];
+                kf[11] = kf[5] ^ kf[10];
+                kf += 6;
+            }
+            while(kf < kt);
+            break;
+
+    case 8: cx->aes_e_key[4] = const_word_in(in_key + 16);
+            cx->aes_e_key[5] = const_word_in(in_key + 20);
+            cx->aes_e_key[6] = const_word_in(in_key + 24);
+            cx->aes_e_key[7] = const_word_in(in_key + 28);
+            do
+            {   kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
+                kf[ 9] = kf[1] ^ kf[ 8];
+                kf[10] = kf[2] ^ kf[ 9];
+                kf[11] = kf[3] ^ kf[10];
+                kf[12] = kf[4] ^ ls_box(kf[11],0);
+                kf[13] = kf[5] ^ kf[12];
+                kf[14] = kf[6] ^ kf[13];
+                kf[15] = kf[7] ^ kf[14];
+                kf += 8;
+            }
+            while (kf < kt);
+            break;
+    }
+
+    if(!f)
+    {   u_int32_t    i;
+        
+        kt = cx->aes_d_key + nc * cx->aes_Nrnd;
+        kf = cx->aes_e_key;
+        
+        cpy(kt, kf); kt -= 2 * nc;
+
+        for(i = 1; i < cx->aes_Nrnd; ++i)
+        { 
+#if defined(ONE_TABLE) || defined(FOUR_TABLES)
+#if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
+            u_int32_t    f2, f4, f8, f9;
+#endif
+            mix(kt, kf);
+#else
+            cpy(kt, kf);
+#endif
+            kt -= 2 * nc;
+        }
+        
+        cpy(kt, kf);
+    }
+}
+
+// y = output word, x = input word, r = row, c = column
+// for r = 0, 1, 2 and 3 = column accessed for row r
+
+#if defined(ARRAYS)
+#define s(x,c) x[c]
+#else
+#define s(x,c) x##c
+#endif
+
+// I am grateful to Frank Yellin for the following constructions
+// which, given the column (c) of the output state variable that
+// is being computed, return the input state variables which are
+// needed for each row (r) of the state
+
+// For the fixed block size options, compilers reduce these two 
+// expressions to fixed variable references. For variable block 
+// size code conditional clauses will sometimes be returned
+
+#define unused  77  // Sunset Strip
+
+#define fwd_var(x,r,c) \
+ ( r==0 ?			\
+    ( c==0 ? s(x,0) \
+    : c==1 ? s(x,1) \
+    : c==2 ? s(x,2) \
+    : c==3 ? s(x,3) \
+    : c==4 ? s(x,4) \
+    : c==5 ? s(x,5) \
+    : c==6 ? s(x,6) \
+    : s(x,7))		\
+ : r==1 ?			\
+    ( c==0 ? s(x,1) \
+    : c==1 ? s(x,2) \
+    : c==2 ? s(x,3) \
+    : c==3 ? nc==4 ? s(x,0) : s(x,4) \
+    : c==4 ? s(x,5) \
+    : c==5 ? nc==8 ? s(x,6) : s(x,0) \
+    : c==6 ? s(x,7) \
+    : s(x,0))		\
+ : r==2 ?			\
+    ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
+    : c==1 ? nc==8 ? s(x,4) : s(x,3) \
+    : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+    : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+    : c==4 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==5 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==6 ? s(x,1) \
+    : s(x,2))		\
+ :					\
+    ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
+    : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+    : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+    : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
+    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==6 ? s(x,2) \
+    : s(x,3)))
+
+#define inv_var(x,r,c) \
+ ( r==0 ?			\
+    ( c==0 ? s(x,0) \
+    : c==1 ? s(x,1) \
+    : c==2 ? s(x,2) \
+    : c==3 ? s(x,3) \
+    : c==4 ? s(x,4) \
+    : c==5 ? s(x,5) \
+    : c==6 ? s(x,6) \
+    : s(x,7))		\
+ : r==1 ?			\
+    ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
+    : c==1 ? s(x,0) \
+    : c==2 ? s(x,1) \
+    : c==3 ? s(x,2) \
+    : c==4 ? s(x,3) \
+    : c==5 ? s(x,4) \
+    : c==6 ? s(x,5) \
+    : s(x,6))		\
+ : r==2 ?			\
+    ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+    : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+    : c==2 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==3 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==4 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==5 ? nc==8 ? s(x,2) : s(x,3) \
+    : c==6 ? s(x,3) \
+    : s(x,4))		\
+ :					\
+    ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
+    : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+    : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+    : c==3 ? nc==8 ? s(x,7) : s(x,0) \
+    : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+    : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+    : c==6 ? s(x,2) \
+    : s(x,3)))
+
+#define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
+#define so(y,x,c)   word_out(y + 4 * c, s(x,c))
+
+#if defined(FOUR_TABLES)
+#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
+#elif defined(ONE_TABLE)
+#define fwd_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c)    s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
+#else
+#define fwd_rnd(y,x,k,c)    s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
+#define inv_rnd(y,x,k,c)    s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
+#endif
+
+#if defined(FOUR_LR_TABLES)
+#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
+#elif defined(ONE_LR_TABLE)
+#define fwd_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c)   s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
+#else
+#define fwd_lrnd(y,x,k,c)   s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
+#define inv_lrnd(y,x,k,c)   s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
+#endif
+
+#if AES_BLOCK_SIZE == 16
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[4],y[4]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
+// the following defines prevent the compiler requiring the declaration
+// of generated but unused variables in the fwd_var and inv_var macros
+#define b04 unused
+#define b05 unused
+#define b06 unused
+#define b07 unused
+#define b14 unused
+#define b15 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
+
+#elif AES_BLOCK_SIZE == 24
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[6],y[6]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5, \
+                        y##0,y##1,y##2,y##3,y##4,y##5
+#define b06 unused
+#define b07 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
+                        s(y,4) = s(x,4); s(y,5) = s(x,5);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
+                        si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); \
+                        so(y,x,3); so(y,x,4); so(y,x,5)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
+                        rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
+#else
+
+#if defined(ARRAYS)
+#define locals(y,x)     x[8],y[8]
+#else
+#define locals(y,x)     x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
+                        y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
+#endif
+#define l_copy(y, x)    s(y,0) = s(x,0); s(y,1) = s(x,1); \
+                        s(y,2) = s(x,2); s(y,3) = s(x,3); \
+                        s(y,4) = s(x,4); s(y,5) = s(x,5); \
+                        s(y,6) = s(x,6); s(y,7) = s(x,7);
+
+#if AES_BLOCK_SIZE == 32
+
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
+                        si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
+#define state_out(y,x)  so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
+                        so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
+                        rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
+#else
+
+#define state_in(y,x,k) \
+switch(nc) \
+{   case 8: si(y,x,k,7); si(y,x,k,6); \
+    case 6: si(y,x,k,5); si(y,x,k,4); \
+    case 4: si(y,x,k,3); si(y,x,k,2); \
+            si(y,x,k,1); si(y,x,k,0); \
+}
+
+#define state_out(y,x) \
+switch(nc) \
+{   case 8: so(y,x,7); so(y,x,6); \
+    case 6: so(y,x,5); so(y,x,4); \
+    case 4: so(y,x,3); so(y,x,2); \
+            so(y,x,1); so(y,x,0); \
+}
+
+#if defined(FAST_VARIABLE)
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
+            rm(y,x,k,5); rm(y,x,k,4); \
+            rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+    case 6: rm(y,x,k,5); rm(y,x,k,4); \
+            rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+    case 4: rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+            break; \
+}
+#else
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{   case 8: rm(y,x,k,7); rm(y,x,k,6); \
+    case 6: rm(y,x,k,5); rm(y,x,k,4); \
+    case 4: rm(y,x,k,3); rm(y,x,k,2); \
+            rm(y,x,k,1); rm(y,x,k,0); \
+}
+
+#endif
+
+#endif
+#endif
+
+void aes_encrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
+{   u_int32_t        locals(b0, b1);
+    const u_int32_t  *kp = cx->aes_e_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+    u_int32_t        f2;
+#endif
+
+    state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+    switch(cx->aes_Nrnd)
+    {
+    case 14:    round(fwd_rnd,  b1, b0, kp         ); 
+                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 12:    round(fwd_rnd,  b1, b0, kp         ); 
+                round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 10:    round(fwd_rnd,  b1, b0, kp         );             
+                round(fwd_rnd,  b0, b1, kp +     nc);
+                round(fwd_rnd,  b1, b0, kp + 2 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 3 * nc);
+                round(fwd_rnd,  b1, b0, kp + 4 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 5 * nc);
+                round(fwd_rnd,  b1, b0, kp + 6 * nc); 
+                round(fwd_rnd,  b0, b1, kp + 7 * nc);
+                round(fwd_rnd,  b1, b0, kp + 8 * nc);
+                round(fwd_lrnd, b0, b1, kp + 9 * nc);
+    }
+
+#elif defined(PARTIAL_UNROLL)
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
+        {
+            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
+        }
+
+        round(fwd_rnd,  b1, b0, kp);
+        round(fwd_lrnd, b0, b1, kp + nc);
+    }
+#else
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
+        {
+            round(fwd_rnd, b1, b0, kp); 
+            l_copy(b0, b1); kp += nc;
+        }
+
+        round(fwd_lrnd, b0, b1, kp);
+    }
+#endif
+
+    state_out(out_blk, b0);
+}
+
+void aes_decrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
+{   u_int32_t        locals(b0, b1);
+    const u_int32_t  *kp = cx->aes_d_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+    u_int32_t        f2, f4, f8, f9; 
+#endif
+
+    state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+    switch(cx->aes_Nrnd)
+    {
+    case 14:    round(inv_rnd,  b1, b0, kp         );
+                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 12:    round(inv_rnd,  b1, b0, kp         );
+                round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
+    case 10:    round(inv_rnd,  b1, b0, kp         );             
+                round(inv_rnd,  b0, b1, kp +     nc);
+                round(inv_rnd,  b1, b0, kp + 2 * nc); 
+                round(inv_rnd,  b0, b1, kp + 3 * nc);
+                round(inv_rnd,  b1, b0, kp + 4 * nc); 
+                round(inv_rnd,  b0, b1, kp + 5 * nc);
+                round(inv_rnd,  b1, b0, kp + 6 * nc); 
+                round(inv_rnd,  b0, b1, kp + 7 * nc);
+                round(inv_rnd,  b1, b0, kp + 8 * nc);
+                round(inv_lrnd, b0, b1, kp + 9 * nc);
+    }
+
+#elif defined(PARTIAL_UNROLL)
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < (cx->aes_Nrnd >> 1) - 1; ++rnd)
+        {
+            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
+        }
+
+        round(inv_rnd,  b1, b0, kp);
+        round(inv_lrnd, b0, b1, kp + nc);
+    }
+#else
+    {   u_int32_t    rnd;
+
+        for(rnd = 0; rnd < cx->aes_Nrnd - 1; ++rnd)
+        {
+            round(inv_rnd, b1, b0, kp); 
+            l_copy(b0, b1); kp += nc;
+        }
+
+        round(inv_lrnd, b0, b1, kp);
+    }
+#endif
+
+    state_out(out_blk, b0);
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/aes_cbc.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,46 @@
+/*
+// I retain copyright in this code but I encourage its free use provided
+// that I don't carry any responsibility for the results. I am especially 
+// happy to see it used in free and open source software. If you do use 
+// it I would appreciate an acknowledgement of its origin in the code or
+// the product that results and I would also appreciate knowing a little
+// about the use to which it is being put. I am grateful to Frank Yellin
+// for some ideas that are used in this implementation.
+//
+// Dr B. R. Gladman <brg@gladman.uk.net> 6th April 2001.
+//
+// This is an implementation of the AES encryption algorithm (Rijndael)
+// designed by Joan Daemen and Vincent Rijmen. This version is designed
+// to provide both fixed and dynamic block and key lengths and can also 
+// run with either big or little endian internal byte order (see aes.h). 
+// It inputs block and key lengths in bytes with the legal values being 
+// 16, 24 and 32.
+*
+*/
+
+#ifdef __KERNEL__
+#include <linux/types.h>
+#else
+#include <sys/types.h>
+#endif
+#include "crypto/aes_cbc.h"
+#include "crypto/cbc_generic.h"
+
+/* returns bool success */
+int AES_set_key(aes_context *aes_ctx, const u_int8_t *key, int keysize) {
+	aes_set_key(aes_ctx, key, keysize, 0);
+	return 1;	
+}
+CBC_IMPL_BLK16(AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
+
+
+/*
+ * $Log: aes_cbc.c,v $
+ * Revision 1.2  2004/07/10 07:48:40  mcr
+ * Moved from linux/crypto/ciphers/aes/aes_cbc.c,v
+ *
+ * Revision 1.1  2004/04/06 02:48:12  mcr
+ * 	pullup of AES cipher from alg-branch.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/aes_xcbc_mac.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,67 @@
+#ifdef __KERNEL__
+#include <linux/types.h>
+#include <linux/kernel.h>
+#define DEBUG(x) 
+#else
+#include <stdio.h>
+#include <sys/types.h>
+#define DEBUG(x) x
+#endif
+
+#include "crypto/aes.h"
+#include "crypto/aes_xcbc_mac.h"
+
+int AES_xcbc_mac_set_key(aes_context_mac *ctxm, const u_int8_t *key, int keylen)
+{
+	int ret=1;
+	aes_block kn[3] = { 
+		{ 0x01010101, 0x01010101, 0x01010101, 0x01010101 },
+		{ 0x02020202, 0x02020202, 0x02020202, 0x02020202 },
+		{ 0x03030303, 0x03030303, 0x03030303, 0x03030303 },
+	};
+	aes_set_key(&ctxm->ctx_k1, key, keylen, 0);
+	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[0], (u_int8_t *) kn[0]);
+	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[1], (u_int8_t *) ctxm->k2);
+	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *) kn[2], (u_int8_t *) ctxm->k3);
+	aes_set_key(&ctxm->ctx_k1, (u_int8_t *) kn[0], 16, 0);
+	return ret;
+}
+static void do_pad_xor(u_int8_t *out, const u_int8_t *in, int len) {
+	int pos=0;
+	for (pos=1; pos <= 16; pos++, in++, out++) {
+		if (pos <= len)
+			*out ^= *in;
+		if (pos > len) {
+			DEBUG(printf("put 0x80 at pos=%d\n", pos));
+			*out ^= 0x80;
+			break;
+		}
+	}
+}
+static void xor_block(aes_block res, const aes_block op) {
+	res[0] ^= op[0];
+	res[1] ^= op[1];
+	res[2] ^= op[2];
+	res[3] ^= op[3];
+}
+int AES_xcbc_mac_hash(const aes_context_mac *ctxm, const u_int8_t * in, int ilen, u_int8_t hash[16]) {
+	int ret=ilen;
+	u_int32_t out[4] = { 0, 0, 0, 0 }; 
+	for (; ilen > 16 ; ilen-=16) {
+		xor_block(out, (const u_int32_t*) &in[0]);
+		aes_encrypt(&ctxm->ctx_k1, in, (u_int8_t *)&out[0]);
+		in+=16; 
+	}
+	do_pad_xor((u_int8_t *)&out, in, ilen);
+	if (ilen==16) {
+		DEBUG(printf("using k3\n"));
+		xor_block(out, ctxm->k3);
+	}
+	else 
+	{
+		DEBUG(printf("using k2\n"));
+		xor_block(out, ctxm->k2);
+	}
+	aes_encrypt(&ctxm->ctx_k1, (u_int8_t *)out, hash);
+	return ret;
+} 
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/ipsec_alg_aes.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,296 @@
+/*
+ * ipsec_alg AES cipher stubs
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 
+ * ipsec_alg_aes.c,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * Fixes by:
+ * 	PK:	Pawel Krawczyk <kravietz@aba.krakow.pl>
+ * Fixes list:
+ * 	PK:	make XCBC comply with latest draft (keylength)
+ *
+ */
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+/*	
+ *	special case: ipsec core modular with this static algo inside:
+ *	must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_AES)
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/string.h>
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/*	Low freeswan header coupling	*/
+#include "openswan/ipsec_alg.h"
+#include "crypto/aes_cbc.h"
+
+#define CONFIG_KLIPS_ENC_AES_MAC 1
+
+#define AES_CONTEXT_T aes_context
+static int debug_aes=0;
+static int test_aes=0;
+static int excl_aes=0;
+static int keyminbits=0;
+static int keymaxbits=0;
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
+#ifdef module_param
+module_param(debug_aes,int,0600)
+module_param(test_aes,int,0600)
+module_param(excl_aes,int,0600)
+module_param(keyminbits,int,0600)
+module_param(keymaxbits,int,0600)
+#else
+MODULE_PARM(debug_aes, "i");
+MODULE_PARM(test_aes, "i");
+MODULE_PARM(excl_aes, "i");
+MODULE_PARM(keyminbits, "i");
+MODULE_PARM(keymaxbits, "i");
+#endif
+#endif
+
+#if CONFIG_KLIPS_ENC_AES_MAC
+#include "crypto/aes_xcbc_mac.h"
+
+/*	
+ *	Not IANA number yet (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt).
+ *	We use 9 for non-modular algorithm and none for modular, thus
+ *	forcing user to specify one on module load. -kravietz
+ */
+#ifdef MODULE
+static int auth_id=0;
+#else
+static int auth_id=9;
+#endif
+#ifdef module_param
+module_param(auth_id, int, 0600);
+#else
+MODULE_PARM(auth_id, "i");
+#endif
+#endif
+
+#define ESP_AES			12	/* truely _constant_  :)  */
+
+/* 128, 192 or 256 */
+#define ESP_AES_KEY_SZ_MIN	16 	/* 128 bit secret key */
+#define ESP_AES_KEY_SZ_MAX	32 	/* 256 bit secret key */
+#define ESP_AES_CBC_BLK_LEN	16	/* AES-CBC block size */
+
+/* Values according to draft-ietf-ipsec-ciph-aes-xcbc-mac-02.txt
+ * -kravietz
+ */
+#define ESP_AES_MAC_KEY_SZ	16	/* 128 bit MAC key */
+#define ESP_AES_MAC_BLK_LEN	16	/* 128 bit block */
+
+static int _aes_set_key(struct ipsec_alg_enc *alg,
+			__u8 * key_e, const __u8 * key,
+			size_t keysize)
+{
+	int ret;
+	AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e;
+	ret=AES_set_key(ctx, key, keysize)!=0? 0: -EINVAL;
+	if (debug_aes > 0)
+		printk(KERN_DEBUG "klips_debug:_aes_set_key:"
+				"ret=%d key_e=%p key=%p keysize=%ld\n",
+                                ret, key_e, key, (unsigned long int) keysize);
+	return ret;
+}
+
+static int _aes_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e,
+			    __u8 * in, int ilen, const __u8 * iv,
+			    int encrypt)
+{
+	AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e;
+	if (debug_aes > 0)
+		printk(KERN_DEBUG "klips_debug:_aes_cbc_encrypt:"
+				"key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+				key_e, in, ilen, iv, encrypt);
+	return AES_cbc_encrypt(ctx, in, in, ilen, iv, encrypt);
+}
+#if CONFIG_KLIPS_ENC_AES_MAC
+static int _aes_mac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
+	aes_context_mac *ctxm=(aes_context_mac *)key_a;
+	return AES_xcbc_mac_set_key(ctxm, key, keylen)? 0 : -EINVAL;
+}
+static int _aes_mac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
+	int ret;
+	char hash_buf[16];
+	aes_context_mac *ctxm=(aes_context_mac *)key_a;
+	ret=AES_xcbc_mac_hash(ctxm, dat, len, hash_buf);
+	memcpy(hash, hash_buf, hashlen);
+	return ret;
+}
+static struct ipsec_alg_auth ipsec_alg_AES_MAC = {
+	ixt_common: { ixt_version:	IPSEC_ALG_VERSION,
+		      ixt_refcnt:	ATOMIC_INIT(0),
+		      ixt_name: 	"aes_mac",
+		      ixt_blocksize:	ESP_AES_MAC_BLK_LEN,
+		      ixt_support: {
+			ias_exttype:	IPSEC_ALG_TYPE_AUTH,
+			ias_id: 	0,
+			ias_keyminbits:	ESP_AES_MAC_KEY_SZ*8,
+			ias_keymaxbits:	ESP_AES_MAC_KEY_SZ*8,
+		},
+	},
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+	ixt_module:	THIS_MODULE,
+#endif
+	ixt_a_keylen:	ESP_AES_MAC_KEY_SZ,
+	ixt_a_ctx_size:	sizeof(aes_context_mac),
+	ixt_a_hmac_set_key:	_aes_mac_set_key,
+	ixt_a_hmac_hash:_aes_mac_hash,
+};
+#endif /* CONFIG_KLIPS_ENC_AES_MAC */
+static struct ipsec_alg_enc ipsec_alg_AES = {
+	ixt_common: { ixt_version:	IPSEC_ALG_VERSION,
+		      ixt_refcnt:	ATOMIC_INIT(0),
+		      ixt_name: 	"aes",
+		      ixt_blocksize:	ESP_AES_CBC_BLK_LEN, 
+		      ixt_support: {
+			ias_exttype:	IPSEC_ALG_TYPE_ENCRYPT,
+			ias_id: 	ESP_AES,
+			ias_keyminbits:	ESP_AES_KEY_SZ_MIN*8,
+			ias_keymaxbits:	ESP_AES_KEY_SZ_MAX*8,
+		},
+	},
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+	ixt_module:	THIS_MODULE,
+#endif
+	ixt_e_keylen:	ESP_AES_KEY_SZ_MAX,
+	ixt_e_ctx_size:	sizeof(AES_CONTEXT_T),
+	ixt_e_set_key:	_aes_set_key,
+	ixt_e_cbc_encrypt:_aes_cbc_encrypt,
+};
+
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+IPSEC_ALG_MODULE_INIT_MOD( ipsec_aes_init )
+#else
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_aes_init )
+#endif
+{
+	int ret, test_ret;
+
+	if (keyminbits)
+		ipsec_alg_AES.ixt_common.ixt_support.ias_keyminbits=keyminbits;
+	if (keymaxbits) {
+		ipsec_alg_AES.ixt_common.ixt_support.ias_keymaxbits=keymaxbits;
+		if (keymaxbits*8>ipsec_alg_AES.ixt_common.ixt_support.ias_keymaxbits)
+			ipsec_alg_AES.ixt_e_keylen=keymaxbits*8;
+	}
+	if (excl_aes) ipsec_alg_AES.ixt_common.ixt_state |= IPSEC_ALG_ST_EXCL;
+	ret=register_ipsec_alg_enc(&ipsec_alg_AES);
+	printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", 
+			ipsec_alg_AES.ixt_common.ixt_support.ias_exttype, 
+			ipsec_alg_AES.ixt_common.ixt_support.ias_id, 
+			ipsec_alg_AES.ixt_common.ixt_name, 
+			ret);
+	if (ret==0 && test_aes) {
+		test_ret=ipsec_alg_test(
+				ipsec_alg_AES.ixt_common.ixt_support.ias_exttype ,
+				ipsec_alg_AES.ixt_common.ixt_support.ias_id, 
+				test_aes);
+		printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n", 
+				ipsec_alg_AES.ixt_common.ixt_support.ias_exttype , 
+				ipsec_alg_AES.ixt_common.ixt_support.ias_id, 
+				test_ret);
+	}
+#if CONFIG_KLIPS_ENC_AES_MAC
+	if (auth_id!=0){
+		int ret;
+		ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_id=auth_id;
+		ret=register_ipsec_alg_auth(&ipsec_alg_AES_MAC);
+		printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", 
+				ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_exttype, 
+				ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_id, 
+				ipsec_alg_AES_MAC.ixt_common.ixt_name, 
+				ret);
+		if (ret==0 && test_aes) {
+			test_ret=ipsec_alg_test(
+					ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_exttype,
+					ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_id, 
+					test_aes);
+			printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n", 
+					ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_exttype, 
+					ipsec_alg_AES_MAC.ixt_common.ixt_support.ias_id, 
+					test_ret);
+		}
+	} else {
+		printk(KERN_DEBUG "klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=%d)\n", auth_id);
+	}
+#endif /* CONFIG_KLIPS_ENC_AES_MAC */
+	return ret;
+}
+
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_aes_fini )
+#else
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_aes_fini )
+#endif
+{
+#if CONFIG_KLIPS_ENC_AES_MAC
+	if (auth_id) unregister_ipsec_alg_auth(&ipsec_alg_AES_MAC);
+#endif /* CONFIG_KLIPS_ENC_AES_MAC */
+	unregister_ipsec_alg_enc(&ipsec_alg_AES);
+	return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+#if 0  /* +NOT_YET */
+#ifndef MODULE
+/*
+ * 	This is intended for static module setups, currently
+ * 	doesn't work for modular ipsec.o with static algos inside
+ */
+static int setup_keybits(const char *str)
+{
+	unsigned aux;
+	char *end;
+
+	aux = simple_strtoul(str,&end,0);
+	if (aux != 128 && aux != 192 && aux != 256)
+		return 0;
+	keyminbits = aux;
+
+	if (*end == 0 || *end != ',')
+		return 1;
+	str=end+1;
+	aux = simple_strtoul(str, NULL, 0);
+	if (aux != 128 && aux != 192 && aux != 256)
+		return 0;
+	if (aux >= keyminbits)
+		keymaxbits = aux;
+	return 1;
+}
+__setup("ipsec_aes_keybits=", setup_keybits);
+#endif
+#endif
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Config.alg_aes.in     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+  tristate '        AES encryption algorithm' CONFIG_IPSEC_ENC_AES
+fi
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Config.alg_cryptoapi.in     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,6 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+  dep_tristate '        CRYPTOAPI ciphers support (needs cryptoapi patch)' CONFIG_IPSEC_ALG_CRYPTOAPI $CONFIG_CRYPTO
+  if [ "$CONFIG_IPSEC_ALG_CRYPTOAPI" != "n" ]; then
+    bool '          CRYPTOAPI proprietary ciphers ' CONFIG_IPSEC_ALG_NON_LIBRE
+  fi
+fi
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Config.in     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,3 @@
+#Placeholder
+source net/ipsec/alg/Config.alg_aes.in
+source net/ipsec/alg/Config.alg_cryptoapi.in
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Makefile     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,112 @@
+# Makefile,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ifeq ($(KLIPSMODULE),)
+FREESWANSRCDIR=.
+else
+FREESWANSRCDIR=../../../..
+endif
+ifeq ($(KLIPS_TOP),)
+KLIPS_TOP=../../..
+override EXTRA_CFLAGS += -I$(KLIPS_TOP)/include
+endif
+
+ifeq ($(CONFIG_IPSEC_DEBUG),y)
+override EXTRA_CFLAGS += -g
+endif
+
+# LIBCRYPTO normally comes as an argument from "parent" Makefile
+# (this applies both to FS' "make module" and eg. Linux' "make modules"
+# But make dep doest follow same evaluations, so we need this default:
+LIBCRYPTO=$(TOPDIR)/lib/libcrypto
+
+override EXTRA_CFLAGS += -I$(LIBCRYPTO)/include
+override EXTRA_CFLAGS += -Wall -Wpointer-arith -Wstrict-prototypes
+
+MOD_LIST_NAME := NET_MISC_MODULES
+
+#O_TARGET := static_init.o
+
+subdir-  := 
+subdir-n := 
+subdir-y :=
+subdir-m :=
+
+obj-y := static_init.o
+
+ARCH_ASM-y :=
+ARCH_ASM-$(CONFIG_M586)		:= i586
+ARCH_ASM-$(CONFIG_M586TSC)	:= i586
+ARCH_ASM-$(CONFIG_M586MMX)	:= i586
+ARCH_ASM-$(CONFIG_MK6)		:= i586
+ARCH_ASM-$(CONFIG_M686)		:= i686
+ARCH_ASM-$(CONFIG_MPENTIUMIII)	:= i686
+ARCH_ASM-$(CONFIG_MPENTIUM4)	:= i686
+ARCH_ASM-$(CONFIG_MK7)		:= i686
+ARCH_ASM-$(CONFIG_MCRUSOE)	:= i586
+ARCH_ASM-$(CONFIG_MWINCHIPC6)	:= i586
+ARCH_ASM-$(CONFIG_MWINCHIP2)	:= i586
+ARCH_ASM-$(CONFIG_MWINCHIP3D)	:= i586
+ARCH_ASM-$(CONFIG_USERMODE)	:= i586
+
+ARCH_ASM :=$(ARCH_ASM-y)
+ifdef NO_ASM
+ARCH_ASM :=
+endif
+
+# The algorithm makefiles may put dependences, short-circuit them
+null:
+
+makefiles=$(filter-out %.preipsec, $(wildcard Makefile.alg_*))
+ifneq ($(makefiles),)
+#include Makefile.alg_aes
+#include Makefile.alg_aes-opt
+include $(makefiles)
+endif
+
+# These rules translate from new to old makefile rules
+# Translate to Rules.make lists.
+multi-used      := $(filter $(list-multi), $(obj-y) $(obj-m))
+multi-objs      := $(foreach m, $(multi-used), $($(basename $(m))-objs))
+active-objs     := $(sort $(multi-objs) $(obj-y) $(obj-m))
+O_OBJS          := $(obj-y)
+M_OBJS          := $(obj-m)
+MIX_OBJS        := $(filter $(export-objs), $(active-objs))
+#OX_OBJS := $(export-objs)
+SUB_DIRS := $(subdir-y)
+ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
+MOD_SUB_DIRS := $(subdir-m)
+
+
+static_init_mod.o: $(obj-y) 
+	rm -f $@
+	$(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@
+
+perlasm: ../../../crypto/ciphers/des/asm/perlasm
+	ln -sf $? $@
+
+$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
+$(alg_obj-y) $(alg_obj-m): perlasm $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
+
+
+all_alg_modules: perlasm $(ALG_MODULES)
+	@echo "ALG_MODULES=$(ALG_MODULES)"
+
+
+#
+# Construct alg. init. function: call ipsec_ALGO_init() for every static algo
+# Needed when there are static algos (with static or modular ipsec.o)
+#
+static_init.c: $(TOPDIR)/include/linux/autoconf.h Makefile $(makefiles) scripts/mk-static_init.c.sh
+	@echo "Re-creating $@"
+	$(SHELL) scripts/mk-static_init.c.sh $(static_init-func-y) > $@
+
+clean:
+	@for i in $(ALG_SUBDIRS);do test -d $$i && make -C $$i clean;done;exit 0
+	@find . -type l  -exec rm -f {} \;
+	-rm -f perlasm
+	-rm -rf $(ALG_SUBDIRS)
+	-rm -f *.o static_init.c
+
+ifdef TOPDIR
+include $(TOPDIR)/Rules.make
+endif
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Makefile.alg_aes     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,18 @@
+MOD_AES := ipsec_aes.o
+
+ALG_MODULES += $(MOD_AES)
+ALG_SUBDIRS += libaes
+
+obj-$(CONFIG_IPSEC_ALG_AES) += $(MOD_AES)
+static_init-func-$(CONFIG_IPSEC_ALG_AES)+= ipsec_aes_init
+alg_obj-$(CONFIG_IPSEC_ALG_AES) += ipsec_alg_aes.o
+
+AES_OBJS := ipsec_alg_aes.o $(LIBCRYPTO)/libaes/libaes.a 
+
+
+$(MOD_AES): $(AES_OBJS) 
+	$(LD) $(EXTRA_LDFLAGS) -r $(AES_OBJS) -o $@
+
+$(LIBCRYPTO)/libaes/libaes.a: 
+        $(MAKE) -C $(LIBCRYPTO)/libaes CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' libaes.a
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Makefile.alg_cryptoapi     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,14 @@
+MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+ALG_MODULES += $(MOD_CRYPTOAPI)
+obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+else
+$(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+endif
+
+CRYPTOAPI_OBJS := ipsec_alg_cryptoapi.o 
+$(MOD_CRYPTOAPI): $(CRYPTOAPI_OBJS)
+	$(LD) -r $(CRYPTOAPI_OBJS) -o $@
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/ipsec_alg_cryptoapi.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,442 @@
+/*
+ * ipsec_alg to linux cryptoapi GLUE
+ *
+ * Authors: CODE.ar TEAM
+ * 	Harpo MAxx <harpo@linuxmendoza.org.ar>
+ * 	JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 	Luciano Ruete <docemeses@softhome.net>
+ * 
+ * ipsec_alg_cryptoapi.c,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * Example usage:
+ *   modinfo -p ipsec_cryptoapi   (quite useful info, including supported algos)
+ *   modprobe ipsec_cryptoapi
+ *   modprobe ipsec_cryptoapi test=1
+ *   modprobe ipsec_cryptoapi excl=1                     (exclusive cipher/algo)
+ *   modprobe ipsec_cryptoapi noauto=1  aes=1 twofish=1  (only these ciphers)
+ *   modprobe ipsec_cryptoapi aes=128,128                (force these keylens)
+ *   modprobe ipsec_cryptoapi des_ede3=0                 (everything but 3DES)
+ */
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+/*	
+ *	special case: ipsec core modular with this static algo inside:
+ *	must avoid MODULE magic for this file
+ */
+#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_CRYPTOAPI
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/string.h>
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* warn the innocent */
+#if !defined (CONFIG_CRYPTO) && !defined (CONFIG_CRYPTO_MODULE)
+#warning "No linux CryptoAPI found, install 2.4.22+ or 2.6.x"
+#define NO_CRYPTOAPI_SUPPORT
+#endif
+/*	Low freeswan header coupling	*/
+#include "openswan/ipsec_alg.h"
+
+#include <linux/crypto.h>
+#ifdef CRYPTO_API_VERSION_CODE
+#warning "Old CryptoAPI is not supported. Only linux-2.4.22+ or linux-2.6.x are supported"
+#define NO_CRYPTOAPI_SUPPORT
+#endif
+
+#ifdef NO_CRYPTOAPI_SUPPORT
+#warning "Building an unusable module :P"
+/* Catch old CryptoAPI by not allowing module to load */
+IPSEC_ALG_MODULE_INIT( ipsec_cryptoapi_init )
+{
+	printk(KERN_WARNING "ipsec_cryptoapi.o was not built on stock Linux CryptoAPI (2.4.22+ or 2.6.x), not loading.\n");
+	return -EINVAL;
+}
+#else
+#include <asm/scatterlist.h>
+#include <asm/pgtable.h>
+#include <linux/mm.h>
+
+#define CIPHERNAME_AES		"aes"
+#define CIPHERNAME_3DES		"des3_ede"
+#define CIPHERNAME_BLOWFISH	"blowfish"
+#define CIPHERNAME_CAST		"cast5"
+#define CIPHERNAME_SERPENT	"serpent"
+#define CIPHERNAME_TWOFISH	"twofish"
+
+#define ESP_3DES		3
+#define ESP_AES			12
+#define ESP_BLOWFISH		7	/* truely _constant_  :)  */
+#define ESP_CAST		6	/* quite constant :) */
+#define ESP_SERPENT		252	/* from ipsec drafts */
+#define ESP_TWOFISH		253	/* from ipsec drafts */
+
+#define AH_MD5			2
+#define AH_SHA			3
+#define DIGESTNAME_MD5		"md5"
+#define DIGESTNAME_SHA1		"sha1"
+
+MODULE_AUTHOR("Juanjo Ciarlante, Harpo MAxx, Luciano Ruete");
+static int debug=0;
+static int test=0;
+static int excl=0;
+static int noauto = 0;
+
+static int des_ede3[] = {-1, -1};
+static int aes[] = {-1, -1};
+static int blowfish[] = {-1, -1};
+static int cast[] = {-1, -1};
+static int serpent[] = {-1, -1};
+static int twofish[] = {-1, -1};
+
+#ifdef module_param
+module_param(debug,int,0600);
+module_param(test,int,0600);
+module_param(ebug,int,0600);
+
+module_param(noauto,int,0600);
+module_param(ebug,int,0600);
+
+module_param_array(des_ede3,int,NULL,0);
+module_param(aes,int,NULL,0);
+module_param(blowfish,int,NULL,0);
+module_param(cast,int,NULL,0);
+module_param(serpent,int,NULL,0);
+module_param(twofish,int,NULL,0);
+#else
+MODULE_PARM(debug, "i");
+MODULE_PARM(test, "i");
+MODULE_PARM(excl, "i");
+
+MODULE_PARM(noauto,"i");
+
+MODULE_PARM(des_ede3,"1-2i");
+MODULE_PARM(aes,"1-2i");
+MODULE_PARM(blowfish,"1-2i");
+MODULE_PARM(cast,"1-2i");
+MODULE_PARM(serpent,"1-2i");
+MODULE_PARM(twofish,"1-2i");
+#endif
+
+MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
+
+MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse");
+MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(cast, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(serpent, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(twofish, "0: disable | 1: force_enable | min,max: keybitlens");
+
+struct ipsec_alg_capi_cipher {
+	const char *ciphername;	/* cryptoapi's ciphername */
+	unsigned blocksize;
+	unsigned short minbits;
+	unsigned short maxbits;
+	int *parm;		/* lkm param for this cipher */
+	struct ipsec_alg_enc alg;	/* note it's not a pointer */
+};
+static struct ipsec_alg_capi_cipher alg_capi_carray[] = {
+	{ CIPHERNAME_AES ,     16, 128, 256, aes    , { ixt_alg_id: ESP_AES, }},
+	{ CIPHERNAME_TWOFISH , 16, 128, 256, twofish, { ixt_alg_id: ESP_TWOFISH, }},
+	{ CIPHERNAME_SERPENT , 16, 128, 256, serpent, { ixt_alg_id: ESP_SERPENT, }},
+	{ CIPHERNAME_CAST ,     8, 128, 128, cast   , { ixt_alg_id: ESP_CAST, }},
+	{ CIPHERNAME_BLOWFISH , 8,  96, 448, blowfish,{ ixt_alg_id: ESP_BLOWFISH, }},
+	{ CIPHERNAME_3DES ,     8, 192, 192, des_ede3,{ ixt_alg_id: ESP_3DES, }},
+	{ NULL, 0, 0, 0, NULL, {} }
+};
+#ifdef NOT_YET
+struct ipsec_alg_capi_digest {
+	const char *digestname;	/* cryptoapi's digestname */
+	struct digest_implementation *di;
+	struct ipsec_alg_auth alg;	/* note it's not a pointer */
+};
+static struct ipsec_alg_capi_cipher alg_capi_darray[] = {
+	{ DIGESTNAME_MD5,     NULL, { ixt_alg_id: AH_MD5, }},
+	{ DIGESTNAME_SHA1,    NULL, { ixt_alg_id: AH_SHA, }},
+	{ NULL, NULL, {} }
+};
+#endif
+/*
+ * 	"generic" linux cryptoapi setup_cipher() function
+ */
+int setup_cipher(const char *ciphername)
+{
+	return crypto_alg_available(ciphername, 0);
+}
+
+/*
+ * 	setups ipsec_alg_capi_cipher "hyper" struct components, calling
+ * 	register_ipsec_alg for cointaned ipsec_alg object
+ */
+static void _capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e);
+static __u8 * _capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen);
+static int _capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt);
+
+static int
+setup_ipsec_alg_capi_cipher(struct ipsec_alg_capi_cipher *cptr)
+{
+	int ret;
+	cptr->alg.ixt_version = IPSEC_ALG_VERSION;
+	cptr->alg.ixt_module = THIS_MODULE;
+	atomic_set (& cptr->alg.ixt_refcnt, 0);
+	strncpy (cptr->alg.ixt_name , cptr->ciphername, sizeof (cptr->alg.ixt_name));
+
+	cptr->alg.ixt_blocksize=cptr->blocksize;
+	cptr->alg.ixt_keyminbits=cptr->minbits;
+	cptr->alg.ixt_keymaxbits=cptr->maxbits;
+	cptr->alg.ixt_state = 0;
+	if (excl) cptr->alg.ixt_state |= IPSEC_ALG_ST_EXCL;
+	cptr->alg.ixt_e_keylen=cptr->alg.ixt_keymaxbits/8;
+	cptr->alg.ixt_e_ctx_size = 0;
+	cptr->alg.ixt_alg_type = IPSEC_ALG_TYPE_ENCRYPT;
+	cptr->alg.ixt_e_new_key = _capi_new_key;
+	cptr->alg.ixt_e_destroy_key = _capi_destroy_key;
+	cptr->alg.ixt_e_cbc_encrypt = _capi_cbc_encrypt;
+	cptr->alg.ixt_data = cptr;
+
+	ret=register_ipsec_alg_enc(&cptr->alg);
+	printk("setup_ipsec_alg_capi_cipher(): " 
+			"alg_type=%d alg_id=%d name=%s "
+			"keyminbits=%d keymaxbits=%d, ret=%d\n", 
+				cptr->alg.ixt_alg_type, 
+				cptr->alg.ixt_alg_id, 
+				cptr->alg.ixt_name, 
+				cptr->alg.ixt_keyminbits,
+				cptr->alg.ixt_keymaxbits,
+				ret);
+	return ret;
+}
+/*
+ * 	called in ipsec_sa_wipe() time, will destroy key contexts
+ * 	and do 1 unbind()
+ */
+static void 
+_capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e)
+{
+	struct crypto_tfm *tfm=(struct crypto_tfm*)key_e;
+	
+	if (debug > 0)
+		printk(KERN_DEBUG "klips_debug: _capi_destroy_key:"
+				"name=%s key_e=%p \n",
+				alg->ixt_name, key_e);
+	if (!key_e) {
+		printk(KERN_ERR "klips_debug: _capi_destroy_key:"
+				"name=%s NULL key_e!\n",
+				alg->ixt_name);
+		return;
+	}
+	crypto_free_tfm(tfm);
+}
+	
+/*
+ * 	create new key context, need alg->ixt_data to know which
+ * 	(of many) cipher inside this module is the target
+ */
+static __u8 *
+_capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen)
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	struct crypto_tfm *tfm=NULL;
+
+	cptr = alg->ixt_data;
+	if (!cptr) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"NULL ixt_data (?!) for \"%s\" algo\n" 
+				, alg->ixt_name);
+		goto err;
+	}
+	if (debug > 0)
+		printk(KERN_DEBUG "klips_debug:_capi_new_key:"
+				"name=%s cptr=%p key=%p keysize=%d\n",
+				alg->ixt_name, cptr, key, keylen);
+	
+	/*	
+	 *	alloc tfm
+	 */
+	tfm = crypto_alloc_tfm(cptr->ciphername, CRYPTO_TFM_MODE_CBC);
+	if (!tfm) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"NULL tfm for \"%s\" cryptoapi (\"%s\") algo\n" 
+			, alg->ixt_name, cptr->ciphername);
+		goto err;
+	}
+	if (crypto_cipher_setkey(tfm, key, keylen) < 0) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"failed new_key() for \"%s\" cryptoapi algo (keylen=%d)\n" 
+			, alg->ixt_name, keylen);
+		crypto_free_tfm(tfm);
+		tfm=NULL;
+	}
+err:
+	if (debug > 0)
+		printk(KERN_DEBUG "klips_debug:_capi_new_key:"
+				"name=%s key=%p keylen=%d tfm=%p\n",
+				alg->ixt_name, key, keylen, tfm);
+	return (__u8 *) tfm;
+}
+/*
+ * 	core encryption function: will use cx->ci to call actual cipher's
+ * 	cbc function
+ */
+static int 
+_capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
+	int error =0;
+	struct crypto_tfm *tfm=(struct crypto_tfm *)key_e;
+	struct scatterlist sg = { 
+		.page = virt_to_page(in),
+		.offset = (unsigned long)(in) % PAGE_SIZE,
+		.length=ilen,
+	};
+	if (debug > 1)
+		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+				"key_e=%p "
+				"in=%p out=%p ilen=%d iv=%p encrypt=%d\n"
+				, key_e
+				, in, in, ilen, iv, encrypt);
+	crypto_cipher_set_iv(tfm, iv, crypto_tfm_alg_ivsize(tfm));
+	if (encrypt)
+		error = crypto_cipher_encrypt (tfm, &sg, &sg, ilen);
+	else
+		error = crypto_cipher_decrypt (tfm, &sg, &sg, ilen);
+	if (debug > 1)
+		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+				"error=%d\n"
+				, error);
+	return (error<0)? error : ilen;
+}
+/*
+ * 	main initialization loop: for each cipher in list, do
+ * 	1) setup cryptoapi cipher else continue
+ * 	2) register ipsec_alg object
+ */
+static int
+setup_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		/* 
+		 * see if cipher has been disabled (0) or
+		 * if noauto set and not enabled (1)
+		 */
+		if (cptr->parm[0] == 0 || (noauto && cptr->parm[0] < 0)) {
+			if (debug>0)
+				printk(KERN_INFO "setup_cipher_list(): "
+					"ciphername=%s skipped at user request: "
+					"noauto=%d parm[0]=%d parm[1]=%d\n"
+					, cptr->ciphername
+					, noauto
+					, cptr->parm[0]
+					, cptr->parm[1]);
+			continue;
+		}
+		/* 
+		 * 	use a local ci to avoid touching cptr->ci,
+		 * 	if register ipsec_alg success then bind cipher
+		 */
+		if( setup_cipher(cptr->ciphername) ) {
+			if (debug > 0)
+				printk(KERN_DEBUG "klips_debug:"
+						"setup_cipher_list():"
+						"ciphername=%s found\n"
+				, cptr->ciphername);
+			if (setup_ipsec_alg_capi_cipher(cptr) == 0) {
+				
+				
+			} else {
+				printk(KERN_ERR "klips_debug:"
+						"setup_cipher_list():"
+						"ciphername=%s failed ipsec_alg_register\n"
+				, cptr->ciphername);
+			}
+		} else {
+			if (debug>0)
+				printk(KERN_INFO "setup_cipher_list(): lookup for ciphername=%s: not found \n",
+				cptr->ciphername);
+		}
+	}
+	return 0;
+}
+/*
+ * 	deregister ipsec_alg objects and unbind ciphers
+ */
+static int
+unsetup_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) {
+			unregister_ipsec_alg_enc(&cptr->alg);
+		}
+	}
+	return 0;
+}
+/*
+ * 	test loop for registered algos
+ */
+static int
+test_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	int test_ret;
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) {
+			test_ret=ipsec_alg_test(
+					cptr->alg.ixt_alg_type,
+					cptr->alg.ixt_alg_id, 
+					test);
+			printk("test_cipher_list(alg_type=%d alg_id=%d): test_ret=%d\n", 
+					cptr->alg.ixt_alg_type, 
+					cptr->alg.ixt_alg_id, 
+					test_ret);
+		}
+	}
+	return 0;
+}
+
+IPSEC_ALG_MODULE_INIT( ipsec_cryptoapi_init )
+{
+	int ret, test_ret;
+	if ((ret=setup_cipher_list(alg_capi_carray)) < 0)
+		return  -EPROTONOSUPPORT;
+	if (ret==0 && test) {
+		test_ret=test_cipher_list(alg_capi_carray);
+	}
+	return ret;
+}
+IPSEC_ALG_MODULE_EXIT( ipsec_cryptoapi_fini )
+{
+	unsetup_cipher_list(alg_capi_carray);
+	return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+EXPORT_NO_SYMBOLS;
+#endif /* NO_CRYPTOAPI_SUPPORT */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/scripts/mk-static_init.c.sh     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,18 @@
+#!/bin/sh
+cat << EOF
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include "freeswan/ipsec_alg.h"
+$(for i in $*; do
+	test -z "$i" && continue
+	echo "extern int $i(void);"
+done)
+void ipsec_alg_static_init(void){ 
+	int __attribute__ ((unused)) err=0;
+$(for i in $*; do
+	test -z "$i" && continue
+	echo "	if ((err=$i()) < 0)"
+	echo "		printk(KERN_WARNING \"$i() returned %d\", err);"
+done)
+}
+EOF
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/anyaddr.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,148 @@
+/*
+ * special addresses
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: anyaddr.c,v 1.10.10.1 2006/11/24 05:55:46 paul Exp $
+ */
+#include "openswan.h"
+
+/* these are mostly fallbacks for the no-IPv6-support-in-library case */
+#ifndef IN6ADDR_ANY_INIT
+#define	IN6ADDR_ANY_INIT	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+#endif
+#ifndef IN6ADDR_LOOPBACK_INIT
+#define	IN6ADDR_LOOPBACK_INIT	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
+#endif
+
+static struct in6_addr v6any = IN6ADDR_ANY_INIT;
+static struct in6_addr v6loop = IN6ADDR_LOOPBACK_INIT;
+
+/*
+ - anyaddr - initialize to the any-address value
+ */
+err_t				/* NULL for success, else string literal */
+anyaddr(af, dst)
+int af;				/* address family */
+ip_address *dst;
+{
+	uint32_t v4any = htonl(INADDR_ANY);
+
+	switch (af) {
+	case AF_INET:
+		return initaddr((unsigned char *)&v4any, sizeof(v4any), af, dst);
+		break;
+	case AF_INET6:
+		return initaddr((unsigned char *)&v6any, sizeof(v6any), af, dst);
+		break;
+	default:
+		return "unknown address family in anyaddr/unspecaddr";
+		break;
+	}
+}
+
+/*
+ - unspecaddr - initialize to the unspecified-address value
+ */
+err_t				/* NULL for success, else string literal */
+unspecaddr(af, dst)
+int af;				/* address family */
+ip_address *dst;
+{
+	return anyaddr(af, dst);
+}
+
+/*
+ - loopbackaddr - initialize to the loopback-address value
+ */
+err_t				/* NULL for success, else string literal */
+loopbackaddr(af, dst)
+int af;				/* address family */
+ip_address *dst;
+{
+	uint32_t v4loop = htonl(INADDR_LOOPBACK);
+
+	switch (af) {
+	case AF_INET:
+		return initaddr((unsigned char *)&v4loop, sizeof(v4loop), af, dst);
+		break;
+	case AF_INET6:
+		return initaddr((unsigned char *)&v6loop, sizeof(v6loop), af, dst);
+		break;
+	default:
+		return "unknown address family in loopbackaddr";
+		break;
+	}
+}
+
+/*
+ - isanyaddr - test for the any-address value
+ */
+int
+isanyaddr(src)
+const ip_address *src;
+{
+	uint32_t v4any = htonl(INADDR_ANY);
+	int cmp;
+
+	switch (src->u.v4.sin_family) {
+	case AF_INET:
+		cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4any, sizeof(v4any));
+		break;
+	case AF_INET6:
+		cmp = memcmp(&src->u.v6.sin6_addr, &v6any, sizeof(v6any));
+		break;
+	case 0:
+		/* a zeroed structure is considered any address */
+		return 1;
+	default:
+		return 0;
+		break;
+	}
+
+	return (cmp == 0) ? 1 : 0;
+}
+
+/*
+ - isunspecaddr - test for the unspecified-address value
+ */
+int
+isunspecaddr(src)
+const ip_address *src;
+{
+	return isanyaddr(src);
+}
+
+/*
+ - isloopbackaddr - test for the loopback-address value
+ */
+int
+isloopbackaddr(src)
+const ip_address *src;
+{
+	uint32_t v4loop = htonl(INADDR_LOOPBACK);
+	int cmp;
+
+	switch (src->u.v4.sin_family) {
+	case AF_INET:
+		cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4loop, sizeof(v4loop));
+		break;
+	case AF_INET6:
+		cmp = memcmp(&src->u.v6.sin6_addr, &v6loop, sizeof(v6loop));
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	return (cmp == 0) ? 1 : 0;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/datatot.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,234 @@
+/*
+ * convert from binary data (e.g. key) to text form
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: datatot.c,v 1.7 2005/04/14 20:48:43 mcr Exp $
+ */
+#include "openswan.h"
+
+static void convert(const char *src, size_t nreal, int format, char *out);
+
+/*
+ - datatot - convert data bytes to text
+ */
+size_t				/* true length (with NUL) for success */
+datatot(src, srclen, format, dst, dstlen)
+const char *src;
+size_t srclen;
+int format;			/* character indicating what format */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	size_t inblocksize;	/* process this many bytes at a time */
+	size_t outblocksize;	/* producing this many */
+	size_t breakevery;	/* add a _ every this many (0 means don't) */
+	size_t sincebreak;	/* output bytes since last _ */
+	char breakchar;		/* character used to break between groups */
+	char inblock[10];	/* enough for any format */
+	char outblock[10];	/* enough for any format */
+	char fake[1];		/* fake output area for dstlen == 0 */
+	size_t needed;		/* return value */
+	char *stop;		/* where the terminating NUL will go */
+	size_t ntodo;		/* remaining input */
+	size_t nreal;
+	char *out;
+	char *prefix;
+
+	breakevery = 0;
+	breakchar = '_';
+
+	switch (format) {
+	case 0:
+	case 'h':
+		format = 'x';
+		breakevery = 8;
+		/* FALLTHROUGH */
+	case 'x':
+		inblocksize = 1;
+		outblocksize = 2;
+		prefix = "0x";
+		break;
+	case ':':
+		format = 'x';
+		breakevery = 2;
+		breakchar = ':';
+		/* FALLTHROUGH */
+	case 16:
+		inblocksize = 1;
+		outblocksize = 2;
+		prefix = "";
+		format = 'x';
+		break;
+	case 's':
+		inblocksize = 3;
+		outblocksize = 4;
+		prefix = "0s";
+		break;
+	case 64:		/* beware, equals ' ' */
+		inblocksize = 3;
+		outblocksize = 4;
+		prefix = "";
+		format = 's';
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	user_assert(inblocksize < sizeof(inblock));
+	user_assert(outblocksize < sizeof(outblock));
+	user_assert(breakevery % outblocksize == 0);
+
+	if (srclen == 0)
+		return 0;
+	ntodo = srclen;
+
+	if (dstlen == 0) {	/* dispose of awkward special case */
+		dst = fake;
+		dstlen = 1;
+	}
+	stop = dst + dstlen - 1;
+
+	nreal = strlen(prefix);
+	needed = nreal;			/* for starters */
+	if (dstlen <= nreal) {		/* prefix won't fit */
+		strncpy(dst, prefix, dstlen - 1);
+		dst += dstlen - 1;
+	} else {
+		strcpy(dst, prefix);
+		dst += nreal;
+	}
+
+	user_assert(dst <= stop);
+	sincebreak = 0;
+
+	while (ntodo > 0) {
+		if (ntodo < inblocksize) {	/* incomplete input */
+			memset(inblock, 0, sizeof(inblock));
+			memcpy(inblock, src, ntodo);
+			src = inblock;
+			nreal = ntodo;
+			ntodo = inblocksize;
+		} else
+			nreal = inblocksize;
+		out = (outblocksize > stop - dst) ? outblock : dst;
+
+		convert(src, nreal, format, out);
+		needed += outblocksize;
+		sincebreak += outblocksize;
+		if (dst < stop) {
+			if (out != dst) {
+				user_assert(outblocksize > stop - dst);
+				memcpy(dst, out, stop - dst);
+				dst = stop;
+			} else
+				dst += outblocksize;
+		}
+
+		src += inblocksize;
+		ntodo -= inblocksize;
+		if (breakevery != 0 && sincebreak >= breakevery && ntodo > 0) {
+			if (dst < stop)
+				*dst++ = breakchar;
+			needed++;
+			sincebreak = 0;
+		}
+	}
+
+	user_assert(dst <= stop);
+	*dst++ = '\0';
+	needed++;
+
+	return needed;
+}
+
+/*
+ - convert - convert one input block to one output block
+ */
+static void
+convert(src, nreal, format, out)
+const char *src;
+size_t nreal;			/* how much of the input block is real */
+int format;
+char *out;
+{
+	static char hex[] = "0123456789abcdef";
+	static char base64[] =	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+				"abcdefghijklmnopqrstuvwxyz"
+				"0123456789+/";
+	unsigned char c;
+	unsigned char c1, c2, c3;
+
+	user_assert(nreal > 0);
+	switch (format) {
+	case 'x':
+		user_assert(nreal == 1);
+		c = (unsigned char)*src;
+		*out++ = hex[c >> 4];
+		*out++ = hex[c & 0xf];
+		break;
+	case 's':
+		c1 = (unsigned char)*src++;
+		c2 = (unsigned char)*src++;
+		c3 = (unsigned char)*src++;
+		*out++ = base64[c1 >> 2];	/* top 6 bits of c1 */
+		c = (c1 & 0x3) << 4;		/* bottom 2 of c1... */
+		c |= c2 >> 4;			/* ...top 4 of c2 */
+		*out++ = base64[c];
+		if (nreal == 1)
+			*out++ = '=';
+		else {
+			c = (c2 & 0xf) << 2;	/* bottom 4 of c2... */
+			c |= c3 >> 6;		/* ...top 2 of c3 */
+			*out++ = base64[c];
+		}
+		if (nreal <= 2)
+			*out++ = '=';
+		else
+			*out++ = base64[c3 & 0x3f];	/* bottom 6 of c3 */
+		break;
+	default:
+		user_assert(nreal == 0);	/* unknown format */
+		break;
+	}
+}
+
+/*
+ - datatoa - convert data to ASCII
+ * backward-compatibility synonym for datatot
+ */
+size_t				/* true length (with NUL) for success */
+datatoa(src, srclen, format, dst, dstlen)
+const char *src;
+size_t srclen;
+int format;			/* character indicating what format */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	return datatot(src, srclen, format, dst, dstlen);
+}
+
+/*
+ - bytestoa - convert data bytes to ASCII
+ * backward-compatibility synonym for datatot
+ */
+size_t				/* true length (with NUL) for success */
+bytestoa(src, srclen, format, dst, dstlen)
+const char *src;
+size_t srclen;
+int format;			/* character indicating what format */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	return datatot(src, srclen, format, dst, dstlen);
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/defconfig     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,148 @@
+
+#
+# RCSID $Id: defconfig,v 1.28.2.1 2006/10/11 18:14:33 paul Exp $
+#
+
+#
+# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
+#
+
+#
+# First, lets override stuff already set or not in the kernel config.
+#
+# We can't even think about leaving this off...
+CONFIG_INET=y
+
+#
+# This must be on for subnet protection.
+CONFIG_IP_FORWARD=y
+
+# Shut off IPSEC masquerading if it has been enabled, since it will 
+# break the compile.  IPPROTO_ESP and IPPROTO_AH were included in 
+# net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.
+CONFIG_IP_MASQUERADE_IPSEC=n
+
+#
+# Next, lets set the recommended FreeS/WAN configuration.
+#
+
+# To config as static (preferred), 'y'.  To config as module, 'm'.
+CONFIG_KLIPS=m
+
+# To do tunnel mode IPSec, this must be enabled.
+CONFIG_KLIPS_IPIP=y
+
+# To enable authentication, say 'y'.   (Highly recommended)
+CONFIG_KLIPS_AH=y
+
+# Authentication algorithm(s):
+CONFIG_KLIPS_AUTH_HMAC_MD5=y
+CONFIG_KLIPS_AUTH_HMAC_SHA1=y
+
+# To enable encryption, say 'y'.   (Highly recommended)
+CONFIG_KLIPS_ESP=y
+
+# modular algo extensions (and new ALGOs)
+CONFIG_KLIPS_ALG=y
+
+# Encryption algorithm(s):
+CONFIG_KLIPS_ENC_3DES=y
+CONFIG_KLIPS_ENC_AES=y
+# CONFIG_KLIPS_ENC_NULL=y
+
+# Use CryptoAPI for ALG? - by default, no.
+CONFIG_KLIPS_ENC_CRYPTOAPI=n
+
+# IP Compression: new, probably still has minor bugs.
+CONFIG_KLIPS_IPCOMP=y
+
+# To enable userspace-switchable KLIPS debugging, say 'y'.
+CONFIG_KLIPS_DEBUG=y
+
+# NAT Traversal
+CONFIG_IPSEC_NAT_TRAVERSAL=y
+
+#
+#
+# $Log: defconfig,v $
+# Revision 1.28.2.1  2006/10/11 18:14:33  paul
+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
+# per default.
+#
+# Revision 1.28  2005/05/11 03:15:42  mcr
+# 	adjusted makefiles to sanely build modules properly.
+#
+# Revision 1.27  2005/03/20 03:00:05  mcr
+# 	default configuration should enable NAT_TRAVERSAL.
+#
+# Revision 1.26  2004/07/10 19:11:18  mcr
+# 	CONFIG_IPSEC -> CONFIG_KLIPS.
+#
+# Revision 1.25  2004/07/05 01:03:53  mcr
+# 	fix for adding cryptoapi code.
+# 	keep it off for now, since UMLs do not have it yet.
+#
+# Revision 1.24  2004/04/06 02:49:25  mcr
+# 	pullup of algo code from alg-branch.
+#
+# Revision 1.23.2.2  2004/04/05 04:30:46  mcr
+# 	patches for alg-branch to compile/work with 2.x openswan
+#
+# Revision 1.23.2.1  2003/12/22 15:25:52  jjo
+# . Merged algo-0.8.1-rc11-test1 into alg-branch
+#
+# Revision 1.23  2003/12/10 01:14:27  mcr
+# 	NAT-traversal patches to KLIPS.
+#
+# Revision 1.22  2003/02/24 19:37:27  mcr
+# 	changed default compilation mode to static.
+#
+# Revision 1.21  2002/04/24 07:36:27  mcr
+# Moved from ./klips/net/ipsec/defconfig,v
+#
+# Revision 1.20  2002/04/02 04:07:40  mcr
+# 	default build is now 'm'odule for KLIPS
+#
+# Revision 1.19  2002/03/08 18:57:17  rgb
+# Added a blank line at the beginning of the file to make it easier for
+# other projects to patch ./arch/i386/defconfig, for example
+# LIDS+grSecurity requested by Jason Pattie.
+#
+# Revision 1.18  2000/11/30 17:26:56  rgb
+# Cleaned out unused options and enabled ipcomp by default.
+#
+# Revision 1.17  2000/09/15 11:37:01  rgb
+# Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+# IPCOMP zlib deflate code.
+#
+# Revision 1.16  2000/09/08 19:12:55  rgb
+# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+#
+# Revision 1.15  2000/05/24 19:37:13  rgb
+# *** empty log message ***
+#
+# Revision 1.14  2000/05/11 21:14:57  henry
+# just commenting the FOOBAR=y lines out is not enough
+#
+# Revision 1.13  2000/05/10 20:17:58  rgb
+# Comment out netlink defaults, which are no longer needed.
+#
+# Revision 1.12  2000/05/10 19:13:38  rgb
+# Added configure option to shut off no eroute passthrough.
+#
+# Revision 1.11  2000/03/16 07:09:46  rgb
+# Hardcode PF_KEYv2 support.
+# Disable IPSEC_ICMP by default.
+# Remove DES config option from defaults file.
+#
+# Revision 1.10  2000/01/11 03:09:42  rgb
+# Added a default of 'y' to PF_KEYv2 keying I/F.
+#
+# Revision 1.9  1999/05/08 21:23:12  rgb
+# Added support for 2.2.x kernels.
+#
+# Revision 1.8  1999/04/06 04:54:25  rgb
+# Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+# patch shell fixes.
+#
+#
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/deflate.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1351 @@
+/* deflate.c -- compress data using the deflation algorithm
+ * Copyright (C) 1995-2002 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/*
+ *  ALGORITHM
+ *
+ *      The "deflation" process depends on being able to identify portions
+ *      of the input text which are identical to earlier input (within a
+ *      sliding window trailing behind the input currently being processed).
+ *
+ *      The most straightforward technique turns out to be the fastest for
+ *      most input files: try all possible matches and select the longest.
+ *      The key feature of this algorithm is that insertions into the string
+ *      dictionary are very simple and thus fast, and deletions are avoided
+ *      completely. Insertions are performed at each input character, whereas
+ *      string matches are performed only when the previous match ends. So it
+ *      is preferable to spend more time in matches to allow very fast string
+ *      insertions and avoid deletions. The matching algorithm for small
+ *      strings is inspired from that of Rabin & Karp. A brute force approach
+ *      is used to find longer strings when a small match has been found.
+ *      A similar algorithm is used in comic (by Jan-Mark Wams) and freeze
+ *      (by Leonid Broukhis).
+ *         A previous version of this file used a more sophisticated algorithm
+ *      (by Fiala and Greene) which is guaranteed to run in linear amortized
+ *      time, but has a larger average cost, uses more memory and is patented.
+ *      However the F&G algorithm may be faster for some highly redundant
+ *      files if the parameter max_chain_length (described below) is too large.
+ *
+ *  ACKNOWLEDGEMENTS
+ *
+ *      The idea of lazy evaluation of matches is due to Jan-Mark Wams, and
+ *      I found it in 'freeze' written by Leonid Broukhis.
+ *      Thanks to many people for bug reports and testing.
+ *
+ *  REFERENCES
+ *
+ *      Deutsch, L.P.,"DEFLATE Compressed Data Format Specification".
+ *      Available in ftp://ds.internic.net/rfc/rfc1951.txt
+ *
+ *      A description of the Rabin and Karp algorithm is given in the book
+ *         "Algorithms" by R. Sedgewick, Addison-Wesley, p252.
+ *
+ *      Fiala,E.R., and Greene,D.H.
+ *         Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595
+ *
+ */
+
+/* @(#) $Id: deflate.c,v 1.4 2004/07/10 07:48:37 mcr Exp $ */
+
+#include "deflate.h"
+
+local const char deflate_copyright[] =
+   " deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly ";
+/*
+  If you use the zlib library in a product, an acknowledgment is welcome
+  in the documentation of your product. If for some reason you cannot
+  include such an acknowledgment, I would appreciate that you keep this
+  copyright string in the executable of your product.
+ */
+
+/* ===========================================================================
+ *  Function prototypes.
+ */
+typedef enum {
+    need_more,      /* block not completed, need more input or more output */
+    block_done,     /* block flush performed */
+    finish_started, /* finish started, need only more output at next deflate */
+    finish_done     /* finish done, accept no more input or output */
+} block_state;
+
+typedef block_state (*compress_func) OF((deflate_state *s, int flush));
+/* Compression function. Returns the block state after the call. */
+
+local void fill_window    OF((deflate_state *s));
+local block_state deflate_stored OF((deflate_state *s, int flush));
+local block_state deflate_fast   OF((deflate_state *s, int flush));
+local block_state deflate_slow   OF((deflate_state *s, int flush));
+local void lm_init        OF((deflate_state *s));
+local void putShortMSB    OF((deflate_state *s, uInt b));
+local void flush_pending  OF((z_streamp strm));
+local int read_buf        OF((z_streamp strm, Bytef *buf, unsigned size));
+#ifdef ASMV
+      void match_init OF((void)); /* asm code initialization */
+      uInt longest_match  OF((deflate_state *s, IPos cur_match));
+#else
+local uInt longest_match  OF((deflate_state *s, IPos cur_match));
+#endif
+
+#ifdef DEBUG
+local  void check_match OF((deflate_state *s, IPos start, IPos match,
+                            int length));
+#endif
+
+/* ===========================================================================
+ * Local data
+ */
+
+#define NIL 0
+/* Tail of hash chains */
+
+#ifndef TOO_FAR
+#  define TOO_FAR 4096
+#endif
+/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
+
+#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
+/* Minimum amount of lookahead, except at the end of the input file.
+ * See deflate.c for comments about the MIN_MATCH+1.
+ */
+
+/* Values for max_lazy_match, good_match and max_chain_length, depending on
+ * the desired pack level (0..9). The values given below have been tuned to
+ * exclude worst case performance for pathological files. Better values may be
+ * found for specific files.
+ */
+typedef struct config_s {
+   ush good_length; /* reduce lazy search above this match length */
+   ush max_lazy;    /* do not perform lazy search above this match length */
+   ush nice_length; /* quit search above this match length */
+   ush max_chain;
+   compress_func func;
+} config;
+
+local const config configuration_table[10] = {
+/*      good lazy nice chain */
+/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
+/* 1 */ {4,    4,  8,    4, deflate_fast}, /* maximum speed, no lazy matches */
+/* 2 */ {4,    5, 16,    8, deflate_fast},
+/* 3 */ {4,    6, 32,   32, deflate_fast},
+
+/* 4 */ {4,    4, 16,   16, deflate_slow},  /* lazy matches */
+/* 5 */ {8,   16, 32,   32, deflate_slow},
+/* 6 */ {8,   16, 128, 128, deflate_slow},
+/* 7 */ {8,   32, 128, 256, deflate_slow},
+/* 8 */ {32, 128, 258, 1024, deflate_slow},
+/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* maximum compression */
+
+/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4
+ * For deflate_fast() (levels <= 3) good is ignored and lazy has a different
+ * meaning.
+ */
+
+#define EQUAL 0
+/* result of memcmp for equal strings */
+
+struct static_tree_desc_s {int dummy;}; /* for buggy compilers */
+
+/* ===========================================================================
+ * Update a hash value with the given input byte
+ * IN  assertion: all calls to to UPDATE_HASH are made with consecutive
+ *    input characters, so that a running hash key can be computed from the
+ *    previous key instead of complete recalculation each time.
+ */
+#define UPDATE_HASH(s,h,c) (h = (((h)<<s->hash_shift) ^ (c)) & s->hash_mask)
+
+
+/* ===========================================================================
+ * Insert string str in the dictionary and set match_head to the previous head
+ * of the hash chain (the most recent string with same hash key). Return
+ * the previous length of the hash chain.
+ * If this file is compiled with -DFASTEST, the compression level is forced
+ * to 1, and no hash chains are maintained.
+ * IN  assertion: all calls to to INSERT_STRING are made with consecutive
+ *    input characters and the first MIN_MATCH bytes of str are valid
+ *    (except for the last MIN_MATCH-1 bytes of the input file).
+ */
+#ifdef FASTEST
+#define INSERT_STRING(s, str, match_head) \
+   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
+    match_head = s->head[s->ins_h], \
+    s->head[s->ins_h] = (Pos)(str))
+#else
+#define INSERT_STRING(s, str, match_head) \
+   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
+    s->prev[(str) & s->w_mask] = match_head = s->head[s->ins_h], \
+    s->head[s->ins_h] = (Pos)(str))
+#endif
+
+/* ===========================================================================
+ * Initialize the hash table (avoiding 64K overflow for 16 bit systems).
+ * prev[] will be initialized on the fly.
+ */
+#define CLEAR_HASH(s) \
+    s->head[s->hash_size-1] = NIL; \
+    zmemzero((Bytef *)s->head, (unsigned)(s->hash_size-1)*sizeof(*s->head));
+
+/* ========================================================================= */
+int ZEXPORT deflateInit_(strm, level, version, stream_size)
+    z_streamp strm;
+    int level;
+    const char *version;
+    int stream_size;
+{
+    return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,
+			 Z_DEFAULT_STRATEGY, version, stream_size);
+    /* To do: ignore strm->next_in if we use it as window */
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+		  version, stream_size)
+    z_streamp strm;
+    int  level;
+    int  method;
+    int  windowBits;
+    int  memLevel;
+    int  strategy;
+    const char *version;
+    int stream_size;
+{
+    deflate_state *s;
+    int noheader = 0;
+    static const char* my_version = ZLIB_VERSION;
+
+    ushf *overlay;
+    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+     * output size for (length,distance) codes is <= 24 bits.
+     */
+
+    if (version == Z_NULL || version[0] != my_version[0] ||
+        stream_size != sizeof(z_stream)) {
+	return Z_VERSION_ERROR;
+    }
+    if (strm == Z_NULL) return Z_STREAM_ERROR;
+
+    strm->msg = Z_NULL;
+    if (strm->zalloc == Z_NULL) {
+      return Z_STREAM_ERROR;
+/*	strm->zalloc = zcalloc;
+	strm->opaque = (voidpf)0;*/
+    }
+    if (strm->zfree == Z_NULL) return Z_STREAM_ERROR; /* strm->zfree = zcfree; */
+
+    if (level == Z_DEFAULT_COMPRESSION) level = 6;
+#ifdef FASTEST
+    level = 1;
+#endif
+
+    if (windowBits < 0) { /* undocumented feature: suppress zlib header */
+        noheader = 1;
+        windowBits = -windowBits;
+    }
+    if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
+        windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
+	strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
+        return Z_STREAM_ERROR;
+    }
+    s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));
+    if (s == Z_NULL) return Z_MEM_ERROR;
+    strm->state = (struct internal_state FAR *)s;
+    s->strm = strm;
+
+    s->noheader = noheader;
+    s->w_bits = windowBits;
+    s->w_size = 1 << s->w_bits;
+    s->w_mask = s->w_size - 1;
+
+    s->hash_bits = memLevel + 7;
+    s->hash_size = 1 << s->hash_bits;
+    s->hash_mask = s->hash_size - 1;
+    s->hash_shift =  ((s->hash_bits+MIN_MATCH-1)/MIN_MATCH);
+
+    s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));
+    s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
+    s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
+
+    s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+    s->pending_buf = (uchf *) overlay;
+    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
+
+    if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+        s->pending_buf == Z_NULL) {
+        strm->msg = ERR_MSG(Z_MEM_ERROR);
+        deflateEnd (strm);
+        return Z_MEM_ERROR;
+    }
+    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
+
+    s->level = level;
+    s->strategy = strategy;
+    s->method = (Byte)method;
+
+    return deflateReset(strm);
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength)
+    z_streamp strm;
+    const Bytef *dictionary;
+    uInt  dictLength;
+{
+    deflate_state *s;
+    uInt length = dictLength;
+    uInt n;
+    IPos hash_head = 0;
+
+    if (strm == Z_NULL || strm->state == Z_NULL || dictionary == Z_NULL ||
+        strm->state->status != INIT_STATE) return Z_STREAM_ERROR;
+
+    s = strm->state;
+    strm->adler = adler32(strm->adler, dictionary, dictLength);
+
+    if (length < MIN_MATCH) return Z_OK;
+    if (length > MAX_DIST(s)) {
+	length = MAX_DIST(s);
+#ifndef USE_DICT_HEAD
+	dictionary += dictLength - length; /* use the tail of the dictionary */
+#endif
+    }
+    zmemcpy(s->window, dictionary, length);
+    s->strstart = length;
+    s->block_start = (long)length;
+
+    /* Insert all strings in the hash table (except for the last two bytes).
+     * s->lookahead stays null, so s->ins_h will be recomputed at the next
+     * call of fill_window.
+     */
+    s->ins_h = s->window[0];
+    UPDATE_HASH(s, s->ins_h, s->window[1]);
+    for (n = 0; n <= length - MIN_MATCH; n++) {
+	INSERT_STRING(s, n, hash_head);
+    }
+    if (hash_head) hash_head = 0;  /* to make compiler happy */
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateReset (strm)
+    z_streamp strm;
+{
+    deflate_state *s;
+    
+    if (strm == Z_NULL || strm->state == Z_NULL ||
+        strm->zalloc == Z_NULL || strm->zfree == Z_NULL) return Z_STREAM_ERROR;
+
+    strm->total_in = strm->total_out = 0;
+    strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */
+    strm->data_type = Z_UNKNOWN;
+
+    s = (deflate_state *)strm->state;
+    s->pending = 0;
+    s->pending_out = s->pending_buf;
+
+    if (s->noheader < 0) {
+        s->noheader = 0; /* was set to -1 by deflate(..., Z_FINISH); */
+    }
+    s->status = s->noheader ? BUSY_STATE : INIT_STATE;
+    strm->adler = 1;
+    s->last_flush = Z_NO_FLUSH;
+
+    _tr_init(s);
+    lm_init(s);
+
+    return Z_OK;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateParams(strm, level, strategy)
+    z_streamp strm;
+    int level;
+    int strategy;
+{
+    deflate_state *s;
+    compress_func func;
+    int err = Z_OK;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    s = strm->state;
+
+    if (level == Z_DEFAULT_COMPRESSION) {
+	level = 6;
+    }
+    if (level < 0 || level > 9 || strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
+	return Z_STREAM_ERROR;
+    }
+    func = configuration_table[s->level].func;
+
+    if (func != configuration_table[level].func && strm->total_in != 0) {
+	/* Flush the last buffer: */
+	err = deflate(strm, Z_PARTIAL_FLUSH);
+    }
+    if (s->level != level) {
+	s->level = level;
+	s->max_lazy_match   = configuration_table[level].max_lazy;
+	s->good_match       = configuration_table[level].good_length;
+	s->nice_match       = configuration_table[level].nice_length;
+	s->max_chain_length = configuration_table[level].max_chain;
+    }
+    s->strategy = strategy;
+    return err;
+}
+
+/* =========================================================================
+ * Put a short in the pending buffer. The 16-bit value is put in MSB order.
+ * IN assertion: the stream state is correct and there is enough room in
+ * pending_buf.
+ */
+local void putShortMSB (s, b)
+    deflate_state *s;
+    uInt b;
+{
+    put_byte(s, (Byte)(b >> 8));
+    put_byte(s, (Byte)(b & 0xff));
+}   
+
+/* =========================================================================
+ * Flush as much pending output as possible. All deflate() output goes
+ * through this function so some applications may wish to modify it
+ * to avoid allocating a large strm->next_out buffer and copying into it.
+ * (See also read_buf()).
+ */
+local void flush_pending(strm)
+    z_streamp strm;
+{
+    unsigned len = strm->state->pending;
+
+    if (len > strm->avail_out) len = strm->avail_out;
+    if (len == 0) return;
+
+    zmemcpy(strm->next_out, strm->state->pending_out, len);
+    strm->next_out  += len;
+    strm->state->pending_out  += len;
+    strm->total_out += len;
+    strm->avail_out  -= len;
+    strm->state->pending -= len;
+    if (strm->state->pending == 0) {
+        strm->state->pending_out = strm->state->pending_buf;
+    }
+}
+
+/* ========================================================================= */
+int ZEXPORT deflate (strm, flush)
+    z_streamp strm;
+    int flush;
+{
+    int old_flush; /* value of flush param for previous deflate call */
+    deflate_state *s;
+
+    if (strm == Z_NULL || strm->state == Z_NULL ||
+	flush > Z_FINISH || flush < 0) {
+        return Z_STREAM_ERROR;
+    }
+    s = strm->state;
+
+    if (strm->next_out == Z_NULL ||
+        (strm->next_in == Z_NULL && strm->avail_in != 0) ||
+	(s->status == FINISH_STATE && flush != Z_FINISH)) {
+        ERR_RETURN(strm, Z_STREAM_ERROR);
+    }
+    if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);
+
+    s->strm = strm; /* just in case */
+    old_flush = s->last_flush;
+    s->last_flush = flush;
+
+    /* Write the zlib header */
+    if (s->status == INIT_STATE) {
+
+        uInt header = (Z_DEFLATED + ((s->w_bits-8)<<4)) << 8;
+        uInt level_flags = (s->level-1) >> 1;
+
+        if (level_flags > 3) level_flags = 3;
+        header |= (level_flags << 6);
+	if (s->strstart != 0) header |= PRESET_DICT;
+        header += 31 - (header % 31);
+
+        s->status = BUSY_STATE;
+        putShortMSB(s, header);
+
+	/* Save the adler32 of the preset dictionary: */
+	if (s->strstart != 0) {
+	    putShortMSB(s, (uInt)(strm->adler >> 16));
+	    putShortMSB(s, (uInt)(strm->adler & 0xffff));
+	}
+	strm->adler = 1L;
+    }
+
+    /* Flush as much pending output as possible */
+    if (s->pending != 0) {
+        flush_pending(strm);
+        if (strm->avail_out == 0) {
+	    /* Since avail_out is 0, deflate will be called again with
+	     * more output space, but possibly with both pending and
+	     * avail_in equal to zero. There won't be anything to do,
+	     * but this is not an error situation so make sure we
+	     * return OK instead of BUF_ERROR at next call of deflate:
+             */
+	    s->last_flush = -1;
+	    return Z_OK;
+	}
+
+    /* Make sure there is something to do and avoid duplicate consecutive
+     * flushes. For repeated and useless calls with Z_FINISH, we keep
+     * returning Z_STREAM_END instead of Z_BUFF_ERROR.
+     */
+    } else if (strm->avail_in == 0 && flush <= old_flush &&
+	       flush != Z_FINISH) {
+        ERR_RETURN(strm, Z_BUF_ERROR);
+    }
+
+    /* User must not provide more input after the first FINISH: */
+    if (s->status == FINISH_STATE && strm->avail_in != 0) {
+        ERR_RETURN(strm, Z_BUF_ERROR);
+    }
+
+    /* Start a new block or continue the current one.
+     */
+    if (strm->avail_in != 0 || s->lookahead != 0 ||
+        (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
+        block_state bstate;
+
+	bstate = (*(configuration_table[s->level].func))(s, flush);
+
+        if (bstate == finish_started || bstate == finish_done) {
+            s->status = FINISH_STATE;
+        }
+        if (bstate == need_more || bstate == finish_started) {
+	    if (strm->avail_out == 0) {
+	        s->last_flush = -1; /* avoid BUF_ERROR next call, see above */
+	    }
+	    return Z_OK;
+	    /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
+	     * of deflate should use the same flush parameter to make sure
+	     * that the flush is complete. So we don't have to output an
+	     * empty block here, this will be done at next call. This also
+	     * ensures that for a very small output buffer, we emit at most
+	     * one empty block.
+	     */
+	}
+        if (bstate == block_done) {
+            if (flush == Z_PARTIAL_FLUSH) {
+                _tr_align(s);
+            } else { /* FULL_FLUSH or SYNC_FLUSH */
+                _tr_stored_block(s, (char*)0, 0L, 0);
+                /* For a full flush, this empty block will be recognized
+                 * as a special marker by inflate_sync().
+                 */
+                if (flush == Z_FULL_FLUSH) {
+                    CLEAR_HASH(s);             /* forget history */
+                }
+            }
+            flush_pending(strm);
+	    if (strm->avail_out == 0) {
+	      s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */
+	      return Z_OK;
+	    }
+        }
+    }
+    Assert(strm->avail_out > 0, "bug2");
+
+    if (flush != Z_FINISH) return Z_OK;
+    if (s->noheader) return Z_STREAM_END;
+
+    /* Write the zlib trailer (adler32) */
+    putShortMSB(s, (uInt)(strm->adler >> 16));
+    putShortMSB(s, (uInt)(strm->adler & 0xffff));
+    flush_pending(strm);
+    /* If avail_out is zero, the application will call deflate again
+     * to flush the rest.
+     */
+    s->noheader = -1; /* write the trailer only once! */
+    return s->pending != 0 ? Z_OK : Z_STREAM_END;
+}
+
+/* ========================================================================= */
+int ZEXPORT deflateEnd (strm)
+    z_streamp strm;
+{
+    int status;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+
+    status = strm->state->status;
+    if (status != INIT_STATE && status != BUSY_STATE &&
+	status != FINISH_STATE) {
+      return Z_STREAM_ERROR;
+    }
+
+    /* Deallocate in reverse order of allocations: */
+    TRY_FREE(strm, strm->state->pending_buf);
+    TRY_FREE(strm, strm->state->head);
+    TRY_FREE(strm, strm->state->prev);
+    TRY_FREE(strm, strm->state->window);
+
+    ZFREE(strm, strm->state);
+    strm->state = Z_NULL;
+
+    return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
+}
+
+/* =========================================================================
+ * Copy the source state to the destination state.
+ * To simplify the source, this is not supported for 16-bit MSDOS (which
+ * doesn't have enough memory anyway to duplicate compression states).
+ */
+int ZEXPORT deflateCopy (dest, source)
+    z_streamp dest;
+    z_streamp source;
+{
+#ifdef MAXSEG_64K
+    return Z_STREAM_ERROR;
+#else
+    deflate_state *ds;
+    deflate_state *ss;
+    ushf *overlay;
+
+
+    if (source == Z_NULL || dest == Z_NULL || source->state == Z_NULL) {
+        return Z_STREAM_ERROR;
+    }
+
+    ss = source->state;
+
+    *dest = *source;
+
+    ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));
+    if (ds == Z_NULL) return Z_MEM_ERROR;
+    dest->state = (struct internal_state FAR *) ds;
+    *ds = *ss;
+    ds->strm = dest;
+
+    ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+    ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+    ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+    ds->pending_buf = (uchf *) overlay;
+
+    if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+        ds->pending_buf == Z_NULL) {
+        deflateEnd (dest);
+        return Z_MEM_ERROR;
+    }
+    /* following zmemcpy do not work for 16-bit MSDOS */
+    zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
+    zmemcpy(ds->prev, ss->prev, ds->w_size * sizeof(Pos));
+    zmemcpy(ds->head, ss->head, ds->hash_size * sizeof(Pos));
+    zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+
+    ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
+
+    ds->l_desc.dyn_tree = ds->dyn_ltree;
+    ds->d_desc.dyn_tree = ds->dyn_dtree;
+    ds->bl_desc.dyn_tree = ds->bl_tree;
+
+    return Z_OK;
+#endif
+}
+
+/* ===========================================================================
+ * Read a new buffer from the current input stream, update the adler32
+ * and total number of bytes read.  All deflate() input goes through
+ * this function so some applications may wish to modify it to avoid
+ * allocating a large strm->next_in buffer and copying from it.
+ * (See also flush_pending()).
+ */
+local int read_buf(strm, buf, size)
+    z_streamp strm;
+    Bytef *buf;
+    unsigned size;
+{
+    unsigned len = strm->avail_in;
+
+    if (len > size) len = size;
+    if (len == 0) return 0;
+
+    strm->avail_in  -= len;
+
+    if (!strm->state->noheader) {
+        strm->adler = adler32(strm->adler, strm->next_in, len);
+    }
+    zmemcpy(buf, strm->next_in, len);
+    strm->next_in  += len;
+    strm->total_in += len;
+
+    return (int)len;
+}
+
+/* ===========================================================================
+ * Initialize the "longest match" routines for a new zlib stream
+ */
+local void lm_init (s)
+    deflate_state *s;
+{
+    s->window_size = (ulg)2L*s->w_size;
+
+    CLEAR_HASH(s);
+
+    /* Set the default configuration parameters:
+     */
+    s->max_lazy_match   = configuration_table[s->level].max_lazy;
+    s->good_match       = configuration_table[s->level].good_length;
+    s->nice_match       = configuration_table[s->level].nice_length;
+    s->max_chain_length = configuration_table[s->level].max_chain;
+
+    s->strstart = 0;
+    s->block_start = 0L;
+    s->lookahead = 0;
+    s->match_length = s->prev_length = MIN_MATCH-1;
+    s->match_available = 0;
+    s->ins_h = 0;
+#ifdef ASMV
+    match_init(); /* initialize the asm code */
+#endif
+}
+
+/* ===========================================================================
+ * Set match_start to the longest match starting at the given string and
+ * return its length. Matches shorter or equal to prev_length are discarded,
+ * in which case the result is equal to prev_length and match_start is
+ * garbage.
+ * IN assertions: cur_match is the head of the hash chain for the current
+ *   string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1
+ * OUT assertion: the match length is not greater than s->lookahead.
+ */
+#ifndef ASMV
+/* For 80x86 and 680x0, an optimized version will be provided in match.asm or
+ * match.S. The code will be functionally equivalent.
+ */
+#ifndef FASTEST
+local uInt longest_match(s, cur_match)
+    deflate_state *s;
+    IPos cur_match;                             /* current match */
+{
+    unsigned chain_length = s->max_chain_length;/* max hash chain length */
+    register Bytef *scan = s->window + s->strstart; /* current string */
+    register Bytef *match;                       /* matched string */
+    register int len;                           /* length of current match */
+    int best_len = s->prev_length;              /* best match length so far */
+    int nice_match = s->nice_match;             /* stop if match long enough */
+    IPos limit = s->strstart > (IPos)MAX_DIST(s) ?
+        s->strstart - (IPos)MAX_DIST(s) : NIL;
+    /* Stop when cur_match becomes <= limit. To simplify the code,
+     * we prevent matches with the string of window index 0.
+     */
+    Posf *prev = s->prev;
+    uInt wmask = s->w_mask;
+
+#ifdef UNALIGNED_OK
+    /* Compare two bytes at a time. Note: this is not always beneficial.
+     * Try with and without -DUNALIGNED_OK to check.
+     */
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;
+    register ush scan_start = *(ushf*)scan;
+    register ush scan_end   = *(ushf*)(scan+best_len-1);
+#else
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
+    register Byte scan_end1  = scan[best_len-1];
+    register Byte scan_end   = scan[best_len];
+#endif
+
+    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
+     * It is easy to get rid of this optimization if necessary.
+     */
+    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
+
+    /* Do not waste too much time if we already have a good match: */
+    if (s->prev_length >= s->good_match) {
+        chain_length >>= 2;
+    }
+    /* Do not look for matches beyond the end of the input. This is necessary
+     * to make deflate deterministic.
+     */
+    if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;
+
+    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
+
+    do {
+        Assert(cur_match < s->strstart, "no future");
+        match = s->window + cur_match;
+
+        /* Skip to next match if the match length cannot increase
+         * or if the match length is less than 2:
+         */
+#if (defined(UNALIGNED_OK) && MAX_MATCH == 258)
+        /* This code assumes sizeof(unsigned short) == 2. Do not use
+         * UNALIGNED_OK if your compiler uses a different size.
+         */
+        if (*(ushf*)(match+best_len-1) != scan_end ||
+            *(ushf*)match != scan_start) continue;
+
+        /* It is not necessary to compare scan[2] and match[2] since they are
+         * always equal when the other bytes match, given that the hash keys
+         * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at
+         * strstart+3, +5, ... up to strstart+257. We check for insufficient
+         * lookahead only every 4th comparison; the 128th check will be made
+         * at strstart+257. If MAX_MATCH-2 is not a multiple of 8, it is
+         * necessary to put more guard bytes at the end of the window, or
+         * to check more often for insufficient lookahead.
+         */
+        Assert(scan[2] == match[2], "scan[2]?");
+        scan++, match++;
+        do {
+        } while (*(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
+                 scan < strend);
+        /* The funny "do {}" generates better code on most compilers */
+
+        /* Here, scan <= window+strstart+257 */
+        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+        if (*scan == *match) scan++;
+
+        len = (MAX_MATCH - 1) - (int)(strend-scan);
+        scan = strend - (MAX_MATCH-1);
+
+#else /* UNALIGNED_OK */
+
+        if (match[best_len]   != scan_end  ||
+            match[best_len-1] != scan_end1 ||
+            *match            != *scan     ||
+            *++match          != scan[1])      continue;
+
+        /* The check at best_len-1 can be removed because it will be made
+         * again later. (This heuristic is not always a win.)
+         * It is not necessary to compare scan[2] and match[2] since they
+         * are always equal when the other bytes match, given that
+         * the hash keys are equal and that HASH_BITS >= 8.
+         */
+        scan += 2, match++;
+        Assert(*scan == *match, "match[2]?");
+
+        /* We check for insufficient lookahead only every 8th comparison;
+         * the 256th check will be made at strstart+258.
+         */
+        do {
+        } while (*++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 *++scan == *++match && *++scan == *++match &&
+                 scan < strend);
+
+        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+
+        len = MAX_MATCH - (int)(strend - scan);
+        scan = strend - MAX_MATCH;
+
+#endif /* UNALIGNED_OK */
+
+        if (len > best_len) {
+            s->match_start = cur_match;
+            best_len = len;
+            if (len >= nice_match) break;
+#ifdef UNALIGNED_OK
+            scan_end = *(ushf*)(scan+best_len-1);
+#else
+            scan_end1  = scan[best_len-1];
+            scan_end   = scan[best_len];
+#endif
+        }
+    } while ((cur_match = prev[cur_match & wmask]) > limit
+             && --chain_length != 0);
+
+    if ((uInt)best_len <= s->lookahead) return (uInt)best_len;
+    return s->lookahead;
+}
+
+#else /* FASTEST */
+/* ---------------------------------------------------------------------------
+ * Optimized version for level == 1 only
+ */
+local uInt longest_match(s, cur_match)
+    deflate_state *s;
+    IPos cur_match;                             /* current match */
+{
+    register Bytef *scan = s->window + s->strstart; /* current string */
+    register Bytef *match;                       /* matched string */
+    register int len;                           /* length of current match */
+    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
+
+    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
+     * It is easy to get rid of this optimization if necessary.
+     */
+    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
+
+    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
+
+    Assert(cur_match < s->strstart, "no future");
+
+    match = s->window + cur_match;
+
+    /* Return failure if the match length is less than 2:
+     */
+    if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;
+
+    /* The check at best_len-1 can be removed because it will be made
+     * again later. (This heuristic is not always a win.)
+     * It is not necessary to compare scan[2] and match[2] since they
+     * are always equal when the other bytes match, given that
+     * the hash keys are equal and that HASH_BITS >= 8.
+     */
+    scan += 2, match += 2;
+    Assert(*scan == *match, "match[2]?");
+
+    /* We check for insufficient lookahead only every 8th comparison;
+     * the 256th check will be made at strstart+258.
+     */
+    do {
+    } while (*++scan == *++match && *++scan == *++match &&
+	     *++scan == *++match && *++scan == *++match &&
+	     *++scan == *++match && *++scan == *++match &&
+	     *++scan == *++match && *++scan == *++match &&
+	     scan < strend);
+
+    Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
+
+    len = MAX_MATCH - (int)(strend - scan);
+
+    if (len < MIN_MATCH) return MIN_MATCH - 1;
+
+    s->match_start = cur_match;
+    return len <= s->lookahead ? len : s->lookahead;
+}
+#endif /* FASTEST */
+#endif /* ASMV */
+
+#ifdef DEBUG
+/* ===========================================================================
+ * Check that the match at match_start is indeed a match.
+ */
+local void check_match(s, start, match, length)
+    deflate_state *s;
+    IPos start, match;
+    int length;
+{
+    /* check that the match is indeed a match */
+    if (zmemcmp(s->window + match,
+                s->window + start, length) != EQUAL) {
+        fprintf(stderr, " start %u, match %u, length %d\n",
+		start, match, length);
+        do {
+	    fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
+	} while (--length != 0);
+        z_error("invalid match");
+    }
+    if (z_verbose > 1) {
+        fprintf(stderr,"\\[%d,%d]", start-match, length);
+        do { putc(s->window[start++], stderr); } while (--length != 0);
+    }
+}
+#else
+#  define check_match(s, start, match, length)
+#endif
+
+/* ===========================================================================
+ * Fill the window when the lookahead becomes insufficient.
+ * Updates strstart and lookahead.
+ *
+ * IN assertion: lookahead < MIN_LOOKAHEAD
+ * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
+ *    At least one byte has been read, or avail_in == 0; reads are
+ *    performed for at least two bytes (required for the zip translate_eol
+ *    option -- not supported here).
+ */
+local void fill_window(s)
+    deflate_state *s;
+{
+    register unsigned n, m;
+    register Posf *p;
+    unsigned more;    /* Amount of free space at the end of the window. */
+    uInt wsize = s->w_size;
+
+    do {
+        more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);
+
+        /* Deal with !@#$% 64K limit: */
+        if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
+            more = wsize;
+
+        } else if (more == (unsigned)(-1)) {
+            /* Very unlikely, but possible on 16 bit machine if strstart == 0
+             * and lookahead == 1 (input done one byte at time)
+             */
+            more--;
+
+        /* If the window is almost full and there is insufficient lookahead,
+         * move the upper half to the lower one to make room in the upper half.
+         */
+        } else if (s->strstart >= wsize+MAX_DIST(s)) {
+
+            zmemcpy(s->window, s->window+wsize, (unsigned)wsize);
+            s->match_start -= wsize;
+            s->strstart    -= wsize; /* we now have strstart >= MAX_DIST */
+            s->block_start -= (long) wsize;
+
+            /* Slide the hash table (could be avoided with 32 bit values
+               at the expense of memory usage). We slide even when level == 0
+               to keep the hash table consistent if we switch back to level > 0
+               later. (Using level 0 permanently is not an optimal usage of
+               zlib, so we don't care about this pathological case.)
+             */
+	    n = s->hash_size;
+	    p = &s->head[n];
+	    do {
+		m = *--p;
+		*p = (Pos)(m >= wsize ? m-wsize : NIL);
+	    } while (--n);
+
+	    n = wsize;
+#ifndef FASTEST
+	    p = &s->prev[n];
+	    do {
+		m = *--p;
+		*p = (Pos)(m >= wsize ? m-wsize : NIL);
+		/* If n is not on any hash chain, prev[n] is garbage but
+		 * its value will never be used.
+		 */
+	    } while (--n);
+#endif
+            more += wsize;
+        }
+        if (s->strm->avail_in == 0) return;
+
+        /* If there was no sliding:
+         *    strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
+         *    more == window_size - lookahead - strstart
+         * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
+         * => more >= window_size - 2*WSIZE + 2
+         * In the BIG_MEM or MMAP case (not yet supported),
+         *   window_size == input_size + MIN_LOOKAHEAD  &&
+         *   strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
+         * Otherwise, window_size == 2*WSIZE so more >= 2.
+         * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
+         */
+        Assert(more >= 2, "more < 2");
+
+        n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
+        s->lookahead += n;
+
+        /* Initialize the hash value now that we have some input: */
+        if (s->lookahead >= MIN_MATCH) {
+            s->ins_h = s->window[s->strstart];
+            UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
+#if MIN_MATCH != 3
+            Call UPDATE_HASH() MIN_MATCH-3 more times
+#endif
+        }
+        /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
+         * but this is not important since only literal bytes will be emitted.
+         */
+
+    } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);
+}
+
+/* ===========================================================================
+ * Flush the current block, with given end-of-file flag.
+ * IN assertion: strstart is set to the end of the current match.
+ */
+#define FLUSH_BLOCK_ONLY(s, eof) { \
+   _tr_flush_block(s, (s->block_start >= 0L ? \
+                   (charf *)&s->window[(unsigned)s->block_start] : \
+                   (charf *)Z_NULL), \
+		(ulg)((long)s->strstart - s->block_start), \
+		(eof)); \
+   s->block_start = s->strstart; \
+   flush_pending(s->strm); \
+   Tracev((stderr,"[FLUSH]")); \
+}
+
+/* Same but force premature exit if necessary. */
+#define FLUSH_BLOCK(s, eof) { \
+   FLUSH_BLOCK_ONLY(s, eof); \
+   if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \
+}
+
+/* ===========================================================================
+ * Copy without compression as much as possible from the input stream, return
+ * the current block state.
+ * This function does not insert new strings in the dictionary since
+ * uncompressible data is probably not useful. This function is used
+ * only for the level=0 compression option.
+ * NOTE: this function should be optimized to avoid extra copying from
+ * window to pending_buf.
+ */
+local block_state deflate_stored(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    /* Stored blocks are limited to 0xffff bytes, pending_buf is limited
+     * to pending_buf_size, and each stored block has a 5 byte header:
+     */
+    ulg max_block_size = 0xffff;
+    ulg max_start;
+
+    if (max_block_size > s->pending_buf_size - 5) {
+        max_block_size = s->pending_buf_size - 5;
+    }
+
+    /* Copy as much as possible from input to output: */
+    for (;;) {
+        /* Fill the window as much as possible: */
+        if (s->lookahead <= 1) {
+
+            Assert(s->strstart < s->w_size+MAX_DIST(s) ||
+		   s->block_start >= (long)s->w_size, "slide too late");
+
+            fill_window(s);
+            if (s->lookahead == 0 && flush == Z_NO_FLUSH) return need_more;
+
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+	Assert(s->block_start >= 0L, "block gone");
+
+	s->strstart += s->lookahead;
+	s->lookahead = 0;
+
+	/* Emit a stored block if pending_buf will be full: */
+ 	max_start = s->block_start + max_block_size;
+        if (s->strstart == 0 || (ulg)s->strstart >= max_start) {
+	    /* strstart == 0 is possible when wraparound on 16-bit machine */
+	    s->lookahead = (uInt)(s->strstart - max_start);
+	    s->strstart = (uInt)max_start;
+            FLUSH_BLOCK(s, 0);
+	}
+	/* Flush if we may have to slide, otherwise block_start may become
+         * negative and the data will be gone:
+         */
+        if (s->strstart - (uInt)s->block_start >= MAX_DIST(s)) {
+            FLUSH_BLOCK(s, 0);
+	}
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+
+/* ===========================================================================
+ * Compress as much as possible from the input stream, return the current
+ * block state.
+ * This function does not perform lazy evaluation of matches and inserts
+ * new strings in the dictionary only for unmatched strings or for short
+ * matches. It is used only for the fast compression options.
+ */
+local block_state deflate_fast(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    IPos hash_head = NIL; /* head of the hash chain */
+    int bflush;           /* set if current block must be flushed */
+
+    for (;;) {
+        /* Make sure that we always have enough lookahead, except
+         * at the end of the input file. We need MAX_MATCH bytes
+         * for the next match, plus MIN_MATCH bytes to insert the
+         * string following the next match.
+         */
+        if (s->lookahead < MIN_LOOKAHEAD) {
+            fill_window(s);
+            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
+	        return need_more;
+	    }
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+
+        /* Insert the string window[strstart .. strstart+2] in the
+         * dictionary, and set hash_head to the head of the hash chain:
+         */
+        if (s->lookahead >= MIN_MATCH) {
+            INSERT_STRING(s, s->strstart, hash_head);
+        }
+
+        /* Find the longest match, discarding those <= prev_length.
+         * At this point we have always match_length < MIN_MATCH
+         */
+        if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {
+            /* To simplify the code, we prevent matches with the string
+             * of window index 0 (in particular we have to avoid a match
+             * of the string with itself at the start of the input file).
+             */
+            if (s->strategy != Z_HUFFMAN_ONLY) {
+                s->match_length = longest_match (s, hash_head);
+            }
+            /* longest_match() sets match_start */
+        }
+        if (s->match_length >= MIN_MATCH) {
+            check_match(s, s->strstart, s->match_start, s->match_length);
+
+            _tr_tally_dist(s, s->strstart - s->match_start,
+                           s->match_length - MIN_MATCH, bflush);
+
+            s->lookahead -= s->match_length;
+
+            /* Insert new strings in the hash table only if the match length
+             * is not too large. This saves time but degrades compression.
+             */
+#ifndef FASTEST
+            if (s->match_length <= s->max_insert_length &&
+                s->lookahead >= MIN_MATCH) {
+                s->match_length--; /* string at strstart already in hash table */
+                do {
+                    s->strstart++;
+                    INSERT_STRING(s, s->strstart, hash_head);
+                    /* strstart never exceeds WSIZE-MAX_MATCH, so there are
+                     * always MIN_MATCH bytes ahead.
+                     */
+                } while (--s->match_length != 0);
+                s->strstart++; 
+            } else
+#endif
+	    {
+                s->strstart += s->match_length;
+                s->match_length = 0;
+                s->ins_h = s->window[s->strstart];
+                UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
+#if MIN_MATCH != 3
+                Call UPDATE_HASH() MIN_MATCH-3 more times
+#endif
+                /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
+                 * matter since it will be recomputed at next deflate call.
+                 */
+            }
+        } else {
+            /* No match, output a literal byte */
+            Tracevv((stderr,"%c", s->window[s->strstart]));
+            _tr_tally_lit (s, s->window[s->strstart], bflush);
+            s->lookahead--;
+            s->strstart++; 
+        }
+        if (bflush) FLUSH_BLOCK(s, 0);
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
+
+/* ===========================================================================
+ * Same as above, but achieves better compression. We use a lazy
+ * evaluation for matches: a match is finally adopted only if there is
+ * no better match at the next window position.
+ */
+local block_state deflate_slow(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    IPos hash_head = NIL;    /* head of hash chain */
+    int bflush;              /* set if current block must be flushed */
+
+    /* Process the input block. */
+    for (;;) {
+        /* Make sure that we always have enough lookahead, except
+         * at the end of the input file. We need MAX_MATCH bytes
+         * for the next match, plus MIN_MATCH bytes to insert the
+         * string following the next match.
+         */
+        if (s->lookahead < MIN_LOOKAHEAD) {
+            fill_window(s);
+            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
+	        return need_more;
+	    }
+            if (s->lookahead == 0) break; /* flush the current block */
+        }
+
+        /* Insert the string window[strstart .. strstart+2] in the
+         * dictionary, and set hash_head to the head of the hash chain:
+         */
+        if (s->lookahead >= MIN_MATCH) {
+            INSERT_STRING(s, s->strstart, hash_head);
+        }
+
+        /* Find the longest match, discarding those <= prev_length.
+         */
+        s->prev_length = s->match_length, s->prev_match = s->match_start;
+        s->match_length = MIN_MATCH-1;
+
+        if (hash_head != NIL && s->prev_length < s->max_lazy_match &&
+            s->strstart - hash_head <= MAX_DIST(s)) {
+            /* To simplify the code, we prevent matches with the string
+             * of window index 0 (in particular we have to avoid a match
+             * of the string with itself at the start of the input file).
+             */
+            if (s->strategy != Z_HUFFMAN_ONLY) {
+                s->match_length = longest_match (s, hash_head);
+            }
+            /* longest_match() sets match_start */
+
+            if (s->match_length <= 5 && (s->strategy == Z_FILTERED ||
+                 (s->match_length == MIN_MATCH &&
+                  s->strstart - s->match_start > TOO_FAR))) {
+
+                /* If prev_match is also MIN_MATCH, match_start is garbage
+                 * but we will ignore the current match anyway.
+                 */
+                s->match_length = MIN_MATCH-1;
+            }
+        }
+        /* If there was a match at the previous step and the current
+         * match is not better, output the previous match:
+         */
+        if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
+            uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
+            /* Do not insert strings in hash table beyond this. */
+
+            check_match(s, s->strstart-1, s->prev_match, s->prev_length);
+
+            _tr_tally_dist(s, s->strstart -1 - s->prev_match,
+			   s->prev_length - MIN_MATCH, bflush);
+
+            /* Insert in hash table all strings up to the end of the match.
+             * strstart-1 and strstart are already inserted. If there is not
+             * enough lookahead, the last two strings are not inserted in
+             * the hash table.
+             */
+            s->lookahead -= s->prev_length-1;
+            s->prev_length -= 2;
+            do {
+                if (++s->strstart <= max_insert) {
+                    INSERT_STRING(s, s->strstart, hash_head);
+                }
+            } while (--s->prev_length != 0);
+            s->match_available = 0;
+            s->match_length = MIN_MATCH-1;
+            s->strstart++;
+
+            if (bflush) FLUSH_BLOCK(s, 0);
+
+        } else if (s->match_available) {
+            /* If there was no match at the previous position, output a
+             * single literal. If there was a match but the current match
+             * is longer, truncate the previous match to a single literal.
+             */
+            Tracevv((stderr,"%c", s->window[s->strstart-1]));
+	    _tr_tally_lit(s, s->window[s->strstart-1], bflush);
+	    if (bflush) {
+                FLUSH_BLOCK_ONLY(s, 0);
+            }
+            s->strstart++;
+            s->lookahead--;
+            if (s->strm->avail_out == 0) return need_more;
+        } else {
+            /* There is no previous match to compare with, wait for
+             * the next step to decide.
+             */
+            s->match_available = 1;
+            s->strstart++;
+            s->lookahead--;
+        }
+    }
+    Assert (flush != Z_NO_FLUSH, "no flush?");
+    if (s->match_available) {
+        Tracevv((stderr,"%c", s->window[s->strstart-1]));
+        _tr_tally_lit(s, s->window[s->strstart-1], bflush);
+        s->match_available = 0;
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/deflate.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,318 @@
+/* deflate.h -- internal compression state
+ * Copyright (C) 1995-2002 Jean-loup Gailly
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* @(#) $Id: deflate.h,v 1.5 2004/07/10 07:48:38 mcr Exp $ */
+
+#ifndef _DEFLATE_H
+#define _DEFLATE_H
+
+#include "zlib/zutil.h"
+
+/* ===========================================================================
+ * Internal compression state.
+ */
+
+#define LENGTH_CODES 29
+/* number of length codes, not counting the special END_BLOCK code */
+
+#define LITERALS  256
+/* number of literal bytes 0..255 */
+
+#define L_CODES (LITERALS+1+LENGTH_CODES)
+/* number of Literal or Length codes, including the END_BLOCK code */
+
+#define D_CODES   30
+/* number of distance codes */
+
+#define BL_CODES  19
+/* number of codes used to transfer the bit lengths */
+
+#define HEAP_SIZE (2*L_CODES+1)
+/* maximum heap size */
+
+#define MAX_BITS 15
+/* All codes must not exceed MAX_BITS bits */
+
+#define INIT_STATE    42
+#define BUSY_STATE   113
+#define FINISH_STATE 666
+/* Stream status */
+
+
+/* Data structure describing a single value and its code string. */
+typedef struct ct_data_s {
+    union {
+        ush  freq;       /* frequency count */
+        ush  code;       /* bit string */
+    } fc;
+    union {
+        ush  dad;        /* father node in Huffman tree */
+        ush  len;        /* length of bit string */
+    } dl;
+} FAR ct_data;
+
+#define Freq fc.freq
+#define Code fc.code
+#define Dad  dl.dad
+#define Len  dl.len
+
+typedef struct static_tree_desc_s  static_tree_desc;
+
+typedef struct tree_desc_s {
+    ct_data *dyn_tree;           /* the dynamic tree */
+    int     max_code;            /* largest code with non zero frequency */
+    static_tree_desc *stat_desc; /* the corresponding static tree */
+} FAR tree_desc;
+
+typedef ush Pos;
+typedef Pos FAR Posf;
+typedef unsigned IPos;
+
+/* A Pos is an index in the character window. We use short instead of int to
+ * save space in the various tables. IPos is used only for parameter passing.
+ */
+
+typedef struct internal_state {
+    z_streamp strm;      /* pointer back to this zlib stream */
+    int   status;        /* as the name implies */
+    Bytef *pending_buf;  /* output still pending */
+    ulg   pending_buf_size; /* size of pending_buf */
+    Bytef *pending_out;  /* next pending byte to output to the stream */
+    int   pending;       /* nb of bytes in the pending buffer */
+    int   noheader;      /* suppress zlib header and adler32 */
+    Byte  data_type;     /* UNKNOWN, BINARY or ASCII */
+    Byte  method;        /* STORED (for zip only) or DEFLATED */
+    int   last_flush;    /* value of flush param for previous deflate call */
+
+                /* used by deflate.c: */
+
+    uInt  w_size;        /* LZ77 window size (32K by default) */
+    uInt  w_bits;        /* log2(w_size)  (8..16) */
+    uInt  w_mask;        /* w_size - 1 */
+
+    Bytef *window;
+    /* Sliding window. Input bytes are read into the second half of the window,
+     * and move to the first half later to keep a dictionary of at least wSize
+     * bytes. With this organization, matches are limited to a distance of
+     * wSize-MAX_MATCH bytes, but this ensures that IO is always
+     * performed with a length multiple of the block size. Also, it limits
+     * the window size to 64K, which is quite useful on MSDOS.
+     * To do: use the user input buffer as sliding window.
+     */
+
+    ulg window_size;
+    /* Actual size of window: 2*wSize, except when the user input buffer
+     * is directly used as sliding window.
+     */
+
+    Posf *prev;
+    /* Link to older string with same hash index. To limit the size of this
+     * array to 64K, this link is maintained only for the last 32K strings.
+     * An index in this array is thus a window index modulo 32K.
+     */
+
+    Posf *head; /* Heads of the hash chains or NIL. */
+
+    uInt  ins_h;          /* hash index of string to be inserted */
+    uInt  hash_size;      /* number of elements in hash table */
+    uInt  hash_bits;      /* log2(hash_size) */
+    uInt  hash_mask;      /* hash_size-1 */
+
+    uInt  hash_shift;
+    /* Number of bits by which ins_h must be shifted at each input
+     * step. It must be such that after MIN_MATCH steps, the oldest
+     * byte no longer takes part in the hash key, that is:
+     *   hash_shift * MIN_MATCH >= hash_bits
+     */
+
+    long block_start;
+    /* Window position at the beginning of the current output block. Gets
+     * negative when the window is moved backwards.
+     */
+
+    uInt match_length;           /* length of best match */
+    IPos prev_match;             /* previous match */
+    int match_available;         /* set if previous match exists */
+    uInt strstart;               /* start of string to insert */
+    uInt match_start;            /* start of matching string */
+    uInt lookahead;              /* number of valid bytes ahead in window */
+
+    uInt prev_length;
+    /* Length of the best match at previous step. Matches not greater than this
+     * are discarded. This is used in the lazy match evaluation.
+     */
+
+    uInt max_chain_length;
+    /* To speed up deflation, hash chains are never searched beyond this
+     * length.  A higher limit improves compression ratio but degrades the
+     * speed.
+     */
+
+    uInt max_lazy_match;
+    /* Attempt to find a better match only when the current match is strictly
+     * smaller than this value. This mechanism is used only for compression
+     * levels >= 4.
+     */
+#   define max_insert_length  max_lazy_match
+    /* Insert new strings in the hash table only if the match length is not
+     * greater than this length. This saves time but degrades compression.
+     * max_insert_length is used only for compression levels <= 3.
+     */
+
+    int level;    /* compression level (1..9) */
+    int strategy; /* favor or force Huffman coding*/
+
+    uInt good_match;
+    /* Use a faster search when the previous match is longer than this */
+
+    int nice_match; /* Stop searching when current match exceeds this */
+
+                /* used by trees.c: */
+    /* Didn't use ct_data typedef below to supress compiler warning */
+    struct ct_data_s dyn_ltree[HEAP_SIZE];   /* literal and length tree */
+    struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
+    struct ct_data_s bl_tree[2*BL_CODES+1];  /* Huffman tree for bit lengths */
+
+    struct tree_desc_s l_desc;               /* desc. for literal tree */
+    struct tree_desc_s d_desc;               /* desc. for distance tree */
+    struct tree_desc_s bl_desc;              /* desc. for bit length tree */
+
+    ush bl_count[MAX_BITS+1];
+    /* number of codes at each bit length for an optimal tree */
+
+    int heap[2*L_CODES+1];      /* heap used to build the Huffman trees */
+    int heap_len;               /* number of elements in the heap */
+    int heap_max;               /* element of largest frequency */
+    /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
+     * The same heap array is used to build all trees.
+     */
+
+    uch depth[2*L_CODES+1];
+    /* Depth of each subtree used as tie breaker for trees of equal frequency
+     */
+
+    uchf *l_buf;          /* buffer for literals or lengths */
+
+    uInt  lit_bufsize;
+    /* Size of match buffer for literals/lengths.  There are 4 reasons for
+     * limiting lit_bufsize to 64K:
+     *   - frequencies can be kept in 16 bit counters
+     *   - if compression is not successful for the first block, all input
+     *     data is still in the window so we can still emit a stored block even
+     *     when input comes from standard input.  (This can also be done for
+     *     all blocks if lit_bufsize is not greater than 32K.)
+     *   - if compression is not successful for a file smaller than 64K, we can
+     *     even emit a stored file instead of a stored block (saving 5 bytes).
+     *     This is applicable only for zip (not gzip or zlib).
+     *   - creating new Huffman trees less frequently may not provide fast
+     *     adaptation to changes in the input data statistics. (Take for
+     *     example a binary file with poorly compressible code followed by
+     *     a highly compressible string table.) Smaller buffer sizes give
+     *     fast adaptation but have of course the overhead of transmitting
+     *     trees more frequently.
+     *   - I can't count above 4
+     */
+
+    uInt last_lit;      /* running index in l_buf */
+
+    ushf *d_buf;
+    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+     * the same number of elements. To use different lengths, an extra flag
+     * array would be necessary.
+     */
+
+    ulg opt_len;        /* bit length of current block with optimal trees */
+    ulg static_len;     /* bit length of current block with static trees */
+    uInt matches;       /* number of string matches in current block */
+    int last_eob_len;   /* bit length of EOB code for last block */
+
+#ifdef DEBUG
+    ulg compressed_len; /* total bit length of compressed file mod 2^32 */
+    ulg bits_sent;      /* bit length of compressed data sent mod 2^32 */
+#endif
+
+    ush bi_buf;
+    /* Output buffer. bits are inserted starting at the bottom (least
+     * significant bits).
+     */
+    int bi_valid;
+    /* Number of valid bits in bi_buf.  All bits above the last valid bit
+     * are always zero.
+     */
+
+} FAR deflate_state;
+
+/* Output a byte on the stream.
+ * IN assertion: there is enough room in pending_buf.
+ */
+#define put_byte(s, c) {s->pending_buf[s->pending++] = (c);}
+
+
+#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
+/* Minimum amount of lookahead, except at the end of the input file.
+ * See deflate.c for comments about the MIN_MATCH+1.
+ */
+
+#define MAX_DIST(s)  ((s)->w_size-MIN_LOOKAHEAD)
+/* In order to simplify the code, particularly on 16 bit machines, match
+ * distances are limited to MAX_DIST instead of WSIZE.
+ */
+
+        /* in trees.c */
+void _tr_init         OF((deflate_state *s));
+int  _tr_tally        OF((deflate_state *s, unsigned dist, unsigned lc));
+void _tr_flush_block  OF((deflate_state *s, charf *buf, ulg stored_len,
+			  int eof));
+void _tr_align        OF((deflate_state *s));
+void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
+                          int eof));
+
+#define d_code(dist) \
+   ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
+/* Mapping from a distance to a distance code. dist is the distance - 1 and
+ * must not have side effects. _dist_code[256] and _dist_code[257] are never
+ * used.
+ */
+
+#ifndef DEBUG
+/* Inline versions of _tr_tally for speed: */
+
+#if defined(GEN_TREES_H) || !defined(STDC)
+  extern uch _length_code[];
+  extern uch _dist_code[];
+#else
+  extern const uch _length_code[];
+  extern const uch _dist_code[];
+#endif
+
+# define _tr_tally_lit(s, c, flush) \
+  { uch cc = (c); \
+    s->d_buf[s->last_lit] = 0; \
+    s->l_buf[s->last_lit++] = cc; \
+    s->dyn_ltree[cc].Freq++; \
+    flush = (s->last_lit == s->lit_bufsize-1); \
+   }
+# define _tr_tally_dist(s, distance, length, flush) \
+  { uch len = (length); \
+    ush dist = (distance); \
+    s->d_buf[s->last_lit] = dist; \
+    s->l_buf[s->last_lit++] = len; \
+    dist--; \
+    s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+    s->dyn_dtree[d_code(dist)].Freq++; \
+    flush = (s->last_lit == s->lit_bufsize-1); \
+  }
+#else
+# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+# define _tr_tally_dist(s, distance, length, flush) \
+              flush = _tr_tally(s, distance, length) 
+#endif
+
+#endif /* _DEFLATE_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/COPYRIGHT     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,50 @@
+Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+All rights reserved.
+
+This package is an DES implementation written by Eric Young (eay@cryptsoft.com).
+The implementation was written so as to conform with MIT's libdes.
+
+This library is free for commercial and non-commercial use as long as
+the following conditions are aheared to.  The following conditions
+apply to all code found in this distribution.
+
+Copyright remains Eric Young's, and as such any Copyright notices in
+the code are not to be removed.
+If this package is used in a product, Eric Young should be given attribution
+as the author of that the SSL library.  This can be in the form of a textual
+message at program startup or in documentation (online or textual) provided
+with the package.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@cryptsoft.com)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+The license and distribution terms for any publically available version or
+derivative of this code cannot be changed.  i.e. this code cannot simply be
+copied and put under another distrubution license
+[including the GNU Public License.]
+
+The reason behind this being stated in this direct manner is past
+experience in code simply being copied and the attribution removed
+from it and then being distributed as part of other packages. This
+implementation was a non-trivial and unpaid effort.
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/INSTALL     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,69 @@
+Check the CC and CFLAGS lines in the makefile
+
+If your C library does not support the times(3) function, change the
+#define TIMES to
+#undef TIMES in speed.c
+If it does, check the HZ value for the times(3) function.
+If your system does not define CLK_TCK it will be assumed to
+be 100.0.
+
+If possible use gcc v 2.7.?
+Turn on the maximum optimising (normally '-O3 -fomit-frame-pointer' for gcc)
+In recent times, some system compilers give better performace.
+
+type 'make'
+
+run './destest' to check things are ok.
+run './rpw' to check the tty code for reading passwords works.
+run './speed' to see how fast those optimisations make the library run :-)
+run './des_opts' to determin the best compile time options.
+
+The output from des_opts should be put in the makefile options and des_enc.c
+should be rebuilt.  For 64 bit computers, do not use the DES_PTR option.
+For the DEC Alpha, edit des.h and change DES_LONG to 'unsigned int'
+and then you can use the 'DES_PTR' option.
+
+The file options.txt has the options listed for best speed on quite a
+few systems.  Look and the options (UNROLL, PTR, RISC2 etc) and then
+turn on the relevent option in the Makefile
+
+There are some special Makefile targets that make life easier.
+make cc		- standard cc build
+make gcc	- standard gcc build
+make x86-elf	- x86 assembler (elf), linux-elf.
+make x86-out	- x86 assembler (a.out), FreeBSD
+make x86-solaris- x86 assembler
+make x86-bsdi	- x86 assembler (a.out with primative assembler).
+
+If at all possible use the assembler (for Windows NT/95, use
+asm/win32.obj to link with).  The x86 assembler is very very fast.
+
+A make install will by default install
+libdes.a      in /usr/local/lib/libdes.a
+des           in /usr/local/bin/des
+des_crypt.man in /usr/local/man/man3/des_crypt.3
+des.man       in /usr/local/man/man1/des.1
+des.h         in /usr/include/des.h
+
+des(1) should be compatible with sunOS's but I have been unable to
+test it.
+
+These routines should compile on MSDOS, most 32bit and 64bit version
+of Unix (BSD and SYSV) and VMS, without modification.
+The only problems should be #include files that are in the wrong places.
+
+These routines can be compiled under MSDOS.
+I have successfully encrypted files using des(1) under MSDOS and then
+decrypted the files on a SparcStation.
+I have been able to compile and test the routines with
+Microsoft C v 5.1 and Turbo C v 2.0.
+The code in this library is in no way optimised for the 16bit
+operation of MSDOS.
+
+When building for glibc, ignore all of the above and just unpack into
+glibc-1.??/des and then gmake as per normal.
+
+As a final note on performace.  Certain CPUs like sparcs and Alpha often give
+a %10 speed difference depending on the link order.  It is rather anoying
+when one program reports 'x' DES encrypts a second and another reports
+'x*0.9' the speed.
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/Makefile     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,63 @@
+# Makefile for KLIPS kernel code as a module    for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# Copyright (C) 1998, 1999, 2000,2001  Richard Guy Briggs.
+# Copyright (C) 2002-2004	Michael Richardson <mcr@freeswan.org>
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile.fs2_6,v 1.2.2.1 2005/08/12 16:10:57 ken Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+# unless it's something special (ie not a .c file).
+#
+
+obj-$(CONFIG_KLIPS_ENC_3DES) += ipsec_alg_3des.o
+obj-$(CONFIG_KLIPS_ENC_3DES) += cbc_enc.o
+obj-$(CONFIG_KLIPS_ENC_3DES) += ecb_enc.o
+obj-$(CONFIG_KLIPS_ENC_3DES) += set_key.o
+
+ifeq ($(strip ${SUBARCH}),)
+SUBARCH:=${ARCH}
+endif
+
+# the assembly version expects frame pointers, which are
+# optional in many kernel builds. If you want speed, you should
+# probably use cryptoapi code instead.
+USEASSEMBLY=${SUBARCH}${CONFIG_FRAME_POINTER}
+ifeq (${USEASSEMBLY},i386y)
+obj-$(CONFIG_KLIPS_ENC_3DES) += dx86unix.o
+else
+obj-$(CONFIG_KLIPS_ENC_3DES) += des_enc.o
+endif
+
+#
+# $Log: Makefile.fs2_6,v $
+# Revision 1.2.2.1  2005/08/12 16:10:57  ken
+# do not use assembly code with there are no frame pointers
+#
+# Revision 1.3  2005/08/12 14:13:59  mcr
+# 	do not use assembly code with there are no frame pointers,
+# 	as it does not have the right linkages.
+#
+# Revision 1.2  2005/04/29 05:13:07  mcr
+# 	3DES algorithm code.
+#
+# Revision 1.1  2004/08/17 03:27:30  mcr
+# 	klips 2.6 edits.
+#
+#
+# Local Variables:
+# compile-command: "(cd ../../.. && source umlsetup.sh && make -C ${POOLSPACE} module/ipsec.o)"
+# End Variables:
+#
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/README     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,54 @@
+
+		libdes, Version 4.01 10-Jan-97
+
+		Copyright (c) 1997, Eric Young
+			  All rights reserved.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms specified in COPYRIGHT.
+    
+--
+The primary ftp site for this library is
+ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-x.xx.tar.gz
+libdes is now also shipped with SSLeay.  Primary ftp site of
+ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.x.x.tar.gz
+
+The best way to build this library is to build it as part of SSLeay.
+
+This kit builds a DES encryption library and a DES encryption program.
+It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc, triple ofb,
+triple cfb, desx, and MIT's pcbc encryption modes and also has a fast
+implementation of crypt(3).
+It contains support routines to read keys from a terminal,
+generate a random key, generate a key from an arbitrary length string,
+read/write encrypted data from/to a file descriptor.
+
+The implementation was written so as to conform with the manual entry
+for the des_crypt(3) library routines from MIT's project Athena.
+
+destest should be run after compilation to test the des routines.
+rpw should be run after compilation to test the read password routines.
+The des program is a replacement for the sun des command.  I believe it
+conforms to the sun version.
+
+The Imakefile is setup for use in the kerberos distribution.
+
+These routines are best compiled with gcc or any other good
+optimising compiler.
+Just turn you optimiser up to the highest settings and run destest
+after the build to make sure everything works.
+
+I believe these routines are close to the fastest and most portable DES
+routines that use small lookup tables (4.5k) that are publicly available.
+The fcrypt routine is faster than ufc's fcrypt (when compiling with
+gcc2 -O2) on the sparc 2 (1410 vs 1270) but is not so good on other machines
+(on a sun3/260 168 vs 336).  It is a function of CPU on chip cache size.
+[ 10-Jan-97 and a function of an incorrect speed testing program in
+  ufc which gave much better test figures that reality ].
+
+It is worth noting that on sparc and Alpha CPUs, performance of the DES
+library can vary by upto %10 due to the positioning of files after application
+linkage.
+
+Eric Young (eay@cryptsoft.com)
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/README.freeswan     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,33 @@
+The only changes the FreeS/WAN project has made to libdes-lite 4.04b are:
+
+We #ifdef-ed the declaration of DES_LONG in des.h, so it's more efficient
+on the Alpha, instead of just noting the issue in a comment. 
+
+We #ifdef-ed out the des_options() function in ecb_enc.c, because we don't
+use it, and its call to sprintf() can cause subtle difficulties when KLIPS
+is built as a module (depending on details of Linux configuration options).
+
+We changed some instances of CC=$(CC) in the Makefile to CC='$(CC)' to make
+it cope better with Linux kernel Makefile stupidities, and took out an
+explicit CC=gcc (unwise on systems with strange compilers).
+
+We deleted some references to <stdio.h> and <stdlib.h>, and a declaration
+of one function found only in the full libdes (not in libdes-lite), to
+avoid dragging in bits of stdio/stdlib unnecessarily.  (Our thanks to Hans
+Schultz for spotting this and pointing out the fixes.)
+
+We deleted a couple of .obj files in the asm subdirectory, which appear to
+have been included in the original library by accident. 
+
+We have added an include of our Makefile.inc file, to permit overriding
+things like choice of compiler (although the libdes Makefile would
+probably need some work to make this effective).
+
+
+
+Note that Eric Young is no longer at the email address listed in these
+files, and is (alas) no longer working on free crypto software. 
+
+
+
+This file is RCSID $Id: README.freeswan,v 1.12 2004/07/10 08:06:51 mcr Exp $
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/VERSION     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,406 @@
+Version 4.04
+	Fixed a few tests in destest.  Also added x86 assember for
+	des_ncbc_encrypt() which is the standard cbc mode function.
+	This makes a very very large performace difference.
+	Ariel Glenn ariel@columbia.edu reports that the terminal
+	'turn echo off' can return (errno == EINVAL) under solaris
+	when redirection is used.  So I now catch that as well as ENOTTY.
+
+
+Version 4.03
+	Left a static out of enc_write.c, which caused to buffer to be
+	continiously malloc()ed.  Does anyone use these functions?  I keep
+	on feeling like removing them since I only had these in there
+	for a version of kerberised login.  Anyway, this was pointed out
+	by Theo de Raadt <deraadt@cvs.openbsd.org>
+	The 'n' bit ofb code was wrong, it was not shifting the shift
+	register. It worked correctly for n == 64.  Thanks to
+	Gigi Ankeny <Gigi.Ankeny@Eng.Sun.COM> for pointing this one out.
+
+Version 4.02
+	I was doing 'if (memcmp(weak_keys[i],key,sizeof(key)) == 0)'
+	when checking for weak keys which is wrong :-(, pointed out by
+	Markus F.X.J. Oberhumer <markus.oberhumer@jk.uni-linz.ac.at>.
+
+Version 4.01
+	Even faster inner loop in the DES assembler for x86 and a modification
+	for IP/FP which is faster on x86.  Both of these changes are
+	from Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  His
+	changes make the assembler run %40 faster on a pentium.  This is just
+	a case of getting the instruction sequence 'just right'.
+	All credit to 'Svend' :-)
+	Quite a few special x86 'make' targets.
+	A libdes-l (lite) distribution.
+
+Version 4.00
+	After a bit of a pause, I'll up the major version number since this
+	is mostly a performace release.  I've added x86 assembler and
+	added more options for performance.  A %28 speedup for gcc 
+	on a pentium and the assembler is a %50 speedup.
+	MIPS CPU's, sparc and Alpha are the main CPU's with speedups.
+	Run des_opts to work out which options should be used.
+	DES_RISC1/DES_RISC2 use alternative inner loops which use
+	more registers but should give speedups on any CPU that does
+	dual issue (pentium).  DES_UNROLL unrolls the inner loop,
+	which costs in code size.
+
+Version 3.26
+	I've finally removed one of the shifts in D_ENCRYPT.  This
+	meant I've changed the des_SPtrans table (spr.h), the set_key()
+	function and some things in des_enc.c.  This has definitly
+	made things faster :-).  I've known about this one for some
+	time but I've been too lazy to follow it up :-).
+	Noticed that in the D_ENCRYPT() macro, we can just do L^=(..)^(..)^..
+	instead of L^=((..)|(..)|(..)..  This should save a register at
+	least.
+	Assember for x86.  The file to replace is des_enc.c, which is replaced
+	by one of the assembler files found in asm.  Look at des/asm/readme
+	for more info.
+
+	/* Modification to fcrypt so it can be compiled to support
+	HPUX 10.x's long password format, define -DLONGCRYPT to use this.
+	Thanks to Jens Kupferschmidt <bt1cu@hpboot.rz.uni-leipzig.de>. */
+
+	SIGWINCH case put in des_read_passwd() so the function does not
+	'exit' if this function is recieved.
+
+Version 3.25 17/07/96
+	Modified read_pwd.c so that stdin can be read if not a tty.
+	Thanks to Jeff Barber <jeffb@issl.atl.hp.com> for the patches.
+	des_init_random_number_generator() shortened due to VMS linker
+	limits.
+	Added RSA's DESX cbc mode.  It is a form of cbc encryption, with 2
+	8 byte quantites xored before and after encryption.
+	des_xcbc_encryption() - the name is funny to preserve the des_
+	prefix on all functions.
+
+Version 3.24 20/04/96
+	The DES_PTR macro option checked and used by SSLeay configuration
+
+Version 3.23 11/04/96
+	Added DES_LONG.  If defined to 'unsigned int' on the DEC Alpha,
+	it gives a %20 speedup :-)
+	Fixed the problem with des.pl under perl5.  The patches were
+	sent by Ed Kubaitis (ejk@uiuc.edu).
+	if fcrypt.c, changed values to handle illegal salt values the way
+	normal crypt() implementations do.  Some programs apparently use
+	them :-(. The patch was sent by Bjorn Gronvall <bg@sics.se>
+
+Version 3.22 29/11/95
+	Bug in des(1), an error with the uuencoding stuff when the
+	'data' is small, thanks to Geoff Keating <keagchon@mehta.anu.edu.au>
+	for the patch.
+
+Version 3.21 22/11/95
+	After some emailing back and forth with 
+	Colin Plumb <colin@nyx10.cs.du.edu>, I've tweaked a few things
+	and in a future version I will probably put in some of the
+	optimisation he suggested for use with the DES_USE_PTR option.
+	Extra routines from Mark Murray <mark@grondar.za> for use in
+	freeBSD.  They mostly involve random number generation for use
+	with kerberos.  They involve evil machine specific system calls
+	etc so I would normally suggest pushing this stuff into the
+	application and/or using RAND_seed()/RAND_bytes() if you are
+	using this DES library as part of SSLeay.
+	Redone the read_pw() function so that it is cleaner and
+	supports termios, thanks to Sameer Parekh <sameer@c2.org>
+	for the initial patches for this.
+	Renamed 3ecb_encrypt() to ecb3_encrypt().  This has been
+	 done just to make things more consistent.
+	I have also now added triple DES versions of cfb and ofb.
+
+Version 3.20
+	Damn, Damn, Damn, as pointed out by Mike_Spreitzer.PARC@xerox.com,
+	my des_random_seed() function was only copying 4 bytes of the
+	passed seed into the init structure.  It is now fixed to copy 8.
+	My own suggestion is to used something like MD5 :-)
+
+Version 3.19 
+	While looking at my code one day, I though, why do I keep on
+	calling des_encrypt(in,out,ks,enc) when every function that
+	calls it has in and out the same.  So I dropped the 'out'
+	parameter, people should not be using this function.
+
+Version 3.18 30/08/95
+	Fixed a few bit with the distribution and the filenames.
+	3.17 had been munged via a move to DOS and back again.
+	NO CODE CHANGES
+
+Version 3.17 14/07/95
+	Fixed ede3 cbc which I had broken in 3.16.  I have also
+	removed some unneeded variables in 7-8 of the routines.
+
+Version 3.16 26/06/95
+	Added des_encrypt2() which does not use IP/FP, used by triple
+	des routines.  Tweaked things a bit elsewhere. %13 speedup on
+	sparc and %6 on a R4400 for ede3 cbc mode.
+
+Version 3.15 06/06/95
+	Added des_ncbc_encrypt(), it is des_cbc mode except that it is
+	'normal' and copies the new iv value back over the top of the
+	passed parameter.
+	CHANGED des_ede3_cbc_encrypt() so that it too now overwrites
+	the iv.  THIS WILL BREAK EXISTING CODE, but since this function
+	only new, I feel I can change it, not so with des_cbc_encrypt :-(.
+	I need to update the documentation.
+
+Version 3.14 31/05/95
+	New release upon the world, as part of my SSL implementation.
+	New copyright and usage stuff.  Basically free for all to use
+	as long as you say it came from me :-)
+
+Version 3.13 31/05/95
+	A fix in speed.c, if HZ is not defined, I set it to 100.0
+	which is reasonable for most unixes except SunOS 4.x.
+	I now have a #ifdef sun but timing for SunOS 4.x looked very
+	good :-(.  At my last job where I used SunOS 4.x, it was
+	defined to be 60.0 (look at the old INSTALL documentation), at
+	the last release had it changed to 100.0 since I now work with
+	Solaris2 and SVR4 boxes.
+	Thanks to  Rory Chisholm <rchishol@math.ethz.ch> for pointing this
+	one out.
+
+Version 3.12 08/05/95
+	As pointed out by The Crypt Keeper <tck@bend.UCSD.EDU>,
+	my D_ENCRYPT macro in crypt() had an un-necessary variable.
+	It has been removed.
+
+Version 3.11 03/05/95
+	Added des_ede3_cbc_encrypt() which is cbc mode des with 3 keys
+	and one iv.  It is a standard and I needed it for my SSL code.
+	It makes more sense to use this for triple DES than
+	3cbc_encrypt().  I have also added (or should I say tested :-)
+	cfb64_encrypt() which is cfb64 but it will encrypt a partial
+	number of bytes - 3 bytes in 3 bytes out.  Again this is for
+	my SSL library, as a form of encryption to use with SSL
+	telnet.
+
+Version 3.10 22/03/95
+	Fixed a bug in 3cbc_encrypt() :-(.  When making repeated calls
+	to cbc3_encrypt, the 2 iv values that were being returned to
+	be used in the next call were reversed :-(.
+	Many thanks to Bill Wade <wade@Stoner.COM> for pointing out
+	this error.
+
+Version 3.09 01/02/95
+	Fixed des_random_key to far more random, it was rather feeble
+	with regards to picking the initial seed.  The problem was
+	pointed out by Olaf Kirch <okir@monad.swb.de>.
+
+Version 3.08 14/12/94
+	Added Makefile.PL so libdes can be built into perl5.
+	Changed des_locl.h so RAND is always defined.
+
+Version 3.07 05/12/94
+	Added GNUmake and stuff so the library can be build with
+	glibc.
+
+Version 3.06 30/08/94
+	Added rpc_enc.c which contains _des_crypt.  This is for use in
+	secure_rpc v 4.0
+	Finally fixed the cfb_enc problems.
+	Fixed a few parameter parsing bugs in des (-3 and -b), thanks
+	to Rob McMillan <R.McMillan@its.gu.edu.au>
+
+Version 3.05 21/04/94
+	for unsigned long l; gcc does not produce ((l>>34) == 0)
+	This causes bugs in cfb_enc.
+	Thanks to Hadmut Danisch <danisch@ira.uka.de>
+
+Version 3.04 20/04/94
+	Added a version number to des.c and libdes.a
+
+Version 3.03 12/01/94
+	Fixed a bug in non zero iv in 3cbc_enc.
+
+Version 3.02 29/10/93
+	I now work in a place where there are 6+ architectures and 14+
+	OS versions :-).
+	Fixed TERMIO definition so the most sys V boxes will work :-)
+
+Release upon comp.sources.misc
+Version 3.01 08/10/93
+	Added des_3cbc_encrypt()
+
+Version 3.00 07/10/93
+	Fixed up documentation.
+	quad_cksum definitely compatible with MIT's now.
+
+Version 2.30 24/08/93
+	Triple DES now defaults to triple cbc but can do triple ecb
+	 with the -b flag.
+	Fixed some MSDOS uuen/uudecoding problems, thanks to
+	Added prototypes.
+	
+Version 2.22 29/06/93
+	Fixed a bug in des_is_weak_key() which stopped it working :-(
+	thanks to engineering@MorningStar.Com.
+
+Version 2.21 03/06/93
+	des(1) with no arguments gives quite a bit of help.
+	Added -c (generate ckecksum) flag to des(1).
+	Added -3 (triple DES) flag to des(1).
+	Added cfb and ofb routines to the library.
+
+Version 2.20 11/03/93
+	Added -u (uuencode) flag to des(1).
+	I have been playing with byte order in quad_cksum to make it
+	 compatible with MIT's version.  All I can say is avid this
+	 function if possible since MIT's output is endian dependent.
+
+Version 2.12 14/10/92
+	Added MSDOS specific macro in ecb_encrypt which gives a %70
+	 speed up when the code is compiled with turbo C.
+
+Version 2.11 12/10/92
+	Speedup in set_key (recoding of PC-1)
+	 I now do it in 47 simple operations, down from 60.
+	 Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+	 for motivating me to look for a faster system :-)
+	 The speedup is probably less that 1% but it is still 13
+	 instructions less :-).
+
+Version 2.10 06/10/92
+	The code now works on the 64bit ETA10 and CRAY without modifications or
+	 #defines.  I believe the code should work on any machine that
+	 defines long, int or short to be 8 bytes long.
+	Thanks to Shabbir J. Safdar (shabby@mentor.cc.purdue.edu)
+	 for helping me fix the code to run on 64bit machines (he had
+	 access to an ETA10).
+	Thanks also to John Fletcher <john_fletcher@lccmail.ocf.llnl.gov>
+	 for testing the routines on a CRAY.
+	read_password.c has been renamed to read_passwd.c
+	string_to_key.c has been renamed to string2key.c
+
+Version 2.00 14/09/92
+	Made mods so that the library should work on 64bit CPU's.
+	Removed all my uchar and ulong defs.  To many different
+	 versions of unix define them in their header files in too many
+	 different combinations :-)
+	IRIX - Sillicon Graphics mods (mostly in read_password.c).
+	 Thanks to Andrew Daviel (advax@erich.triumf.ca)
+
+Version 1.99 26/08/92
+	Fixed a bug or 2 in enc_read.c
+	Fixed a bug in enc_write.c
+	Fixed a pseudo bug in fcrypt.c (very obscure).
+
+Version 1.98 31/07/92
+	Support for the ETA10.  This is a strange machine that defines
+	longs and ints as 8 bytes and shorts as 4 bytes.
+	Since I do evil things with long * that assume that they are 4
+	bytes.  Look in the Makefile for the option to compile for
+	this machine.  quad_cksum appears to have problems but I
+	will don't have the time to fix it right now, and this is not
+	a function that uses DES and so will not effect the main uses
+	of the library.
+
+Version 1.97 20/05/92 eay
+	Fixed the Imakefile and made some changes to des.h to fix some
+	problems when building this package with Kerberos v 4.
+
+Version 1.96 18/05/92 eay
+	Fixed a small bug in string_to_key() where problems could
+	occur if des_check_key was set to true and the string
+	generated a weak key.
+
+Patch2 posted to comp.sources.misc
+Version 1.95 13/05/92 eay
+	Added an alternative version of the D_ENCRYPT macro in
+	ecb_encrypt and fcrypt.  Depending on the compiler, one version or the
+	other will be faster.  This was inspired by 
+	Dana How <how@isl.stanford.edu>, and her pointers about doing the
+	*(ulong *)((uchar *)ptr+(value&0xfc))
+	vs
+	ptr[value&0x3f]
+	to stop the C compiler doing a <<2 to convert the long array index.
+
+Version 1.94 05/05/92 eay
+	Fixed an incompatibility between my string_to_key and the MIT
+	 version.  When the key is longer than 8 chars, I was wrapping
+	 with a different method.  To use the old version, define
+	 OLD_STR_TO_KEY in the makefile.  Thanks to
+	 viktor@newsu.shearson.com (Viktor Dukhovni).
+
+Version 1.93 28/04/92 eay
+	Fixed the VMS mods so that echo is now turned off in
+	 read_password.  Thanks again to brennan@coco.cchs.su.oz.AU.
+	MSDOS support added.  The routines can be compiled with
+	 Turbo C (v2.0) and MSC (v5.1).  Make sure MSDOS is defined.
+
+Patch1 posted to comp.sources.misc
+Version 1.92 13/04/92 eay
+	Changed D_ENCRYPT so that the rotation of R occurs outside of
+	 the loop.  This required rotating all the longs in sp.h (now
+	 called spr.h). Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	speed.c has been changed so it will work without SIGALRM.  If
+	 times(3) is not present it will try to use ftime() instead.
+
+Version 1.91 08/04/92 eay
+	Added -E/-D options to des(1) so it can use string_to_key.
+	Added SVR4 mods suggested by witr@rwwa.COM
+	Added VMS mods suggested by brennan@coco.cchs.su.oz.AU.  If
+	anyone knows how to turn of tty echo in VMS please tell me or
+	implement it yourself :-).
+	Changed FILE *IN/*OUT to *DES_IN/*DES_OUT since it appears VMS
+	does not like IN/OUT being used.
+
+Libdes posted to comp.sources.misc
+Version 1.9 24/03/92 eay
+	Now contains a fast small crypt replacement.
+	Added des(1) command.
+	Added des_rw_mode so people can use cbc encryption with
+	enc_read and enc_write.
+
+Version 1.8 15/10/91 eay
+	Bug in cbc_cksum.
+	Many thanks to Keith Reynolds (keithr@sco.COM) for pointing this
+	one out.
+
+Version 1.7 24/09/91 eay
+	Fixed set_key :-)
+	set_key is 4 times faster and takes less space.
+	There are a few minor changes that could be made.
+
+Version 1.6 19/09/1991 eay
+	Finally go IP and FP finished.
+	Now I need to fix set_key.
+	This version is quite a bit faster that 1.51
+
+Version 1.52 15/06/1991 eay
+	20% speedup in ecb_encrypt by changing the E bit selection
+	to use 2 32bit words.  This also required modification of the
+	sp table.  There is still a way to speedup the IP and IP-1
+	(hints from outer@sq.com) still working on this one :-(.
+
+Version 1.51 07/06/1991 eay
+	Faster des_encrypt by loop unrolling
+	Fixed bug in quad_cksum.c (thanks to hughes@logos.ucs.indiana.edu)
+
+Version 1.50 28/05/1991 eay
+	Optimised the code a bit more for the sparc.  I have improved the
+	speed of the inner des_encrypt by speeding up the initial and
+	final permutations.
+
+Version 1.40 23/10/1990 eay
+	Fixed des_random_key, it did not produce a random key :-(
+
+Version 1.30  2/10/1990 eay
+	Have made des_quad_cksum the same as MIT's, the full package
+	should be compatible with MIT's
+	Have tested on a DECstation 3100
+	Still need to fix des_set_key (make it faster).
+	Does des_cbc_encrypts at 70.5k/sec on a 3100.
+
+Version 1.20 18/09/1990 eay
+	Fixed byte order dependencies.
+	Fixed (I hope) all the word alignment problems.
+	Speedup in des_ecb_encrypt.
+
+Version 1.10 11/09/1990 eay
+	Added des_enc_read and des_enc_write.
+	Still need to fix des_quad_cksum.
+	Still need to document des_enc_read and des_enc_write.
+
+Version 1.00 27/08/1990 eay
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/asm/des-586.pl     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,251 @@
+#!/usr/local/bin/perl
+#
+# The inner loop instruction sequence and the IP/FP modifications are from
+# Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+require "cbc.pl";
+require "desboth.pl";
+
+# base code is in microsft
+# op dest, source
+# format.
+#
+
+&asm_init($ARGV[0],"des-586.pl");
+
+$L="edi";
+$R="esi";
+
+&external_label("des_SPtrans");
+&des_encrypt("des_encrypt",1);
+&des_encrypt("des_encrypt2",0);
+&des_encrypt3("des_encrypt3",1);
+&des_encrypt3("des_decrypt3",0);
+&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
+&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
+
+&asm_finish();
+
+sub des_encrypt
+	{
+	local($name,$do_ip)=@_;
+
+	&function_begin_B($name,"EXTRN   _des_SPtrans:DWORD");
+
+	&push("esi");
+	&push("edi");
+
+	&comment("");
+	&comment("Load the 2 words");
+	$ks="ebp";
+
+	if ($do_ip)
+		{
+		&mov($R,&wparam(0));
+		 &xor(	"ecx",		"ecx"		);
+
+		&push("ebx");
+		&push("ebp");
+
+		&mov("eax",&DWP(0,$R,"",0));
+		 &mov("ebx",&wparam(2));	# get encrypt flag
+		&mov($L,&DWP(4,$R,"",0));
+		&comment("");
+		&comment("IP");
+		&IP_new("eax",$L,$R,3);
+		}
+	else
+		{
+		&mov("eax",&wparam(0));
+		 &xor(	"ecx",		"ecx"		);
+
+		&push("ebx");
+		&push("ebp");
+
+		&mov($R,&DWP(0,"eax","",0));
+		 &mov("ebx",&wparam(2));	# get encrypt flag
+		&rotl($R,3);
+		&mov($L,&DWP(4,"eax","",0));
+		&rotl($L,3);
+		}
+
+	&mov(	$ks,		&wparam(1)	);
+	&cmp("ebx","0");
+	&je(&label("start_decrypt"));
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+
+		&comment("");
+		&comment("Round ".sprintf("%d",$i+1));
+		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		}
+	&jmp(&label("end"));
+
+	&set_label("start_decrypt");
+
+	for ($i=15; $i>0; $i-=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&comment("");
+		&comment("Round ".sprintf("%d",$i-1));
+		&D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		}
+
+	&set_label("end");
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("FP");
+		&mov("edx",&wparam(0));
+		&FP_new($L,$R,"eax",3);
+
+		&mov(&DWP(0,"edx","",0),"eax");
+		&mov(&DWP(4,"edx","",0),$R);
+		}
+	else
+		{
+		&comment("");
+		&comment("Fixup");
+		&rotr($L,3);		# r
+		 &mov("eax",&wparam(0));
+		&rotr($R,3);		# l
+		 &mov(&DWP(0,"eax","",0),$L);
+		 &mov(&DWP(4,"eax","",0),$R);
+		}
+
+	&pop("ebp");
+	&pop("ebx");
+	&pop("edi");
+	&pop("esi");
+	&ret();
+
+	&function_end_B($name);
+	}
+
+sub D_ENCRYPT
+	{
+	local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+
+	 &mov(	$u,		&DWP(&n2a($S*4),$ks,"",0));
+	&xor(	$tmp1,		$tmp1);
+	 &mov(	$t,		&DWP(&n2a(($S+1)*4),$ks,"",0));
+	&xor(	$u,		$R);
+	 &xor(	$t,		$R);
+	&and(	$u,		"0xfcfcfcfc"	);
+	 &and(	$t,		"0xcfcfcfcf"	);
+	&movb(	&LB($tmp1),	&LB($u)	);
+	 &movb(	&LB($tmp2),	&HB($u)	);
+	&rotr(	$t,		4		);
+	&mov(	$ks,		&DWP("      $desSP",$tmp1,"",0));
+	 &movb(	&LB($tmp1),	&LB($t)	);
+	&xor(	$L,		$ks);
+	 &mov(	$ks,		&DWP("0x200+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks); ######
+	 &movb(	&LB($tmp2),	&HB($t)	);
+	&shr(	$u,		16);
+	 &mov(	$ks,		&DWP("0x100+$desSP",$tmp1,"",0));
+	&xor(	$L,		$ks); ######
+	 &movb(	&LB($tmp1),	&HB($u)	);
+	&shr(	$t,		16);
+	 &mov(	$ks,		&DWP("0x300+$desSP",$tmp2,"",0));
+	&xor(	$L,		$ks);
+	 &mov(	$ks,		&wparam(1)	);
+	&movb(	&LB($tmp2),	&HB($t)	);
+	 &and(	$u,		"0xff"	);
+	&and(	$t,		"0xff"	);
+	 &mov(	$tmp1,		&DWP("0x600+$desSP",$tmp1,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x700+$desSP",$tmp2,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x400+$desSP",$u,"",0));
+	&xor(	$L,		$tmp1);
+	 &mov(	$tmp1,		&DWP("0x500+$desSP",$t,"",0));
+	&xor(	$L,		$tmp1);
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
+
+# now has a side affect of rotating $a by $shift
+sub R_PERM_OP
+	{
+	local($a,$b,$tt,$shift,$mask,$last)=@_;
+
+	&rotl(	$a,		$shift		) if ($shift != 0);
+	&mov(	$tt,		$a		);
+	&xor(	$a,		$b		);
+	&and(	$a,		$mask		);
+	if (!$last eq $b)
+		{
+		&xor(	$b,		$a		);
+		&xor(	$tt,		$a		);
+		}
+	else
+		{
+		&xor(	$tt,		$a		);
+		&xor(	$b,		$a		);
+		}
+	&comment("");
+	}
+
+sub IP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	&R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
+	&R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
+	&R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
+	
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotr($tt,	3-$lr); }
+		else	{ &rotl($tt,	$lr-3); }
+		}
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotr($r,	2-$lr); }
+		else	{ &rotl($r,	$lr-2); }
+		}
+	}
+
+sub FP_new
+	{
+	local($l,$r,$tt,$lr)=@_;
+
+	if ($lr != 2)
+		{
+		if (($lr-2) < 0)
+			{ &rotl($r,	2-$lr); }
+		else	{ &rotr($r,	$lr-2); }
+		}
+	if ($lr != 3)
+		{
+		if (($lr-3) < 0)
+			{ &rotl($l,	3-$lr); }
+		else	{ &rotr($l,	$lr-3); }
+		}
+
+	&R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
+	&R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
+	&R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
+	&R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
+	&R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
+	&rotr($tt	, 4);
+	}
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/asm/des686.pl     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,230 @@
+#!/usr/local/bin/perl
+
+$prog="des686.pl";
+
+# base code is in microsft
+# op dest, source
+# format.
+#
+
+# WILL NOT WORK ANYMORE WITH desboth.pl
+require "desboth.pl";
+
+if (	($ARGV[0] eq "elf"))
+	{ require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "a.out"))
+	{ $aout=1; require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "sol"))
+	{ $sol=1; require "x86unix.pl"; }
+elsif ( ($ARGV[0] eq "cpp"))
+	{ $cpp=1; require "x86unix.pl"; }
+elsif (	($ARGV[0] eq "win32"))
+	{ require "x86ms.pl"; }
+else
+	{
+	print STDERR <<"EOF";
+Pick one target type from
+	elf	- linux, FreeBSD etc
+	a.out	- old linux
+	sol	- x86 solaris
+	cpp	- format so x86unix.cpp can be used
+	win32	- Windows 95/Windows NT
+EOF
+	exit(1);
+	}
+
+&comment("Don't even think of reading this code");
+&comment("It was automatically generated by $prog");
+&comment("Which is a perl program used to generate the x86 assember for");
+&comment("any of elf, a.out, Win32, or Solaris");
+&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+");
+&comment("eric <eay\@cryptsoft.com>");
+&comment("");
+
+&file("dx86xxxx");
+
+$L="edi";
+$R="esi";
+
+&des_encrypt("des_encrypt",1);
+&des_encrypt("des_encrypt2",0);
+
+&des_encrypt3("des_encrypt3",1);
+&des_encrypt3("des_decrypt3",0);
+
+&file_end();
+
+sub des_encrypt
+	{
+	local($name,$do_ip)=@_;
+
+	&function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+
+	&comment("");
+	&comment("Load the 2 words");
+	&mov("eax",&wparam(0));
+	&mov($L,&DWP(0,"eax","",0));
+	&mov($R,&DWP(4,"eax","",0));
+
+	$ksp=&wparam(1);
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("IP");
+		&IP_new($L,$R,"eax");
+		}
+
+	&comment("");
+	&comment("fixup rotate");
+	&rotl($R,3);
+	&rotl($L,3);
+	&exch($L,$R);
+
+	&comment("");
+	&comment("load counter, key_schedule and enc flag");
+	&mov("eax",&wparam(2));	# get encrypt flag
+	&mov("ebp",&wparam(1));	# get ks
+	&cmp("eax","0");
+	&je(&label("start_decrypt"));
+
+	# encrypting part
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+
+		&comment("");
+		&comment("Round ".sprintf("%d",$i+1));
+		&D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		}
+	&jmp(&label("end"));
+
+	&set_label("start_decrypt");
+
+	for ($i=15; $i>0; $i-=2)
+		{
+		&comment("");
+		&comment("Round $i");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&comment("");
+		&comment("Round ".sprintf("%d",$i-1));
+		&D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		}
+
+	&set_label("end");
+
+	&comment("");
+	&comment("Fixup");
+	&rotr($L,3);		# r
+	&rotr($R,3);		# l
+
+	if ($do_ip)
+		{
+		&comment("");
+		&comment("FP");
+		&FP_new($R,$L,"eax");
+		}
+
+	&mov("eax",&wparam(0));
+	&mov(&DWP(0,"eax","",0),$L);
+	&mov(&DWP(4,"eax","",0),$R);
+
+	&function_end($name);
+	}
+
+
+# The logic is to load R into 2 registers and operate on both at the same time.
+# We also load the 2 R's into 2 more registers so we can do the 'move word down a byte'
+# while also masking the other copy and doing a lookup.  We then also accumulate the
+# L value in 2 registers then combine them at the end.
+sub D_ENCRYPT
+	{
+	local($L,$R,$S,$ks,$desSP,$u,$t,$tmp1,$tmp2,$tmp3)=@_;
+
+	&mov(	$u,		&DWP(&n2a($S*4),$ks,"",0));
+	&mov(	$t,		&DWP(&n2a(($S+1)*4),$ks,"",0));
+	&xor(	$u,		$R		);
+	&xor(	$t,		$R		);
+	&rotr(	$t,		4		);
+
+	# the numbers at the end of the line are origional instruction order
+	&mov(	$tmp2,		$u		);			# 1 2
+	&mov(	$tmp1,		$t		);			# 1 1
+	&and(	$tmp2,		"0xfc"		);			# 1 4
+	&and(	$tmp1,		"0xfc"		);			# 1 3
+	&shr(	$t,		8		);			# 1 5
+	&xor(	$L,		&DWP("0x100+$desSP",$tmp1,"",0));	# 1 7
+	&shr(	$u,		8		);			# 1 6
+	&mov(	$tmp1,		&DWP("      $desSP",$tmp2,"",0));	# 1 8
+
+	&mov(	$tmp2,		$u		);			# 2 2
+	&xor(	$L,		$tmp1		);			# 1 9
+	&and(	$tmp2,		"0xfc"		);			# 2 4
+	&mov(	$tmp1,		$t		);			# 2 1
+	&and(	$tmp1,		"0xfc"		);			# 2 3
+	&shr(	$t,		8		);			# 2 5
+	&xor(	$L,		&DWP("0x300+$desSP",$tmp1,"",0));	# 2 7
+	&shr(	$u,		8		);			# 2 6
+	&mov(	$tmp1,		&DWP("0x200+$desSP",$tmp2,"",0));	# 2 8
+	&mov(	$tmp2,		$u		);			# 3 2
+
+	&xor(	$L,		$tmp1		);			# 2 9
+	&and(	$tmp2,		"0xfc"		);			# 3 4
+
+	&mov(	$tmp1,		$t		);			# 3 1 
+	&shr(	$u,		8		);			# 3 6
+	&and(	$tmp1,		"0xfc"		);			# 3 3
+	&shr(	$t,		8		);			# 3 5
+	&xor(	$L,		&DWP("0x500+$desSP",$tmp1,"",0));	# 3 7
+	&mov(	$tmp1,		&DWP("0x400+$desSP",$tmp2,"",0));	# 3 8
+
+	&and(	$t,		"0xfc"		);			# 4 1
+	&xor(	$L,		$tmp1		);			# 3 9
+
+	&and(	$u,		"0xfc"		);			# 4 2
+	&xor(	$L,		&DWP("0x700+$desSP",$t,"",0));		# 4 3
+	&xor(	$L,		&DWP("0x600+$desSP",$u,"",0));		# 4 4
+	}
+
+sub PERM_OP
+	{
+	local($a,$b,$tt,$shift,$mask)=@_;
+
+	&mov(	$tt,		$a		);
+	&shr(	$tt,		$shift		);
+	&xor(	$tt,		$b		);
+	&and(	$tt,		$mask		);
+	&xor(	$b,		$tt		);
+	&shl(	$tt,		$shift		);
+	&xor(	$a,		$tt		);
+	}
+
+sub IP_new
+	{
+	local($l,$r,$tt)=@_;
+
+	&PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f");
+	&PERM_OP($l,$r,$tt,16,"0x0000ffff");
+	&PERM_OP($r,$l,$tt, 2,"0x33333333");
+	&PERM_OP($l,$r,$tt, 8,"0x00ff00ff");
+	&PERM_OP($r,$l,$tt, 1,"0x55555555");
+	}
+
+sub FP_new
+	{
+	local($l,$r,$tt)=@_;
+
+	&PERM_OP($l,$r,$tt, 1,"0x55555555");
+        &PERM_OP($r,$l,$tt, 8,"0x00ff00ff");
+        &PERM_OP($l,$r,$tt, 2,"0x33333333");
+        &PERM_OP($r,$l,$tt,16,"0x0000ffff");
+        &PERM_OP($l,$r,$tt, 4,"0x0f0f0f0f");
+	}
+
+sub n2a
+	{
+	sprintf("%d",$_[0]);
+	}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/asm/desboth.pl     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,79 @@
+#!/usr/local/bin/perl
+
+$L="edi";
+$R="esi";
+
+sub des_encrypt3
+	{
+	local($name,$enc)=@_;
+
+	&function_begin_B($name,"");
+	&push("ebx");
+	&mov("ebx",&wparam(0));
+
+	&push("ebp");
+	&push("esi");
+
+	&push("edi");
+
+	&comment("");
+	&comment("Load the data words");
+	&mov($L,&DWP(0,"ebx","",0));
+	&mov($R,&DWP(4,"ebx","",0));
+	&stack_push(3);
+
+	&comment("");
+	&comment("IP");
+	&IP_new($L,$R,"edx",0);
+
+	# put them back
+	
+	if ($enc)
+		{
+		&mov(&DWP(4,"ebx","",0),$R);
+		 &mov("eax",&wparam(1));
+		&mov(&DWP(0,"ebx","",0),"edx");
+		 &mov("edi",&wparam(2));
+		 &mov("esi",&wparam(3));
+		}
+	else
+		{
+		&mov(&DWP(4,"ebx","",0),$R);
+		 &mov("esi",&wparam(1));
+		&mov(&DWP(0,"ebx","",0),"edx");
+		 &mov("edi",&wparam(2));
+		 &mov("eax",&wparam(3));
+		}
+	&mov(&swtmp(2),	(($enc)?"1":"0"));
+	&mov(&swtmp(1),	"eax");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+	&mov(&swtmp(2),	(($enc)?"0":"1"));
+	&mov(&swtmp(1),	"edi");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+	&mov(&swtmp(2),	(($enc)?"1":"0"));
+	&mov(&swtmp(1),	"esi");
+	&mov(&swtmp(0),	"ebx");
+	&call("des_encrypt2");
+
+	&stack_pop(3);
+	&mov($L,&DWP(0,"ebx","",0));
+	&mov($R,&DWP(4,"ebx","",0));
+
+	&comment("");
+	&comment("FP");
+	&FP_new($L,$R,"eax",0);
+
+	&mov(&DWP(0,"ebx","",0),"eax");
+	&mov(&DWP(4,"ebx","",0),$R);
+
+	&pop("edi");
+	&pop("esi");
+	&pop("ebp");
+	&pop("ebx");
+	&ret();
+	&function_end_B($name);
+	}
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/asm/readme     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,131 @@
+First up, let me say I don't like writing in assembler.  It is not portable,
+dependant on the particular CPU architecture release and is generally a pig
+to debug and get right.  Having said that, the x86 architecture is probably
+the most important for speed due to number of boxes and since
+it appears to be the worst architecture to to get
+good C compilers for.  So due to this, I have lowered myself to do
+assembler for the inner DES routines in libdes :-).
+
+The file to implement in assembler is des_enc.c.  Replace the following
+4 functions
+des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt);
+des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt);
+des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
+des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
+
+They encrypt/decrypt the 64 bits held in 'data' using
+the 'ks' key schedules.   The only difference between the 4 functions is that
+des_encrypt2() does not perform IP() or FP() on the data (this is an
+optimization for when doing triple DES and des_encrypt3() and des_decrypt3()
+perform triple des.  The triple DES routines are in here because it does
+make a big difference to have them located near the des_encrypt2 function
+at link time..
+
+Now as we all know, there are lots of different operating systems running on
+x86 boxes, and unfortunately they normally try to make sure their assembler
+formating is not the same as the other peoples.
+The 4 main formats I know of are
+Microsoft	Windows 95/Windows NT
+Elf		Includes Linux and FreeBSD(?).
+a.out		The older Linux.
+Solaris		Same as Elf but different comments :-(.
+
+Now I was not overly keen to write 4 different copies of the same code,
+so I wrote a few perl routines to output the correct assembler, given
+a target assembler type.  This code is ugly and is just a hack.
+The libraries are x86unix.pl and x86ms.pl.
+des586.pl, des686.pl and des-som[23].pl are the programs to actually
+generate the assembler.
+
+So to generate elf assembler
+perl des-som3.pl elf >dx86-elf.s
+For Windows 95/NT
+perl des-som2.pl win32 >win32.asm
+
+[ update 4 Jan 1996 ]
+I have added another way to do things.
+perl des-som3.pl cpp >dx86-cpp.s
+generates a file that will be included by dx86unix.cpp when it is compiled.
+To build for elf, a.out, solaris, bsdi etc,
+cc -E -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o
+cc -E -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o
+cc -E -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
+cc -E -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o
+This was done to cut down the number of files in the distribution.
+
+Now the ugly part.  I acquired my copy of Intels
+"Optimization's For Intel's 32-Bit Processors" and found a few interesting
+things.  First, the aim of the exersize is to 'extract' one byte at a time
+from a word and do an array lookup.  This involves getting the byte from
+the 4 locations in the word and moving it to a new word and doing the lookup.
+The most obvious way to do this is
+xor	eax,	eax				# clear word
+movb	al,	cl				# get low byte
+xor	edi	DWORD PTR 0x100+des_SP[eax] 	# xor in word
+movb	al,	ch				# get next byte
+xor	edi	DWORD PTR 0x300+des_SP[eax] 	# xor in word
+shr	ecx	16
+which seems ok.  For the pentium, this system appears to be the best.
+One has to do instruction interleaving to keep both functional units
+operating, but it is basically very efficient.
+
+Now the crunch.  When a full register is used after a partial write, eg.
+mov	al,	cl
+xor	edi,	DWORD PTR 0x100+des_SP[eax]
+386	- 1 cycle stall
+486	- 1 cycle stall
+586	- 0 cycle stall
+686	- at least 7 cycle stall (page 22 of the above mentioned document).
+
+So the technique that produces the best results on a pentium, according to
+the documentation, will produce hideous results on a pentium pro.
+
+To get around this, des686.pl will generate code that is not as fast on
+a pentium, should be very good on a pentium pro.
+mov	eax,	ecx				# copy word 
+shr	ecx,	8				# line up next byte
+and	eax,	0fch				# mask byte
+xor	edi	DWORD PTR 0x100+des_SP[eax] 	# xor in array lookup
+mov	eax,	ecx				# get word
+shr	ecx	8				# line up next byte
+and	eax,	0fch				# mask byte
+xor	edi	DWORD PTR 0x300+des_SP[eax] 	# xor in array lookup
+
+Due to the execution units in the pentium, this actually works quite well.
+For a pentium pro it should be very good.  This is the type of output
+Visual C++ generates.
+
+There is a third option.  instead of using
+mov	al,	ch
+which is bad on the pentium pro, one may be able to use
+movzx	eax,	ch
+which may not incur the partial write penalty.  On the pentium,
+this instruction takes 4 cycles so is not worth using but on the
+pentium pro it appears it may be worth while.  I need access to one to
+experiment :-).
+
+eric (20 Oct 1996)
+
+22 Nov 1996 - I have asked people to run the 2 different version on pentium
+pros and it appears that the intel documentation is wrong.  The
+mov al,bh is still faster on a pentium pro, so just use the des586.pl
+install des686.pl
+
+3 Dec 1996 - I added des_encrypt3/des_decrypt3 because I have moved these
+functions into des_enc.c because it does make a massive performance
+difference on some boxes to have the functions code located close to
+the des_encrypt2() function.
+
+9 Jan 1997 - des-som2.pl is now the correct perl script to use for
+pentiums.  It contains an inner loop from
+Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk> which does raw ecb DES calls at
+273,000 per second.  He had a previous version at 250,000 and the best
+I was able to get was 203,000.  The content has not changed, this is all
+due to instruction sequencing (and actual instructions choice) which is able
+to keep both functional units of the pentium going.
+We may have lost the ugly register usage restrictions when x86 went 32 bit
+but for the pentium it has been replaced by evil instruction ordering tricks.
+
+13 Jan 1997 - des-som3.pl, more optimizations from Svend Olaf.
+raw DES at 281,000 per second on a pentium 100.
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/cbc_enc.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,135 @@
+/* crypto/des/cbc_enc.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des/des_locl.h"
+
+void des_cbc_encrypt(input, output, length, schedule, ivec, enc)
+des_cblock (*input);
+des_cblock (*output);
+long length;
+des_key_schedule schedule;
+des_cblock (*ivec);
+int enc;
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	iv=(unsigned char *)ivec;
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+		/*	xor0=tin0;
+			xor1=tin1; */
+			}
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/des.doc     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,505 @@
+The DES library.
+
+Please note that this library was originally written to operate with
+eBones, a version of Kerberos that had had encryption removed when it left
+the USA and then put back in.  As such there are some routines that I will
+advise not using but they are still in the library for historical reasons.
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'des.h'.
+
+All of the encryption functions take what is called a des_key_schedule as an 
+argument.  A des_key_schedule is an expanded form of the des key.
+A des_key is 8 bytes of odd parity, the type used to hold the key is a
+des_cblock.  A des_cblock is an array of 8 bytes, often in this library
+description I will refer to input bytes when the function specifies
+des_cblock's as input or output, this just means that the variable should
+be a multiple of 8 bytes.
+
+The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to
+specify decryption.  The functions and global variable are as follows:
+
+int des_check_key;
+	DES keys are supposed to be odd parity.  If this variable is set to
+	a non-zero value, des_set_key() will check that the key has odd
+	parity and is not one of the known weak DES keys.  By default this
+	variable is turned off;
+	
+void des_set_odd_parity(
+des_cblock *key );
+	This function takes a DES key (8 bytes) and sets the parity to odd.
+	
+int des_is_weak_key(
+des_cblock *key );
+	This function returns a non-zero value if the DES key passed is a
+	weak, DES key.  If it is a weak key, don't use it, try a different
+	one.  If you are using 'random' keys, the chances of hitting a weak
+	key are 1/2^52 so it is probably not worth checking for them.
+	
+int des_set_key(
+des_cblock *key,
+des_key_schedule schedule);
+	Des_set_key converts an 8 byte DES key into a des_key_schedule.
+	A des_key_schedule is an expanded form of the key which is used to
+	perform actual encryption.  It can be regenerated from the DES key
+	so it only needs to be kept when encryption or decryption is about
+	to occur.  Don't save or pass around des_key_schedule's since they
+	are CPU architecture dependent, DES keys are not.  If des_check_key
+	is non zero, zero is returned if the key has the wrong parity or
+	the key is a weak key, else 1 is returned.
+	
+int des_key_sched(
+des_cblock *key,
+des_key_schedule schedule);
+	An alternative name for des_set_key().
+
+int des_rw_mode;		/* defaults to DES_PCBC_MODE */
+	This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default).
+	This specifies the function to use in the enc_read() and enc_write()
+	functions.
+
+void des_encrypt(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+	This is the DES encryption function that gets called by just about
+	every other DES routine in the library.  You should not use this
+	function except to implement 'modes' of DES.  I say this because the
+	functions that call this routine do the conversion from 'char *' to
+	long, and this needs to be done to make sure 'non-aligned' memory
+	access do not occur.  The characters are loaded 'little endian',
+	have a look at my source code for more details on how I use this
+	function.
+	Data is a pointer to 2 unsigned long's and ks is the
+	des_key_schedule to use.  enc, is non zero specifies encryption,
+	zero if decryption.
+
+void des_encrypt2(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+	This functions is the same as des_encrypt() except that the DES
+	initial permutation (IP) and final permutation (FP) have been left
+	out.  As for des_encrypt(), you should not use this function.
+	It is used by the routines in my library that implement triple DES.
+	IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
+	as des_encrypt() des_encrypt() des_encrypt() except faster :-).
+
+void des_ecb_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks,
+int enc);
+	This is the basic Electronic Code Book form of DES, the most basic
+	form.  Input is encrypted into output using the key represented by
+	ks.  If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise
+	decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+	(the des_cblock structure is 8 chars).
+	
+void des_ecb3_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+int enc);
+	This is the 3 key EDE mode of ECB DES.  What this means is that 
+	the 8 bytes of input is encrypted with ks1, decrypted with ks2 and
+	then encrypted again with ks3, before being put into output;
+	C=E(ks3,D(ks2,E(ks1,M))).  There is a macro, des_ecb2_encrypt()
+	that only takes 2 des_key_schedules that implements,
+	C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1.
+	
+void des_cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	This routine implements DES in Cipher Block Chaining mode.
+	Input, which should be a multiple of 8 bytes is encrypted
+	(or decrypted) to output which will also be a multiple of 8 bytes.
+	The number of bytes is in length (and from what I've said above,
+	should be a multiple of 8).  If length is not a multiple of 8, I'm
+	not being held responsible :-).  ivec is the initialisation vector.
+	This function does not modify this variable.  To correctly implement
+	cbc mode, you need to do one of 2 things; copy the last 8 bytes of
+	cipher text for use as the next ivec in your application,
+	or use des_ncbc_encrypt(). 
+	Only this routine has this problem with updating the ivec, all
+	other routines that are implementing cbc mode update ivec.
+	
+void des_ncbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+int enc);
+	For historical reasons, des_cbc_encrypt() did not update the
+	ivec with the value requires so that subsequent calls to
+	des_cbc_encrypt() would 'chain'.  This was needed so that the same
+	'length' values would not need to be used when decrypting.
+	des_ncbc_encrypt() does the right thing.  It is the same as
+	des_cbc_encrypt accept that ivec is updates with the correct value
+	to pass in subsequent calls to des_ncbc_encrypt().  I advise using
+	des_ncbc_encrypt() instead of des_cbc_encrypt();
+
+void des_xcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+des_cblock *inw,
+des_cblock *outw,
+int enc);
+	This is RSA's DESX mode of DES.  It uses inw and outw to
+	'whiten' the encryption.  inw and outw are secret (unlike the iv)
+	and are as such, part of the key.  So the key is sort of 24 bytes.
+	This is much better than cbc des.
+	
+void des_3cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk1,
+des_key_schedule sk2,
+des_cblock *ivec1,
+des_cblock *ivec2,
+int enc);
+	This function is flawed, do not use it.  I have left it in the
+	library because it is used in my des(1) program and will function
+	correctly when used by des(1).  If I removed the function, people
+	could end up unable to decrypt files.
+	This routine implements outer triple cbc encryption using 2 ks and
+	2 ivec's.  Use des_ede2_cbc_encrypt() instead.
+	
+void des_ede3_cbc_encrypt(
+des_cblock *input,
+des_cblock *output, 
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2, 
+des_key_schedule ks3, 
+des_cblock *ivec,
+int enc);
+	This function implements inner triple CBC DES encryption with 3
+	keys.  What this means is that each 'DES' operation
+	inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))).
+	Again, this is cbc mode so an ivec is requires.
+	This mode is used by SSL.
+	There is also a des_ede2_cbc_encrypt() that only uses 2
+	des_key_schedule's, the first being reused for the final
+	encryption.  C=E(ks1,D(ks2,E(ks1,M))).  This form of triple DES
+	is used by the RSAref library.
+	
+void des_pcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	This is Propagating Cipher Block Chaining mode of DES.  It is used
+	by Kerberos v4.  It's parameters are the same as des_ncbc_encrypt().
+	
+void des_cfb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+	Cipher Feedback Back mode of DES.  This implementation 'feeds back'
+	in numbit blocks.  The input (and output) is in multiples of numbits
+	bits.  numbits should to be a multiple of 8 bits.  Length is the
+	number of bytes input.  If numbits is not a multiple of 8 bits,
+	the extra bits in the bytes will be considered padding.  So if
+	numbits is 12, for each 2 input bytes, the 4 high bits of the
+	second byte will be ignored.  So to encode 72 bits when using
+	a numbits of 12 take 12 bytes.  To encode 72 bits when using
+	numbits of 9 will take 16 bytes.  To encode 80 bits when using
+	numbits of 16 will take 10 bytes. etc, etc.  This padding will
+	apply to both input and output.
+
+	
+void des_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num,
+int enc);
+	This is one of the more useful functions in this DES library, it
+	implements CFB mode of DES with 64bit feedback.  Why is this
+	useful you ask?  Because this routine will allow you to encrypt an
+	arbitrary number of bytes, no 8 byte padding.  Each call to this
+	routine will encrypt the input bytes to output and then update ivec
+	and num.  num contains 'how far' we are though ivec.  If this does
+	not make much sense, read more about cfb mode of DES :-).
+	
+void des_ede3_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num,
+int enc);
+	Same as des_cfb64_encrypt() accept that the DES operation is
+	triple DES.  As usual, there is a macro for
+	des_ede2_cfb64_encrypt() which reuses ks1.
+
+void des_ofb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+	This is a implementation of Output Feed Back mode of DES.  It is
+	the same as des_cfb_encrypt() in that numbits is the size of the
+	units dealt with during input and output (in bits).
+	
+void des_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num);
+	The same as des_cfb64_encrypt() except that it is Output Feed Back
+	mode.
+
+void des_ede3_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num);
+	Same as des_ofb64_encrypt() accept that the DES operation is
+	triple DES.  As usual, there is a macro for
+	des_ede2_ofb64_encrypt() which reuses ks1.
+
+int des_read_pw_string(
+char *buf,
+int length,
+char *prompt,
+int verify);
+	This routine is used to get a password from the terminal with echo
+	turned off.  Buf is where the string will end up and length is the
+	size of buf.  Prompt is a string presented to the 'user' and if
+	verify is set, the key is asked for twice and unless the 2 copies
+	match, an error is returned.  A return code of -1 indicates a
+	system error, 1 failure due to use interaction, and 0 is success.
+
+unsigned long des_cbc_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+	This function produces an 8 byte checksum from input that it puts in
+	output and returns the last 4 bytes as a long.  The checksum is
+	generated via cbc mode of DES in which only the last 8 byes are
+	kept.  I would recommend not using this function but instead using
+	the EVP_Digest routines, or at least using MD5 or SHA.  This
+	function is used by Kerberos v4 so that is why it stays in the
+	library.
+	
+char *des_fcrypt(
+const char *buf,
+const char *salt
+char *ret);
+	This is my fast version of the unix crypt(3) function.  This version
+	takes only a small amount of space relative to other fast
+	crypt() implementations.  This is different to the normal crypt
+	in that the third parameter is the buffer that the return value
+	is written into.  It needs to be at least 14 bytes long.  This
+	function is thread safe, unlike the normal crypt.
+
+char *crypt(
+const char *buf,
+const char *salt);
+	This function calls des_fcrypt() with a static array passed as the
+	third parameter.  This emulates the normal non-thread safe semantics
+	of crypt(3).
+
+void des_string_to_key(
+char *str,
+des_cblock *key);
+	This function takes str and converts it into a DES key.  I would
+	recommend using MD5 instead and use the first 8 bytes of output.
+	When I wrote the first version of these routines back in 1990, MD5
+	did not exist but I feel these routines are still sound.  This
+	routines is compatible with the one in MIT's libdes.
+	
+void des_string_to_2keys(
+char *str,
+des_cblock *key1,
+des_cblock *key2);
+	This function takes str and converts it into 2 DES keys.
+	I would recommend using MD5 and using the 16 bytes as the 2 keys.
+	I have nothing against these 2 'string_to_key' routines, it's just
+	that if you say that your encryption key is generated by using the
+	16 bytes of an MD5 hash, every-one knows how you generated your
+	keys.
+
+int des_read_password(
+des_cblock *key,
+char *prompt,
+int verify);
+	This routine combines des_read_pw_string() with des_string_to_key().
+
+int des_read_2passwords(
+des_cblock *key1,
+des_cblock *key2,
+char *prompt,
+int verify);
+	This routine combines des_read_pw_string() with des_string_to_2key().
+
+void des_random_seed(
+des_cblock key);
+	This routine sets a starting point for des_random_key().
+	
+void des_random_key(
+des_cblock ret);
+	This function return a random key.  Make sure to 'seed' the random
+	number generator (with des_random_seed()) before using this function.
+	I personally now use a MD5 based random number system.
+
+int des_enc_read(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+	This function will write to a file descriptor the encrypted data
+	from buf.  This data will be preceded by a 4 byte 'byte count' and
+	will be padded out to 8 bytes.  The encryption is either CBC of
+	PCBC depending on the value of des_rw_mode.  If it is DES_PCBC_MODE,
+	pcbc is used, if DES_CBC_MODE, cbc is used.  The default is to use
+	DES_PCBC_MODE.
+
+int des_enc_write(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+	This routines read stuff written by des_enc_read() and decrypts it.
+	I have used these routines quite a lot but I don't believe they are
+	suitable for non-blocking io.  If you are after a full
+	authentication/encryption over networks, have a look at SSL instead.
+
+unsigned long des_quad_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+int out_count,
+des_cblock *seed);
+	This is a function from Kerberos v4 that is not anything to do with
+	DES but was needed.  It is a cksum that is quicker to generate than
+	des_cbc_cksum();  I personally would use MD5 routines now.
+=====
+Modes of DES
+Quite a bit of the following information has been taken from
+	AS 2805.5.2
+	Australian Standard
+	Electronic funds transfer - Requirements for interfaces,
+	Part 5.2: Modes of operation for an n-bit block cipher algorithm
+	Appendix A
+
+There are several different modes in which DES can be used, they are
+as follows.
+
+Electronic Codebook Mode (ECB) (des_ecb_encrypt())
+- 64 bits are enciphered at a time.
+- The order of the blocks can be rearranged without detection.
+- The same plaintext block always produces the same ciphertext block
+  (for the same key) making it vulnerable to a 'dictionary attack'.
+- An error will only affect one ciphertext block.
+
+Cipher Block Chaining Mode (CBC) (des_cbc_encrypt())
+- a multiple of 64 bits are enciphered at a time.
+- The CBC mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext blocks dependent on the
+  current and all preceding plaintext blocks and therefore blocks can not
+  be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- An error will affect the current and the following ciphertext blocks.
+
+Cipher Feedback Mode (CFB) (des_cfb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The CFB mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext variables dependent on the
+  current and all preceding variables and therefore j-bit variables are
+  chained together and can not be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- The strength of the CFB mode depends on the size of k (maximal if
+  j == k).  In my implementation this is always the case.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- An error will affect the current and the following ciphertext variables.
+
+Output Feedback Mode (OFB) (des_ofb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The OFB mode produces the same ciphertext whenever the same
+  plaintext enciphered using the same key and starting variable.  More
+  over, in the OFB mode the same key stream is produced when the same
+  key and start variable are used.  Consequently, for security reasons
+  a specific start variable should be used only once for a given key.
+- The absence of chaining makes the OFB more vulnerable to specific attacks.
+- The use of different start variables values prevents the same
+  plaintext enciphering to the same ciphertext, by producing different
+  key streams.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- OFB mode of operation does not extend ciphertext errors in the
+  resultant plaintext output.  Every bit error in the ciphertext causes
+  only one bit to be in error in the deciphered plaintext.
+- OFB mode is not self-synchronising.  If the two operation of
+  encipherment and decipherment get out of synchronism, the system needs
+  to be re-initialised.
+- Each re-initialisation should use a value of the start variable
+ different from the start variable values used before with the same
+ key.  The reason for this is that an identical bit stream would be
+ produced each time from the same parameters.  This would be
+ susceptible to a ' known plaintext' attack.
+
+Triple ECB Mode (des_ecb3_encrypt())
+- Encrypt with key1, decrypt with key2 and encrypt with key3 again.
+- As for ECB encryption but increases the key length to 168 bits.
+  There are theoretic attacks that can be used that make the effective
+  key length 112 bits, but this attack also requires 2^56 blocks of
+  memory, not very likely, even for the NSA.
+- If both keys are the same it is equivalent to encrypting once with
+  just one key.
+- If the first and last key are the same, the key length is 112 bits.
+  There are attacks that could reduce the key space to 55 bit's but it
+  requires 2^56 blocks of memory.
+- If all 3 keys are the same, this is effectively the same as normal
+  ecb mode.
+
+Triple CBC Mode (des_ede3_cbc_encrypt())
+- Encrypt with key1, decrypt with key2 and then encrypt with key3.
+- As for CBC encryption but increases the key length to 168 bits with
+  the same restrictions as for triple ecb mode.
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/des_enc.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,502 @@
+/* crypto/des/des_enc.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des/des_locl.h"
+
+void des_encrypt(data, ks, enc)
+DES_LONG *data;
+des_key_schedule ks;
+int enc;
+	{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	IP(r,l);
+	/* Things have been modified so that the initial rotate is
+	 * done outside the loop.  This required the
+	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * One perl script later and things have a 5% speed up on a sparc2.
+	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	 * for pointing this out. */
+	/* clear the top bits on machines with 8byte longs */
+	/* shift left by 2 */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=(DES_LONG *)ks;
+	/* I don't know if it is worth the effort of loop unrolling the
+	 * inner loop */
+	if (enc)
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+			{
+			D_ENCRYPT(l,r,i+0); /*  1 */
+			D_ENCRYPT(r,l,i+2); /*  2 */
+			D_ENCRYPT(l,r,i+4); /*  3 */
+			D_ENCRYPT(r,l,i+6); /*  4 */
+			}
+#endif
+		}
+	else
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+			{
+			D_ENCRYPT(l,r,i-0); /* 16 */
+			D_ENCRYPT(r,l,i-2); /* 15 */
+			D_ENCRYPT(l,r,i-4); /* 14 */
+			D_ENCRYPT(r,l,i-6); /* 13 */
+			}
+#endif
+		}
+
+	/* rotate and clear the top bits on machines with 8byte longs */
+	l=ROTATE(l,3)&0xffffffffL;
+	r=ROTATE(r,3)&0xffffffffL;
+
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	l=r=t=u=0;
+	}
+
+void des_encrypt2(data, ks, enc)
+DES_LONG *data;
+des_key_schedule ks;
+int enc;
+	{
+	register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+	register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+	register int i;
+#endif
+	register DES_LONG *s;
+
+	r=data[0];
+	l=data[1];
+
+	/* Things have been modified so that the initial rotate is
+	 * done outside the loop.  This required the
+	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * One perl script later and things have a 5% speed up on a sparc2.
+	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+	 * for pointing this out. */
+	/* clear the top bits on machines with 8byte longs */
+	r=ROTATE(r,29)&0xffffffffL;
+	l=ROTATE(l,29)&0xffffffffL;
+
+	s=(DES_LONG *)ks;
+	/* I don't know if it is worth the effort of loop unrolling the
+	 * inner loop */
+	if (enc)
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r, 0); /*  1 */
+		D_ENCRYPT(r,l, 2); /*  2 */
+		D_ENCRYPT(l,r, 4); /*  3 */
+		D_ENCRYPT(r,l, 6); /*  4 */
+		D_ENCRYPT(l,r, 8); /*  5 */
+		D_ENCRYPT(r,l,10); /*  6 */
+		D_ENCRYPT(l,r,12); /*  7 */
+		D_ENCRYPT(r,l,14); /*  8 */
+		D_ENCRYPT(l,r,16); /*  9 */
+		D_ENCRYPT(r,l,18); /*  10 */
+		D_ENCRYPT(l,r,20); /*  11 */
+		D_ENCRYPT(r,l,22); /*  12 */
+		D_ENCRYPT(l,r,24); /*  13 */
+		D_ENCRYPT(r,l,26); /*  14 */
+		D_ENCRYPT(l,r,28); /*  15 */
+		D_ENCRYPT(r,l,30); /*  16 */
+#else
+		for (i=0; i<32; i+=8)
+			{
+			D_ENCRYPT(l,r,i+0); /*  1 */
+			D_ENCRYPT(r,l,i+2); /*  2 */
+			D_ENCRYPT(l,r,i+4); /*  3 */
+			D_ENCRYPT(r,l,i+6); /*  4 */
+			}
+#endif
+		}
+	else
+		{
+#ifdef DES_UNROLL
+		D_ENCRYPT(l,r,30); /* 16 */
+		D_ENCRYPT(r,l,28); /* 15 */
+		D_ENCRYPT(l,r,26); /* 14 */
+		D_ENCRYPT(r,l,24); /* 13 */
+		D_ENCRYPT(l,r,22); /* 12 */
+		D_ENCRYPT(r,l,20); /* 11 */
+		D_ENCRYPT(l,r,18); /* 10 */
+		D_ENCRYPT(r,l,16); /*  9 */
+		D_ENCRYPT(l,r,14); /*  8 */
+		D_ENCRYPT(r,l,12); /*  7 */
+		D_ENCRYPT(l,r,10); /*  6 */
+		D_ENCRYPT(r,l, 8); /*  5 */
+		D_ENCRYPT(l,r, 6); /*  4 */
+		D_ENCRYPT(r,l, 4); /*  3 */
+		D_ENCRYPT(l,r, 2); /*  2 */
+		D_ENCRYPT(r,l, 0); /*  1 */
+#else
+		for (i=30; i>0; i-=8)
+			{
+			D_ENCRYPT(l,r,i-0); /* 16 */
+			D_ENCRYPT(r,l,i-2); /* 15 */
+			D_ENCRYPT(l,r,i-4); /* 14 */
+			D_ENCRYPT(r,l,i-6); /* 13 */
+			}
+#endif
+		}
+	/* rotate and clear the top bits on machines with 8byte longs */
+	data[0]=ROTATE(l,3)&0xffffffffL;
+	data[1]=ROTATE(r,3)&0xffffffffL;
+	l=r=t=u=0;
+	}
+
+void des_encrypt3(data,ks1,ks2,ks3)
+DES_LONG *data;
+des_key_schedule ks1;
+des_key_schedule ks2;
+des_key_schedule ks3;
+	{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	}
+
+void des_decrypt3(data,ks1,ks2,ks3)
+DES_LONG *data;
+des_key_schedule ks1;
+des_key_schedule ks2;
+des_key_schedule ks3;
+	{
+	register DES_LONG l,r;
+
+	l=data[0];
+	r=data[1];
+	IP(l,r);
+	data[0]=l;
+	data[1]=r;
+	des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
+	des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
+	des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
+	l=data[0];
+	r=data[1];
+	FP(r,l);
+	data[0]=l;
+	data[1]=r;
+	}
+
+#ifndef DES_DEFAULT_OPTIONS
+
+void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
+des_cblock (*input);
+des_cblock (*output);
+long length;
+des_key_schedule schedule;
+des_cblock (*ivec);
+int enc;
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	iv=(unsigned char *)ivec;
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0; tin[0]=tin0;
+			tin1^=tout1; tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+			tout0=tin[0]; l2c(tout0,out);
+			tout1=tin[1]; l2c(tout1,out);
+			}
+		iv=(unsigned char *)ivec;
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=tin0;
+			xor1=tin1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0); tin[0]=tin0;
+			c2l(in,tin1); tin[1]=tin1;
+			des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+			tout0=tin[0]^xor0;
+			tout1=tin[1]^xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=tin0;
+			xor1=tin1;
+			}
+
+		iv=(unsigned char *)ivec;
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+void des_ede3_cbc_encrypt(input, output, length, ks1, ks2, ks3, ivec, enc)
+des_cblock (*input);
+des_cblock (*output);
+long length;
+des_key_schedule ks1;
+des_key_schedule ks2;
+des_key_schedule ks3;
+des_cblock (*ivec);
+int enc;
+	{
+	register DES_LONG tin0,tin1;
+	register DES_LONG tout0,tout1,xor0,xor1;
+	register unsigned char *in,*out;
+	register long l=length;
+	DES_LONG tin[2];
+	unsigned char *iv;
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	iv=(unsigned char *)ivec;
+
+	if (enc)
+		{
+		c2l(iv,tout0);
+		c2l(iv,tout1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+			}
+		if (l != -8)
+			{
+			c2ln(in,tin0,tin1,l+8);
+			tin0^=tout0;
+			tin1^=tout1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			l2c(tout0,out);
+			l2c(tout1,out);
+			}
+		iv=(unsigned char *)ivec;
+		l2c(tout0,iv);
+		l2c(tout1,iv);
+		}
+	else
+		{
+		register DES_LONG t0,t1;
+
+		c2l(iv,xor0);
+		c2l(iv,xor1);
+		for (l-=8; l>=0; l-=8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+
+			tout0^=xor0;
+			tout1^=xor1;
+			l2c(tout0,out);
+			l2c(tout1,out);
+			xor0=t0;
+			xor1=t1;
+			}
+		if (l != -8)
+			{
+			c2l(in,tin0);
+			c2l(in,tin1);
+			
+			t0=tin0;
+			t1=tin1;
+
+			tin[0]=tin0;
+			tin[1]=tin1;
+			des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+			tout0=tin[0];
+			tout1=tin[1];
+		
+			tout0^=xor0;
+			tout1^=xor1;
+			l2cn(tout0,tout1,out,l+8);
+			xor0=t0;
+			xor1=t1;
+			}
+
+		iv=(unsigned char *)ivec;
+		l2c(xor0,iv);
+		l2c(xor1,iv);
+		}
+	tin0=tin1=tout0=tout1=xor0=xor1=0;
+	tin[0]=tin[1]=0;
+	}
+
+#endif /* DES_DEFAULT_OPTIONS */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/des_opts.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,620 @@
+/* crypto/des/des_opts.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
+ * This is for machines with 64k code segment size restrictions. */
+
+#ifndef MSDOS
+#define TIMES
+#endif
+
+#include <stdio.h>
+#ifndef MSDOS
+#include <unistd.h>
+#else
+#include <io.h>
+extern void exit();
+#endif
+#include <signal.h>
+#ifndef VMS
+#ifndef _IRIX
+#include <time.h>
+#endif
+#ifdef TIMES
+#include <sys/types.h>
+#include <sys/times.h>
+#endif
+#else /* VMS */
+#include <types.h>
+struct tms {
+	time_t tms_utime;
+	time_t tms_stime;
+	time_t tms_uchild;	/* I dunno...  */
+	time_t tms_uchildsys;	/* so these names are a guess :-) */
+	}
+#endif
+#ifndef TIMES
+#include <sys/timeb.h>
+#endif
+
+#ifdef sun
+#include <limits.h>
+#include <sys/param.h>
+#endif
+
+#include "des/des_locl.h"
+#include "des/spr.h"
+
+#define DES_DEFAULT_OPTIONS
+
+#if !defined(PART1) && !defined(PART2) && !defined(PART3) && !defined(PART4)
+#define PART1
+#define PART2
+#define PART3
+#define PART4
+#endif
+
+#ifdef PART1
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#define des_encrypt  des_encrypt_u4_cisc_idx
+#define des_encrypt2 des_encrypt2_u4_cisc_idx
+#define des_encrypt3 des_encrypt3_u4_cisc_idx
+#define des_decrypt3 des_decrypt3_u4_cisc_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_cisc_idx
+#define des_encrypt2 des_encrypt2_u16_cisc_idx
+#define des_encrypt3 des_encrypt3_u16_cisc_idx
+#define des_decrypt3 des_decrypt3_u16_cisc_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#undef DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc1_idx
+#define des_encrypt2 des_encrypt2_u4_risc1_idx
+#define des_encrypt3 des_encrypt3_u4_risc1_idx
+#define des_decrypt3 des_decrypt3_u4_risc1_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART2
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc2_idx
+#define des_encrypt2 des_encrypt2_u4_risc2_idx
+#define des_encrypt3 des_encrypt3_u4_risc2_idx
+#define des_decrypt3 des_decrypt3_u4_risc2_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc1_idx
+#define des_encrypt2 des_encrypt2_u16_risc1_idx
+#define des_encrypt3 des_encrypt3_u16_risc1_idx
+#define des_decrypt3 des_decrypt3_u16_risc1_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#undef DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc2_idx
+#define des_encrypt2 des_encrypt2_u16_risc2_idx
+#define des_encrypt3 des_encrypt3_u16_risc2_idx
+#define des_decrypt3 des_decrypt3_u16_risc2_idx
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART3
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_cisc_ptr
+#define des_encrypt2 des_encrypt2_u4_cisc_ptr
+#define des_encrypt3 des_encrypt3_u4_cisc_ptr
+#define des_decrypt3 des_decrypt3_u4_cisc_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_cisc_ptr
+#define des_encrypt2 des_encrypt2_u16_cisc_ptr
+#define des_encrypt3 des_encrypt3_u16_cisc_ptr
+#define des_decrypt3 des_decrypt3_u16_cisc_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#undef DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc1_ptr
+#define des_encrypt2 des_encrypt2_u4_risc1_ptr
+#define des_encrypt3 des_encrypt3_u4_risc1_ptr
+#define des_decrypt3 des_decrypt3_u4_risc1_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+#ifdef PART4
+
+#undef DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u4_risc2_ptr
+#define des_encrypt2 des_encrypt2_u4_risc2_ptr
+#define des_encrypt3 des_encrypt3_u4_risc2_ptr
+#define des_decrypt3 des_decrypt3_u4_risc2_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#define DES_RISC1
+#undef DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc1_ptr
+#define des_encrypt2 des_encrypt2_u16_risc1_ptr
+#define des_encrypt3 des_encrypt3_u16_risc1_ptr
+#define des_decrypt3 des_decrypt3_u16_risc1_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#define DES_UNROLL
+#undef DES_RISC1
+#define DES_RISC2
+#define DES_PTR
+#undef D_ENCRYPT
+#undef des_encrypt
+#undef des_encrypt2
+#undef des_encrypt3
+#undef des_decrypt3
+#define des_encrypt  des_encrypt_u16_risc2_ptr
+#define des_encrypt2 des_encrypt2_u16_risc2_ptr
+#define des_encrypt3 des_encrypt3_u16_risc2_ptr
+#define des_decrypt3 des_decrypt3_u16_risc2_ptr
+#undef HEADER_DES_LOCL_H
+#include "des_enc.c"
+
+#endif
+
+/* The following if from times(3) man page.  It may need to be changed */
+#ifndef HZ
+# ifndef CLK_TCK
+#  ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
+#   ifndef VMS
+#    define HZ	100.0
+#   else /* VMS */
+#    define HZ	100.0
+#   endif
+#  else /* _BSD_CLK_TCK_ */
+#   define HZ ((double)_BSD_CLK_TCK_)
+#  endif
+# else /* CLK_TCK */
+#  define HZ ((double)CLK_TCK)
+# endif
+#endif
+
+#define BUFSIZE	((long)1024)
+long run=0;
+
+#ifndef NOPROTO
+double Time_F(int s);
+#else
+double Time_F();
+#endif
+
+#ifdef SIGALRM
+#if defined(__STDC__) || defined(sgi)
+#define SIGRETTYPE void
+#else
+#define SIGRETTYPE int
+#endif
+
+#ifndef NOPROTO
+SIGRETTYPE sig_done(int sig);
+#else
+SIGRETTYPE sig_done();
+#endif
+
+SIGRETTYPE sig_done(sig)
+int sig;
+	{
+	signal(SIGALRM,sig_done);
+	run=0;
+#ifdef LINT
+	sig=sig;
+#endif
+	}
+#endif
+
+#define START	0
+#define STOP	1
+
+double Time_F(s)
+int s;
+	{
+	double ret;
+#ifdef TIMES
+	static struct tms tstart,tend;
+
+	if (s == START)
+		{
+		times(&tstart);
+		return(0);
+		}
+	else
+		{
+		times(&tend);
+		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#else /* !times() */
+	static struct timeb tstart,tend;
+	long i;
+
+	if (s == START)
+		{
+		ftime(&tstart);
+		return(0);
+		}
+	else
+		{
+		ftime(&tend);
+		i=(long)tend.millitm-(long)tstart.millitm;
+		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+		return((ret == 0.0)?1e-6:ret);
+		}
+#endif
+	}
+
+#ifdef SIGALRM
+#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10);
+#else
+#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb);
+#endif
+	
+#define time_it(func,name,index) \
+	print_name(name); \
+	Time_F(START); \
+	for (count=0,run=1; COND(cb); count++) \
+		{ \
+		unsigned long d[2]; \
+		func(d,&(sch[0]),DES_ENCRYPT); \
+		} \
+	tm[index]=Time_F(STOP); \
+	fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
+	tm[index]=((double)COUNT(cb))/tm[index];
+
+#define print_it(name,index) \
+	fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \
+		tm[index]*8,1.0e6/tm[index]);
+
+int main(argc,argv)
+int argc;
+char **argv;
+	{
+	long count;
+	static unsigned char buf[BUFSIZE];
+	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	des_key_schedule sch,sch2,sch3;
+	double d,tm[16],max=0;
+	int rank[16];
+	char *str[16];
+	int max_idx=0,i,num=0,j;
+#ifndef SIGALARM
+	long ca,cb,cc,cd,ce;
+#endif
+
+	for (i=0; i<12; i++)
+		{
+		tm[i]=0.0;
+		rank[i]=0;
+		}
+
+#ifndef TIMES
+	fprintf(stderr,"To get the most acurate results, try to run this\n");
+	fprintf(stderr,"program when this computer is idle.\n");
+#endif
+
+	des_set_key((C_Block *)key,sch);
+	des_set_key((C_Block *)key2,sch2);
+	des_set_key((C_Block *)key3,sch3);
+
+#ifndef SIGALRM
+	fprintf(stderr,"First we calculate the approximate speed ...\n");
+	des_set_key((C_Block *)key,sch);
+	count=10;
+	do	{
+		long i;
+		unsigned long data[2];
+
+		count*=2;
+		Time_F(START);
+		for (i=count; i; i--)
+			des_encrypt(data,&(sch[0]),DES_ENCRYPT);
+		d=Time_F(STOP);
+		} while (d < 3.0);
+	ca=count;
+	cb=count*3;
+	cc=count*3*8/BUFSIZE+1;
+	cd=count*8/BUFSIZE+1;
+
+	ce=count/20+1;
+#define COND(d) (count != (d))
+#define COUNT(d) (d)
+#else
+#define COND(c) (run)
+#define COUNT(d) (count)
+        signal(SIGALRM,sig_done);
+        alarm(10);
+#endif
+
+#ifdef PART1
+	time_it(des_encrypt_u4_cisc_idx,  "des_encrypt_u4_cisc_idx  ", 0);
+	time_it(des_encrypt_u16_cisc_idx, "des_encrypt_u16_cisc_idx ", 1);
+	time_it(des_encrypt_u4_risc1_idx, "des_encrypt_u4_risc1_idx ", 2);
+	num+=3;
+#endif
+#ifdef PART2
+	time_it(des_encrypt_u16_risc1_idx,"des_encrypt_u16_risc1_idx", 3);
+	time_it(des_encrypt_u4_risc2_idx, "des_encrypt_u4_risc2_idx ", 4);
+	time_it(des_encrypt_u16_risc2_idx,"des_encrypt_u16_risc2_idx", 5);
+	num+=3;
+#endif
+#ifdef PART3
+	time_it(des_encrypt_u4_cisc_ptr,  "des_encrypt_u4_cisc_ptr  ", 6);
+	time_it(des_encrypt_u16_cisc_ptr, "des_encrypt_u16_cisc_ptr ", 7);
+	time_it(des_encrypt_u4_risc1_ptr, "des_encrypt_u4_risc1_ptr ", 8);
+	num+=3;
+#endif
+#ifdef PART4
+	time_it(des_encrypt_u16_risc1_ptr,"des_encrypt_u16_risc1_ptr", 9);
+	time_it(des_encrypt_u4_risc2_ptr, "des_encrypt_u4_risc2_ptr ",10);
+	time_it(des_encrypt_u16_risc2_ptr,"des_encrypt_u16_risc2_ptr",11);
+	num+=3;
+#endif
+
+#ifdef PART1
+	str[0]=" 4  c i";
+	print_it("des_encrypt_u4_cisc_idx  ",0);
+	max=tm[0];
+	max_idx=0;
+	str[1]="16  c i";
+	print_it("des_encrypt_u16_cisc_idx ",1);
+	if (max < tm[1]) { max=tm[1]; max_idx=1; }
+	str[2]=" 4 r1 i";
+	print_it("des_encrypt_u4_risc1_idx ",2);
+	if (max < tm[2]) { max=tm[2]; max_idx=2; }
+#endif
+#ifdef PART2
+	str[3]="16 r1 i";
+	print_it("des_encrypt_u16_risc1_idx",3);
+	if (max < tm[3]) { max=tm[3]; max_idx=3; }
+	str[4]=" 4 r2 i";
+	print_it("des_encrypt_u4_risc2_idx ",4);
+	if (max < tm[4]) { max=tm[4]; max_idx=4; }
+	str[5]="16 r2 i";
+	print_it("des_encrypt_u16_risc2_idx",5);
+	if (max < tm[5]) { max=tm[5]; max_idx=5; }
+#endif
+#ifdef PART3
+	str[6]=" 4  c p";
+	print_it("des_encrypt_u4_cisc_ptr  ",6);
+	if (max < tm[6]) { max=tm[6]; max_idx=6; }
+	str[7]="16  c p";
+	print_it("des_encrypt_u16_cisc_ptr ",7);
+	if (max < tm[7]) { max=tm[7]; max_idx=7; }
+	str[8]=" 4 r1 p";
+	print_it("des_encrypt_u4_risc1_ptr ",8);
+	if (max < tm[8]) { max=tm[8]; max_idx=8; }
+#endif
+#ifdef PART4
+	str[9]="16 r1 p";
+	print_it("des_encrypt_u16_risc1_ptr",9);
+	if (max < tm[9]) { max=tm[9]; max_idx=9; }
+	str[10]=" 4 r2 p";
+	print_it("des_encrypt_u4_risc2_ptr ",10);
+	if (max < tm[10]) { max=tm[10]; max_idx=10; }
+	str[11]="16 r2 p";
+	print_it("des_encrypt_u16_risc2_ptr",11);
+	if (max < tm[11]) { max=tm[11]; max_idx=11; }
+#endif
+	printf("options    des ecb/s\n");
+	printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]);
+	d=tm[max_idx];
+	tm[max_idx]= -2.0;
+	max= -1.0;
+	for (;;)
+		{
+		for (i=0; i<12; i++)
+			{
+			if (max < tm[i]) { max=tm[i]; j=i; }
+			}
+		if (max < 0.0) break;
+		printf("%s %12.2f  %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0);
+		tm[j]= -2.0;
+		max= -1.0;
+		}
+
+	switch (max_idx)
+		{
+	case 0:
+		printf("-DDES_DEFAULT_OPTIONS\n");
+		break;
+	case 1:
+		printf("-DDES_UNROLL\n");
+		break;
+	case 2:
+		printf("-DDES_RISC1\n");
+		break;
+	case 3:
+		printf("-DDES_UNROLL -DDES_RISC1\n");
+		break;
+	case 4:
+		printf("-DDES_RISC2\n");
+		break;
+	case 5:
+		printf("-DDES_UNROLL -DDES_RISC2\n");
+		break;
+	case 6:
+		printf("-DDES_PTR\n");
+		break;
+	case 7:
+		printf("-DDES_UNROLL -DDES_PTR\n");
+		break;
+	case 8:
+		printf("-DDES_RISC1 -DDES_PTR\n");
+		break;
+	case 9:
+		printf("-DDES_UNROLL -DDES_RISC1 -DDES_PTR\n");
+		break;
+	case 10:
+		printf("-DDES_RISC2 -DDES_PTR\n");
+		break;
+	case 11:
+		printf("-DDES_UNROLL -DDES_RISC2 -DDES_PTR\n");
+		break;
+		}
+	exit(0);
+#if defined(LINT) || defined(MSDOS)
+	return(0);
+#endif
+	}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/dx86unix.S     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,3160 @@
+/* 
+ * This file was originally generated by Michael Richardson <mcr@freeswan.org>
+ * via the perl scripts found in the ASM subdir. It remains copyright of
+ * Eric Young, see the file COPYRIGHT.
+ *
+ * This was last done on October 9, 2002.
+ *
+ * While this file does not need to go through cpp, we pass it through
+ * CPP by naming it dx86unix.S instead of dx86unix.s because there is
+ * a bug in Rules.make for .s builds - specifically it references EXTRA_CFLAGS
+ * which may contain stuff that AS doesn't understand instead of
+ * referencing EXTRA_AFLAGS.
+ */	 
+
+	.file	"dx86unix.S"
+	.version	"01.01"
+.text
+	.align 16 
+.globl des_encrypt
+	.type    des_encrypt , @function  
+des_encrypt:
+	pushl	%esi
+	pushl	%edi
+
+	 
+	movl	12(%esp),	%esi
+	xorl	%ecx,		%ecx
+	pushl	%ebx
+	pushl	%ebp
+	movl	(%esi),		%eax
+	movl	28(%esp),	%ebx
+	movl	4(%esi),	%edi
+
+	 
+	roll	$4,		%eax
+	movl	%eax,		%esi
+	xorl	%edi,		%eax
+	andl	$0xf0f0f0f0,	%eax
+	xorl	%eax,		%esi
+	xorl	%eax,		%edi
+
+	roll	$20,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0xfff0000f,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$14,		%eax
+	movl	%eax,		%edi
+	xorl	%esi,		%eax
+	andl	$0x33333333,	%eax
+	xorl	%eax,		%edi
+	xorl	%eax,		%esi
+
+	roll	$22,		%esi
+	movl	%esi,		%eax
+	xorl	%edi,		%esi
+	andl	$0x03fc03fc,	%esi
+	xorl	%esi,		%eax
+	xorl	%esi,		%edi
+
+	roll	$9,		%eax
+	movl	%eax,		%esi
+	xorl	%edi,		%eax
+	andl	$0xaaaaaaaa,	%eax
+	xorl	%eax,		%esi
+	xorl	%eax,		%edi
+
+.byte 209
+.byte 199		 
+	movl	24(%esp),	%ebp
+	cmpl	$0,		%ebx
+	je	.L000start_decrypt
+
+	 
+	movl	(%ebp),		%eax
+	xorl	%ebx,		%ebx
+	movl	4(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	8(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	12(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	16(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	20(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	24(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	28(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	32(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	36(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	40(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	44(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	48(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	52(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	56(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	60(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	64(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	68(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	72(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	76(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	80(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	84(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	88(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	92(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	96(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	100(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	104(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	108(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	112(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	116(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	120(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	124(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+	jmp	.L001end
+.L000start_decrypt:
+
+	 
+	movl	120(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	124(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	112(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	116(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	104(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	108(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	96(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	100(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	88(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	92(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	80(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	84(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	72(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	76(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	64(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	68(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	56(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	60(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	48(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	52(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	40(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	44(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	32(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	36(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	24(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	28(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	16(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	20(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	8(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	12(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	(%ebp),		%eax
+	xorl	%ebx,		%ebx
+	movl	4(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+.L001end:
+
+	 
+	movl	20(%esp),	%edx
+.byte 209
+.byte 206		 
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0xaaaaaaaa,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$23,		%eax
+	movl	%eax,		%edi
+	xorl	%esi,		%eax
+	andl	$0x03fc03fc,	%eax
+	xorl	%eax,		%edi
+	xorl	%eax,		%esi
+
+	roll	$10,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0x33333333,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$18,		%esi
+	movl	%esi,		%edi
+	xorl	%eax,		%esi
+	andl	$0xfff0000f,	%esi
+	xorl	%esi,		%edi
+	xorl	%esi,		%eax
+
+	roll	$12,		%edi
+	movl	%edi,		%esi
+	xorl	%eax,		%edi
+	andl	$0xf0f0f0f0,	%edi
+	xorl	%edi,		%esi
+	xorl	%edi,		%eax
+
+	rorl	$4,		%eax
+	movl	%eax,		(%edx)
+	movl	%esi,		4(%edx)
+	popl	%ebp
+	popl	%ebx
+	popl	%edi
+	popl	%esi
+	ret
+.des_encrypt_end:
+	.size    des_encrypt , .des_encrypt_end-des_encrypt  
+.ident	"desasm.pl"
+.text
+	.align 16 
+.globl des_encrypt2
+	.type    des_encrypt2 , @function  
+des_encrypt2:
+	pushl	%esi
+	pushl	%edi
+
+	 
+	movl	12(%esp),	%eax
+	xorl	%ecx,		%ecx
+	pushl	%ebx
+	pushl	%ebp
+	movl	(%eax),		%esi
+	movl	28(%esp),	%ebx
+	roll	$3,		%esi
+	movl	4(%eax),	%edi
+	roll	$3,		%edi
+	movl	24(%esp),	%ebp
+	cmpl	$0,		%ebx
+	je	.L002start_decrypt
+
+	 
+	movl	(%ebp),		%eax
+	xorl	%ebx,		%ebx
+	movl	4(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	8(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	12(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	16(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	20(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	24(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	28(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	32(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	36(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	40(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	44(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	48(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	52(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	56(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	60(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	64(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	68(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	72(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	76(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	80(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	84(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	88(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	92(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	96(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	100(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	104(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	108(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	112(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	116(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	120(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	124(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+	jmp	.L003end
+.L002start_decrypt:
+
+	 
+	movl	120(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	124(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	112(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	116(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	104(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	108(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	96(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	100(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	88(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	92(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	80(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	84(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	72(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	76(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	64(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	68(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	56(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	60(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	48(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	52(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	40(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	44(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	32(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	36(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	24(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	28(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	16(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	20(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+
+	 
+	movl	8(%ebp),	%eax
+	xorl	%ebx,		%ebx
+	movl	12(%ebp),	%edx
+	xorl	%esi,		%eax
+	xorl	%esi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%edi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%edi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%edi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%edi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%edi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%edi
+
+	 
+	movl	(%ebp),		%eax
+	xorl	%ebx,		%ebx
+	movl	4(%ebp),	%edx
+	xorl	%edi,		%eax
+	xorl	%edi,		%edx
+	andl	$0xfcfcfcfc,	%eax
+	andl	$0xcfcfcfcf,	%edx
+	movb	%al,		%bl
+	movb	%ah,		%cl
+	rorl	$4,		%edx
+	movl	      des_SPtrans(%ebx),%ebp
+	movb	%dl,		%bl
+	xorl	%ebp,		%esi
+	movl	0x200+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movb	%dh,		%cl
+	shrl	$16,		%eax
+	movl	0x100+des_SPtrans(%ebx),%ebp
+	xorl	%ebp,		%esi
+	movb	%ah,		%bl
+	shrl	$16,		%edx
+	movl	0x300+des_SPtrans(%ecx),%ebp
+	xorl	%ebp,		%esi
+	movl	24(%esp),	%ebp
+	movb	%dh,		%cl
+	andl	$0xff,		%eax
+	andl	$0xff,		%edx
+	movl	0x600+des_SPtrans(%ebx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x700+des_SPtrans(%ecx),%ebx
+	xorl	%ebx,		%esi
+	movl	0x400+des_SPtrans(%eax),%ebx
+	xorl	%ebx,		%esi
+	movl	0x500+des_SPtrans(%edx),%ebx
+	xorl	%ebx,		%esi
+.L003end:
+
+	 
+	rorl	$3,		%edi
+	movl	20(%esp),	%eax
+	rorl	$3,		%esi
+	movl	%edi,		(%eax)
+	movl	%esi,		4(%eax)
+	popl	%ebp
+	popl	%ebx
+	popl	%edi
+	popl	%esi
+	ret
+.des_encrypt2_end:
+	.size    des_encrypt2 , .des_encrypt2_end-des_encrypt2  
+.ident	"desasm.pl"
+.text
+	.align 16 
+.globl des_encrypt3
+	.type    des_encrypt3 , @function  
+des_encrypt3:
+	pushl	%ebx
+	movl	8(%esp),	%ebx
+	pushl	%ebp
+	pushl	%esi
+	pushl	%edi
+
+	 
+	movl	(%ebx),		%edi
+	movl	4(%ebx),	%esi
+	subl	$12,		%esp
+
+	 
+	roll	$4,		%edi
+	movl	%edi,		%edx
+	xorl	%esi,		%edi
+	andl	$0xf0f0f0f0,	%edi
+	xorl	%edi,		%edx
+	xorl	%edi,		%esi
+
+	roll	$20,		%esi
+	movl	%esi,		%edi
+	xorl	%edx,		%esi
+	andl	$0xfff0000f,	%esi
+	xorl	%esi,		%edi
+	xorl	%esi,		%edx
+
+	roll	$14,		%edi
+	movl	%edi,		%esi
+	xorl	%edx,		%edi
+	andl	$0x33333333,	%edi
+	xorl	%edi,		%esi
+	xorl	%edi,		%edx
+
+	roll	$22,		%edx
+	movl	%edx,		%edi
+	xorl	%esi,		%edx
+	andl	$0x03fc03fc,	%edx
+	xorl	%edx,		%edi
+	xorl	%edx,		%esi
+
+	roll	$9,		%edi
+	movl	%edi,		%edx
+	xorl	%esi,		%edi
+	andl	$0xaaaaaaaa,	%edi
+	xorl	%edi,		%edx
+	xorl	%edi,		%esi
+
+	rorl	$3,		%edx
+	rorl	$2,		%esi
+	movl	%esi,		4(%ebx)
+	movl	36(%esp),	%eax
+	movl	%edx,		(%ebx)
+	movl	40(%esp),	%edi
+	movl	44(%esp),	%esi
+	movl	$1,		8(%esp)
+	movl	%eax,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	movl	$0,		8(%esp)
+	movl	%edi,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	movl	$1,		8(%esp)
+	movl	%esi,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	addl	$12,		%esp
+	movl	(%ebx),		%edi
+	movl	4(%ebx),	%esi
+
+	 
+	roll	$2,		%esi
+	roll	$3,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0xaaaaaaaa,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$23,		%eax
+	movl	%eax,		%edi
+	xorl	%esi,		%eax
+	andl	$0x03fc03fc,	%eax
+	xorl	%eax,		%edi
+	xorl	%eax,		%esi
+
+	roll	$10,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0x33333333,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$18,		%esi
+	movl	%esi,		%edi
+	xorl	%eax,		%esi
+	andl	$0xfff0000f,	%esi
+	xorl	%esi,		%edi
+	xorl	%esi,		%eax
+
+	roll	$12,		%edi
+	movl	%edi,		%esi
+	xorl	%eax,		%edi
+	andl	$0xf0f0f0f0,	%edi
+	xorl	%edi,		%esi
+	xorl	%edi,		%eax
+
+	rorl	$4,		%eax
+	movl	%eax,		(%ebx)
+	movl	%esi,		4(%ebx)
+	popl	%edi
+	popl	%esi
+	popl	%ebp
+	popl	%ebx
+	ret
+.des_encrypt3_end:
+	.size    des_encrypt3 , .des_encrypt3_end-des_encrypt3  
+.ident	"desasm.pl"
+.text
+	.align 16 
+.globl des_decrypt3
+	.type    des_decrypt3 , @function  
+des_decrypt3:
+	pushl	%ebx
+	movl	8(%esp),	%ebx
+	pushl	%ebp
+	pushl	%esi
+	pushl	%edi
+
+	 
+	movl	(%ebx),		%edi
+	movl	4(%ebx),	%esi
+	subl	$12,		%esp
+
+	 
+	roll	$4,		%edi
+	movl	%edi,		%edx
+	xorl	%esi,		%edi
+	andl	$0xf0f0f0f0,	%edi
+	xorl	%edi,		%edx
+	xorl	%edi,		%esi
+
+	roll	$20,		%esi
+	movl	%esi,		%edi
+	xorl	%edx,		%esi
+	andl	$0xfff0000f,	%esi
+	xorl	%esi,		%edi
+	xorl	%esi,		%edx
+
+	roll	$14,		%edi
+	movl	%edi,		%esi
+	xorl	%edx,		%edi
+	andl	$0x33333333,	%edi
+	xorl	%edi,		%esi
+	xorl	%edi,		%edx
+
+	roll	$22,		%edx
+	movl	%edx,		%edi
+	xorl	%esi,		%edx
+	andl	$0x03fc03fc,	%edx
+	xorl	%edx,		%edi
+	xorl	%edx,		%esi
+
+	roll	$9,		%edi
+	movl	%edi,		%edx
+	xorl	%esi,		%edi
+	andl	$0xaaaaaaaa,	%edi
+	xorl	%edi,		%edx
+	xorl	%edi,		%esi
+
+	rorl	$3,		%edx
+	rorl	$2,		%esi
+	movl	%esi,		4(%ebx)
+	movl	36(%esp),	%esi
+	movl	%edx,		(%ebx)
+	movl	40(%esp),	%edi
+	movl	44(%esp),	%eax
+	movl	$0,		8(%esp)
+	movl	%eax,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	movl	$1,		8(%esp)
+	movl	%edi,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	movl	$0,		8(%esp)
+	movl	%esi,		4(%esp)
+	movl	%ebx,		(%esp)
+	call	des_encrypt2
+	addl	$12,		%esp
+	movl	(%ebx),		%edi
+	movl	4(%ebx),	%esi
+
+	 
+	roll	$2,		%esi
+	roll	$3,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0xaaaaaaaa,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$23,		%eax
+	movl	%eax,		%edi
+	xorl	%esi,		%eax
+	andl	$0x03fc03fc,	%eax
+	xorl	%eax,		%edi
+	xorl	%eax,		%esi
+
+	roll	$10,		%edi
+	movl	%edi,		%eax
+	xorl	%esi,		%edi
+	andl	$0x33333333,	%edi
+	xorl	%edi,		%eax
+	xorl	%edi,		%esi
+
+	roll	$18,		%esi
+	movl	%esi,		%edi
+	xorl	%eax,		%esi
+	andl	$0xfff0000f,	%esi
+	xorl	%esi,		%edi
+	xorl	%esi,		%eax
+
+	roll	$12,		%edi
+	movl	%edi,		%esi
+	xorl	%eax,		%edi
+	andl	$0xf0f0f0f0,	%edi
+	xorl	%edi,		%esi
+	xorl	%edi,		%eax
+
+	rorl	$4,		%eax
+	movl	%eax,		(%ebx)
+	movl	%esi,		4(%ebx)
+	popl	%edi
+	popl	%esi
+	popl	%ebp
+	popl	%ebx
+	ret
+.des_decrypt3_end:
+	.size    des_decrypt3 , .des_decrypt3_end-des_decrypt3  
+.ident	"desasm.pl"
+.text
+	.align 16 
+.globl des_ncbc_encrypt
+	.type    des_ncbc_encrypt , @function  
+des_ncbc_encrypt:
+
+	pushl	%ebp
+	pushl	%ebx
+	pushl	%esi
+	pushl	%edi
+	movl	28(%esp),	%ebp
+	 
+	movl	36(%esp),	%ebx
+	movl	(%ebx),		%esi
+	movl	4(%ebx),	%edi
+	pushl	%edi
+	pushl	%esi
+	pushl	%edi
+	pushl	%esi
+	movl	%esp,		%ebx
+	movl	36(%esp),	%esi
+	movl	40(%esp),	%edi
+	 
+	movl	56(%esp),	%ecx
+	 
+	pushl	%ecx
+	 
+	movl	52(%esp),	%eax
+	pushl	%eax
+	pushl	%ebx
+	cmpl	$0,		%ecx
+	jz	.L004decrypt
+	andl	$4294967288,	%ebp
+	movl	12(%esp),	%eax
+	movl	16(%esp),	%ebx
+	jz	.L005encrypt_finish
+.L006encrypt_loop:
+	movl	(%esi),		%ecx
+	movl	4(%esi),	%edx
+	xorl	%ecx,		%eax
+	xorl	%edx,		%ebx
+	movl	%eax,		12(%esp)
+	movl	%ebx,		16(%esp)
+	call	des_encrypt
+	movl	12(%esp),	%eax
+	movl	16(%esp),	%ebx
+	movl	%eax,		(%edi)
+	movl	%ebx,		4(%edi)
+	addl	$8,		%esi
+	addl	$8,		%edi
+	subl	$8,		%ebp
+	jnz	.L006encrypt_loop
+.L005encrypt_finish:
+	movl	56(%esp),	%ebp
+	andl	$7,		%ebp
+	jz	.L007finish
+	xorl	%ecx,		%ecx
+	xorl	%edx,		%edx
+	movl	.L008cbc_enc_jmp_table(,%ebp,4),%ebp
+	jmp	*%ebp
+.L009ej7:
+	movb	6(%esi),	%dh
+	sall	$8,		%edx
+.L010ej6:
+	movb	5(%esi),	%dh
+.L011ej5:
+	movb	4(%esi),	%dl
+.L012ej4:
+	movl	(%esi),		%ecx
+	jmp	.L013ejend
+.L014ej3:
+	movb	2(%esi),	%ch
+	sall	$8,		%ecx
+.L015ej2:
+	movb	1(%esi),	%ch
+.L016ej1:
+	movb	(%esi),		%cl
+.L013ejend:
+	xorl	%ecx,		%eax
+	xorl	%edx,		%ebx
+	movl	%eax,		12(%esp)
+	movl	%ebx,		16(%esp)
+	call	des_encrypt
+	movl	12(%esp),	%eax
+	movl	16(%esp),	%ebx
+	movl	%eax,		(%edi)
+	movl	%ebx,		4(%edi)
+	jmp	.L007finish
+.align 16 
+.L004decrypt:
+	andl	$4294967288,	%ebp
+	movl	20(%esp),	%eax
+	movl	24(%esp),	%ebx
+	jz	.L017decrypt_finish
+.L018decrypt_loop:
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%eax,		12(%esp)
+	movl	%ebx,		16(%esp)
+	call	des_encrypt
+	movl	12(%esp),	%eax
+	movl	16(%esp),	%ebx
+	movl	20(%esp),	%ecx
+	movl	24(%esp),	%edx
+	xorl	%eax,		%ecx
+	xorl	%ebx,		%edx
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%ecx,		(%edi)
+	movl	%edx,		4(%edi)
+	movl	%eax,		20(%esp)
+	movl	%ebx,		24(%esp)
+	addl	$8,		%esi
+	addl	$8,		%edi
+	subl	$8,		%ebp
+	jnz	.L018decrypt_loop
+.L017decrypt_finish:
+	movl	56(%esp),	%ebp
+	andl	$7,		%ebp
+	jz	.L007finish
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%eax,		12(%esp)
+	movl	%ebx,		16(%esp)
+	call	des_encrypt
+	movl	12(%esp),	%eax
+	movl	16(%esp),	%ebx
+	movl	20(%esp),	%ecx
+	movl	24(%esp),	%edx
+	xorl	%eax,		%ecx
+	xorl	%ebx,		%edx
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+.L019dj7:
+	rorl	$16,		%edx
+	movb	%dl,		6(%edi)
+	shrl	$16,		%edx
+.L020dj6:
+	movb	%dh,		5(%edi)
+.L021dj5:
+	movb	%dl,		4(%edi)
+.L022dj4:
+	movl	%ecx,		(%edi)
+	jmp	.L023djend
+.L024dj3:
+	rorl	$16,		%ecx
+	movb	%cl,		2(%edi)
+	sall	$16,		%ecx
+.L025dj2:
+	movb	%ch,		1(%esi)
+.L026dj1:
+	movb	%cl,		(%esi)
+.L023djend:
+	jmp	.L007finish
+.align 16 
+.L007finish:
+	movl	64(%esp),	%ecx
+	addl	$28,		%esp
+	movl	%eax,		(%ecx)
+	movl	%ebx,		4(%ecx)
+	popl	%edi
+	popl	%esi
+	popl	%ebx
+	popl	%ebp
+	ret
+.align 16 
+.L008cbc_enc_jmp_table:
+	.long 0
+	.long .L016ej1
+	.long .L015ej2
+	.long .L014ej3
+	.long .L012ej4
+	.long .L011ej5
+	.long .L010ej6
+	.long .L009ej7
+.align 16 
+.L027cbc_dec_jmp_table:
+	.long 0
+	.long .L026dj1
+	.long .L025dj2
+	.long .L024dj3
+	.long .L022dj4
+	.long .L021dj5
+	.long .L020dj6
+	.long .L019dj7
+.des_ncbc_encrypt_end:
+	.size    des_ncbc_encrypt , .des_ncbc_encrypt_end-des_ncbc_encrypt  
+.ident	"desasm.pl"
+.text
+	.align 16 
+.globl des_ede3_cbc_encrypt
+	.type    des_ede3_cbc_encrypt , @function  
+des_ede3_cbc_encrypt:
+
+	pushl	%ebp
+	pushl	%ebx
+	pushl	%esi
+	pushl	%edi
+	movl	28(%esp),	%ebp
+	 
+	movl	44(%esp),	%ebx
+	movl	(%ebx),		%esi
+	movl	4(%ebx),	%edi
+	pushl	%edi
+	pushl	%esi
+	pushl	%edi
+	pushl	%esi
+	movl	%esp,		%ebx
+	movl	36(%esp),	%esi
+	movl	40(%esp),	%edi
+	 
+	movl	64(%esp),	%ecx
+	 
+	movl	56(%esp),	%eax
+	pushl	%eax
+	 
+	movl	56(%esp),	%eax
+	pushl	%eax
+	 
+	movl	56(%esp),	%eax
+	pushl	%eax
+	pushl	%ebx
+	cmpl	$0,		%ecx
+	jz	.L028decrypt
+	andl	$4294967288,	%ebp
+	movl	16(%esp),	%eax
+	movl	20(%esp),	%ebx
+	jz	.L029encrypt_finish
+.L030encrypt_loop:
+	movl	(%esi),		%ecx
+	movl	4(%esi),	%edx
+	xorl	%ecx,		%eax
+	xorl	%edx,		%ebx
+	movl	%eax,		16(%esp)
+	movl	%ebx,		20(%esp)
+	call	des_encrypt3
+	movl	16(%esp),	%eax
+	movl	20(%esp),	%ebx
+	movl	%eax,		(%edi)
+	movl	%ebx,		4(%edi)
+	addl	$8,		%esi
+	addl	$8,		%edi
+	subl	$8,		%ebp
+	jnz	.L030encrypt_loop
+.L029encrypt_finish:
+	movl	60(%esp),	%ebp
+	andl	$7,		%ebp
+	jz	.L031finish
+	xorl	%ecx,		%ecx
+	xorl	%edx,		%edx
+	movl	.L032cbc_enc_jmp_table(,%ebp,4),%ebp
+	jmp	*%ebp
+.L033ej7:
+	movb	6(%esi),	%dh
+	sall	$8,		%edx
+.L034ej6:
+	movb	5(%esi),	%dh
+.L035ej5:
+	movb	4(%esi),	%dl
+.L036ej4:
+	movl	(%esi),		%ecx
+	jmp	.L037ejend
+.L038ej3:
+	movb	2(%esi),	%ch
+	sall	$8,		%ecx
+.L039ej2:
+	movb	1(%esi),	%ch
+.L040ej1:
+	movb	(%esi),		%cl
+.L037ejend:
+	xorl	%ecx,		%eax
+	xorl	%edx,		%ebx
+	movl	%eax,		16(%esp)
+	movl	%ebx,		20(%esp)
+	call	des_encrypt3
+	movl	16(%esp),	%eax
+	movl	20(%esp),	%ebx
+	movl	%eax,		(%edi)
+	movl	%ebx,		4(%edi)
+	jmp	.L031finish
+.align 16 
+.L028decrypt:
+	andl	$4294967288,	%ebp
+	movl	24(%esp),	%eax
+	movl	28(%esp),	%ebx
+	jz	.L041decrypt_finish
+.L042decrypt_loop:
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%eax,		16(%esp)
+	movl	%ebx,		20(%esp)
+	call	des_decrypt3
+	movl	16(%esp),	%eax
+	movl	20(%esp),	%ebx
+	movl	24(%esp),	%ecx
+	movl	28(%esp),	%edx
+	xorl	%eax,		%ecx
+	xorl	%ebx,		%edx
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%ecx,		(%edi)
+	movl	%edx,		4(%edi)
+	movl	%eax,		24(%esp)
+	movl	%ebx,		28(%esp)
+	addl	$8,		%esi
+	addl	$8,		%edi
+	subl	$8,		%ebp
+	jnz	.L042decrypt_loop
+.L041decrypt_finish:
+	movl	60(%esp),	%ebp
+	andl	$7,		%ebp
+	jz	.L031finish
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+	movl	%eax,		16(%esp)
+	movl	%ebx,		20(%esp)
+	call	des_decrypt3
+	movl	16(%esp),	%eax
+	movl	20(%esp),	%ebx
+	movl	24(%esp),	%ecx
+	movl	28(%esp),	%edx
+	xorl	%eax,		%ecx
+	xorl	%ebx,		%edx
+	movl	(%esi),		%eax
+	movl	4(%esi),	%ebx
+.L043dj7:
+	rorl	$16,		%edx
+	movb	%dl,		6(%edi)
+	shrl	$16,		%edx
+.L044dj6:
+	movb	%dh,		5(%edi)
+.L045dj5:
+	movb	%dl,		4(%edi)
+.L046dj4:
+	movl	%ecx,		(%edi)
+	jmp	.L047djend
+.L048dj3:
+	rorl	$16,		%ecx
+	movb	%cl,		2(%edi)
+	sall	$16,		%ecx
+.L049dj2:
+	movb	%ch,		1(%esi)
+.L050dj1:
+	movb	%cl,		(%esi)
+.L047djend:
+	jmp	.L031finish
+.align 16 
+.L031finish:
+	movl	76(%esp),	%ecx
+	addl	$32,		%esp
+	movl	%eax,		(%ecx)
+	movl	%ebx,		4(%ecx)
+	popl	%edi
+	popl	%esi
+	popl	%ebx
+	popl	%ebp
+	ret
+.align 16 
+.L032cbc_enc_jmp_table:
+	.long 0
+	.long .L040ej1
+	.long .L039ej2
+	.long .L038ej3
+	.long .L036ej4
+	.long .L035ej5
+	.long .L034ej6
+	.long .L033ej7
+.align 16 
+.L051cbc_dec_jmp_table:
+	.long 0
+	.long .L050dj1
+	.long .L049dj2
+	.long .L048dj3
+	.long .L046dj4
+	.long .L045dj5
+	.long .L044dj6
+	.long .L043dj7
+.des_ede3_cbc_encrypt_end:
+	.size    des_ede3_cbc_encrypt , .des_ede3_cbc_encrypt_end-des_ede3_cbc_encrypt  
+.ident	"desasm.pl"
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/ecb_enc.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,128 @@
+/* crypto/des/ecb_enc.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des/des_locl.h"
+#include "des/spr.h"
+
+char *libdes_version="libdes v 3.24 - 20-Apr-1996 - eay";
+char *DES_version="DES part of SSLeay 0.8.2b 08-Jan-1998";
+
+/* RCSID $Id: ecb_enc.c,v 1.8 2004/08/04 15:57:22 mcr Exp $ */
+/* This function ifdef'ed out for FreeS/WAN project. */
+#ifdef notdef
+char *des_options()
+	{
+	static int init=1;
+	static char buf[32];
+
+	if (init)
+		{
+		char *ptr,*unroll,*risc,*size;
+
+		init=0;
+#ifdef DES_PTR
+		ptr="ptr";
+#else
+		ptr="idx";
+#endif
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+		risc="risc1";
+#endif
+#ifdef DES_RISC2
+		risc="risc2";
+#endif
+#else
+		risc="cisc";
+#endif
+#ifdef DES_UNROLL
+		unroll="16";
+#else
+		unroll="4";
+#endif
+		if (sizeof(DES_LONG) != sizeof(long))
+			size="int";
+		else
+			size="long";
+		sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size);
+		}
+	return(buf);
+	}
+#endif
+		
+
+void des_ecb_encrypt(input, output, ks, enc)
+des_cblock (*input);
+des_cblock (*output);
+des_key_schedule ks;
+int enc;
+	{
+	register DES_LONG l;
+	register unsigned char *in,*out;
+	DES_LONG ll[2];
+
+	in=(unsigned char *)input;
+	out=(unsigned char *)output;
+	c2l(in,l); ll[0]=l;
+	c2l(in,l); ll[1]=l;
+	des_encrypt(ll,ks,enc);
+	l=ll[0]; l2c(l,out);
+	l=ll[1]; l2c(l,out);
+	l=ll[0]=ll[1]=0;
+	}
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/ipsec_alg_3des.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,181 @@
+/*
+ * ipsec_alg 3DES cipher stubs
+ *
+ * Copyright (C) 2005 Michael Richardson <mcr@xelerance.com> 
+ *
+ * Adapted from ipsec_alg_aes.c by JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 
+ * ipsec_alg_aes.c,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ */
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+/*	
+ *	special case: ipsec core modular with this static algo inside:
+ *	must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_3DES)
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/string.h>
+
+/*	Low freeswan header coupling	*/
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_alg.h"
+#include "crypto/des.h"
+#include "openswan/ipsec_alg_3des.h"
+
+#define AES_CONTEXT_T aes_context
+static int debug_3des=0;
+static int test_3des=0;
+static int excl_3des=0;
+
+#if defined(CONFIG_KLIPS_ENC_3DES_MODULE)
+MODULE_AUTHOR("Michael Richardson <mcr@xelerance.com>");
+#ifdef module_param
+module_param(debug_3des,int,0600)
+module_param(test_des,int,0600)
+module_param(excl_des,int,0600)
+#else
+MODULE_PARM(debug_3des, "i");
+MODULE_PARM(test_des, "i");
+MODULE_PARM(excl_des, "i");
+#endif
+#endif
+
+#define ESP_AES_MAC_KEY_SZ	16	/* 128 bit MAC key */
+#define ESP_AES_MAC_BLK_LEN	16	/* 128 bit block */
+
+static int _3des_set_key(struct ipsec_alg_enc *alg,
+			 __u8 * key_e, const __u8 * key,
+			 size_t keysize)
+{
+	int ret = 0;
+	TripleDES_context *ctx = (TripleDES_context*)key_e;
+
+	if(keysize != 192/8) {
+	  return EINVAL;
+	}
+	
+	des_set_key((des_cblock *)(key + DES_KEY_SZ*0), ctx->s1);
+	des_set_key((des_cblock *)(key + DES_KEY_SZ*1), ctx->s2);
+	des_set_key((des_cblock *)(key + DES_KEY_SZ*2), ctx->s3);
+	
+	if (debug_3des > 0)
+		printk(KERN_DEBUG "klips_debug:_3des_set_key:"
+				"ret=%d key_e=%p key=%p keysize=%ld\n",
+                                ret, key_e, key, (unsigned long int) keysize);
+	return ret;
+}
+
+static int _3des_cbc_encrypt(struct ipsec_alg_enc *alg,
+			     __u8 * key_e,
+			     __u8 * in,
+			     int ilen, const __u8 * iv,
+			     int encrypt)
+{
+	TripleDES_context *ctx=(TripleDES_context*)key_e;
+	des_cblock miv;
+
+	memcpy(&miv, iv, sizeof(miv));
+
+	if (debug_3des > 0)
+		printk(KERN_DEBUG "klips_debug:_aes_cbc_encrypt:"
+				"key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+				key_e, in, ilen, iv, encrypt);
+
+	des_ede3_cbc_encrypt((des_cblock *)in,
+			     (des_cblock *)in,
+			     ilen,
+			     ctx->s1,
+			     ctx->s2,
+			     ctx->s3,
+			     &miv, encrypt);
+	return 1;
+}
+
+static struct ipsec_alg_enc ipsec_alg_3DES = {
+	ixt_common: {	ixt_version:	IPSEC_ALG_VERSION,
+			ixt_refcnt:	ATOMIC_INIT(0),
+			ixt_name: 	"3des",
+			ixt_blocksize:	ESP_3DES_CBC_BLK_LEN, 
+			ixt_support: {
+			  ias_exttype:	  IPSEC_ALG_TYPE_ENCRYPT,
+			  ias_id: 	  ESP_3DES,
+			  ias_keyminbits: ESP_3DES_KEY_SZ*8,
+			  ias_keymaxbits: ESP_3DES_KEY_SZ*8,
+		},
+	},
+#if defined(MODULE_KLIPS_ENC_3DES_MODULE)
+	ixt_module:	THIS_MODULE,
+#endif
+	ixt_e_keylen:	ESP_3DES_KEY_SZ*8,
+	ixt_e_ctx_size:	sizeof(TripleDES_context),
+	ixt_e_set_key:	_3des_set_key,
+	ixt_e_cbc_encrypt:_3des_cbc_encrypt,
+};
+
+#if defined(CONFIG_KLIPS_ENC_3DES_MODULE)
+IPSEC_ALG_MODULE_INIT_MOD( ipsec_3des_init )
+#else
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_3des_init )
+#endif
+{
+	int ret, test_ret;
+
+	if (excl_3des) ipsec_alg_3DES.ixt_common.ixt_state |= IPSEC_ALG_ST_EXCL;
+	ret=register_ipsec_alg_enc(&ipsec_alg_3DES);
+	printk("ipsec_3des_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", 
+			ipsec_alg_3DES.ixt_common.ixt_support.ias_exttype, 
+			ipsec_alg_3DES.ixt_common.ixt_support.ias_id, 
+			ipsec_alg_3DES.ixt_common.ixt_name, 
+			ret);
+	if (ret==0 && test_3des) {
+		test_ret=ipsec_alg_test(
+				ipsec_alg_3DES.ixt_common.ixt_support.ias_exttype,
+				ipsec_alg_3DES.ixt_common.ixt_support.ias_id, 
+				test_3des);
+		printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n", 
+				ipsec_alg_3DES.ixt_common.ixt_support.ias_exttype, 
+				ipsec_alg_3DES.ixt_common.ixt_support.ias_id, 
+				test_ret);
+	}
+	return ret;
+}
+
+#if defined(CONFIG_KLIPS_ENC_3DES_MODULE)
+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_3des_fini )
+#else
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_3des_fini )
+#endif
+{
+	unregister_ipsec_alg_enc(&ipsec_alg_3DES);
+	return;
+}
+
+/* Dual, because 3des code is 4-clause BSD licensed */
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("Dual BSD/GPL");
+#endif
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/set_key.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,246 @@
+/* crypto/des/set_key.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* set_key.c v 1.4 eay 24/9/91
+ * 1.4 Speed up by 400% :-)
+ * 1.3 added register declarations.
+ * 1.2 unrolled make_key_sched a bit more
+ * 1.1 added norm_expand_bits
+ * 1.0 First working version
+ */
+#include "des/des_locl.h"
+#include "des/podd.h"
+#include "des/sk.h"
+
+#ifndef NOPROTO
+static int check_parity(des_cblock (*key));
+#else
+static int check_parity();
+#endif
+
+int des_check_key=0;
+
+void des_set_odd_parity(key)
+des_cblock (*key);
+	{
+	int i;
+
+	for (i=0; i<DES_KEY_SZ; i++)
+		(*key)[i]=odd_parity[(*key)[i]];
+	}
+
+static int check_parity(key)
+des_cblock (*key);
+	{
+	int i;
+
+	for (i=0; i<DES_KEY_SZ; i++)
+		{
+		if ((*key)[i] != odd_parity[(*key)[i]])
+			return(0);
+		}
+	return(1);
+	}
+
+/* Weak and semi week keys as take from
+ * %A D.W. Davies
+ * %A W.L. Price
+ * %T Security for Computer Networks
+ * %I John Wiley & Sons
+ * %D 1984
+ * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
+ * (and actual cblock values).
+ */
+#define NUM_WEAK_KEY	16
+static des_cblock weak_keys[NUM_WEAK_KEY]={
+	/* weak keys */
+	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+	{0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
+	{0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F,0x1F},
+	{0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0,0xE0},
+	/* semi-weak keys */
+	{0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
+	{0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
+	{0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
+	{0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
+	{0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
+	{0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
+	{0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
+	{0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
+	{0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
+	{0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
+	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
+	{0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
+
+int des_is_weak_key(key)
+des_cblock (*key);
+	{
+	int i;
+
+	for (i=0; i<NUM_WEAK_KEY; i++)
+		/* Added == 0 to comparision, I obviously don't run
+		 * this section very often :-(, thanks to
+		 * engineering@MorningStar.Com for the fix
+		 * eay 93/06/29
+		 * Another problem, I was comparing only the first 4
+		 * bytes, 97/03/18 */
+		if (memcmp(weak_keys[i],key,sizeof(des_cblock)) == 0) return(1);
+	return(0);
+	}
+
+/* NOW DEFINED IN des_local.h
+ * See ecb_encrypt.c for a pseudo description of these macros. 
+ * #define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+ * 	(b)^=(t),\
+ * 	(a)=((a)^((t)<<(n))))
+ */
+
+#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
+	(a)=(a)^(t)^(t>>(16-(n))))
+
+/* return 0 if key parity is odd (correct),
+ * return -1 if key parity error,
+ * return -2 if illegal weak key.
+ */
+int des_set_key(key, schedule)
+des_cblock (*key);
+des_key_schedule schedule;
+	{
+	static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
+	register DES_LONG c,d,t,s,t2;
+	register unsigned char *in;
+	register DES_LONG *k;
+	register int i;
+
+	if (des_check_key)
+		{
+		if (!check_parity(key))
+			return(-1);
+
+		if (des_is_weak_key(key))
+			return(-2);
+		}
+
+	k=(DES_LONG *)schedule;
+	in=(unsigned char *)key;
+
+	c2l(in,c);
+	c2l(in,d);
+
+	/* do PC1 in 60 simple operations */ 
+/*	PERM_OP(d,c,t,4,0x0f0f0f0fL);
+	HPERM_OP(c,t,-2, 0xcccc0000L);
+	HPERM_OP(c,t,-1, 0xaaaa0000L);
+	HPERM_OP(c,t, 8, 0x00ff0000L);
+	HPERM_OP(c,t,-1, 0xaaaa0000L);
+	HPERM_OP(d,t,-8, 0xff000000L);
+	HPERM_OP(d,t, 8, 0x00ff0000L);
+	HPERM_OP(d,t, 2, 0x33330000L);
+	d=((d&0x00aa00aaL)<<7L)|((d&0x55005500L)>>7L)|(d&0xaa55aa55L);
+	d=(d>>8)|((c&0xf0000000L)>>4);
+	c&=0x0fffffffL; */
+
+	/* I now do it in 47 simple operations :-)
+	 * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+	 * for the inspiration. :-) */
+	PERM_OP (d,c,t,4,0x0f0f0f0fL);
+	HPERM_OP(c,t,-2,0xcccc0000L);
+	HPERM_OP(d,t,-2,0xcccc0000L);
+	PERM_OP (d,c,t,1,0x55555555L);
+	PERM_OP (c,d,t,8,0x00ff00ffL);
+	PERM_OP (d,c,t,1,0x55555555L);
+	d=	(((d&0x000000ffL)<<16L)| (d&0x0000ff00L)     |
+		 ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
+	c&=0x0fffffffL;
+
+	for (i=0; i<ITERATIONS; i++)
+		{
+		if (shifts2[i])
+			{ c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
+		else
+			{ c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
+		c&=0x0fffffffL;
+		d&=0x0fffffffL;
+		/* could be a few less shifts but I am to lazy at this
+		 * point in time to investigate */
+		s=	des_skb[0][ (c    )&0x3f                ]|
+			des_skb[1][((c>> 6)&0x03)|((c>> 7L)&0x3c)]|
+			des_skb[2][((c>>13)&0x0f)|((c>>14L)&0x30)]|
+			des_skb[3][((c>>20)&0x01)|((c>>21L)&0x06) |
+						  ((c>>22L)&0x38)];
+		t=	des_skb[4][ (d    )&0x3f                ]|
+			des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
+			des_skb[6][ (d>>15L)&0x3f                ]|
+			des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
+
+		/* table contained 0213 4657 */
+		t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
+		*(k++)=ROTATE(t2,30)&0xffffffffL;
+
+		t2=((s>>16L)|(t&0xffff0000L));
+		*(k++)=ROTATE(t2,26)&0xffffffffL;
+		}
+	return(0);
+	}
+
+int des_key_sched(key, schedule)
+des_cblock (*key);
+des_key_schedule schedule;
+	{
+	return(des_set_key(key,schedule));
+	}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/goodmask.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,100 @@
+/*
+ * minor utilities for subnet-mask manipulation
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: goodmask.c,v 1.12 2004/07/10 07:43:47 mcr Exp $
+ */
+#include "openswan.h"
+
+#ifndef ABITS
+#define	ABITS	32	/* bits in an IPv4 address */
+#endif
+
+/*
+ - goodmask - is this a good (^1*0*$) subnet mask?
+ * You are not expected to understand this.  See Henry S. Warren Jr, 
+ * "Functions realizable with word-parallel logical and two's-complement
+ * addition instructions", CACM 20.6 (June 1977), p.439.
+ */
+int				/* predicate */
+goodmask(mask)
+struct in_addr mask;
+{
+	unsigned long x = ntohl(mask.s_addr);
+	/* clear rightmost contiguous string of 1-bits */
+#	define	CRCS1B(x)	(((x|(x-1))+1)&x)
+#	define	TOPBIT		(1UL << 31)
+
+	/* either zero, or has one string of 1-bits which is left-justified */
+	if (x == 0 || (CRCS1B(x) == 0 && (x&TOPBIT)))
+		return 1;
+	return 0;
+}
+
+/*
+ - masktobits - how many bits in this mask?
+ * The algorithm is essentially a binary search, but highly optimized
+ * for this particular task.
+ */
+int				/* -1 means !goodmask() */
+masktobits(mask)
+struct in_addr mask;
+{
+	unsigned long m = ntohl(mask.s_addr);
+	int masklen;
+
+	if (!goodmask(mask))
+		return -1;
+
+	if (m&0x00000001UL)
+		return 32;
+	masklen = 0;
+	if (m&(0x0000ffffUL<<1)) {	/* <<1 for 1-origin numbering */
+		masklen |= 0x10;
+		m <<= 16;
+	}
+	if (m&(0x00ff0000UL<<1)) {
+		masklen |= 0x08;
+		m <<= 8;
+	}
+	if (m&(0x0f000000UL<<1)) {
+		masklen |= 0x04;
+		m <<= 4;
+	}
+	if (m&(0x30000000UL<<1)) {
+		masklen |= 0x02;
+		m <<= 2;
+	}
+	if (m&(0x40000000UL<<1))
+		masklen |= 0x01;
+
+	return masklen;
+}
+
+/*
+ - bitstomask - return a mask with this many high bits on
+ */
+struct in_addr
+bitstomask(n)
+int n;
+{
+	struct in_addr result;
+
+	if (n > 0 && n <= ABITS)
+		result.s_addr = htonl(~((1UL << (ABITS - n)) - 1));
+	else if (n == 0)
+		result.s_addr = 0;
+	else
+		result.s_addr = 0;	/* best error report we can do */
+	return result;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infblock.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,403 @@
+/* infblock.c -- interpret and process block types to last block
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "infblock.h"
+#include "inftrees.h"
+#include "infcodes.h"
+#include "infutil.h"
+
+struct inflate_codes_state {int dummy;}; /* for buggy compilers */
+
+/* simplify the use of the inflate_huft type with some defines */
+#define exop word.what.Exop
+#define bits word.what.Bits
+
+/* Table for deflate from PKZIP's appnote.txt. */
+local const uInt border[] = { /* Order of the bit length code lengths */
+        16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
+
+/*
+   Notes beyond the 1.93a appnote.txt:
+
+   1. Distance pointers never point before the beginning of the output
+      stream.
+   2. Distance pointers can point back across blocks, up to 32k away.
+   3. There is an implied maximum of 7 bits for the bit length table and
+      15 bits for the actual data.
+   4. If only one code exists, then it is encoded using one bit.  (Zero
+      would be more efficient, but perhaps a little confusing.)  If two
+      codes exist, they are coded using one bit each (0 and 1).
+   5. There is no way of sending zero distance codes--a dummy must be
+      sent if there are none.  (History: a pre 2.0 version of PKZIP would
+      store blocks with no distance codes, but this was discovered to be
+      too harsh a criterion.)  Valid only for 1.93a.  2.04c does allow
+      zero distance codes, which is sent as one code of zero bits in
+      length.
+   6. There are up to 286 literal/length codes.  Code 256 represents the
+      end-of-block.  Note however that the static length tree defines
+      288 codes just to fill out the Huffman codes.  Codes 286 and 287
+      cannot be used though, since there is no length base or extra bits
+      defined for them.  Similarily, there are up to 30 distance codes.
+      However, static trees define 32 codes (all 5 bits) to fill out the
+      Huffman codes, but the last two had better not show up in the data.
+   7. Unzip can check dynamic Huffman blocks for complete code sets.
+      The exception is that a single code would not be complete (see #4).
+   8. The five bits following the block type is really the number of
+      literal codes sent minus 257.
+   9. Length codes 8,16,16 are interpreted as 13 length codes of 8 bits
+      (1+6+6).  Therefore, to output three times the length, you output
+      three codes (1+1+1), whereas to output four times the same length,
+      you only need two codes (1+3).  Hmm.
+  10. In the tree reconstruction algorithm, Code = Code + Increment
+      only if BitLength(i) is not zero.  (Pretty obvious.)
+  11. Correction: 4 Bits: # of Bit Length codes - 4     (4 - 19)
+  12. Note: length code 284 can represent 227-258, but length code 285
+      really is 258.  The last length deserves its own, short code
+      since it gets used a lot in very redundant files.  The length
+      258 is special since 258 - 3 (the min match length) is 255.
+  13. The literal/length and distance code bit lengths are read as a
+      single stream of lengths.  It is possible (and advantageous) for
+      a repeat code (16, 17, or 18) to go across the boundary between
+      the two sets of lengths.
+ */
+
+
+void inflate_blocks_reset(s, z, c)
+inflate_blocks_statef *s;
+z_streamp z;
+uLongf *c;
+{
+  if (c != Z_NULL)
+    *c = s->check;
+  if (s->mode == BTREE || s->mode == DTREE)
+    ZFREE(z, s->sub.trees.blens);
+  if (s->mode == CODES)
+    inflate_codes_free(s->sub.decode.codes, z);
+  s->mode = TYPE;
+  s->bitk = 0;
+  s->bitb = 0;
+  s->read = s->write = s->window;
+  if (s->checkfn != Z_NULL)
+    z->adler = s->check = (*s->checkfn)(0L, (const Bytef *)Z_NULL, 0);
+  Tracev((stderr, "inflate:   blocks reset\n"));
+}
+
+
+inflate_blocks_statef *inflate_blocks_new(z, c, w)
+z_streamp z;
+check_func c;
+uInt w;
+{
+  inflate_blocks_statef *s;
+
+  if ((s = (inflate_blocks_statef *)ZALLOC
+       (z,1,sizeof(struct inflate_blocks_state))) == Z_NULL)
+    return s;
+  if ((s->hufts =
+       (inflate_huft *)ZALLOC(z, sizeof(inflate_huft), MANY)) == Z_NULL)
+  {
+    ZFREE(z, s);
+    return Z_NULL;
+  }
+  if ((s->window = (Bytef *)ZALLOC(z, 1, w)) == Z_NULL)
+  {
+    ZFREE(z, s->hufts);
+    ZFREE(z, s);
+    return Z_NULL;
+  }
+  s->end = s->window + w;
+  s->checkfn = c;
+  s->mode = TYPE;
+  Tracev((stderr, "inflate:   blocks allocated\n"));
+  inflate_blocks_reset(s, z, Z_NULL);
+  return s;
+}
+
+
+int inflate_blocks(s, z, r)
+inflate_blocks_statef *s;
+z_streamp z;
+int r;
+{
+  uInt t;               /* temporary storage */
+  uLong b;              /* bit buffer */
+  uInt k;               /* bits in bit buffer */
+  Bytef *p;             /* input data pointer */
+  uInt n;               /* bytes available there */
+  Bytef *q;             /* output window write pointer */
+  uInt m;               /* bytes to end of window or read pointer */
+
+  /* copy input/output information to locals (UPDATE macro restores) */
+  LOAD
+
+  /* process input based on current state */
+  while (1) switch (s->mode)
+  {
+    case TYPE:
+      NEEDBITS(3)
+      t = (uInt)b & 7;
+      s->last = t & 1;
+      switch (t >> 1)
+      {
+        case 0:                         /* stored */
+          Tracev((stderr, "inflate:     stored block%s\n",
+                 s->last ? " (last)" : ""));
+          DUMPBITS(3)
+          t = k & 7;                    /* go to byte boundary */
+          DUMPBITS(t)
+          s->mode = LENS;               /* get length of stored block */
+          break;
+        case 1:                         /* fixed */
+          Tracev((stderr, "inflate:     fixed codes block%s\n",
+                 s->last ? " (last)" : ""));
+          {
+            uInt bl, bd;
+            inflate_huft *tl, *td;
+
+            inflate_trees_fixed(&bl, &bd, &tl, &td, z);
+            s->sub.decode.codes = inflate_codes_new(bl, bd, tl, td, z);
+            if (s->sub.decode.codes == Z_NULL)
+            {
+              r = Z_MEM_ERROR;
+              LEAVE
+            }
+          }
+          DUMPBITS(3)
+          s->mode = CODES;
+          break;
+        case 2:                         /* dynamic */
+          Tracev((stderr, "inflate:     dynamic codes block%s\n",
+                 s->last ? " (last)" : ""));
+          DUMPBITS(3)
+          s->mode = TABLE;
+          break;
+        case 3:                         /* illegal */
+          DUMPBITS(3)
+          s->mode = BAD;
+          z->msg = (char*)"invalid block type";
+          r = Z_DATA_ERROR;
+          LEAVE
+      }
+      break;
+    case LENS:
+      NEEDBITS(32)
+      if ((((~b) >> 16) & 0xffff) != (b & 0xffff))
+      {
+        s->mode = BAD;
+        z->msg = (char*)"invalid stored block lengths";
+        r = Z_DATA_ERROR;
+        LEAVE
+      }
+      s->sub.left = (uInt)b & 0xffff;
+      b = k = 0;                      /* dump bits */
+      Tracev((stderr, "inflate:       stored length %u\n", s->sub.left));
+      s->mode = s->sub.left ? STORED : (s->last ? DRY : TYPE);
+      break;
+    case STORED:
+      if (n == 0)
+        LEAVE
+      NEEDOUT
+      t = s->sub.left;
+      if (t > n) t = n;
+      if (t > m) t = m;
+      zmemcpy(q, p, t);
+      p += t;  n -= t;
+      q += t;  m -= t;
+      if ((s->sub.left -= t) != 0)
+        break;
+      Tracev((stderr, "inflate:       stored end, %lu total out\n",
+              z->total_out + (q >= s->read ? q - s->read :
+              (s->end - s->read) + (q - s->window))));
+      s->mode = s->last ? DRY : TYPE;
+      break;
+    case TABLE:
+      NEEDBITS(14)
+      s->sub.trees.table = t = (uInt)b & 0x3fff;
+#ifndef PKZIP_BUG_WORKAROUND
+      if ((t & 0x1f) > 29 || ((t >> 5) & 0x1f) > 29)
+      {
+        s->mode = BAD;
+        z->msg = (char*)"too many length or distance symbols";
+        r = Z_DATA_ERROR;
+        LEAVE
+      }
+#endif
+      t = 258 + (t & 0x1f) + ((t >> 5) & 0x1f);
+      if ((s->sub.trees.blens = (uIntf*)ZALLOC(z, t, sizeof(uInt))) == Z_NULL)
+      {
+        r = Z_MEM_ERROR;
+        LEAVE
+      }
+      DUMPBITS(14)
+      s->sub.trees.index = 0;
+      Tracev((stderr, "inflate:       table sizes ok\n"));
+      s->mode = BTREE;
+    case BTREE:
+      while (s->sub.trees.index < 4 + (s->sub.trees.table >> 10))
+      {
+        NEEDBITS(3)
+        s->sub.trees.blens[border[s->sub.trees.index++]] = (uInt)b & 7;
+        DUMPBITS(3)
+      }
+      while (s->sub.trees.index < 19)
+        s->sub.trees.blens[border[s->sub.trees.index++]] = 0;
+      s->sub.trees.bb = 7;
+      t = inflate_trees_bits(s->sub.trees.blens, &s->sub.trees.bb,
+                             &s->sub.trees.tb, s->hufts, z);
+      if (t != Z_OK)
+      {
+        r = t;
+        if (r == Z_DATA_ERROR)
+        {
+          ZFREE(z, s->sub.trees.blens);
+          s->mode = BAD;
+        }
+        LEAVE
+      }
+      s->sub.trees.index = 0;
+      Tracev((stderr, "inflate:       bits tree ok\n"));
+      s->mode = DTREE;
+    case DTREE:
+      while (t = s->sub.trees.table,
+             s->sub.trees.index < 258 + (t & 0x1f) + ((t >> 5) & 0x1f))
+      {
+        inflate_huft *h;
+        uInt i, j, c;
+
+        t = s->sub.trees.bb;
+        NEEDBITS(t)
+        h = s->sub.trees.tb + ((uInt)b & inflate_mask[t]);
+        t = h->bits;
+        c = h->base;
+        if (c < 16)
+        {
+          DUMPBITS(t)
+          s->sub.trees.blens[s->sub.trees.index++] = c;
+        }
+        else /* c == 16..18 */
+        {
+          i = c == 18 ? 7 : c - 14;
+          j = c == 18 ? 11 : 3;
+          NEEDBITS(t + i)
+          DUMPBITS(t)
+          j += (uInt)b & inflate_mask[i];
+          DUMPBITS(i)
+          i = s->sub.trees.index;
+          t = s->sub.trees.table;
+          if (i + j > 258 + (t & 0x1f) + ((t >> 5) & 0x1f) ||
+              (c == 16 && i < 1))
+          {
+            ZFREE(z, s->sub.trees.blens);
+            s->mode = BAD;
+            z->msg = (char*)"invalid bit length repeat";
+            r = Z_DATA_ERROR;
+            LEAVE
+          }
+          c = c == 16 ? s->sub.trees.blens[i - 1] : 0;
+          do {
+            s->sub.trees.blens[i++] = c;
+          } while (--j);
+          s->sub.trees.index = i;
+        }
+      }
+      s->sub.trees.tb = Z_NULL;
+      {
+        uInt bl, bd;
+        inflate_huft *tl, *td;
+        inflate_codes_statef *c;
+
+        bl = 9;         /* must be <= 9 for lookahead assumptions */
+        bd = 6;         /* must be <= 9 for lookahead assumptions */
+        t = s->sub.trees.table;
+        t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
+                                  s->sub.trees.blens, &bl, &bd, &tl, &td,
+                                  s->hufts, z);
+        if (t != Z_OK)
+        {
+          if (t == (uInt)Z_DATA_ERROR)
+          {
+            ZFREE(z, s->sub.trees.blens);
+            s->mode = BAD;
+          }
+          r = t;
+          LEAVE
+        }
+        Tracev((stderr, "inflate:       trees ok\n"));
+        if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)
+        {
+          r = Z_MEM_ERROR;
+          LEAVE
+        }
+        s->sub.decode.codes = c;
+      }
+      ZFREE(z, s->sub.trees.blens);
+      s->mode = CODES;
+    case CODES:
+      UPDATE
+      if ((r = inflate_codes(s, z, r)) != Z_STREAM_END)
+        return inflate_flush(s, z, r);
+      r = Z_OK;
+      inflate_codes_free(s->sub.decode.codes, z);
+      LOAD
+      Tracev((stderr, "inflate:       codes end, %lu total out\n",
+              z->total_out + (q >= s->read ? q - s->read :
+              (s->end - s->read) + (q - s->window))));
+      if (!s->last)
+      {
+        s->mode = TYPE;
+        break;
+      }
+      s->mode = DRY;
+    case DRY:
+      FLUSH
+      if (s->read != s->write)
+        LEAVE
+      s->mode = DONE;
+    case DONE:
+      r = Z_STREAM_END;
+      LEAVE
+    case BAD:
+      r = Z_DATA_ERROR;
+      LEAVE
+    default:
+      r = Z_STREAM_ERROR;
+      LEAVE
+  }
+}
+
+
+int inflate_blocks_free(s, z)
+inflate_blocks_statef *s;
+z_streamp z;
+{
+  inflate_blocks_reset(s, z, Z_NULL);
+  ZFREE(z, s->window);
+  ZFREE(z, s->hufts);
+  ZFREE(z, s);
+  Tracev((stderr, "inflate:   blocks freed\n"));
+  return Z_OK;
+}
+
+
+void inflate_set_dictionary(s, d, n)
+inflate_blocks_statef *s;
+const Bytef *d;
+uInt  n;
+{
+  zmemcpy(s->window, d, n);
+  s->read = s->write = s->window + n;
+}
+
+
+/* Returns true if inflate is currently at the end of a block generated
+ * by Z_SYNC_FLUSH or Z_FULL_FLUSH. 
+ * IN assertion: s != Z_NULL
+ */
+int inflate_blocks_sync_point(s)
+inflate_blocks_statef *s;
+{
+  return s->mode == LENS;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infblock.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,39 @@
+/* infblock.h -- header to use infblock.c
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+struct inflate_blocks_state;
+typedef struct inflate_blocks_state FAR inflate_blocks_statef;
+
+extern inflate_blocks_statef * inflate_blocks_new OF((
+    z_streamp z,
+    check_func c,               /* check function */
+    uInt w));                   /* window size */
+
+extern int inflate_blocks OF((
+    inflate_blocks_statef *,
+    z_streamp ,
+    int));                      /* initial return code */
+
+extern void inflate_blocks_reset OF((
+    inflate_blocks_statef *,
+    z_streamp ,
+    uLongf *));                  /* check value on output */
+
+extern int inflate_blocks_free OF((
+    inflate_blocks_statef *,
+    z_streamp));
+
+extern void inflate_set_dictionary OF((
+    inflate_blocks_statef *s,
+    const Bytef *d,  /* dictionary */
+    uInt  n));       /* dictionary length */
+
+extern int inflate_blocks_sync_point OF((
+    inflate_blocks_statef *s));
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infcodes.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,251 @@
+/* infcodes.c -- process literals and length/distance pairs
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "inftrees.h"
+#include "infblock.h"
+#include "infcodes.h"
+#include "infutil.h"
+#include "inffast.h"
+
+/* simplify the use of the inflate_huft type with some defines */
+#define exop word.what.Exop
+#define bits word.what.Bits
+
+typedef enum {        /* waiting for "i:"=input, "o:"=output, "x:"=nothing */
+      START,    /* x: set up for LEN */
+      LEN,      /* i: get length/literal/eob next */
+      LENEXT,   /* i: getting length extra (have base) */
+      DIST,     /* i: get distance next */
+      DISTEXT,  /* i: getting distance extra */
+      COPY,     /* o: copying bytes in window, waiting for space */
+      LIT,      /* o: got literal, waiting for output space */
+      WASH,     /* o: got eob, possibly still output waiting */
+      END,      /* x: got eob and all data flushed */
+      BADCODE}  /* x: got error */
+inflate_codes_mode;
+
+/* inflate codes private state */
+struct inflate_codes_state {
+
+  /* mode */
+  inflate_codes_mode mode;      /* current inflate_codes mode */
+
+  /* mode dependent information */
+  uInt len;
+  union {
+    struct {
+      inflate_huft *tree;       /* pointer into tree */
+      uInt need;                /* bits needed */
+    } code;             /* if LEN or DIST, where in tree */
+    uInt lit;           /* if LIT, literal */
+    struct {
+      uInt get;                 /* bits to get for extra */
+      uInt dist;                /* distance back to copy from */
+    } copy;             /* if EXT or COPY, where and how much */
+  } sub;                /* submode */
+
+  /* mode independent information */
+  Byte lbits;           /* ltree bits decoded per branch */
+  Byte dbits;           /* dtree bits decoder per branch */
+  inflate_huft *ltree;          /* literal/length/eob tree */
+  inflate_huft *dtree;          /* distance tree */
+
+};
+
+
+inflate_codes_statef *inflate_codes_new(bl, bd, tl, td, z)
+uInt bl, bd;
+inflate_huft *tl;
+inflate_huft *td; /* need separate declaration for Borland C++ */
+z_streamp z;
+{
+  inflate_codes_statef *c;
+
+  if ((c = (inflate_codes_statef *)
+       ZALLOC(z,1,sizeof(struct inflate_codes_state))) != Z_NULL)
+  {
+    c->mode = START;
+    c->lbits = (Byte)bl;
+    c->dbits = (Byte)bd;
+    c->ltree = tl;
+    c->dtree = td;
+    Tracev((stderr, "inflate:       codes new\n"));
+  }
+  return c;
+}
+
+
+int inflate_codes(s, z, r)
+inflate_blocks_statef *s;
+z_streamp z;
+int r;
+{
+  uInt j;               /* temporary storage */
+  inflate_huft *t;      /* temporary pointer */
+  uInt e;               /* extra bits or operation */
+  uLong b;              /* bit buffer */
+  uInt k;               /* bits in bit buffer */
+  Bytef *p;             /* input data pointer */
+  uInt n;               /* bytes available there */
+  Bytef *q;             /* output window write pointer */
+  uInt m;               /* bytes to end of window or read pointer */
+  Bytef *f;             /* pointer to copy strings from */
+  inflate_codes_statef *c = s->sub.decode.codes;  /* codes state */
+
+  /* copy input/output information to locals (UPDATE macro restores) */
+  LOAD
+
+  /* process input and output based on current state */
+  while (1) switch (c->mode)
+  {             /* waiting for "i:"=input, "o:"=output, "x:"=nothing */
+    case START:         /* x: set up for LEN */
+#ifndef SLOW
+      if (m >= 258 && n >= 10)
+      {
+        UPDATE
+        r = inflate_fast(c->lbits, c->dbits, c->ltree, c->dtree, s, z);
+        LOAD
+        if (r != Z_OK)
+        {
+          c->mode = r == Z_STREAM_END ? WASH : BADCODE;
+          break;
+        }
+      }
+#endif /* !SLOW */
+      c->sub.code.need = c->lbits;
+      c->sub.code.tree = c->ltree;
+      c->mode = LEN;
+    case LEN:           /* i: get length/literal/eob next */
+      j = c->sub.code.need;
+      NEEDBITS(j)
+      t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
+      DUMPBITS(t->bits)
+      e = (uInt)(t->exop);
+      if (e == 0)               /* literal */
+      {
+        c->sub.lit = t->base;
+        Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
+                 "inflate:         literal '%c'\n" :
+                 "inflate:         literal 0x%02x\n", t->base));
+        c->mode = LIT;
+        break;
+      }
+      if (e & 16)               /* length */
+      {
+        c->sub.copy.get = e & 15;
+        c->len = t->base;
+        c->mode = LENEXT;
+        break;
+      }
+      if ((e & 64) == 0)        /* next table */
+      {
+        c->sub.code.need = e;
+        c->sub.code.tree = t + t->base;
+        break;
+      }
+      if (e & 32)               /* end of block */
+      {
+        Tracevv((stderr, "inflate:         end of block\n"));
+        c->mode = WASH;
+        break;
+      }
+      c->mode = BADCODE;        /* invalid code */
+      z->msg = (char*)"invalid literal/length code";
+      r = Z_DATA_ERROR;
+      LEAVE
+    case LENEXT:        /* i: getting length extra (have base) */
+      j = c->sub.copy.get;
+      NEEDBITS(j)
+      c->len += (uInt)b & inflate_mask[j];
+      DUMPBITS(j)
+      c->sub.code.need = c->dbits;
+      c->sub.code.tree = c->dtree;
+      Tracevv((stderr, "inflate:         length %u\n", c->len));
+      c->mode = DIST;
+    case DIST:          /* i: get distance next */
+      j = c->sub.code.need;
+      NEEDBITS(j)
+      t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
+      DUMPBITS(t->bits)
+      e = (uInt)(t->exop);
+      if (e & 16)               /* distance */
+      {
+        c->sub.copy.get = e & 15;
+        c->sub.copy.dist = t->base;
+        c->mode = DISTEXT;
+        break;
+      }
+      if ((e & 64) == 0)        /* next table */
+      {
+        c->sub.code.need = e;
+        c->sub.code.tree = t + t->base;
+        break;
+      }
+      c->mode = BADCODE;        /* invalid code */
+      z->msg = (char*)"invalid distance code";
+      r = Z_DATA_ERROR;
+      LEAVE
+    case DISTEXT:       /* i: getting distance extra */
+      j = c->sub.copy.get;
+      NEEDBITS(j)
+      c->sub.copy.dist += (uInt)b & inflate_mask[j];
+      DUMPBITS(j)
+      Tracevv((stderr, "inflate:         distance %u\n", c->sub.copy.dist));
+      c->mode = COPY;
+    case COPY:          /* o: copying bytes in window, waiting for space */
+      f = q - c->sub.copy.dist;
+      while (f < s->window)             /* modulo window size-"while" instead */
+        f += s->end - s->window;        /* of "if" handles invalid distances */
+      while (c->len)
+      {
+        NEEDOUT
+        OUTBYTE(*f++)
+        if (f == s->end)
+          f = s->window;
+        c->len--;
+      }
+      c->mode = START;
+      break;
+    case LIT:           /* o: got literal, waiting for output space */
+      NEEDOUT
+      OUTBYTE(c->sub.lit)
+      c->mode = START;
+      break;
+    case WASH:          /* o: got eob, possibly more output */
+      if (k > 7)        /* return unused byte, if any */
+      {
+        Assert(k < 16, "inflate_codes grabbed too many bytes")
+        k -= 8;
+        n++;
+        p--;            /* can always return one */
+      }
+      FLUSH
+      if (s->read != s->write)
+        LEAVE
+      c->mode = END;
+    case END:
+      r = Z_STREAM_END;
+      LEAVE
+    case BADCODE:       /* x: got error */
+      r = Z_DATA_ERROR;
+      LEAVE
+    default:
+      r = Z_STREAM_ERROR;
+      LEAVE
+  }
+#ifdef NEED_DUMMY_RETURN
+  return Z_STREAM_ERROR;  /* Some dumb compilers complain without this */
+#endif
+}
+
+
+void inflate_codes_free(c, z)
+inflate_codes_statef *c;
+z_streamp z;
+{
+  ZFREE(z, c);
+  Tracev((stderr, "inflate:       codes free\n"));
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infcodes.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,31 @@
+/* infcodes.h -- header to use infcodes.c
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+#ifndef _INFCODES_H
+#define _INFCODES_H
+
+struct inflate_codes_state;
+typedef struct inflate_codes_state FAR inflate_codes_statef;
+
+extern inflate_codes_statef *inflate_codes_new OF((
+    uInt, uInt,
+    inflate_huft *, inflate_huft *,
+    z_streamp ));
+
+extern int inflate_codes OF((
+    inflate_blocks_statef *,
+    z_streamp ,
+    int));
+
+extern void inflate_codes_free OF((
+    inflate_codes_statef *,
+    z_streamp ));
+
+#endif /* _INFCODES_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inffast.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,183 @@
+/* inffast.c -- process literals and length/distance pairs fast
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "inftrees.h"
+#include "infblock.h"
+#include "infcodes.h"
+#include "infutil.h"
+#include "inffast.h"
+
+struct inflate_codes_state {int dummy;}; /* for buggy compilers */
+
+/* simplify the use of the inflate_huft type with some defines */
+#define exop word.what.Exop
+#define bits word.what.Bits
+
+/* macros for bit input with no checking and for returning unused bytes */
+#define GRABBITS(j) {while(k<(j)){b|=((uLong)NEXTBYTE)<<k;k+=8;}}
+#define UNGRAB {c=z->avail_in-n;c=(k>>3)<c?k>>3:c;n+=c;p-=c;k-=c<<3;}
+
+/* Called with number of bytes left to write in window at least 258
+   (the maximum string length) and number of input bytes available
+   at least ten.  The ten bytes are six bytes for the longest length/
+   distance pair plus four bytes for overloading the bit buffer. */
+
+int inflate_fast(bl, bd, tl, td, s, z)
+uInt bl, bd;
+inflate_huft *tl;
+inflate_huft *td; /* need separate declaration for Borland C++ */
+inflate_blocks_statef *s;
+z_streamp z;
+{
+  inflate_huft *t;      /* temporary pointer */
+  uInt e;               /* extra bits or operation */
+  uLong b;              /* bit buffer */
+  uInt k;               /* bits in bit buffer */
+  Bytef *p;             /* input data pointer */
+  uInt n;               /* bytes available there */
+  Bytef *q;             /* output window write pointer */
+  uInt m;               /* bytes to end of window or read pointer */
+  uInt ml;              /* mask for literal/length tree */
+  uInt md;              /* mask for distance tree */
+  uInt c;               /* bytes to copy */
+  uInt d;               /* distance back to copy from */
+  Bytef *r;             /* copy source pointer */
+
+  /* load input, output, bit values */
+  LOAD
+
+  /* initialize masks */
+  ml = inflate_mask[bl];
+  md = inflate_mask[bd];
+
+  /* do until not enough input or output space for fast loop */
+  do {                          /* assume called with m >= 258 && n >= 10 */
+    /* get literal/length code */
+    GRABBITS(20)                /* max bits for literal/length code */
+    if ((e = (t = tl + ((uInt)b & ml))->exop) == 0)
+    {
+      DUMPBITS(t->bits)
+      Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
+                "inflate:         * literal '%c'\n" :
+                "inflate:         * literal 0x%02x\n", t->base));
+      *q++ = (Byte)t->base;
+      m--;
+      continue;
+    }
+    do {
+      DUMPBITS(t->bits)
+      if (e & 16)
+      {
+        /* get extra bits for length */
+        e &= 15;
+        c = t->base + ((uInt)b & inflate_mask[e]);
+        DUMPBITS(e)
+        Tracevv((stderr, "inflate:         * length %u\n", c));
+
+        /* decode distance base of block to copy */
+        GRABBITS(15);           /* max bits for distance code */
+        e = (t = td + ((uInt)b & md))->exop;
+        do {
+          DUMPBITS(t->bits)
+          if (e & 16)
+          {
+            /* get extra bits to add to distance base */
+            e &= 15;
+            GRABBITS(e)         /* get extra bits (up to 13) */
+            d = t->base + ((uInt)b & inflate_mask[e]);
+            DUMPBITS(e)
+            Tracevv((stderr, "inflate:         * distance %u\n", d));
+
+            /* do the copy */
+            m -= c;
+            r = q - d;
+            if (r < s->window)                  /* wrap if needed */
+            {
+              do {
+                r += s->end - s->window;        /* force pointer in window */
+              } while (r < s->window);          /* covers invalid distances */
+              e = s->end - r;
+              if (c > e)
+              {
+                c -= e;                         /* wrapped copy */
+                do {
+                    *q++ = *r++;
+                } while (--e);
+                r = s->window;
+                do {
+                    *q++ = *r++;
+                } while (--c);
+              }
+              else                              /* normal copy */
+              {
+                *q++ = *r++;  c--;
+                *q++ = *r++;  c--;
+                do {
+                    *q++ = *r++;
+                } while (--c);
+              }
+            }
+            else                                /* normal copy */
+            {
+              *q++ = *r++;  c--;
+              *q++ = *r++;  c--;
+              do {
+                *q++ = *r++;
+              } while (--c);
+            }
+            break;
+          }
+          else if ((e & 64) == 0)
+          {
+            t += t->base;
+            e = (t += ((uInt)b & inflate_mask[e]))->exop;
+          }
+          else
+          {
+            z->msg = (char*)"invalid distance code";
+            UNGRAB
+            UPDATE
+            return Z_DATA_ERROR;
+          }
+        } while (1);
+        break;
+      }
+      if ((e & 64) == 0)
+      {
+        t += t->base;
+        if ((e = (t += ((uInt)b & inflate_mask[e]))->exop) == 0)
+        {
+          DUMPBITS(t->bits)
+          Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
+                    "inflate:         * literal '%c'\n" :
+                    "inflate:         * literal 0x%02x\n", t->base));
+          *q++ = (Byte)t->base;
+          m--;
+          break;
+        }
+      }
+      else if (e & 32)
+      {
+        Tracevv((stderr, "inflate:         * end of block\n"));
+        UNGRAB
+        UPDATE
+        return Z_STREAM_END;
+      }
+      else
+      {
+        z->msg = (char*)"invalid literal/length code";
+        UNGRAB
+        UPDATE
+        return Z_DATA_ERROR;
+      }
+    } while (1);
+  } while (m >= 258 && n >= 10);
+
+  /* not enough input or output--restore pointers and return */
+  UNGRAB
+  UPDATE
+  return Z_OK;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inffast.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,22 @@
+/* inffast.h -- header to use inffast.c
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+#ifndef _INFFAST_H
+#define _INFFAST_H
+
+extern int inflate_fast OF((
+    uInt,
+    uInt,
+    inflate_huft *,
+    inflate_huft *,
+    inflate_blocks_statef *,
+    z_streamp ));
+
+#endif /* _INFFAST_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inffixed.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,151 @@
+/* inffixed.h -- table for decoding fixed codes
+ * Generated automatically by the maketree.c program
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+local uInt fixed_bl = 9;
+local uInt fixed_bd = 5;
+local inflate_huft fixed_tl[] = {
+    {{{96,7}},256}, {{{0,8}},80}, {{{0,8}},16}, {{{84,8}},115},
+    {{{82,7}},31}, {{{0,8}},112}, {{{0,8}},48}, {{{0,9}},192},
+    {{{80,7}},10}, {{{0,8}},96}, {{{0,8}},32}, {{{0,9}},160},
+    {{{0,8}},0}, {{{0,8}},128}, {{{0,8}},64}, {{{0,9}},224},
+    {{{80,7}},6}, {{{0,8}},88}, {{{0,8}},24}, {{{0,9}},144},
+    {{{83,7}},59}, {{{0,8}},120}, {{{0,8}},56}, {{{0,9}},208},
+    {{{81,7}},17}, {{{0,8}},104}, {{{0,8}},40}, {{{0,9}},176},
+    {{{0,8}},8}, {{{0,8}},136}, {{{0,8}},72}, {{{0,9}},240},
+    {{{80,7}},4}, {{{0,8}},84}, {{{0,8}},20}, {{{85,8}},227},
+    {{{83,7}},43}, {{{0,8}},116}, {{{0,8}},52}, {{{0,9}},200},
+    {{{81,7}},13}, {{{0,8}},100}, {{{0,8}},36}, {{{0,9}},168},
+    {{{0,8}},4}, {{{0,8}},132}, {{{0,8}},68}, {{{0,9}},232},
+    {{{80,7}},8}, {{{0,8}},92}, {{{0,8}},28}, {{{0,9}},152},
+    {{{84,7}},83}, {{{0,8}},124}, {{{0,8}},60}, {{{0,9}},216},
+    {{{82,7}},23}, {{{0,8}},108}, {{{0,8}},44}, {{{0,9}},184},
+    {{{0,8}},12}, {{{0,8}},140}, {{{0,8}},76}, {{{0,9}},248},
+    {{{80,7}},3}, {{{0,8}},82}, {{{0,8}},18}, {{{85,8}},163},
+    {{{83,7}},35}, {{{0,8}},114}, {{{0,8}},50}, {{{0,9}},196},
+    {{{81,7}},11}, {{{0,8}},98}, {{{0,8}},34}, {{{0,9}},164},
+    {{{0,8}},2}, {{{0,8}},130}, {{{0,8}},66}, {{{0,9}},228},
+    {{{80,7}},7}, {{{0,8}},90}, {{{0,8}},26}, {{{0,9}},148},
+    {{{84,7}},67}, {{{0,8}},122}, {{{0,8}},58}, {{{0,9}},212},
+    {{{82,7}},19}, {{{0,8}},106}, {{{0,8}},42}, {{{0,9}},180},
+    {{{0,8}},10}, {{{0,8}},138}, {{{0,8}},74}, {{{0,9}},244},
+    {{{80,7}},5}, {{{0,8}},86}, {{{0,8}},22}, {{{192,8}},0},
+    {{{83,7}},51}, {{{0,8}},118}, {{{0,8}},54}, {{{0,9}},204},
+    {{{81,7}},15}, {{{0,8}},102}, {{{0,8}},38}, {{{0,9}},172},
+    {{{0,8}},6}, {{{0,8}},134}, {{{0,8}},70}, {{{0,9}},236},
+    {{{80,7}},9}, {{{0,8}},94}, {{{0,8}},30}, {{{0,9}},156},
+    {{{84,7}},99}, {{{0,8}},126}, {{{0,8}},62}, {{{0,9}},220},
+    {{{82,7}},27}, {{{0,8}},110}, {{{0,8}},46}, {{{0,9}},188},
+    {{{0,8}},14}, {{{0,8}},142}, {{{0,8}},78}, {{{0,9}},252},
+    {{{96,7}},256}, {{{0,8}},81}, {{{0,8}},17}, {{{85,8}},131},
+    {{{82,7}},31}, {{{0,8}},113}, {{{0,8}},49}, {{{0,9}},194},
+    {{{80,7}},10}, {{{0,8}},97}, {{{0,8}},33}, {{{0,9}},162},
+    {{{0,8}},1}, {{{0,8}},129}, {{{0,8}},65}, {{{0,9}},226},
+    {{{80,7}},6}, {{{0,8}},89}, {{{0,8}},25}, {{{0,9}},146},
+    {{{83,7}},59}, {{{0,8}},121}, {{{0,8}},57}, {{{0,9}},210},
+    {{{81,7}},17}, {{{0,8}},105}, {{{0,8}},41}, {{{0,9}},178},
+    {{{0,8}},9}, {{{0,8}},137}, {{{0,8}},73}, {{{0,9}},242},
+    {{{80,7}},4}, {{{0,8}},85}, {{{0,8}},21}, {{{80,8}},258},
+    {{{83,7}},43}, {{{0,8}},117}, {{{0,8}},53}, {{{0,9}},202},
+    {{{81,7}},13}, {{{0,8}},101}, {{{0,8}},37}, {{{0,9}},170},
+    {{{0,8}},5}, {{{0,8}},133}, {{{0,8}},69}, {{{0,9}},234},
+    {{{80,7}},8}, {{{0,8}},93}, {{{0,8}},29}, {{{0,9}},154},
+    {{{84,7}},83}, {{{0,8}},125}, {{{0,8}},61}, {{{0,9}},218},
+    {{{82,7}},23}, {{{0,8}},109}, {{{0,8}},45}, {{{0,9}},186},
+    {{{0,8}},13}, {{{0,8}},141}, {{{0,8}},77}, {{{0,9}},250},
+    {{{80,7}},3}, {{{0,8}},83}, {{{0,8}},19}, {{{85,8}},195},
+    {{{83,7}},35}, {{{0,8}},115}, {{{0,8}},51}, {{{0,9}},198},
+    {{{81,7}},11}, {{{0,8}},99}, {{{0,8}},35}, {{{0,9}},166},
+    {{{0,8}},3}, {{{0,8}},131}, {{{0,8}},67}, {{{0,9}},230},
+    {{{80,7}},7}, {{{0,8}},91}, {{{0,8}},27}, {{{0,9}},150},
+    {{{84,7}},67}, {{{0,8}},123}, {{{0,8}},59}, {{{0,9}},214},
+    {{{82,7}},19}, {{{0,8}},107}, {{{0,8}},43}, {{{0,9}},182},
+    {{{0,8}},11}, {{{0,8}},139}, {{{0,8}},75}, {{{0,9}},246},
+    {{{80,7}},5}, {{{0,8}},87}, {{{0,8}},23}, {{{192,8}},0},
+    {{{83,7}},51}, {{{0,8}},119}, {{{0,8}},55}, {{{0,9}},206},
+    {{{81,7}},15}, {{{0,8}},103}, {{{0,8}},39}, {{{0,9}},174},
+    {{{0,8}},7}, {{{0,8}},135}, {{{0,8}},71}, {{{0,9}},238},
+    {{{80,7}},9}, {{{0,8}},95}, {{{0,8}},31}, {{{0,9}},158},
+    {{{84,7}},99}, {{{0,8}},127}, {{{0,8}},63}, {{{0,9}},222},
+    {{{82,7}},27}, {{{0,8}},111}, {{{0,8}},47}, {{{0,9}},190},
+    {{{0,8}},15}, {{{0,8}},143}, {{{0,8}},79}, {{{0,9}},254},
+    {{{96,7}},256}, {{{0,8}},80}, {{{0,8}},16}, {{{84,8}},115},
+    {{{82,7}},31}, {{{0,8}},112}, {{{0,8}},48}, {{{0,9}},193},
+    {{{80,7}},10}, {{{0,8}},96}, {{{0,8}},32}, {{{0,9}},161},
+    {{{0,8}},0}, {{{0,8}},128}, {{{0,8}},64}, {{{0,9}},225},
+    {{{80,7}},6}, {{{0,8}},88}, {{{0,8}},24}, {{{0,9}},145},
+    {{{83,7}},59}, {{{0,8}},120}, {{{0,8}},56}, {{{0,9}},209},
+    {{{81,7}},17}, {{{0,8}},104}, {{{0,8}},40}, {{{0,9}},177},
+    {{{0,8}},8}, {{{0,8}},136}, {{{0,8}},72}, {{{0,9}},241},
+    {{{80,7}},4}, {{{0,8}},84}, {{{0,8}},20}, {{{85,8}},227},
+    {{{83,7}},43}, {{{0,8}},116}, {{{0,8}},52}, {{{0,9}},201},
+    {{{81,7}},13}, {{{0,8}},100}, {{{0,8}},36}, {{{0,9}},169},
+    {{{0,8}},4}, {{{0,8}},132}, {{{0,8}},68}, {{{0,9}},233},
+    {{{80,7}},8}, {{{0,8}},92}, {{{0,8}},28}, {{{0,9}},153},
+    {{{84,7}},83}, {{{0,8}},124}, {{{0,8}},60}, {{{0,9}},217},
+    {{{82,7}},23}, {{{0,8}},108}, {{{0,8}},44}, {{{0,9}},185},
+    {{{0,8}},12}, {{{0,8}},140}, {{{0,8}},76}, {{{0,9}},249},
+    {{{80,7}},3}, {{{0,8}},82}, {{{0,8}},18}, {{{85,8}},163},
+    {{{83,7}},35}, {{{0,8}},114}, {{{0,8}},50}, {{{0,9}},197},
+    {{{81,7}},11}, {{{0,8}},98}, {{{0,8}},34}, {{{0,9}},165},
+    {{{0,8}},2}, {{{0,8}},130}, {{{0,8}},66}, {{{0,9}},229},
+    {{{80,7}},7}, {{{0,8}},90}, {{{0,8}},26}, {{{0,9}},149},
+    {{{84,7}},67}, {{{0,8}},122}, {{{0,8}},58}, {{{0,9}},213},
+    {{{82,7}},19}, {{{0,8}},106}, {{{0,8}},42}, {{{0,9}},181},
+    {{{0,8}},10}, {{{0,8}},138}, {{{0,8}},74}, {{{0,9}},245},
+    {{{80,7}},5}, {{{0,8}},86}, {{{0,8}},22}, {{{192,8}},0},
+    {{{83,7}},51}, {{{0,8}},118}, {{{0,8}},54}, {{{0,9}},205},
+    {{{81,7}},15}, {{{0,8}},102}, {{{0,8}},38}, {{{0,9}},173},
+    {{{0,8}},6}, {{{0,8}},134}, {{{0,8}},70}, {{{0,9}},237},
+    {{{80,7}},9}, {{{0,8}},94}, {{{0,8}},30}, {{{0,9}},157},
+    {{{84,7}},99}, {{{0,8}},126}, {{{0,8}},62}, {{{0,9}},221},
+    {{{82,7}},27}, {{{0,8}},110}, {{{0,8}},46}, {{{0,9}},189},
+    {{{0,8}},14}, {{{0,8}},142}, {{{0,8}},78}, {{{0,9}},253},
+    {{{96,7}},256}, {{{0,8}},81}, {{{0,8}},17}, {{{85,8}},131},
+    {{{82,7}},31}, {{{0,8}},113}, {{{0,8}},49}, {{{0,9}},195},
+    {{{80,7}},10}, {{{0,8}},97}, {{{0,8}},33}, {{{0,9}},163},
+    {{{0,8}},1}, {{{0,8}},129}, {{{0,8}},65}, {{{0,9}},227},
+    {{{80,7}},6}, {{{0,8}},89}, {{{0,8}},25}, {{{0,9}},147},
+    {{{83,7}},59}, {{{0,8}},121}, {{{0,8}},57}, {{{0,9}},211},
+    {{{81,7}},17}, {{{0,8}},105}, {{{0,8}},41}, {{{0,9}},179},
+    {{{0,8}},9}, {{{0,8}},137}, {{{0,8}},73}, {{{0,9}},243},
+    {{{80,7}},4}, {{{0,8}},85}, {{{0,8}},21}, {{{80,8}},258},
+    {{{83,7}},43}, {{{0,8}},117}, {{{0,8}},53}, {{{0,9}},203},
+    {{{81,7}},13}, {{{0,8}},101}, {{{0,8}},37}, {{{0,9}},171},
+    {{{0,8}},5}, {{{0,8}},133}, {{{0,8}},69}, {{{0,9}},235},
+    {{{80,7}},8}, {{{0,8}},93}, {{{0,8}},29}, {{{0,9}},155},
+    {{{84,7}},83}, {{{0,8}},125}, {{{0,8}},61}, {{{0,9}},219},
+    {{{82,7}},23}, {{{0,8}},109}, {{{0,8}},45}, {{{0,9}},187},
+    {{{0,8}},13}, {{{0,8}},141}, {{{0,8}},77}, {{{0,9}},251},
+    {{{80,7}},3}, {{{0,8}},83}, {{{0,8}},19}, {{{85,8}},195},
+    {{{83,7}},35}, {{{0,8}},115}, {{{0,8}},51}, {{{0,9}},199},
+    {{{81,7}},11}, {{{0,8}},99}, {{{0,8}},35}, {{{0,9}},167},
+    {{{0,8}},3}, {{{0,8}},131}, {{{0,8}},67}, {{{0,9}},231},
+    {{{80,7}},7}, {{{0,8}},91}, {{{0,8}},27}, {{{0,9}},151},
+    {{{84,7}},67}, {{{0,8}},123}, {{{0,8}},59}, {{{0,9}},215},
+    {{{82,7}},19}, {{{0,8}},107}, {{{0,8}},43}, {{{0,9}},183},
+    {{{0,8}},11}, {{{0,8}},139}, {{{0,8}},75}, {{{0,9}},247},
+    {{{80,7}},5}, {{{0,8}},87}, {{{0,8}},23}, {{{192,8}},0},
+    {{{83,7}},51}, {{{0,8}},119}, {{{0,8}},55}, {{{0,9}},207},
+    {{{81,7}},15}, {{{0,8}},103}, {{{0,8}},39}, {{{0,9}},175},
+    {{{0,8}},7}, {{{0,8}},135}, {{{0,8}},71}, {{{0,9}},239},
+    {{{80,7}},9}, {{{0,8}},95}, {{{0,8}},31}, {{{0,9}},159},
+    {{{84,7}},99}, {{{0,8}},127}, {{{0,8}},63}, {{{0,9}},223},
+    {{{82,7}},27}, {{{0,8}},111}, {{{0,8}},47}, {{{0,9}},191},
+    {{{0,8}},15}, {{{0,8}},143}, {{{0,8}},79}, {{{0,9}},255}
+  };
+local inflate_huft fixed_td[] = {
+    {{{80,5}},1}, {{{87,5}},257}, {{{83,5}},17}, {{{91,5}},4097},
+    {{{81,5}},5}, {{{89,5}},1025}, {{{85,5}},65}, {{{93,5}},16385},
+    {{{80,5}},3}, {{{88,5}},513}, {{{84,5}},33}, {{{92,5}},8193},
+    {{{82,5}},9}, {{{90,5}},2049}, {{{86,5}},129}, {{{192,5}},24577},
+    {{{80,5}},2}, {{{87,5}},385}, {{{83,5}},25}, {{{91,5}},6145},
+    {{{81,5}},7}, {{{89,5}},1537}, {{{85,5}},97}, {{{93,5}},24577},
+    {{{80,5}},4}, {{{88,5}},769}, {{{84,5}},49}, {{{92,5}},12289},
+    {{{82,5}},13}, {{{90,5}},3073}, {{{86,5}},193}, {{{192,5}},24577}
+  };
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inflate.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,368 @@
+/* inflate.c -- zlib interface to inflate modules
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "infblock.h"
+
+struct inflate_blocks_state {int dummy;}; /* for buggy compilers */
+
+typedef enum {
+      METHOD,   /* waiting for method byte */
+      FLAG,     /* waiting for flag byte */
+      DICT4,    /* four dictionary check bytes to go */
+      DICT3,    /* three dictionary check bytes to go */
+      DICT2,    /* two dictionary check bytes to go */
+      DICT1,    /* one dictionary check byte to go */
+      DICT0,    /* waiting for inflateSetDictionary */
+      BLOCKS,   /* decompressing blocks */
+      CHECK4,   /* four check bytes to go */
+      CHECK3,   /* three check bytes to go */
+      CHECK2,   /* two check bytes to go */
+      CHECK1,   /* one check byte to go */
+      DONE,     /* finished check, done */
+      BAD}      /* got an error--stay here */
+inflate_mode;
+
+/* inflate private state */
+struct internal_state {
+
+  /* mode */
+  inflate_mode  mode;   /* current inflate mode */
+
+  /* mode dependent information */
+  union {
+    uInt method;        /* if FLAGS, method byte */
+    struct {
+      uLong was;                /* computed check value */
+      uLong need;               /* stream check value */
+    } check;            /* if CHECK, check values to compare */
+    uInt marker;        /* if BAD, inflateSync's marker bytes count */
+  } sub;        /* submode */
+
+  /* mode independent information */
+  int  nowrap;          /* flag for no wrapper */
+  uInt wbits;           /* log2(window size)  (8..15, defaults to 15) */
+  inflate_blocks_statef 
+    *blocks;            /* current inflate_blocks state */
+
+};
+
+
+int ZEXPORT inflateReset(z)
+z_streamp z;
+{
+  if (z == Z_NULL || z->state == Z_NULL)
+    return Z_STREAM_ERROR;
+  z->total_in = z->total_out = 0;
+  z->msg = Z_NULL;
+  z->state->mode = z->state->nowrap ? BLOCKS : METHOD;
+  inflate_blocks_reset(z->state->blocks, z, Z_NULL);
+  Tracev((stderr, "inflate: reset\n"));
+  return Z_OK;
+}
+
+
+int ZEXPORT inflateEnd(z)
+z_streamp z;
+{
+  if (z == Z_NULL || z->state == Z_NULL || z->zfree == Z_NULL)
+    return Z_STREAM_ERROR;
+  if (z->state->blocks != Z_NULL)
+    inflate_blocks_free(z->state->blocks, z);
+  ZFREE(z, z->state);
+  z->state = Z_NULL;
+  Tracev((stderr, "inflate: end\n"));
+  return Z_OK;
+}
+
+
+int ZEXPORT inflateInit2_(z, w, version, stream_size)
+z_streamp z;
+int w;
+const char *version;
+int stream_size;
+{
+  if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
+      stream_size != sizeof(z_stream))
+      return Z_VERSION_ERROR;
+
+  /* initialize state */
+  if (z == Z_NULL)
+    return Z_STREAM_ERROR;
+  z->msg = Z_NULL;
+  if (z->zalloc == Z_NULL)
+  {
+    return Z_STREAM_ERROR;
+/*    z->zalloc = zcalloc;
+    z->opaque = (voidpf)0;
+*/
+  }
+  if (z->zfree == Z_NULL) return Z_STREAM_ERROR; /* z->zfree = zcfree; */
+  if ((z->state = (struct internal_state FAR *)
+       ZALLOC(z,1,sizeof(struct internal_state))) == Z_NULL)
+    return Z_MEM_ERROR;
+  z->state->blocks = Z_NULL;
+
+  /* handle undocumented nowrap option (no zlib header or check) */
+  z->state->nowrap = 0;
+  if (w < 0)
+  {
+    w = - w;
+    z->state->nowrap = 1;
+  }
+
+  /* set window size */
+  if (w < 8 || w > 15)
+  {
+    inflateEnd(z);
+    return Z_STREAM_ERROR;
+  }
+  z->state->wbits = (uInt)w;
+
+  /* create inflate_blocks state */
+  if ((z->state->blocks =
+      inflate_blocks_new(z, z->state->nowrap ? Z_NULL : adler32, (uInt)1 << w))
+      == Z_NULL)
+  {
+    inflateEnd(z);
+    return Z_MEM_ERROR;
+  }
+  Tracev((stderr, "inflate: allocated\n"));
+
+  /* reset state */
+  inflateReset(z);
+  return Z_OK;
+}
+
+
+int ZEXPORT inflateInit_(z, version, stream_size)
+z_streamp z;
+const char *version;
+int stream_size;
+{
+  return inflateInit2_(z, DEF_WBITS, version, stream_size);
+}
+
+
+#define NEEDBYTE {if(z->avail_in==0)return r;r=f;}
+#define NEXTBYTE (z->avail_in--,z->total_in++,*z->next_in++)
+
+int ZEXPORT inflate(z, f)
+z_streamp z;
+int f;
+{
+  int r;
+  uInt b;
+
+  if (z == Z_NULL || z->state == Z_NULL || z->next_in == Z_NULL)
+    return Z_STREAM_ERROR;
+  f = f == Z_FINISH ? Z_BUF_ERROR : Z_OK;
+  r = Z_BUF_ERROR;
+  while (1) switch (z->state->mode)
+  {
+    case METHOD:
+      NEEDBYTE
+      if (((z->state->sub.method = NEXTBYTE) & 0xf) != Z_DEFLATED)
+      {
+        z->state->mode = BAD;
+        z->msg = (char*)"unknown compression method";
+        z->state->sub.marker = 5;       /* can't try inflateSync */
+        break;
+      }
+      if ((z->state->sub.method >> 4) + 8 > z->state->wbits)
+      {
+        z->state->mode = BAD;
+        z->msg = (char*)"invalid window size";
+        z->state->sub.marker = 5;       /* can't try inflateSync */
+        break;
+      }
+      z->state->mode = FLAG;
+    case FLAG:
+      NEEDBYTE
+      b = NEXTBYTE;
+      if (((z->state->sub.method << 8) + b) % 31)
+      {
+        z->state->mode = BAD;
+        z->msg = (char*)"incorrect header check";
+        z->state->sub.marker = 5;       /* can't try inflateSync */
+        break;
+      }
+      Tracev((stderr, "inflate: zlib header ok\n"));
+      if (!(b & PRESET_DICT))
+      {
+        z->state->mode = BLOCKS;
+        break;
+      }
+      z->state->mode = DICT4;
+    case DICT4:
+      NEEDBYTE
+      z->state->sub.check.need = (uLong)NEXTBYTE << 24;
+      z->state->mode = DICT3;
+    case DICT3:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE << 16;
+      z->state->mode = DICT2;
+    case DICT2:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE << 8;
+      z->state->mode = DICT1;
+    case DICT1:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE;
+      z->adler = z->state->sub.check.need;
+      z->state->mode = DICT0;
+      return Z_NEED_DICT;
+    case DICT0:
+      z->state->mode = BAD;
+      z->msg = (char*)"need dictionary";
+      z->state->sub.marker = 0;       /* can try inflateSync */
+      return Z_STREAM_ERROR;
+    case BLOCKS:
+      r = inflate_blocks(z->state->blocks, z, r);
+      if (r == Z_DATA_ERROR)
+      {
+        z->state->mode = BAD;
+        z->state->sub.marker = 0;       /* can try inflateSync */
+        break;
+      }
+      if (r == Z_OK)
+        r = f;
+      if (r != Z_STREAM_END)
+        return r;
+      r = f;
+      inflate_blocks_reset(z->state->blocks, z, &z->state->sub.check.was);
+      if (z->state->nowrap)
+      {
+        z->state->mode = DONE;
+        break;
+      }
+      z->state->mode = CHECK4;
+    case CHECK4:
+      NEEDBYTE
+      z->state->sub.check.need = (uLong)NEXTBYTE << 24;
+      z->state->mode = CHECK3;
+    case CHECK3:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE << 16;
+      z->state->mode = CHECK2;
+    case CHECK2:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE << 8;
+      z->state->mode = CHECK1;
+    case CHECK1:
+      NEEDBYTE
+      z->state->sub.check.need += (uLong)NEXTBYTE;
+
+      if (z->state->sub.check.was != z->state->sub.check.need)
+      {
+        z->state->mode = BAD;
+        z->msg = (char*)"incorrect data check";
+        z->state->sub.marker = 5;       /* can't try inflateSync */
+        break;
+      }
+      Tracev((stderr, "inflate: zlib check ok\n"));
+      z->state->mode = DONE;
+    case DONE:
+      return Z_STREAM_END;
+    case BAD:
+      return Z_DATA_ERROR;
+    default:
+      return Z_STREAM_ERROR;
+  }
+#ifdef NEED_DUMMY_RETURN
+  return Z_STREAM_ERROR;  /* Some dumb compilers complain without this */
+#endif
+}
+
+
+int ZEXPORT inflateSetDictionary(z, dictionary, dictLength)
+z_streamp z;
+const Bytef *dictionary;
+uInt  dictLength;
+{
+  uInt length = dictLength;
+
+  if (z == Z_NULL || z->state == Z_NULL || z->state->mode != DICT0)
+    return Z_STREAM_ERROR;
+
+  if (adler32(1L, dictionary, dictLength) != z->adler) return Z_DATA_ERROR;
+  z->adler = 1L;
+
+  if (length >= ((uInt)1<<z->state->wbits))
+  {
+    length = (1<<z->state->wbits)-1;
+    dictionary += dictLength - length;
+  }
+  inflate_set_dictionary(z->state->blocks, dictionary, length);
+  z->state->mode = BLOCKS;
+  return Z_OK;
+}
+
+
+int ZEXPORT inflateSync(z)
+z_streamp z;
+{
+  uInt n;       /* number of bytes to look at */
+  Bytef *p;     /* pointer to bytes */
+  uInt m;       /* number of marker bytes found in a row */
+  uLong r, w;   /* temporaries to save total_in and total_out */
+
+  /* set up */
+  if (z == Z_NULL || z->state == Z_NULL)
+    return Z_STREAM_ERROR;
+  if (z->state->mode != BAD)
+  {
+    z->state->mode = BAD;
+    z->state->sub.marker = 0;
+  }
+  if ((n = z->avail_in) == 0)
+    return Z_BUF_ERROR;
+  p = z->next_in;
+  m = z->state->sub.marker;
+
+  /* search */
+  while (n && m < 4)
+  {
+    static const Byte mark[4] = {0, 0, 0xff, 0xff};
+    if (*p == mark[m])
+      m++;
+    else if (*p)
+      m = 0;
+    else
+      m = 4 - m;
+    p++, n--;
+  }
+
+  /* restore */
+  z->total_in += p - z->next_in;
+  z->next_in = p;
+  z->avail_in = n;
+  z->state->sub.marker = m;
+
+  /* return no joy or set up to restart on a new block */
+  if (m != 4)
+    return Z_DATA_ERROR;
+  r = z->total_in;  w = z->total_out;
+  inflateReset(z);
+  z->total_in = r;  z->total_out = w;
+  z->state->mode = BLOCKS;
+  return Z_OK;
+}
+
+
+/* Returns true if inflate is currently at the end of a block generated
+ * by Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP
+ * implementation to provide an additional safety check. PPP uses Z_SYNC_FLUSH
+ * but removes the length bytes of the resulting empty stored block. When
+ * decompressing, PPP checks that at the end of input packet, inflate is
+ * waiting for these length bytes.
+ */
+int ZEXPORT inflateSyncPoint(z)
+z_streamp z;
+{
+  if (z == Z_NULL || z->state == Z_NULL || z->state->blocks == Z_NULL)
+    return Z_STREAM_ERROR;
+  return inflate_blocks_sync_point(z->state->blocks);
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inftrees.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,454 @@
+/* inftrees.c -- generate Huffman trees for efficient decoding
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "inftrees.h"
+
+#if !defined(BUILDFIXED) && !defined(STDC)
+#  define BUILDFIXED   /* non ANSI compilers may not accept inffixed.h */
+#endif
+
+local const char inflate_copyright[] =
+   " inflate 1.1.4 Copyright 1995-2002 Mark Adler ";
+/*
+  If you use the zlib library in a product, an acknowledgment is welcome
+  in the documentation of your product. If for some reason you cannot
+  include such an acknowledgment, I would appreciate that you keep this
+  copyright string in the executable of your product.
+ */
+struct internal_state  {int dummy;}; /* for buggy compilers */
+
+/* simplify the use of the inflate_huft type with some defines */
+#define exop word.what.Exop
+#define bits word.what.Bits
+
+
+local int huft_build OF((
+    uIntf *,            /* code lengths in bits */
+    uInt,               /* number of codes */
+    uInt,               /* number of "simple" codes */
+    const uIntf *,      /* list of base values for non-simple codes */
+    const uIntf *,      /* list of extra bits for non-simple codes */
+    inflate_huft * FAR*,/* result: starting table */
+    uIntf *,            /* maximum lookup bits (returns actual) */
+    inflate_huft *,     /* space for trees */
+    uInt *,             /* hufts used in space */
+    uIntf * ));         /* space for values */
+
+/* Tables for deflate from PKZIP's appnote.txt. */
+local const uInt cplens[31] = { /* Copy lengths for literal codes 257..285 */
+        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
+        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
+        /* see note #13 above about 258 */
+local const uInt cplext[31] = { /* Extra bits for literal codes 257..285 */
+        0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
+        3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0, 112, 112}; /* 112==invalid */
+local const uInt cpdist[30] = { /* Copy offsets for distance codes 0..29 */
+        1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
+        257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
+        8193, 12289, 16385, 24577};
+local const uInt cpdext[30] = { /* Extra bits for distance codes */
+        0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
+        7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
+        12, 12, 13, 13};
+
+/*
+   Huffman code decoding is performed using a multi-level table lookup.
+   The fastest way to decode is to simply build a lookup table whose
+   size is determined by the longest code.  However, the time it takes
+   to build this table can also be a factor if the data being decoded
+   is not very long.  The most common codes are necessarily the
+   shortest codes, so those codes dominate the decoding time, and hence
+   the speed.  The idea is you can have a shorter table that decodes the
+   shorter, more probable codes, and then point to subsidiary tables for
+   the longer codes.  The time it costs to decode the longer codes is
+   then traded against the time it takes to make longer tables.
+
+   This results of this trade are in the variables lbits and dbits
+   below.  lbits is the number of bits the first level table for literal/
+   length codes can decode in one step, and dbits is the same thing for
+   the distance codes.  Subsequent tables are also less than or equal to
+   those sizes.  These values may be adjusted either when all of the
+   codes are shorter than that, in which case the longest code length in
+   bits is used, or when the shortest code is *longer* than the requested
+   table size, in which case the length of the shortest code in bits is
+   used.
+
+   There are two different values for the two tables, since they code a
+   different number of possibilities each.  The literal/length table
+   codes 286 possible values, or in a flat code, a little over eight
+   bits.  The distance table codes 30 possible values, or a little less
+   than five bits, flat.  The optimum values for speed end up being
+   about one bit more than those, so lbits is 8+1 and dbits is 5+1.
+   The optimum values may differ though from machine to machine, and
+   possibly even between compilers.  Your mileage may vary.
+ */
+
+
+/* If BMAX needs to be larger than 16, then h and x[] should be uLong. */
+#define BMAX 15         /* maximum bit length of any code */
+
+local int huft_build(b, n, s, d, e, t, m, hp, hn, v)
+uIntf *b;               /* code lengths in bits (all assumed <= BMAX) */
+uInt n;                 /* number of codes (assumed <= 288) */
+uInt s;                 /* number of simple-valued codes (0..s-1) */
+const uIntf *d;         /* list of base values for non-simple codes */
+const uIntf *e;         /* list of extra bits for non-simple codes */
+inflate_huft * FAR *t;  /* result: starting table */
+uIntf *m;               /* maximum lookup bits, returns actual */
+inflate_huft *hp;       /* space for trees */
+uInt *hn;               /* hufts used in space */
+uIntf *v;               /* working area: values in order of bit length */
+/* Given a list of code lengths and a maximum table size, make a set of
+   tables to decode that set of codes.  Return Z_OK on success, Z_BUF_ERROR
+   if the given code set is incomplete (the tables are still built in this
+   case), or Z_DATA_ERROR if the input is invalid. */
+{
+
+  uInt a;                       /* counter for codes of length k */
+  uInt c[BMAX+1];               /* bit length count table */
+  uInt f;                       /* i repeats in table every f entries */
+  int g;                        /* maximum code length */
+  int h;                        /* table level */
+  register uInt i;              /* counter, current code */
+  register uInt j;              /* counter */
+  register int k;               /* number of bits in current code */
+  int l;                        /* bits per table (returned in m) */
+  uInt mask;                    /* (1 << w) - 1, to avoid cc -O bug on HP */
+  register uIntf *p;            /* pointer into c[], b[], or v[] */
+  inflate_huft *q;              /* points to current table */
+  struct inflate_huft_s r;      /* table entry for structure assignment */
+  inflate_huft *u[BMAX];        /* table stack */
+  register int w;               /* bits before this table == (l * h) */
+  uInt x[BMAX+1];               /* bit offsets, then code stack */
+  uIntf *xp;                    /* pointer into x */
+  int y;                        /* number of dummy codes added */
+  uInt z;                       /* number of entries in current table */
+
+
+  /* Generate counts for each bit length */
+  p = c;
+#define C0 *p++ = 0;
+#define C2 C0 C0 C0 C0
+#define C4 C2 C2 C2 C2
+  C4                            /* clear c[]--assume BMAX+1 is 16 */
+  p = b;  i = n;
+  do {
+    c[*p++]++;                  /* assume all entries <= BMAX */
+  } while (--i);
+  if (c[0] == n)                /* null input--all zero length codes */
+  {
+    *t = (inflate_huft *)Z_NULL;
+    *m = 0;
+    return Z_OK;
+  }
+
+
+  /* Find minimum and maximum length, bound *m by those */
+  l = *m;
+  for (j = 1; j <= BMAX; j++)
+    if (c[j])
+      break;
+  k = j;                        /* minimum code length */
+  if ((uInt)l < j)
+    l = j;
+  for (i = BMAX; i; i--)
+    if (c[i])
+      break;
+  g = i;                        /* maximum code length */
+  if ((uInt)l > i)
+    l = i;
+  *m = l;
+
+
+  /* Adjust last length count to fill out codes, if needed */
+  for (y = 1 << j; j < i; j++, y <<= 1)
+    if ((y -= c[j]) < 0)
+      return Z_DATA_ERROR;
+  if ((y -= c[i]) < 0)
+    return Z_DATA_ERROR;
+  c[i] += y;
+
+
+  /* Generate starting offsets into the value table for each length */
+  x[1] = j = 0;
+  p = c + 1;  xp = x + 2;
+  while (--i) {                 /* note that i == g from above */
+    *xp++ = (j += *p++);
+  }
+
+
+  /* Make a table of values in order of bit lengths */
+  p = b;  i = 0;
+  do {
+    if ((j = *p++) != 0)
+      v[x[j]++] = i;
+  } while (++i < n);
+  n = x[g];                     /* set n to length of v */
+
+
+  /* Generate the Huffman codes and for each, make the table entries */
+  x[0] = i = 0;                 /* first Huffman code is zero */
+  p = v;                        /* grab values in bit order */
+  h = -1;                       /* no tables yet--level -1 */
+  w = -l;                       /* bits decoded == (l * h) */
+  u[0] = (inflate_huft *)Z_NULL;        /* just to keep compilers happy */
+  q = (inflate_huft *)Z_NULL;   /* ditto */
+  z = 0;                        /* ditto */
+
+  /* go through the bit lengths (k already is bits in shortest code) */
+  for (; k <= g; k++)
+  {
+    a = c[k];
+    while (a--)
+    {
+      /* here i is the Huffman code of length k bits for value *p */
+      /* make tables up to required level */
+      while (k > w + l)
+      {
+        h++;
+        w += l;                 /* previous table always l bits */
+
+        /* compute minimum size table less than or equal to l bits */
+        z = g - w;
+        z = z > (uInt)l ? l : z;        /* table size upper limit */
+        if ((f = 1 << (j = k - w)) > a + 1)     /* try a k-w bit table */
+        {                       /* too few codes for k-w bit table */
+          f -= a + 1;           /* deduct codes from patterns left */
+          xp = c + k;
+          if (j < z)
+            while (++j < z)     /* try smaller tables up to z bits */
+            {
+              if ((f <<= 1) <= *++xp)
+                break;          /* enough codes to use up j bits */
+              f -= *xp;         /* else deduct codes from patterns */
+            }
+        }
+        z = 1 << j;             /* table entries for j-bit table */
+
+        /* allocate new table */
+        if (*hn + z > MANY)     /* (note: doesn't matter for fixed) */
+          return Z_DATA_ERROR;  /* overflow of MANY */
+        u[h] = q = hp + *hn;
+        *hn += z;
+
+        /* connect to last table, if there is one */
+        if (h)
+        {
+          x[h] = i;             /* save pattern for backing up */
+          r.bits = (Byte)l;     /* bits to dump before this table */
+          r.exop = (Byte)j;     /* bits in this table */
+          j = i >> (w - l);
+          r.base = (uInt)(q - u[h-1] - j);   /* offset to this table */
+          u[h-1][j] = r;        /* connect to last table */
+        }
+        else
+          *t = q;               /* first table is returned result */
+      }
+
+      /* set up table entry in r */
+      r.bits = (Byte)(k - w);
+      if (p >= v + n)
+        r.exop = 128 + 64;      /* out of values--invalid code */
+      else if (*p < s)
+      {
+        r.exop = (Byte)(*p < 256 ? 0 : 32 + 64);     /* 256 is end-of-block */
+        r.base = *p++;          /* simple code is just the value */
+      }
+      else
+      {
+        r.exop = (Byte)(e[*p - s] + 16 + 64);/* non-simple--look up in lists */
+        r.base = d[*p++ - s];
+      }
+
+      /* fill code-like entries with r */
+      f = 1 << (k - w);
+      for (j = i >> w; j < z; j += f)
+        q[j] = r;
+
+      /* backwards increment the k-bit code i */
+      for (j = 1 << (k - 1); i & j; j >>= 1)
+        i ^= j;
+      i ^= j;
+
+      /* backup over finished tables */
+      mask = (1 << w) - 1;      /* needed on HP, cc -O bug */
+      while ((i & mask) != x[h])
+      {
+        h--;                    /* don't need to update q */
+        w -= l;
+        mask = (1 << w) - 1;
+      }
+    }
+  }
+
+
+  /* Return Z_BUF_ERROR if we were given an incomplete table */
+  return y != 0 && g != 1 ? Z_BUF_ERROR : Z_OK;
+}
+
+
+int inflate_trees_bits(c, bb, tb, hp, z)
+uIntf *c;               /* 19 code lengths */
+uIntf *bb;              /* bits tree desired/actual depth */
+inflate_huft * FAR *tb; /* bits tree result */
+inflate_huft *hp;       /* space for trees */
+z_streamp z;            /* for messages */
+{
+  int r;
+  uInt hn = 0;          /* hufts used in space */
+  uIntf *v;             /* work area for huft_build */
+
+  if ((v = (uIntf*)ZALLOC(z, 19, sizeof(uInt))) == Z_NULL)
+    return Z_MEM_ERROR;
+  r = huft_build(c, 19, 19, (uIntf*)Z_NULL, (uIntf*)Z_NULL,
+                 tb, bb, hp, &hn, v);
+  if (r == Z_DATA_ERROR)
+    z->msg = (char*)"oversubscribed dynamic bit lengths tree";
+  else if (r == Z_BUF_ERROR || *bb == 0)
+  {
+    z->msg = (char*)"incomplete dynamic bit lengths tree";
+    r = Z_DATA_ERROR;
+  }
+  ZFREE(z, v);
+  return r;
+}
+
+
+int inflate_trees_dynamic(nl, nd, c, bl, bd, tl, td, hp, z)
+uInt nl;                /* number of literal/length codes */
+uInt nd;                /* number of distance codes */
+uIntf *c;               /* that many (total) code lengths */
+uIntf *bl;              /* literal desired/actual bit depth */
+uIntf *bd;              /* distance desired/actual bit depth */
+inflate_huft * FAR *tl; /* literal/length tree result */
+inflate_huft * FAR *td; /* distance tree result */
+inflate_huft *hp;       /* space for trees */
+z_streamp z;            /* for messages */
+{
+  int r;
+  uInt hn = 0;          /* hufts used in space */
+  uIntf *v;             /* work area for huft_build */
+
+  /* allocate work area */
+  if ((v = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
+    return Z_MEM_ERROR;
+
+  /* build literal/length tree */
+  r = huft_build(c, nl, 257, cplens, cplext, tl, bl, hp, &hn, v);
+  if (r != Z_OK || *bl == 0)
+  {
+    if (r == Z_DATA_ERROR)
+      z->msg = (char*)"oversubscribed literal/length tree";
+    else if (r != Z_MEM_ERROR)
+    {
+      z->msg = (char*)"incomplete literal/length tree";
+      r = Z_DATA_ERROR;
+    }
+    ZFREE(z, v);
+    return r;
+  }
+
+  /* build distance tree */
+  r = huft_build(c + nl, nd, 0, cpdist, cpdext, td, bd, hp, &hn, v);
+  if (r != Z_OK || (*bd == 0 && nl > 257))
+  {
+    if (r == Z_DATA_ERROR)
+      z->msg = (char*)"oversubscribed distance tree";
+    else if (r == Z_BUF_ERROR) {
+#ifdef PKZIP_BUG_WORKAROUND
+      r = Z_OK;
+    }
+#else
+      z->msg = (char*)"incomplete distance tree";
+      r = Z_DATA_ERROR;
+    }
+    else if (r != Z_MEM_ERROR)
+    {
+      z->msg = (char*)"empty distance tree with lengths";
+      r = Z_DATA_ERROR;
+    }
+    ZFREE(z, v);
+    return r;
+#endif
+  }
+
+  /* done */
+  ZFREE(z, v);
+  return Z_OK;
+}
+
+
+/* build fixed tables only once--keep them here */
+#ifdef BUILDFIXED
+local int fixed_built = 0;
+#define FIXEDH 544      /* number of hufts used by fixed tables */
+local inflate_huft fixed_mem[FIXEDH];
+local uInt fixed_bl;
+local uInt fixed_bd;
+local inflate_huft *fixed_tl;
+local inflate_huft *fixed_td;
+#else
+#include "inffixed.h"
+#endif
+
+
+int inflate_trees_fixed(bl, bd, tl, td, z)
+uIntf *bl;               /* literal desired/actual bit depth */
+uIntf *bd;               /* distance desired/actual bit depth */
+inflate_huft * FAR *tl;  /* literal/length tree result */
+inflate_huft * FAR *td;  /* distance tree result */
+z_streamp z;             /* for memory allocation */
+{
+#ifdef BUILDFIXED
+  /* build fixed tables if not already */
+  if (!fixed_built)
+  {
+    int k;              /* temporary variable */
+    uInt f = 0;         /* number of hufts used in fixed_mem */
+    uIntf *c;           /* length list for huft_build */
+    uIntf *v;           /* work area for huft_build */
+
+    /* allocate memory */
+    if ((c = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
+      return Z_MEM_ERROR;
+    if ((v = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
+    {
+      ZFREE(z, c);
+      return Z_MEM_ERROR;
+    }
+
+    /* literal table */
+    for (k = 0; k < 144; k++)
+      c[k] = 8;
+    for (; k < 256; k++)
+      c[k] = 9;
+    for (; k < 280; k++)
+      c[k] = 7;
+    for (; k < 288; k++)
+      c[k] = 8;
+    fixed_bl = 9;
+    huft_build(c, 288, 257, cplens, cplext, &fixed_tl, &fixed_bl,
+               fixed_mem, &f, v);
+
+    /* distance table */
+    for (k = 0; k < 30; k++)
+      c[k] = 5;
+    fixed_bd = 5;
+    huft_build(c, 30, 0, cpdist, cpdext, &fixed_td, &fixed_bd,
+               fixed_mem, &f, v);
+
+    /* done */
+    ZFREE(z, v);
+    ZFREE(z, c);
+    fixed_built = 1;
+  }
+#endif
+  *bl = fixed_bl;
+  *bd = fixed_bd;
+  *tl = fixed_tl;
+  *td = fixed_td;
+  return Z_OK;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/inftrees.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,63 @@
+/* inftrees.h -- header to use inftrees.c
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+/* Huffman code lookup table entry--this entry is four bytes for machines
+   that have 16-bit pointers (e.g. PC's in the small or medium model). */
+
+#ifndef _INFTREES_H
+#define _INFTREES_H
+
+typedef struct inflate_huft_s FAR inflate_huft;
+
+struct inflate_huft_s {
+  union {
+    struct {
+      Byte Exop;        /* number of extra bits or operation */
+      Byte Bits;        /* number of bits in this code or subcode */
+    } what;
+    uInt pad;           /* pad structure to a power of 2 (4 bytes for */
+  } word;               /*  16-bit, 8 bytes for 32-bit int's) */
+  uInt base;            /* literal, length base, distance base,
+                           or table offset */
+};
+
+/* Maximum size of dynamic tree.  The maximum found in a long but non-
+   exhaustive search was 1004 huft structures (850 for length/literals
+   and 154 for distances, the latter actually the result of an
+   exhaustive search).  The actual maximum is not known, but the
+   value below is more than safe. */
+#define MANY 1440
+
+extern int inflate_trees_bits OF((
+    uIntf *,                    /* 19 code lengths */
+    uIntf *,                    /* bits tree desired/actual depth */
+    inflate_huft * FAR *,       /* bits tree result */
+    inflate_huft *,             /* space for trees */
+    z_streamp));                /* for messages */
+
+extern int inflate_trees_dynamic OF((
+    uInt,                       /* number of literal/length codes */
+    uInt,                       /* number of distance codes */
+    uIntf *,                    /* that many (total) code lengths */
+    uIntf *,                    /* literal desired/actual bit depth */
+    uIntf *,                    /* distance desired/actual bit depth */
+    inflate_huft * FAR *,       /* literal/length tree result */
+    inflate_huft * FAR *,       /* distance tree result */
+    inflate_huft *,             /* space for trees */
+    z_streamp));                /* for messages */
+
+extern int inflate_trees_fixed OF((
+    uIntf *,                    /* literal desired/actual bit depth */
+    uIntf *,                    /* distance desired/actual bit depth */
+    inflate_huft * FAR *,       /* literal/length tree result */
+    inflate_huft * FAR *,       /* distance tree result */
+    z_streamp));                /* for memory allocation */
+
+#endif /* _INFTREES_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infutil.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,87 @@
+/* inflate_util.c -- data and routines common to blocks and codes
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+#include <zlib/zutil.h>
+#include "infblock.h"
+#include "inftrees.h"
+#include "infcodes.h"
+#include "infutil.h"
+
+struct inflate_codes_state {int dummy;}; /* for buggy compilers */
+
+/* And'ing with mask[n] masks the lower n bits */
+uInt inflate_mask[17] = {
+    0x0000,
+    0x0001, 0x0003, 0x0007, 0x000f, 0x001f, 0x003f, 0x007f, 0x00ff,
+    0x01ff, 0x03ff, 0x07ff, 0x0fff, 0x1fff, 0x3fff, 0x7fff, 0xffff
+};
+
+
+/* copy as much as possible from the sliding window to the output area */
+int inflate_flush(s, z, r)
+inflate_blocks_statef *s;
+z_streamp z;
+int r;
+{
+  uInt n;
+  Bytef *p;
+  Bytef *q;
+
+  /* local copies of source and destination pointers */
+  p = z->next_out;
+  q = s->read;
+
+  /* compute number of bytes to copy as far as end of window */
+  n = (uInt)((q <= s->write ? s->write : s->end) - q);
+  if (n > z->avail_out) n = z->avail_out;
+  if (n && r == Z_BUF_ERROR) r = Z_OK;
+
+  /* update counters */
+  z->avail_out -= n;
+  z->total_out += n;
+
+  /* update check information */
+  if (s->checkfn != Z_NULL)
+    z->adler = s->check = (*s->checkfn)(s->check, q, n);
+
+  /* copy as far as end of window */
+  zmemcpy(p, q, n);
+  p += n;
+  q += n;
+
+  /* see if more to copy at beginning of window */
+  if (q == s->end)
+  {
+    /* wrap pointers */
+    q = s->window;
+    if (s->write == s->end)
+      s->write = s->window;
+
+    /* compute bytes to copy */
+    n = (uInt)(s->write - q);
+    if (n > z->avail_out) n = z->avail_out;
+    if (n && r == Z_BUF_ERROR) r = Z_OK;
+
+    /* update counters */
+    z->avail_out -= n;
+    z->total_out += n;
+
+    /* update check information */
+    if (s->checkfn != Z_NULL)
+      z->adler = s->check = (*s->checkfn)(s->check, q, n);
+
+    /* copy */
+    zmemcpy(p, q, n);
+    p += n;
+    q += n;
+  }
+
+  /* update pointers */
+  z->next_out = p;
+  s->read = q;
+
+  /* done */
+  return r;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/infutil.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,98 @@
+/* infutil.h -- types and macros common to blocks and codes
+ * Copyright (C) 1995-2002 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* WARNING: this file should *not* be used by applications. It is
+   part of the implementation of the compression library and is
+   subject to change. Applications should only use zlib.h.
+ */
+
+#ifndef _INFUTIL_H
+#define _INFUTIL_H
+
+typedef enum {
+      TYPE,     /* get type bits (3, including end bit) */
+      LENS,     /* get lengths for stored */
+      STORED,   /* processing stored block */
+      TABLE,    /* get table lengths */
+      BTREE,    /* get bit lengths tree for a dynamic block */
+      DTREE,    /* get length, distance trees for a dynamic block */
+      CODES,    /* processing fixed or dynamic block */
+      DRY,      /* output remaining window bytes */
+      DONE,     /* finished last block, done */
+      BAD}      /* got a data error--stuck here */
+inflate_block_mode;
+
+/* inflate blocks semi-private state */
+struct inflate_blocks_state {
+
+  /* mode */
+  inflate_block_mode  mode;     /* current inflate_block mode */
+
+  /* mode dependent information */
+  union {
+    uInt left;          /* if STORED, bytes left to copy */
+    struct {
+      uInt table;               /* table lengths (14 bits) */
+      uInt index;               /* index into blens (or border) */
+      uIntf *blens;             /* bit lengths of codes */
+      uInt bb;                  /* bit length tree depth */
+      inflate_huft *tb;         /* bit length decoding tree */
+    } trees;            /* if DTREE, decoding info for trees */
+    struct {
+      inflate_codes_statef 
+         *codes;
+    } decode;           /* if CODES, current state */
+  } sub;                /* submode */
+  uInt last;            /* true if this block is the last block */
+
+  /* mode independent information */
+  uInt bitk;            /* bits in bit buffer */
+  uLong bitb;           /* bit buffer */
+  inflate_huft *hufts;  /* single malloc for tree space */
+  Bytef *window;        /* sliding window */
+  Bytef *end;           /* one byte after sliding window */
+  Bytef *read;          /* window read pointer */
+  Bytef *write;         /* window write pointer */
+  check_func checkfn;   /* check function */
+  uLong check;          /* check on output */
+
+};
+
+
+/* defines for inflate input/output */
+/*   update pointers and return */
+#define UPDBITS {s->bitb=b;s->bitk=k;}
+#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;}
+#define UPDOUT {s->write=q;}
+#define UPDATE {UPDBITS UPDIN UPDOUT}
+#define LEAVE {UPDATE return inflate_flush(s,z,r);}
+/*   get bytes and bits */
+#define LOADIN {p=z->next_in;n=z->avail_in;b=s->bitb;k=s->bitk;}
+#define NEEDBYTE {if(n)r=Z_OK;else LEAVE}
+#define NEXTBYTE (n--,*p++)
+#define NEEDBITS(j) {while(k<(j)){NEEDBYTE;b|=((uLong)NEXTBYTE)<<k;k+=8;}}
+#define DUMPBITS(j) {b>>=(j);k-=(j);}
+/*   output bytes */
+#define WAVAIL (uInt)(q<s->read?s->read-q-1:s->end-q)
+#define LOADOUT {q=s->write;m=(uInt)WAVAIL;}
+#define WRAP {if(q==s->end&&s->read!=s->window){q=s->window;m=(uInt)WAVAIL;}}
+#define FLUSH {UPDOUT r=inflate_flush(s,z,r); LOADOUT}
+#define NEEDOUT {if(m==0){WRAP if(m==0){FLUSH WRAP if(m==0) LEAVE}}r=Z_OK;}
+#define OUTBYTE(a) {*q++=(Byte)(a);m--;}
+/*   load local pointers */
+#define LOAD {LOADIN LOADOUT}
+
+/* masks for lower bits (size given to avoid silly warnings with Visual C++) */
+extern uInt inflate_mask[17];
+
+/* copy as much as possible from the sliding window to the output area */
+extern int inflate_flush OF((
+    inflate_blocks_statef *,
+    z_streamp ,
+    int));
+
+struct internal_state      {int dummy;}; /* for buggy compilers */
+
+#endif /* _INFUTIL_H */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/initaddr.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,50 @@
+/*
+ * initialize address structure
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: initaddr.c,v 1.6 2004/07/10 07:43:47 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - initaddr - initialize ip_address from bytes
+ */
+err_t				/* NULL for success, else string literal */
+initaddr(src, srclen, af, dst)
+const unsigned char *src;
+size_t srclen;
+int af;				/* address family */
+ip_address *dst;
+{
+	switch (af) {
+	case AF_INET:
+		if (srclen != 4)
+			return "IPv4 address must be exactly 4 bytes";
+		dst->u.v4.sin_family = af;
+		dst->u.v4.sin_port = 0;		/* unused */
+		memcpy((char *)&dst->u.v4.sin_addr.s_addr, src, srclen);
+		break;
+	case AF_INET6:
+		if (srclen != 16)
+			return "IPv6 address must be exactly 16 bytes";
+		dst->u.v6.sin6_family = af;
+		dst->u.v6.sin6_flowinfo = 0;		/* unused */
+		dst->u.v6.sin6_port = 0;		/* unused */
+		memcpy((char *)&dst->u.v6.sin6_addr, src, srclen);
+		break;
+	default:
+		return "unknown address family in initaddr";
+		break;
+	}
+	return NULL;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipcomp.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,701 @@
+/*
+ * IPCOMP zlib interface code.
+ * Copyright (C) 2000  Svenning Soerensen <svenning@post5.tele.dk>
+ * Copyright (C) 2000, 2001  Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.41.2.5 2006/10/06 21:39:26 paul Exp $";
+
+/* SSS */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>
+#include <linux/netdevice.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#include <asm/uaccess.h>
+#include <asm/checksum.h>
+
+#include <openswan.h>
+
+#include <net/ip.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h" /* sysctl_ipsec_inbound_policy_check */
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipcomp.h"
+#include "zlib/zlib.h"
+#include "zlib/zutil.h"
+
+#include <pfkeyv2.h> /* SADB_X_CALG_DEFLATE */
+
+#ifdef CONFIG_KLIPS_DEBUG
+int sysctl_ipsec_debug_ipcomp = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+static
+struct sk_buff *skb_copy_ipcomp(struct sk_buff *skb, int data_growth, int gfp_mask);
+
+static
+voidpf my_zcalloc(voidpf opaque, uInt items, uInt size)
+{
+	return (voidpf) kmalloc(items*size, GFP_ATOMIC);
+}
+
+static
+void my_zfree(voidpf opaque, voidpf address)
+{
+	kfree(address);
+}
+
+/* 
+ * We use this function because sometimes we want to pass a negative offset
+ * into skb_put(), this does not work on 64bit platforms because long to
+ * unsigned int casting.
+ */
+static inline unsigned char *
+safe_skb_put(struct sk_buff *skb, int extend)
+{
+        unsigned char *ptr;
+
+        if (extend>0) {
+                // increase the size of the packet
+                ptr = skb_put(skb, extend);
+        } else {
+                // shrink the size of the packet
+                ptr = skb->tail;
+                skb_trim (skb, skb->len + extend);
+        }
+
+        return ptr;
+}
+
+struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags)
+{
+	struct iphdr *iph;
+	unsigned int iphlen, pyldsz, cpyldsz;
+	unsigned char *buffer;
+	z_stream zs;
+	int zresult;
+	
+	KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+		    "klips_debug:skb_compress: .\n");
+
+	if(skb == NULL) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "passed in NULL skb, returning ERROR.\n");
+		if(flags != NULL) {
+			*flags |= IPCOMP_PARMERROR;
+		}
+		return skb;
+	}
+
+	if(ips == NULL) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "passed in NULL ipsec_sa needed for cpi, returning ERROR.\n");
+		if(flags) {
+			*flags |= IPCOMP_PARMERROR;
+		}
+		return skb;
+	}
+
+	if (flags == NULL) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "passed in NULL flags, returning ERROR.\n");
+		ipsec_kfree_skb(skb);
+		return NULL;
+	}
+	
+#ifdef NET_21
+	iph = skb->nh.iph;
+#else /* NET_21 */
+	iph = skb->ip_hdr;
+#endif /* NET_21 */
+
+	switch (iph->protocol) {
+	case IPPROTO_COMP:
+	case IPPROTO_AH:
+	case IPPROTO_ESP:
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "skipping compression of packet with ip protocol %d.\n",
+			    iph->protocol);
+		*flags |= IPCOMP_UNCOMPRESSABLE;
+		return skb;
+	}
+	
+	/* Don't compress packets already fragmented */
+	if (iph->frag_off & __constant_htons(IP_MF | IP_OFFSET)) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "skipping compression of fragmented packet.\n");
+		*flags |= IPCOMP_UNCOMPRESSABLE;
+		return skb;
+	}
+	
+	iphlen = iph->ihl << 2;
+	pyldsz = ntohs(iph->tot_len) - iphlen;
+
+	/* Don't compress less than 90 bytes (rfc 2394) */
+	if (pyldsz < 90) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "skipping compression of tiny packet, len=%d.\n",
+			    pyldsz);
+		*flags |= IPCOMP_UNCOMPRESSABLE;
+		return skb;
+	}
+	
+	/* Adaptive decision */
+	if (ips->ips_comp_adapt_skip) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_compress: "
+			    "skipping compression: ips_comp_adapt_skip=%d.\n",
+			    ips->ips_comp_adapt_skip);
+		ips->ips_comp_adapt_skip--;
+		*flags |= IPCOMP_UNCOMPRESSABLE;
+		return skb;
+	}
+
+	zs.zalloc = my_zcalloc;
+	zs.zfree = my_zfree;
+	zs.opaque = 0;
+	
+	/* We want to use deflateInit2 because we don't want the adler
+	   header. */
+	zresult = deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED, -11,
+			       DEF_MEM_LEVEL,  Z_DEFAULT_STRATEGY);
+	if (zresult != Z_OK) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_compress: "
+			    "deflateInit2() returned error %d (%s), "
+			    "skipping compression.\n",
+			    zresult,
+			    zs.msg ? zs.msg : zError(zresult));
+		*flags |= IPCOMP_COMPRESSIONERROR;
+		return skb;
+	}
+	
+
+	/* Max output size. Result should be max this size.
+	 * Implementation specific tweak:
+	 * If it's not at least 32 bytes and 6.25% smaller than
+	 * the original packet, it's probably not worth wasting
+	 * the receiver's CPU cycles decompressing it.
+	 * Your mileage may vary.
+	 */
+	cpyldsz = pyldsz - sizeof(struct ipcomphdr) - (pyldsz <= 512 ? 32 : pyldsz >> 4);
+
+	buffer = kmalloc(cpyldsz, GFP_ATOMIC);
+	if (!buffer) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_compress: "
+			    "unable to kmalloc(%d, GFP_ATOMIC), "
+			    "skipping compression.\n",
+			    cpyldsz);
+		*flags |= IPCOMP_COMPRESSIONERROR;
+		deflateEnd(&zs);
+		return skb;
+	}
+	
+#ifdef CONFIG_KLIPS_DEBUG
+	if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
+		__u8 *c;
+
+		c = (__u8*)iph + iphlen;
+		ipsec_dmp_block("compress before", c, pyldsz);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	zs.next_in = (char *) iph + iphlen; /* start of payload */
+	zs.avail_in = pyldsz;
+	zs.next_out = buffer;     /* start of compressed payload */
+	zs.avail_out = cpyldsz;
+	
+	/* Finish compression in one step */
+	zresult = deflate(&zs, Z_FINISH);
+
+	/* Free all dynamically allocated buffers */
+	deflateEnd(&zs);
+	if (zresult != Z_STREAM_END) {
+		*flags |= IPCOMP_UNCOMPRESSABLE;
+		kfree(buffer);
+
+		/* Adjust adaptive counters */
+		if (++(ips->ips_comp_adapt_tries) == IPCOMP_ADAPT_INITIAL_TRIES) {
+			KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+				    "klips_debug:skb_compress: "
+				    "first %d packets didn't compress, "
+				    "skipping next %d\n",
+				    IPCOMP_ADAPT_INITIAL_TRIES,
+				    IPCOMP_ADAPT_INITIAL_SKIP);
+			ips->ips_comp_adapt_skip = IPCOMP_ADAPT_INITIAL_SKIP;
+		}
+		else if (ips->ips_comp_adapt_tries == IPCOMP_ADAPT_INITIAL_TRIES + IPCOMP_ADAPT_SUBSEQ_TRIES) {
+			KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+				    "klips_debug:skb_compress: "
+				    "next %d packets didn't compress, "
+				    "skipping next %d\n",
+				    IPCOMP_ADAPT_SUBSEQ_TRIES,
+				    IPCOMP_ADAPT_SUBSEQ_SKIP);
+			ips->ips_comp_adapt_skip = IPCOMP_ADAPT_SUBSEQ_SKIP;
+			ips->ips_comp_adapt_tries = IPCOMP_ADAPT_INITIAL_TRIES;
+		}
+
+		return skb;
+	}
+	
+	/* resulting compressed size */
+	cpyldsz -= zs.avail_out;
+	
+	/* Insert IPCOMP header */
+	((struct ipcomphdr*) ((char*) iph + iphlen))->ipcomp_nh = iph->protocol;
+	((struct ipcomphdr*) ((char*) iph + iphlen))->ipcomp_flags = 0;
+	/* use the bottom 16 bits of the spi for the cpi.  The top 16 bits are
+	   for internal reference only. */
+	((struct ipcomphdr*) (((char*)iph) + iphlen))->ipcomp_cpi = htons((__u16)(ntohl(ips->ips_said.spi) & 0x0000ffff));
+	KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+		    "klips_debug:skb_compress: "
+		    "spi=%08x, spi&0xffff=%04x, cpi=%04x, payload size: raw=%d, comp=%d.\n",
+		    ntohl(ips->ips_said.spi),
+		    ntohl(ips->ips_said.spi) & 0x0000ffff,
+		    ntohs(((struct ipcomphdr*)(((char*)iph)+iphlen))->ipcomp_cpi),
+		    pyldsz,
+		    cpyldsz);
+	
+	/* Update IP header */
+	iph->protocol = IPPROTO_COMP;
+	iph->tot_len = htons(iphlen + sizeof(struct ipcomphdr) + cpyldsz);
+#if 1 /* XXX checksum is done by ipsec_tunnel ? */
+	iph->check = 0;
+	iph->check = ip_fast_csum((char *) iph, iph->ihl);
+#endif
+	
+	/* Copy compressed payload */
+	memcpy((char *) iph + iphlen + sizeof(struct ipcomphdr),
+	       buffer,
+	       cpyldsz);
+	kfree(buffer);
+	
+	/* Update skb length/tail by "unputting" the shrinkage */
+        safe_skb_put (skb, cpyldsz + sizeof(struct ipcomphdr) - pyldsz);
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
+		__u8 *c;
+		
+		c = (__u8*)iph + iphlen + sizeof(struct ipcomphdr);
+		ipsec_dmp_block("compress result", c, cpyldsz);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+	
+	ips->ips_comp_adapt_skip = 0;
+	ips->ips_comp_adapt_tries = 0;
+	
+	return skb;
+}
+
+struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags)
+{
+	struct sk_buff *nskb = NULL;
+
+	/* original ip header */
+	struct iphdr *oiph, *iph;
+	unsigned int iphlen, pyldsz, cpyldsz;
+	z_stream zs;
+	int zresult;
+
+	KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+		    "klips_debug:skb_decompress: .\n");
+
+	if(!skb) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "passed in NULL skb, returning ERROR.\n");
+		if (flags) *flags |= IPCOMP_PARMERROR;
+		return skb;
+	}
+
+	if(!ips && sysctl_ipsec_inbound_policy_check) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "passed in NULL ipsec_sa needed for comp alg, returning ERROR.\n");
+		if (flags) *flags |= IPCOMP_PARMERROR;
+		return skb;
+	}
+
+	if (!flags) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "passed in NULL flags, returning ERROR.\n");
+		ipsec_kfree_skb(skb);
+		return NULL;
+	}
+	
+#ifdef NET_21
+	oiph = skb->nh.iph;
+#else /* NET_21 */
+	oiph = skb->ip_hdr;
+#endif /* NET_21 */
+	
+	iphlen = oiph->ihl << 2;
+	
+	if (oiph->protocol != IPPROTO_COMP) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "called with non-IPCOMP packet (protocol=%d),"
+			    "skipping decompression.\n",
+			    oiph->protocol);
+		*flags |= IPCOMP_PARMERROR;
+		return skb;
+	}
+	
+	if ( (((struct ipcomphdr*)((char*) oiph + iphlen))->ipcomp_flags != 0)
+	     || ((((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_cpi
+		!= htons(SADB_X_CALG_DEFLATE))
+		 && sysctl_ipsec_inbound_policy_check
+		 && (!ips || (ips && (ips->ips_encalg != SADB_X_CALG_DEFLATE)))) ) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "called with incompatible IPCOMP packet (flags=%d, "
+			    "cpi=%d), ips-compalg=%d, skipping decompression.\n",
+			    ntohs(((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_flags),
+			    ntohs(((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_cpi),
+			    ips ? ips->ips_encalg : 0);
+		*flags |= IPCOMP_PARMERROR;
+		
+		return skb;
+	}
+	
+	if (ntohs(oiph->frag_off) & ~0x4000) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "called with fragmented IPCOMP packet, "
+			    "skipping decompression.\n");
+		*flags |= IPCOMP_PARMERROR;
+		return skb;
+	}
+	
+	/* original compressed payload size */
+	cpyldsz = ntohs(oiph->tot_len) - iphlen - sizeof(struct ipcomphdr);
+
+	zs.zalloc = my_zcalloc;
+	zs.zfree = my_zfree;
+	zs.opaque = 0;
+	
+	zs.next_in = (char *) oiph + iphlen + sizeof(struct ipcomphdr);
+	zs.avail_in = cpyldsz;
+	
+	/* Maybe we should be a bit conservative about memory
+	   requirements and use inflateInit2 */
+	/* Beware, that this might make us unable to decompress packets
+	   from other implementations - HINT: check PGPnet source code */
+	/* We want to use inflateInit2 because we don't want the adler
+	   header. */
+	zresult = inflateInit2(&zs, -15); 
+	if (zresult != Z_OK) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "inflateInit2() returned error %d (%s), "
+			    "skipping decompression.\n",
+			    zresult,
+			    zs.msg ? zs.msg : zError(zresult));
+		*flags |= IPCOMP_DECOMPRESSIONERROR;
+
+		return skb;
+	}
+	
+	/* We have no way of knowing the exact length of the resulting
+	   decompressed output before we have actually done the decompression.
+	   For now, we guess that the packet will not be bigger than the
+	   attached ipsec device's mtu or 16260, whichever is biggest.
+	   This may be wrong, since the sender's mtu may be bigger yet.
+	   XXX This must be dealt with later XXX
+	*/
+	
+	/* max payload size */
+	pyldsz = skb->dev ? (skb->dev->mtu < 16260 ? 16260 : skb->dev->mtu)
+			  : (65520 - iphlen);
+	KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+		    "klips_debug:skb_decompress: "
+		    "max payload size: %d\n", pyldsz);
+	
+	while (pyldsz > (cpyldsz + sizeof(struct ipcomphdr)) && 
+	       (nskb = skb_copy_ipcomp(skb,
+				       pyldsz - cpyldsz - sizeof(struct ipcomphdr),
+				       GFP_ATOMIC)) == NULL) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "unable to skb_copy_ipcomp(skb, %d, GFP_ATOMIC), "
+			    "trying with less payload size.\n",
+			    (int)(pyldsz - cpyldsz - sizeof(struct ipcomphdr)));
+		pyldsz >>=1;
+	}
+	
+	if (!nskb) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "unable to allocate memory, dropping packet.\n");
+		*flags |= IPCOMP_DECOMPRESSIONERROR;
+		inflateEnd(&zs);
+
+		return skb;
+	}
+	
+#ifdef CONFIG_KLIPS_DEBUG
+	if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
+		__u8 *c;
+		
+		c = (__u8*)oiph + iphlen + sizeof(struct ipcomphdr);
+		ipsec_dmp_block("decompress before", c, cpyldsz);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#ifdef NET_21
+	iph = nskb->nh.iph;
+#else /* NET_21 */
+	iph = nskb->ip_hdr;
+#endif /* NET_21 */
+	zs.next_out = (char *)iph + iphlen;
+	zs.avail_out = pyldsz;
+
+	zresult = inflate(&zs, Z_SYNC_FLUSH);
+
+	/* work around a bug in zlib, which sometimes wants to taste an extra
+	 * byte when being used in the (undocumented) raw deflate mode.
+	 */
+	if (zresult == Z_OK && !zs.avail_in && zs.avail_out) {
+		__u8 zerostuff = 0;
+		
+		zs.next_in = &zerostuff;
+		zs.avail_in = 1;
+		zresult = inflate(&zs, Z_FINISH);
+	}
+
+	inflateEnd(&zs);
+	if (zresult != Z_STREAM_END) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_error:skb_decompress: "
+			    "inflate() returned error %d (%s), "
+			    "skipping decompression.\n",
+			    zresult,
+			    zs.msg ? zs.msg : zError(zresult));
+		*flags |= IPCOMP_DECOMPRESSIONERROR;
+		ipsec_kfree_skb(nskb);
+
+		return skb;
+	}
+	
+	/* Update IP header */
+	/* resulting decompressed size */
+	pyldsz -= zs.avail_out;
+	iph->tot_len = htons(iphlen + pyldsz);
+	iph->protocol = ((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_nh;
+	KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+		    "klips_debug:skb_decompress: "
+		    "spi=%08x, spi&0xffff=%04x, cpi=%04x, payload size: comp=%d, raw=%d, nh=%d.\n",
+		    ips ? ntohl(ips->ips_said.spi) : 0,
+		    ips ? ntohl(ips->ips_said.spi) & 0x0000ffff : 0,
+		    ntohs(((struct ipcomphdr*)(((char*)oiph)+iphlen))->ipcomp_cpi),
+		    cpyldsz,
+		    pyldsz,
+		    iph->protocol);
+	
+#if 1 /* XXX checksum is done by ipsec_rcv ? */
+	iph->check = 0;
+	iph->check = ip_fast_csum((char*) iph, iph->ihl);
+#endif
+	
+	/* Update skb length/tail by "unputting" the unused data area */
+	safe_skb_put(nskb, -zs.avail_out);
+	
+	ipsec_kfree_skb(skb);
+	
+	if (iph->protocol == IPPROTO_COMP)
+	{
+#ifdef CONFIG_KLIPS_DEBUG
+		if(sysctl_ipsec_debug_ipcomp)
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_decompress: "
+			    "Eh? inner packet is also compressed, dropping.\n");
+#endif /* CONFIG_KLIPS_DEBUG */
+		
+		ipsec_kfree_skb(nskb);
+		return NULL;
+	}
+	
+#ifdef CONFIG_KLIPS_DEBUG
+	if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
+		__u8 *c;
+		
+		c = (__u8*)iph + iphlen;
+		ipsec_dmp_block("decompress result", c, pyldsz);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+	
+	return nskb;
+}
+
+
+/* this is derived from skb_copy() in linux 2.2.14 */
+/* May be incompatible with other kernel versions!! */
+static
+struct sk_buff *skb_copy_ipcomp(struct sk_buff *skb, int data_growth, int gfp_mask)
+{
+        struct sk_buff *n;
+	struct iphdr *iph;
+        unsigned long offset;
+        unsigned int iphlen;
+	
+	if(!skb) {
+		KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
+			    "klips_debug:skb_copy_ipcomp: "
+			    "passed in NULL skb, returning NULL.\n");
+		return NULL;
+	}
+
+        /*
+         *      Allocate the copy buffer
+         */
+	
+#ifdef NET_21
+	iph = skb->nh.iph;
+#else /* NET_21 */
+	iph = skb->ip_hdr;
+#endif /* NET_21 */
+        if (!iph) return NULL;
+        iphlen = iph->ihl << 2;
+	
+        n=alloc_skb(skb->end - skb->head + data_growth, gfp_mask);
+        if(n==NULL)
+                return NULL;
+	
+        /*
+         *      Shift between the two data areas in bytes
+         */
+	
+        offset=n->head-skb->head;
+
+        /* Set the data pointer */
+        skb_reserve(n,skb->data-skb->head);
+        /* Set the tail pointer and length */
+        safe_skb_put(n,skb->len+data_growth);
+        /* Copy the bytes up to and including the ip header */
+        memcpy(n->head,
+	       skb->head,
+	       ((char *)iph - (char *)skb->head) + iphlen);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,14)
+        n->list=NULL;
+#endif
+	n->next=NULL;
+	n->prev=NULL;
+        n->sk=NULL;
+        n->dev=skb->dev;
+	if (skb->h.raw)
+		n->h.raw=skb->h.raw+offset;
+	else
+		n->h.raw=NULL;
+        n->protocol=skb->protocol;
+#ifdef NET_21
+        n->csum = 0;
+        n->priority=skb->priority;
+        n->dst=dst_clone(skb->dst);
+        n->nh.raw=skb->nh.raw+offset;
+#ifndef NETDEV_23
+        n->is_clone=0;
+#endif /* NETDEV_23 */
+        atomic_set(&n->users, 1);
+        n->destructor = NULL;
+#ifdef HAVE_SOCK_SECURITY
+        n->security=skb->security;
+#endif
+        memcpy(n->cb, skb->cb, sizeof(skb->cb));
+#ifdef CONFIG_IP_FIREWALL
+        n->fwmark = skb->fwmark;
+#endif
+#else /* NET_21 */
+	n->link3=NULL;
+	n->when=skb->when;
+	n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
+	n->saddr=skb->saddr;
+	n->daddr=skb->daddr;
+	n->raddr=skb->raddr;
+	n->seq=skb->seq;
+	n->end_seq=skb->end_seq;
+	n->ack_seq=skb->ack_seq;
+	n->acked=skb->acked;
+	n->free=1;
+	n->arp=skb->arp;
+	n->tries=0;
+	n->lock=0;
+	n->users=0;
+	memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
+#endif /* NET_21 */
+	if (skb->mac.raw)
+		n->mac.raw=skb->mac.raw+offset;
+	else
+		n->mac.raw=NULL;
+#ifndef NETDEV_23
+	n->used=skb->used;
+#endif /* !NETDEV_23 */
+        n->pkt_type=skb->pkt_type;
+#ifndef NETDEV_23
+	n->pkt_bridged=skb->pkt_bridged;
+#endif /* NETDEV_23 */
+	n->ip_summed=0;
+#ifdef HAVE_TSTAMP
+        n->tstamp = skb->tstamp;
+#else
+        n->stamp=skb->stamp;
+#endif
+#ifndef NETDEV_23 /* this seems to have been removed in 2.4 */
+#if defined(CONFIG_SHAPER) || defined(CONFIG_SHAPER_MODULE)
+        n->shapelatency=skb->shapelatency;       /* Latency on frame */
+        n->shapeclock=skb->shapeclock;           /* Time it should go out */
+        n->shapelen=skb->shapelen;               /* Frame length in clocks */
+        n->shapestamp=skb->shapestamp;           /* Stamp for shaper    */
+        n->shapepend=skb->shapepend;             /* Pending */
+#endif /* defined(CONFIG_SHAPER) || defined(CONFIG_SHAPER_MODULE) */
+#endif /* NETDEV_23 */
+
+        return n;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_ah.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,407 @@
+/*
+ * processing code for AH
+ * Copyright (C) 2003-2004   Michael Richardson <mcr@xelerance.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_ah_c_version[] = "RCSID $Id: ipsec_ah.c,v 1.12.2.2 2006/10/06 21:39:26 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>	/* struct device, and other headers */
+#include <linux/etherdevice.h>	/* eth_type_trans */
+#include <linux/ip.h>		/* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+#include <net/protocol.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h" 
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_auth.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_proto.h"
+
+__u32 zeroes[AH_AMAX];
+
+enum ipsec_rcv_value
+ipsec_rcv_ah_checks(struct ipsec_rcv_state *irs,
+		    struct sk_buff *skb)
+{
+	int ahminlen;
+
+	ahminlen = irs->hard_header_len + sizeof(struct iphdr);
+
+	/* take care not to deref this pointer until we check the minlen though */
+	irs->protostuff.ahstuff.ahp = (struct ahhdr *)skb->h.raw;
+
+	if((skb->len < ahminlen+sizeof(struct ahhdr)) ||
+	   (skb->len < ahminlen+(irs->protostuff.ahstuff.ahp->ah_hl << 2))) {
+		KLIPS_PRINT(debug_rcv & DB_RX_INAU,
+			    "klips_debug:ipsec_rcv: "
+			    "runt ah packet of skb->len=%d received from %s, dropped.\n",
+			    skb->len,
+			    irs->ipsaddr_txt);
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADLEN;
+	}
+
+	irs->said.spi = irs->protostuff.ahstuff.ahp->ah_spi;
+
+	/* XXX we only support the one 12-byte authenticator for now */
+	if(irs->protostuff.ahstuff.ahp->ah_hl != ((AHHMAC_HASHLEN+AHHMAC_RPLLEN) >> 2)) {
+		KLIPS_PRINT(debug_rcv & DB_RX_INAU,
+			    "klips_debug:ipsec_rcv: "
+			    "bad authenticator length %ld, expected %lu from %s.\n",
+			    (long)(irs->protostuff.ahstuff.ahp->ah_hl << 2),
+			    (unsigned long) sizeof(struct ahhdr),
+			    irs->ipsaddr_txt);
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADLEN;
+	}
+
+	return IPSEC_RCV_OK;
+}
+
+
+enum ipsec_rcv_value
+ipsec_rcv_ah_setup_auth(struct ipsec_rcv_state *irs,
+			struct sk_buff *skb,
+			__u32          *replay,
+			unsigned char **authenticator)
+{
+	struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
+
+	*replay = ntohl(ahp->ah_rpl);
+	*authenticator = ahp->ah_data;
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_rcv_value
+ipsec_rcv_ah_authcalc(struct ipsec_rcv_state *irs,
+		      struct sk_buff *skb)
+{
+	struct auth_alg *aa;
+	struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
+	union {
+		MD5_CTX		md5;
+		SHA1_CTX	sha1;
+	} tctx;
+	struct iphdr ipo;
+	int ahhlen;
+
+	aa = irs->authfuncs;
+
+	/* copy the initialized keying material */
+	memcpy(&tctx, irs->ictx, irs->ictx_len);
+
+	ipo = *irs->ipp;
+	ipo.tos = 0;	/* mutable RFC 2402 3.3.3.1.1.1 */
+	ipo.frag_off = 0;
+	ipo.ttl = 0;
+	ipo.check = 0;
+
+
+	/* do the sanitized header */
+	(*aa->update)((void*)&tctx, (caddr_t)&ipo, sizeof(struct iphdr));
+
+	/* XXX we didn't do the options here! */
+
+	/* now do the AH header itself */
+	ahhlen = AH_BASIC_LEN + (ahp->ah_hl << 2);
+	(*aa->update)((void*)&tctx, (caddr_t)ahp,  ahhlen - AHHMAC_HASHLEN);
+
+	/* now, do some zeroes */
+	(*aa->update)((void*)&tctx, (caddr_t)zeroes,  AHHMAC_HASHLEN);
+
+	/* finally, do the packet contents themselves */
+	(*aa->update)((void*)&tctx,
+		      (caddr_t)skb->h.raw + ahhlen,
+		      skb->len - ahhlen);
+
+	(*aa->final)(irs->hash, (void *)&tctx);
+
+	memcpy(&tctx, irs->octx, irs->octx_len);
+
+	(*aa->update)((void *)&tctx, irs->hash, aa->hashlen);
+	(*aa->final)(irs->hash, (void *)&tctx);
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_rcv_value
+ipsec_rcv_ah_decap(struct ipsec_rcv_state *irs)
+{
+	struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
+	struct sk_buff *skb;
+	int ahhlen;
+
+	skb=irs->skb;
+
+	ahhlen = AH_BASIC_LEN + (ahp->ah_hl << 2);
+
+	irs->ipp->tot_len = htons(ntohs(irs->ipp->tot_len) - ahhlen);
+	irs->next_header  = ahp->ah_nh;
+
+	/*
+	 * move the IP header forward by the size of the AH header, which
+	 * will remove the the AH header from the packet.
+	 */
+	memmove((void *)(skb->nh.raw + ahhlen),
+		(void *)(skb->nh.raw), irs->iphlen);
+
+	ipsec_rcv_dmp("ah postmove", skb->data, skb->len);
+
+	/* skb_pull below, will move up by ahhlen */
+
+	/* XXX not clear how this can happen, as the message indicates */
+	if(skb->len < ahhlen) {
+		printk(KERN_WARNING
+		       "klips_error:ipsec_rcv: "
+		       "tried to skb_pull ahhlen=%d, %d available.  This should never happen, please report.\n",
+		       ahhlen,
+		       (int)(skb->len));
+		return IPSEC_RCV_DECAPFAIL;
+	}
+	skb_pull(skb, ahhlen);
+
+	skb->nh.raw = skb->nh.raw + ahhlen;
+	irs->ipp = skb->nh.iph;
+
+	ipsec_rcv_dmp("ah postpull", (void *)skb->nh.iph, skb->len);
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_xmit_ah_setup(struct ipsec_xmit_state *ixs)
+{
+  struct iphdr ipo;
+  struct ahhdr *ahp;
+  __u8 hash[AH_AMAX];
+  union {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+    MD5_CTX md5;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+    SHA1_CTX sha1;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+  } tctx;
+  unsigned char *dat = (unsigned char *)ixs->iph;
+
+  ahp = (struct ahhdr *)(dat + ixs->iphlen);
+  ahp->ah_spi = ixs->ipsp->ips_said.spi;
+  ahp->ah_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
+  ahp->ah_rv = 0;
+  ahp->ah_nh = ixs->iph->protocol;
+  ahp->ah_hl = (sizeof(struct ahhdr) >> 2) - sizeof(__u64)/sizeof(__u32);
+  ixs->iph->protocol = IPPROTO_AH;
+  ipsec_xmit_dmp("ahp", (char*)ahp, sizeof(*ahp));
+  
+  ipo = *ixs->iph;
+  ipo.tos = 0;
+  ipo.frag_off = 0;
+  ipo.ttl = 0;
+  ipo.check = 0;
+  ipsec_xmit_dmp("ipo", (char*)&ipo, sizeof(ipo));
+  
+  switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+  case AH_MD5:
+    tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+    ipsec_xmit_dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, (unsigned char *)&ipo, sizeof (struct iphdr));
+    ipsec_xmit_dmp("ictx+ipo", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, (unsigned char *)ahp,
+	      sizeof(struct ahhdr) - sizeof(ahp->ah_data));
+    ipsec_xmit_dmp("ictx+ahp", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, (unsigned char *)zeroes, AHHMAC_HASHLEN);
+    ipsec_xmit_dmp("ictx+zeroes", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5,  dat + ixs->iphlen + sizeof(struct ahhdr),
+	      ixs->skb->len - ixs->iphlen - sizeof(struct ahhdr));
+    ipsec_xmit_dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Final(hash, &tctx.md5);
+    ipsec_xmit_dmp("ictx hash", (char*)&hash, sizeof(hash));
+    tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
+    ipsec_xmit_dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, hash, AHMD596_ALEN);
+    ipsec_xmit_dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Final(hash, &tctx.md5);
+    ipsec_xmit_dmp("octx hash", (char*)&hash, sizeof(hash));
+    
+    memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
+    
+    /* paranoid */
+    memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
+    memset((caddr_t)hash, 0, sizeof(*hash));
+    break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+  case AH_SHA:
+    tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+    SHA1Update(&tctx.sha1, (unsigned char *)&ipo, sizeof (struct iphdr));
+    SHA1Update(&tctx.sha1, (unsigned char *)ahp, sizeof(struct ahhdr) - sizeof(ahp->ah_data));
+    SHA1Update(&tctx.sha1, (unsigned char *)zeroes, AHHMAC_HASHLEN);
+    SHA1Update(&tctx.sha1, dat + ixs->iphlen + sizeof(struct ahhdr),
+	       ixs->skb->len - ixs->iphlen - sizeof(struct ahhdr));
+    SHA1Final(hash, &tctx.sha1);
+    tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
+    SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
+    SHA1Final(hash, &tctx.sha1);
+    
+    memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
+    
+    /* paranoid */
+    memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
+    memset((caddr_t)hash, 0, sizeof(*hash));
+    break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+  default:
+    ixs->stats->tx_errors++;
+    return IPSEC_XMIT_AH_BADALG;
+  }
+#ifdef NET_21
+  ixs->skb->h.raw = (unsigned char*)ahp;
+#endif /* NET_21 */
+
+  return IPSEC_XMIT_OK;
+}
+
+struct xform_functions ah_xform_funcs[]={
+	{	rcv_checks:         ipsec_rcv_ah_checks,
+		rcv_setup_auth:     ipsec_rcv_ah_setup_auth,
+		rcv_calc_auth:      ipsec_rcv_ah_authcalc,
+		rcv_decrypt:        ipsec_rcv_ah_decap,
+
+		xmit_setup:         ipsec_xmit_ah_setup,
+		xmit_headroom:      sizeof(struct ahhdr),
+		xmit_needtailroom:  0,
+	},
+};
+
+
+#ifdef NET_26
+struct inet_protocol ah_protocol = {
+  .handler = ipsec_rcv,
+  .no_policy = 1,
+};
+#else
+struct inet_protocol ah_protocol =
+{
+	ipsec_rcv,				/* AH handler */
+	NULL,				/* TUNNEL error control */
+#ifdef NETDEV_25
+	1,				/* no policy */
+#else
+	0,				/* next */
+	IPPROTO_AH,			/* protocol ID */
+	0,				/* copy */
+	NULL,				/* data */
+	"AH"				/* name */
+#endif
+};
+#endif /* NET_26 */
+
+/*
+ * $Log: ipsec_ah.c,v $
+ * Revision 1.12.2.2  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.12.2.1  2006/02/15 05:35:14  paul
+ * Patch by  David McCullough <davidm@snapgear.com>
+ * If you setup a tunnel without ESP it doesn't work.  It used to work in
+ * an older openswan version but stopped when klips was modified to deal
+ * with the pulled IP header on the received SKB's.
+ *
+ * The code in ipsec_ah.c still thinks the IP header is there and runs the
+ * hash on the incorrect data.
+ *
+ * Revision 1.12  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.11  2005/04/15 19:50:55  mcr
+ * 	adjustments to use proper skb fields for data.
+ *
+ * Revision 1.10  2004/09/14 00:22:57  mcr
+ * 	adjustment of MD5* functions.
+ *
+ * Revision 1.9  2004/09/13 02:22:47  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.8  2004/09/06 18:35:48  mcr
+ * 	2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
+ * 	so adjust for that.
+ *
+ * Revision 1.7  2004/08/22 05:00:48  mcr
+ * 	if we choose to compile the file, we want the contents,
+ * 	so don't pull any punches.
+ *
+ * Revision 1.6  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.5  2004/08/14 03:28:24  mcr
+ * 	fixed log comment to remove warning about embedded comment.
+ *
+ * Revision 1.4  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.3  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.2  2004/04/06 02:49:25  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_alg.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1057 @@
+/*
+ * Modular extensions service and registration functions
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 
+ * Version: 0.8.1
+ *
+ * ipsec_alg.c,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ */
+#define __NO_VERSION__
+
+#if defined (MODULE)
+#include <linux/module.h>
+#endif
+
+#include <linux/kernel.h> /* printk() */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#include <linux/socket.h>
+#include <linux/in.h>
+#include <linux/types.h>
+#include <linux/string.h>	/* memcmp() */
+#include <linux/random.h>	/* get_random_bytes() */
+#include <linux/errno.h>  /* error codes */
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include "openswan/ipsec_param.h"
+#include <openswan.h>
+#include "openswan/ipsec_sa.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#if defined(CONFIG_KLIPS_ESP) || defined(CONFIG_KLIPS_AH)
+# include "openswan/ipsec_ah.h"
+#endif /* defined(CONFIG_KLIPS_ESP) || defined(CONFIG_KLIPS_AH) */
+#ifdef CONFIG_KLIPS_ESP
+# include "openswan/ipsec_esp.h"
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_IPCOMP
+# include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_COMP */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_alg.h"
+#include "openswan/ipsec_proto.h"
+
+#if SADB_EALG_MAX < 255
+#warning Compiling with limited ESP support ( SADB_EALG_MAX < 256 )
+#endif
+
+static rwlock_t ipsec_alg_lock = RW_LOCK_UNLOCKED;
+#define IPSEC_ALG_HASHSZ	16	/* must be power of 2, even 2^0=1 */
+static struct list_head ipsec_alg_hash_table[IPSEC_ALG_HASHSZ];
+
+/*	Old gcc's will fail here 	*/
+#define barf_out(fmt, args...)  do { struct ipsec_alg *ixtc = (struct ipsec_alg *)ixt; printk(KERN_ERR "%s: (%s) " fmt, __FUNCTION__, ixtc->ixt_name , ## args) \
+	; goto out; } while(0)
+
+#ifdef NET_26
+/* 
+ * 	Must be already protected by lock 
+ */
+static void __ipsec_alg_usage_inc(struct ipsec_alg *ixt)
+{
+#ifdef MODULE
+	if (ixt->ixt_module)
+		try_module_get(ixt->ixt_module);
+#endif
+	atomic_inc(&ixt->ixt_refcnt);
+}
+static void __ipsec_alg_usage_dec(struct ipsec_alg *ixt) {
+	atomic_dec(&ixt->ixt_refcnt);
+#ifdef MODULE
+	if (ixt->ixt_module)
+		module_put(ixt->ixt_module);
+#endif
+}
+
+#else
+
+/* 
+ * 	Must be already protected by lock 
+ */
+static void __ipsec_alg_usage_inc(struct ipsec_alg *ixt) {
+#ifdef MODULE
+	if (ixt->ixt_module) {
+		__MOD_INC_USE_COUNT(ixt->ixt_module);
+	}
+#endif
+	atomic_inc(&ixt->ixt_refcnt);
+}
+static void __ipsec_alg_usage_dec(struct ipsec_alg *ixt) {
+	atomic_dec(&ixt->ixt_refcnt);
+#ifdef MODULE
+	if (ixt->ixt_module)
+		__MOD_DEC_USE_COUNT(ixt->ixt_module);
+#endif
+}
+#endif
+
+/*
+ * 	simple hash function, optimized for 0-hash (1 list) special
+ * 	case
+ */
+#if IPSEC_ALG_HASHSZ > 1
+static inline unsigned ipsec_alg_hashfn(int alg_type, int alg_id) {
+	return ((alg_type^alg_id)&(IPSEC_ALG_HASHSZ-1));
+}
+#else
+#define ipsec_alg_hashfn(x,y) (0)
+#endif
+
+/*****************************************************************
+ *
+ * 	INTERNAL table handling: insert, delete, find
+ *
+ *****************************************************************/
+
+/*	
+ *	hash table initialization, called from ipsec_alg_init()
+ */
+static void ipsec_alg_hash_init(void) {
+	struct list_head *head = ipsec_alg_hash_table;
+	int i = IPSEC_ALG_HASHSZ;
+	do {
+		INIT_LIST_HEAD(head);
+		head++;
+		i--;
+	} while (i);
+}
+/*
+ * 	hash list lookup by {alg_type, alg_id} and table head,
+ * 	must be already protected by lock
+ */
+static struct ipsec_alg *__ipsec_alg_find(unsigned alg_type, unsigned alg_id, struct list_head * head) {
+	struct list_head *p;
+	struct ipsec_alg *ixt=NULL;
+	for (p=head->next; p!=head; p=p->next) {
+		ixt = list_entry(p, struct ipsec_alg, ixt_list);
+		if (ixt->ixt_alg_type == alg_type && ixt->ixt_alg_id==alg_id) {
+			goto out;
+		}
+	}
+	ixt=NULL;
+out:
+	return ixt;
+}
+/*
+ * 	inserts (in front) a new entry in hash table, 
+ * 	called from ipsec_alg_register() when new algorithm is registered.
+ */
+static int ipsec_alg_insert(struct ipsec_alg *ixt) {
+	int ret=-EINVAL;
+	unsigned hashval=ipsec_alg_hashfn(ixt->ixt_alg_type, ixt->ixt_alg_id);
+	struct list_head *head= ipsec_alg_hash_table + hashval;
+	struct ipsec_alg *ixt_cur;
+
+	/* 	new element must be virgin ... */
+	if (ixt->ixt_list.next != &ixt->ixt_list || 
+		ixt->ixt_list.prev != &ixt->ixt_list) {
+		printk(KERN_ERR "ipsec_alg_insert: ixt object \"%s\" "
+				"list head not initialized\n",
+				ixt->ixt_name);
+		return ret;
+	}
+	write_lock_bh(&ipsec_alg_lock);
+
+	ixt_cur = __ipsec_alg_find(ixt->ixt_alg_type, ixt->ixt_alg_id, head);
+
+	/* if previous (current) ipsec_alg found check excl flag of _anyone_ */
+	if (ixt_cur
+	    && ((ixt->ixt_state|ixt_cur->ixt_state) & IPSEC_ALG_ST_EXCL)) {
+	  barf_out("ipsec_alg for alg_type=%d, alg_id=%d already exist. "
+		   "Not loaded (ret=%d).\n",
+		   ixt->ixt_alg_type,
+		   ixt->ixt_alg_id, ret=-EEXIST);
+	}
+	list_add(&ixt->ixt_list, head);
+	ixt->ixt_state |= IPSEC_ALG_ST_REGISTERED;
+	ret=0;
+out:
+	write_unlock_bh(&ipsec_alg_lock);
+	return ret;
+}
+
+/*
+ * 	deletes an existing entry in hash table, 
+ * 	called from ipsec_alg_unregister() when algorithm is unregistered.
+ */
+static int ipsec_alg_delete(struct ipsec_alg *ixt) {
+	write_lock_bh(&ipsec_alg_lock);
+	list_del(&ixt->ixt_list);
+	write_unlock_bh(&ipsec_alg_lock);
+	return 0;
+}
+
+/*
+ * 	here @user context (read-only when @kernel bh context) 
+ * 	-> no bh disabling
+ *
+ * 	called from ipsec_sa_init() -> ipsec_alg_sa_init()
+ */
+static struct ipsec_alg *ipsec_alg_get(int alg_type, int alg_id)
+{
+	unsigned hashval=ipsec_alg_hashfn(alg_type, alg_id);
+	struct list_head *head= ipsec_alg_hash_table + hashval;
+	struct ipsec_alg *ixt;
+
+	read_lock(&ipsec_alg_lock);
+	ixt=__ipsec_alg_find(alg_type, alg_id, head);
+	if (ixt) __ipsec_alg_usage_inc(ixt);
+	read_unlock(&ipsec_alg_lock);
+
+	return ixt;
+}
+
+static void ipsec_alg_put(struct ipsec_alg *ixt) {
+	__ipsec_alg_usage_dec((struct ipsec_alg *)ixt);
+}
+
+/*****************************************************************
+ *
+ * 	INTERFACE for ENC services: key creation, encrypt function
+ *
+ *****************************************************************/
+
+/*
+ * 	main encrypt service entry point
+ * 	called from ipsec_rcv() with encrypt=IPSEC_ALG_DECRYPT and
+ * 	ipsec_tunnel_start_xmit with encrypt=IPSEC_ALG_ENCRYPT
+ */
+int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 * idat,
+			  int ilen, const __u8 * iv, int encrypt)
+{
+	int ret;
+	struct ipsec_alg_enc *ixt_e=sa_p->ips_alg_enc;
+#ifdef CONFIG_KLIPS_DEBUG
+	int debug_flag = (encrypt==IPSEC_ALG_ENCRYPT ?
+			  debug_tunnel : debug_rcv);
+#endif
+
+	KLIPS_PRINT(debug_flag,
+		    "klips_debug:ipsec_alg_esp_encrypt: "
+		    "entering with encalg=%d, ixt_e=%p\n",
+		    sa_p->ips_encalg, ixt_e);
+	if (ixt_e == NULL) {
+#ifdef CONFIG_KLIPS_DEBUG
+	  KLIPS_ERROR(debug_flag,
+		      "klips_debug:ipsec_alg_esp_encrypt: "
+		      "NULL ipsec_alg_enc object\n");
+#endif
+		return -1;
+	}
+	KLIPS_PRINT(debug_flag,
+		    "klips_debug:ipsec_alg_esp_encrypt: "
+		    "calling cbc_encrypt encalg=%d "
+		    "ips_key_e=%p idat=%p ilen=%d iv=%p, encrypt=%d\n",
+			sa_p->ips_encalg, 
+			sa_p->ips_key_e, idat, ilen, iv, encrypt);
+	ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, sa_p->ips_key_e, idat,
+				     ilen, iv, encrypt);
+	KLIPS_PRINT(debug_flag,
+		    "klips_debug:ipsec_alg_esp_encrypt: "
+		    "returned ret=%d\n",
+		    ret);
+	return ret;
+}
+
+/*
+ * 	encryption key context creation function
+ * 	called from pfkey_v2_parser.c:pfkey_ips_init() 
+ */
+int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p) {
+	int ret=-EINVAL;
+	int keyminbits, keymaxbits;
+	caddr_t ekp;
+	struct ipsec_alg_enc *ixt_e=sa_p->ips_alg_enc;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:ipsec_alg_enc_key_create: "
+		    "entering with encalg=%d ixt_e=%p\n",
+		    sa_p->ips_encalg, ixt_e);
+	if (!ixt_e) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_alg_enc_key_create: "
+			    "NULL ipsec_alg_enc object\n");
+		return -EPROTO;
+	}
+
+	/* 
+	 * grRRR... DES 7bits jurassic stuff ... f*ckk --jjo 
+	 */
+	switch(ixt_e->ixt_common.ixt_support.ias_id) {
+		case ESP_3DES:
+			keyminbits=keymaxbits=192;break;
+		case ESP_DES:
+			keyminbits=keymaxbits=64;break;
+		default:
+			keyminbits=ixt_e->ixt_common.ixt_support.ias_keyminbits;
+			keymaxbits=ixt_e->ixt_common.ixt_support.ias_keymaxbits;
+	}
+	if(sa_p->ips_key_bits_e<keyminbits || 
+			sa_p->ips_key_bits_e>keymaxbits) {
+		KLIPS_PRINT(debug_pfkey,
+				"klips_debug:ipsec_alg_enc_key_create: "
+				"incorrect encryption key size for id=%d: %d bits -- "
+				"must be between %d,%d bits\n" /*octets (bytes)\n"*/,
+				ixt_e->ixt_common.ixt_support.ias_id,
+				sa_p->ips_key_bits_e, keyminbits, keymaxbits);
+		ret=-EINVAL;
+		goto ixt_out;
+	}
+	/* save encryption key pointer */
+	ekp = sa_p->ips_key_e;
+
+
+	if (ixt_e->ixt_e_new_key) {
+		sa_p->ips_key_e = ixt_e->ixt_e_new_key(ixt_e,
+				ekp, sa_p->ips_key_bits_e/8);
+		ret =  (sa_p->ips_key_e)? 0 : -EINVAL;
+	} else {
+		if((sa_p->ips_key_e = (caddr_t)
+		    kmalloc((sa_p->ips_key_e_size = ixt_e->ixt_e_ctx_size),
+			    GFP_ATOMIC)) == NULL) {
+			ret=-ENOMEM;
+			goto ixt_out;
+		}
+		/* zero-out key_e */
+		memset(sa_p->ips_key_e, 0, sa_p->ips_key_e_size);
+
+		/* I cast here to allow more decoupling in alg module */
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_alg_enc_key_create: about to call:"
+				    "set_key(key_e=%p, ekp=%p, key_size=%d)\n",
+				    (caddr_t)sa_p->ips_key_e, ekp, sa_p->ips_key_bits_e/8);
+		ret = ixt_e->ixt_e_set_key(ixt_e, (caddr_t)sa_p->ips_key_e, ekp, sa_p->ips_key_bits_e/8);
+	}
+	/* paranoid */
+	memset(ekp, 0, sa_p->ips_key_bits_e/8);
+	kfree(ekp);
+ixt_out:
+	return ret;
+}
+
+/***************************************************************
+ *
+ * 	INTERFACE for AUTH services: key creation, hash functions
+ *
+ ***************************************************************/
+
+/*
+ * 	auth key context creation function
+ * 	called from pfkey_v2_parser.c:pfkey_ips_init() 
+ */
+int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p) {
+	int ret=-EINVAL;
+	struct ipsec_alg_auth *ixt_a=sa_p->ips_alg_auth;
+	int keyminbits, keymaxbits;
+	unsigned char *akp;
+	unsigned int aks;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:ipsec_alg_auth_key_create: "
+		    "entering with authalg=%d ixt_a=%p\n",
+		    sa_p->ips_authalg, ixt_a);
+	if (!ixt_a) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_alg_auth_key_create: "
+			    "NULL ipsec_alg_auth object\n");
+		return -EPROTO;
+	}
+	keyminbits=ixt_a->ixt_common.ixt_support.ias_keyminbits;
+	keymaxbits=ixt_a->ixt_common.ixt_support.ias_keymaxbits;
+	if(sa_p->ips_key_bits_a<keyminbits || sa_p->ips_key_bits_a>keymaxbits) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_alg_auth_key_create: incorrect auth"
+			    "key size: %d bits -- must be between %d,%d bits\n"/*octets (bytes)\n"*/,
+			    sa_p->ips_key_bits_a, keyminbits, keymaxbits);
+		ret=-EINVAL;
+		goto ixt_out;
+	}
+	/* save auth key pointer */
+	sa_p->ips_auth_bits = ixt_a->ixt_a_keylen * 8; /* XXX XXX */
+	akp = sa_p->ips_key_a;
+	aks = sa_p->ips_key_a_size;
+
+	/* will hold: 2 ctx and a blocksize buffer: kb */
+	sa_p->ips_key_a_size = ixt_a->ixt_a_ctx_size;
+	if((sa_p->ips_key_a = 
+		(caddr_t) kmalloc(sa_p->ips_key_a_size, GFP_ATOMIC)) == NULL) {
+		ret=-ENOMEM;
+		goto ixt_out;
+	}
+	ixt_a->ixt_a_hmac_set_key(ixt_a, sa_p->ips_key_a, akp, sa_p->ips_key_bits_a/8); /* XXX XXX */
+	ret=0;
+	memset(akp, 0, aks);
+	kfree(akp);
+			
+ixt_out:
+	return ret;
+}
+
+
+int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp,
+			  int len, __u8 *hash, int hashlen)
+{
+	struct ipsec_alg_auth *ixt_a=sa_p->ips_alg_auth;
+	if (!ixt_a) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_sa_esp_hash: "
+			    "NULL ipsec_alg_auth object\n");
+		return -EPROTO;
+	}
+	KLIPS_PRINT(debug_tunnel|debug_rcv,
+			"klips_debug:ipsec_sa_esp_hash: "
+			"hashing %p (%d bytes) to %p (%d bytes)\n",
+			espp, len,
+			hash, hashlen);
+	ixt_a->ixt_a_hmac_hash(ixt_a,
+			sa_p->ips_key_a, 
+			espp, len,
+			hash, hashlen);
+	return 0;
+}
+
+/***************************************************************
+ *
+ * 	INTERFACE for module loading,testing, and unloading
+ *
+ ***************************************************************/
+
+/* validation for registering (enc) module */
+static int check_enc(struct ipsec_alg_enc *ixt)
+{
+	int ret=-EINVAL;
+	if (ixt->ixt_common.ixt_blocksize==0) /*  || ixt->ixt_common.ixt_blocksize%2) need for ESP_NULL */
+		barf_out(KERN_ERR "invalid blocksize=%d\n", ixt->ixt_common.ixt_blocksize);
+	if (ixt->ixt_common.ixt_support.ias_keyminbits==0
+	    && ixt->ixt_common.ixt_support.ias_keymaxbits==0
+	    && ixt->ixt_e_keylen==0)
+		goto zero_key_ok;
+	
+	if (ixt->ixt_common.ixt_support.ias_keyminbits==0)
+		barf_out(KERN_ERR "invalid keyminbits=%d\n", ixt->ixt_common.ixt_support.ias_keyminbits);
+	
+	if (ixt->ixt_common.ixt_support.ias_keymaxbits==0)
+		barf_out(KERN_ERR "invalid keymaxbits=%d\n", ixt->ixt_common.ixt_support.ias_keymaxbits);
+	
+	if (ixt->ixt_e_keylen==0)
+		barf_out(KERN_ERR "invalid keysize=%d\n", ixt->ixt_e_keylen);
+	
+zero_key_ok:
+	if (ixt->ixt_e_ctx_size==0 && ixt->ixt_e_new_key == NULL)
+		barf_out(KERN_ERR "invalid key_e_size=%d and ixt_e_new_key=NULL\n", ixt->ixt_e_ctx_size);
+	if (ixt->ixt_e_cbc_encrypt==NULL)
+		barf_out(KERN_ERR "e_cbc_encrypt() must be not NULL\n");
+	ret=0;
+out:
+	return ret;
+}
+
+/* validation for registering (auth) module */
+static int check_auth(struct ipsec_alg_auth *ixt)
+{
+	int ret=-EINVAL;
+	if (ixt->ixt_common.ixt_support.ias_id==0 || ixt->ixt_common.ixt_support.ias_id > SADB_AALG_MAX)
+		barf_out("invalid alg_id=%d > %d (SADB_AALG_MAX)\n",
+			 ixt->ixt_common.ixt_support.ias_id, SADB_AALG_MAX);
+
+	if (ixt->ixt_common.ixt_blocksize==0
+	    || ixt->ixt_common.ixt_blocksize%2)
+		barf_out(KERN_ERR "invalid blocksize=%d\n",
+			 ixt->ixt_common.ixt_blocksize);
+
+	if (ixt->ixt_common.ixt_blocksize>AH_BLKLEN_MAX)
+		barf_out(KERN_ERR "sorry blocksize=%d > %d. "
+			"Please increase AH_BLKLEN_MAX and recompile\n", 
+			ixt->ixt_common.ixt_blocksize,
+			AH_BLKLEN_MAX);
+	if (ixt->ixt_common.ixt_support.ias_keyminbits==0 && ixt->ixt_common.ixt_support.ias_keymaxbits==0 && ixt->ixt_a_keylen==0)
+		goto zero_key_ok;
+	if (ixt->ixt_common.ixt_support.ias_keyminbits==0)
+		barf_out(KERN_ERR "invalid keyminbits=%d\n", ixt->ixt_common.ixt_support.ias_keyminbits);
+	if (ixt->ixt_common.ixt_support.ias_keymaxbits==0)
+		barf_out(KERN_ERR "invalid keymaxbits=%d\n", ixt->ixt_common.ixt_support.ias_keymaxbits);
+	if (ixt->ixt_common.ixt_support.ias_keymaxbits!=ixt->ixt_common.ixt_support.ias_keyminbits)
+		barf_out(KERN_ERR "keymaxbits must equal keyminbits (not sure).\n");
+	if (ixt->ixt_a_keylen==0)
+		barf_out(KERN_ERR "invalid keysize=%d\n", ixt->ixt_a_keylen);
+zero_key_ok:
+	if (ixt->ixt_a_ctx_size==0)
+		barf_out(KERN_ERR "invalid a_ctx_size=%d\n", ixt->ixt_a_ctx_size);
+	if (ixt->ixt_a_hmac_set_key==NULL)
+		barf_out(KERN_ERR "a_hmac_set_key() must be not NULL\n");
+	if (ixt->ixt_a_hmac_hash==NULL)
+		barf_out(KERN_ERR "a_hmac_hash() must be not NULL\n");
+	ret=0;
+out:
+	return ret;
+}
+
+/* 
+ * Generic (enc, auth) registration entry point 
+ */
+int register_ipsec_alg(struct ipsec_alg *ixt)
+{
+	int ret=-EINVAL;
+	/*	Validation 	*/
+	if (ixt==NULL)
+		barf_out("NULL ipsec_alg object passed\n");
+	if ((ixt->ixt_version&0xffffff00) != (IPSEC_ALG_VERSION&0xffffff00))
+		barf_out("incorrect version: %d.%d.%d-%d, "
+			"must be %d.%d.%d[-%d]\n",
+				IPSEC_ALG_VERSION_QUAD(ixt->ixt_version), 
+				IPSEC_ALG_VERSION_QUAD(IPSEC_ALG_VERSION));
+
+	switch(ixt->ixt_alg_type) {
+		case IPSEC_ALG_TYPE_AUTH:
+			if ((ret=check_auth((struct ipsec_alg_auth *)ixt)<0))
+				goto out;
+			break;
+		case IPSEC_ALG_TYPE_ENCRYPT: 
+			if ((ret=check_enc((struct ipsec_alg_enc *)ixt)<0))
+				goto out;
+ 			/* 
+			 * Adapted two lines below: 
+			 * 	ivlen == 0 is possible (NULL enc has blocksize==1)
+			 *
+			 * fixed NULL support by David De Reu <DeReu@tComLabs.com>
+ 			 */
+			if (ixt->ixt_support.ias_ivlen == 0
+			    && ixt->ixt_blocksize > 1) {
+				ixt->ixt_support.ias_ivlen = ixt->ixt_blocksize*8;
+			}
+			break;
+		default:
+			barf_out("alg_type=%d not supported\n", ixt->ixt_alg_type);
+	}
+	INIT_LIST_HEAD(&ixt->ixt_list);
+	ret = ipsec_alg_insert(ixt);
+	if (ret<0) 
+		barf_out(KERN_WARNING "ipsec_alg for alg_id=%d failed."
+				"Not loaded (ret=%d).\n",
+				ixt->ixt_support.ias_id, ret);
+
+
+	ret = pfkey_list_insert_supported((struct ipsec_alg_supported *)&ixt->ixt_support
+					  , &(pfkey_supported_list[SADB_SATYPE_ESP]));
+
+	if (ret==0) {
+		ixt->ixt_state |= IPSEC_ALG_ST_SUPP;
+		/*	send register event to userspace	*/
+		pfkey_register_reply(SADB_SATYPE_ESP, NULL);
+	} else
+		printk(KERN_ERR "pfkey_list_insert_supported returned %d. "
+				"Loading anyway.\n", ret);
+	ret=0;
+out:
+	return ret;
+}
+
+/* 
+ * 	unregister ipsec_alg object from own tables, if 
+ * 	success => calls pfkey_list_remove_supported()
+ */
+int unregister_ipsec_alg(struct ipsec_alg *ixt) {
+	int ret= -EINVAL;
+	switch(ixt->ixt_alg_type) {
+		case IPSEC_ALG_TYPE_AUTH:
+		case IPSEC_ALG_TYPE_ENCRYPT: 
+			break;
+		default:
+			/*	this is not a typo :) */
+			barf_out("frog found in list (\"%s\"): ixt_p=NULL\n", 
+				ixt->ixt_name);
+	}
+
+	ret=ipsec_alg_delete(ixt);
+	if (ixt->ixt_state&IPSEC_ALG_ST_SUPP) {
+		ixt->ixt_state &= ~IPSEC_ALG_ST_SUPP;
+		pfkey_list_remove_supported((struct ipsec_alg_supported *)&ixt->ixt_support
+					    , &(pfkey_supported_list[SADB_SATYPE_ESP]));
+
+		/*	send register event to userspace	*/
+		pfkey_register_reply(SADB_SATYPE_ESP, NULL);
+	}
+
+out:
+	return ret;
+}
+
+/*
+ * 	Must be called from user context
+ * 	used at module load type for testing algo implementation
+ */
+static int ipsec_alg_test_encrypt(int enc_alg, int test) {
+	int ret;
+	caddr_t buf = NULL;
+	int iv_size, keysize, key_e_size;
+	struct ipsec_alg_enc *ixt_e;
+	void *tmp_key_e = NULL;
+	#define BUFSZ	1024
+	#define MARGIN	0
+	#define test_enc   (buf+MARGIN)
+	#define test_dec   (test_enc+BUFSZ+MARGIN)
+	#define test_tmp   (test_dec+BUFSZ+MARGIN)
+	#define test_key_e (test_tmp+BUFSZ+MARGIN)
+	#define test_iv    (test_key_e+key_e_size+MARGIN)
+	#define test_key   (test_iv+iv_size+MARGIN)
+	#define test_size  (BUFSZ*3+key_e_size+iv_size+keysize+MARGIN*7)
+	ixt_e=(struct ipsec_alg_enc *)ipsec_alg_get(IPSEC_ALG_TYPE_ENCRYPT, enc_alg);
+	if (ixt_e==NULL) {
+		KLIPS_PRINT(1, 
+			    "klips_debug: ipsec_alg_test_encrypt: "
+			    "encalg=%d object not found\n",
+			    enc_alg);
+		ret=-EINVAL;
+		goto out;
+	}
+	iv_size=ixt_e->ixt_common.ixt_support.ias_ivlen / 8;
+	key_e_size=ixt_e->ixt_e_ctx_size;
+	keysize=ixt_e->ixt_e_keylen;
+	KLIPS_PRINT(1, 
+		    "klips_debug: ipsec_alg_test_encrypt: "
+		    "enc_alg=%d blocksize=%d key_e_size=%d keysize=%d\n",
+		    enc_alg, iv_size, key_e_size, keysize);
+	if ((buf=kmalloc (test_size, GFP_KERNEL)) == NULL) {
+		ret= -ENOMEM;
+		goto out;
+	}
+	get_random_bytes(test_key, keysize);
+	get_random_bytes(test_iv, iv_size);
+	if (ixt_e->ixt_e_new_key) {
+		tmp_key_e = ixt_e->ixt_e_new_key(ixt_e, test_key, keysize);
+		ret = tmp_key_e ? 0 : -EINVAL;
+	} else {
+		tmp_key_e = test_key_e;
+		ret = ixt_e->ixt_e_set_key(ixt_e, test_key_e, test_key, keysize);
+	}
+	if (ret < 0)
+		goto out;
+	get_random_bytes(test_enc, BUFSZ);
+	memcpy(test_tmp, test_enc, BUFSZ);
+	ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, tmp_key_e, test_enc, BUFSZ, test_iv, 1);
+	printk(KERN_INFO
+		    "klips_info: ipsec_alg_test_encrypt: "
+		    "cbc_encrypt=1 ret=%d\n", 
+		    	ret);
+	ret=memcmp(test_enc, test_tmp, BUFSZ);
+	printk(KERN_INFO
+		    "klips_info: ipsec_alg_test_encrypt: "
+		    "memcmp(enc, tmp) ret=%d: %s\n", ret,
+			ret!=0? "OK. (encr->DIFFers)" : "FAIL! (encr->SAME)" );
+	memcpy(test_dec, test_enc, BUFSZ);
+	ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, tmp_key_e, test_dec, BUFSZ, test_iv, 0);
+	printk(KERN_INFO
+		    "klips_info: ipsec_alg_test_encrypt: "
+		    "cbc_encrypt=0 ret=%d\n", ret);
+	ret=memcmp(test_dec, test_tmp, BUFSZ);
+	printk(KERN_INFO
+		    "klips_info: ipsec_alg_test_encrypt: "
+		    "memcmp(dec,tmp) ret=%d: %s\n", ret,
+			ret==0? "OK. (encr->decr->SAME)" : "FAIL! (encr->decr->DIFFers)" );
+	{
+		/*	Shamelessly taken from drivers/md sources  O:)  */
+		unsigned long now;
+		int i, count, max=0;
+		int encrypt, speed;
+		for (encrypt=0; encrypt <2;encrypt ++) {
+			for (i = 0; i < 5; i++) {
+				now = jiffies;
+				count = 0;
+				while (jiffies == now) {
+					mb();
+					ixt_e->ixt_e_cbc_encrypt(ixt_e, 
+							tmp_key_e, test_tmp, 
+							BUFSZ, test_iv, encrypt);
+					mb();
+					count++;
+					mb();
+				}
+				if (count > max)
+					max = count;
+			}
+			speed = max * (HZ * BUFSZ / 1024);
+			printk(KERN_INFO
+				    "klips_info: ipsec_alg_test_encrypt: "
+				    "%s %s speed=%d KB/s\n", 
+				    ixt_e->ixt_common.ixt_name,
+				    encrypt? "encrypt": "decrypt", speed);
+		}
+	}
+out:
+	if (tmp_key_e && ixt_e->ixt_e_destroy_key) ixt_e->ixt_e_destroy_key(ixt_e, tmp_key_e);
+	if (buf) kfree(buf);
+	if (ixt_e) ipsec_alg_put((struct ipsec_alg *)ixt_e);
+	return ret;
+	#undef test_enc  
+	#undef test_dec  
+	#undef test_tmp  
+	#undef test_key_e
+	#undef test_iv   
+	#undef test_key  
+	#undef test_size 
+}
+
+/*
+ * 	Must be called from user context
+ * 	used at module load type for testing algo implementation
+ */
+static int ipsec_alg_test_auth(int auth_alg, int test) {
+	int ret;
+	caddr_t buf = NULL;
+	int blocksize, keysize, key_a_size;
+	struct ipsec_alg_auth *ixt_a;
+	#define BUFSZ	1024
+	#define MARGIN	0
+	#define test_auth  (buf+MARGIN)
+	#define test_key_a (test_auth+BUFSZ+MARGIN)
+	#define test_key   (test_key_a+key_a_size+MARGIN)
+	#define test_hash  (test_key+keysize+MARGIN)
+	#define test_size  (BUFSZ+key_a_size+keysize+AHHMAC_HASHLEN+MARGIN*4)
+	ixt_a=(struct ipsec_alg_auth *)ipsec_alg_get(IPSEC_ALG_TYPE_AUTH, auth_alg);
+	if (ixt_a==NULL) {
+		KLIPS_PRINT(1, 
+			    "klips_debug: ipsec_alg_test_auth: "
+			    "encalg=%d object not found\n",
+			    auth_alg);
+		ret=-EINVAL;
+		goto out;
+	}
+	blocksize=ixt_a->ixt_common.ixt_blocksize;
+	key_a_size=ixt_a->ixt_a_ctx_size;
+	keysize=ixt_a->ixt_a_keylen;
+	KLIPS_PRINT(1, 
+		    "klips_debug: ipsec_alg_test_auth: "
+		    "auth_alg=%d blocksize=%d key_a_size=%d keysize=%d\n",
+		    auth_alg, blocksize, key_a_size, keysize);
+	if ((buf=kmalloc (test_size, GFP_KERNEL)) == NULL) {
+		ret= -ENOMEM;
+		goto out;
+	}
+	get_random_bytes(test_key, keysize);
+	ret = ixt_a->ixt_a_hmac_set_key(ixt_a, test_key_a, test_key, keysize);
+	if (ret < 0 )
+		goto out;
+	get_random_bytes(test_auth, BUFSZ);
+	ret=ixt_a->ixt_a_hmac_hash(ixt_a, test_key_a, test_auth, BUFSZ, test_hash, AHHMAC_HASHLEN);
+	printk(KERN_INFO
+		    "klips_info: ipsec_alg_test_auth: "
+		    "ret=%d\n", ret);
+	{
+		/*	Shamelessly taken from drivers/md sources  O:)  */
+		unsigned long now;
+		int i, count, max=0;
+		int speed;
+		for (i = 0; i < 5; i++) {
+			now = jiffies;
+			count = 0;
+			while (jiffies == now) {
+				mb();
+				ixt_a->ixt_a_hmac_hash(ixt_a, test_key_a, test_auth, BUFSZ, test_hash, AHHMAC_HASHLEN);
+				mb();
+				count++;
+				mb();
+			}
+			if (count > max)
+				max = count;
+		}
+		speed = max * (HZ * BUFSZ / 1024);
+		printk(KERN_INFO
+				"klips_info: ipsec_alg_test_auth: "
+				"%s hash speed=%d KB/s\n", 
+				ixt_a->ixt_common.ixt_name,
+				speed);
+	}
+out:
+	if (buf) kfree(buf);
+	if (ixt_a) ipsec_alg_put((struct ipsec_alg *)ixt_a);
+	return ret;
+	#undef test_auth 
+	#undef test_key_a
+	#undef test_key  
+	#undef test_hash 
+	#undef test_size 
+}
+
+int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int test) {
+	switch(alg_type) {
+		case IPSEC_ALG_TYPE_ENCRYPT:
+			return ipsec_alg_test_encrypt(alg_id, test);
+			break;
+		case IPSEC_ALG_TYPE_AUTH:
+			return ipsec_alg_test_auth(alg_id, test);
+			break;
+	}
+	printk(KERN_ERR "klips_info: ipsec_alg_test() called incorrectly: "
+			"alg_type=%d alg_id=%d\n",
+			alg_type, alg_id);
+	return -EINVAL;
+}
+
+int ipsec_alg_init(void) {
+	KLIPS_PRINT(1, "klips_info:ipsec_alg_init: "
+			"KLIPS alg v=%d.%d.%d-%d (EALG_MAX=%d, AALG_MAX=%d)\n",
+			IPSEC_ALG_VERSION_QUAD(IPSEC_ALG_VERSION),
+			SADB_EALG_MAX, SADB_AALG_MAX);
+	/*	Initialize tables */
+	write_lock_bh(&ipsec_alg_lock);
+	ipsec_alg_hash_init();
+	write_unlock_bh(&ipsec_alg_lock);
+
+	/*	Initialize static algos 	*/
+	KLIPS_PRINT(1, "klips_info:ipsec_alg_init: "
+		"calling ipsec_alg_static_init()\n");
+
+	/* If we are suppose to use our AES, and don't have
+	 * CryptoAPI enabled...
+	 */
+#if defined(CONFIG_KLIPS_ENC_AES) && CONFIG_KLIPS_ENC_AES && !defined(CONFIG_KLIPS_ENC_AES_MODULE) 
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI
+#warning "Using built-in AES rather than CryptoAPI AES"
+#endif	
+	{
+		extern int ipsec_aes_init(void);
+		ipsec_aes_init();
+	}
+#endif
+
+#if defined(CONFIG_KLIPS_ENC_3DES) && CONFIG_KLIPS_ENC_3DES && !defined(CONFIG_KLIPS_ENC_3DES_MODULE) 
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI
+#warning "Using built-in 3des rather than CryptoAPI 3des"
+#endif	
+	{
+		extern int ipsec_3des_init(void);
+		ipsec_3des_init();
+	}
+#endif
+#if defined(CONFIG_KLIPS_ENC_NULL) && CONFIG_KLIPS_ENC_NULL && !defined(CONFIG_KLIPS_ENC_NULL_MODULE) 
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI
+#warning "Using built-in null cipher rather than CryptoAPI null cipher"
+#endif	
+#warning "Building with null cipher (ESP_NULL), blame on you :-)"
+	{
+		extern int ipsec_null_init(void);
+		ipsec_null_init();
+	}
+#endif
+
+
+	/* If we are doing CryptoAPI, then init */
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI && !defined(CONFIG_KLIPS_ENC_CRYPTOAPI_MODULE)
+	{
+                extern int ipsec_cryptoapi_init(void);
+                ipsec_cryptoapi_init();
+        }
+#endif
+
+
+	return 0;
+}
+
+/**********************************************
+ *
+ * 	INTERFACE for ipsec_sa init and wipe
+ *
+ **********************************************/
+
+/*	
+ *	Called from pluto -> pfkey_v2_parser.c:pfkey_ipsec_sa_init()	
+ */
+int ipsec_alg_sa_init(struct ipsec_sa *sa_p) {
+	struct ipsec_alg_enc *ixt_e;
+	struct ipsec_alg_auth *ixt_a;
+
+	/*	Only ESP for now ... */
+	if (sa_p->ips_said.proto != IPPROTO_ESP)
+		return -EPROTONOSUPPORT;
+
+	KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_init() :"
+			"entering for encalg=%d, authalg=%d\n",
+			    sa_p->ips_encalg, sa_p->ips_authalg);
+
+	if ((ixt_e=(struct ipsec_alg_enc *)
+		ipsec_alg_get(IPSEC_ALG_TYPE_ENCRYPT, sa_p->ips_encalg))) {
+		KLIPS_PRINT(debug_pfkey,
+		    "klips_debug: ipsec_alg_sa_init() :"
+		    "found ipsec_alg (ixt_e=%p) for encalg=%d\n",
+		    ixt_e, sa_p->ips_encalg);
+		sa_p->ips_alg_enc=ixt_e;
+	}
+
+	if ((ixt_a=(struct ipsec_alg_auth *)
+		ipsec_alg_get(IPSEC_ALG_TYPE_AUTH, sa_p->ips_authalg))) {
+		KLIPS_PRINT(debug_pfkey,
+		    "klips_debug: ipsec_alg_sa_init() :"
+		    "found ipsec_alg (ixt_a=%p) for auth=%d\n",
+		    ixt_a, sa_p->ips_authalg);
+		sa_p->ips_alg_auth=ixt_a;
+	}
+	return 0;
+}
+
+/*	
+ *	Called from pluto -> ipsec_sa.c:ipsec_sa_delchain()
+ */
+int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p) {
+	struct ipsec_alg *ixt;
+	if ((ixt=(struct ipsec_alg *)sa_p->ips_alg_enc)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_wipe() :"
+				"unlinking for encalg=%d\n",
+				ixt->ixt_support.ias_id);
+		ipsec_alg_put(ixt);
+	}
+	if ((ixt=(struct ipsec_alg *)sa_p->ips_alg_auth)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_wipe() :"
+				"unlinking for authalg=%d\n",
+				ixt->ixt_support.ias_id);
+		ipsec_alg_put(ixt);
+	}
+	return 0;
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_xform_get_info(char *buffer,
+		     char **start,
+		     off_t offset,
+		     int length     IPSEC_PROC_LAST_ARG)
+{
+	int len = 0;
+	off_t begin = 0;
+	int i;
+	struct list_head *head;
+	struct ipsec_alg *ixt;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_tncfg_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	for(i = 0, head = ipsec_alg_hash_table;
+	    i<IPSEC_ALG_HASHSZ;
+	    i++, head++)
+	{
+		struct list_head *p;
+		for (p=head->next; p!=head; p=p->next)
+		{
+			ixt = list_entry(p, struct ipsec_alg, ixt_list);
+			len += ipsec_snprintf(buffer+len, length-len,
+					      "VERSION=%d TYPE=%d ID=%d NAME=%s REFCNT=%d ",
+					      ixt->ixt_version, ixt->ixt_alg_type, ixt->ixt_support.ias_id,
+					      ixt->ixt_name, ixt->ixt_refcnt);
+
+			len += ipsec_snprintf(buffer+len, length-len,
+					      "STATE=%08x BLOCKSIZE=%d IVLEN=%d KEYMINBITS=%d KEYMAXBITS=%d ",
+					      ixt->ixt_state, ixt->ixt_blocksize,
+					      ixt->ixt_support.ias_ivlen, ixt->ixt_support.ias_keyminbits, ixt->ixt_support.ias_keymaxbits);
+
+			len += ipsec_snprintf(buffer+len, length-len,
+					      "IVLEN=%d KEYMINBITS=%d KEYMAXBITS=%d ",
+					      ixt->ixt_support.ias_ivlen, ixt->ixt_support.ias_keyminbits, ixt->ixt_support.ias_keymaxbits);
+
+			switch(ixt->ixt_alg_type)
+			{
+			case IPSEC_ALG_TYPE_AUTH:
+			{
+				struct ipsec_alg_auth *auth = (struct ipsec_alg_auth *)ixt;
+
+				len += ipsec_snprintf(buffer+len, length-len,
+						      "KEYLEN=%d CTXSIZE=%d AUTHLEN=%d ",
+						      auth->ixt_a_keylen, auth->ixt_a_ctx_size,
+						      auth->ixt_a_authlen);
+				break;
+			}
+			case IPSEC_ALG_TYPE_ENCRYPT:
+			{
+				struct ipsec_alg_enc *enc = (struct ipsec_alg_enc *)ixt;
+				len += ipsec_snprintf(buffer+len, length-len,
+						      "KEYLEN=%d CTXSIZE=%d ",
+						      enc->ixt_e_keylen, enc->ixt_e_ctx_size);
+
+				break;
+			}
+			}
+
+			len += ipsec_snprintf(buffer+len, length-len, "\n");
+		}
+	} 
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	len -= (offset - begin);			/* Start slop */
+	if (len > length)
+		len = length;
+	return len;
+}
+
+
+/*
+ * 	As the author of this module, I ONLY ALLOW using it from
+ * 	GPL (or same LICENSE TERMS as kernel source) modules.
+ *
+ * 	In respect to hardware crypto engines this means:
+ * 	* Closed-source device drivers ARE NOT ALLOWED to use 
+ * 	  this interface.
+ * 	* Closed-source VHDL/Verilog firmware running on 
+ * 	  the crypto hardware device IS ALLOWED to use this interface
+ * 	  via a GPL (or same LICENSE TERMS as kernel source) device driver.
+ * 	--Juan Jose Ciarlante 20/03/2002 (thanks RGB for the correct wording)
+ */
+
+/*	
+ *	These symbols can only be used from GPL modules	
+ *	for now, I'm disabling this because it creates false
+ *	symbol problems for old modutils.
+ */
+
+#ifdef CONFIG_MODULES
+#ifndef NET_26
+#if 0
+#ifndef EXPORT_SYMBOL_GPL 
+#undef EXPORT_SYMBOL_GPL
+#define EXPORT_SYMBOL_GPL EXPORT_SYMBOL
+#endif 
+#endif
+EXPORT_SYMBOL(register_ipsec_alg);
+EXPORT_SYMBOL(unregister_ipsec_alg);
+EXPORT_SYMBOL(ipsec_alg_test);
+#endif
+#endif
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_alg_cryptoapi.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,455 @@
+/*
+ * ipsec_alg to linux cryptoapi GLUE
+ *
+ * Authors: CODE.ar TEAM
+ * 	Harpo MAxx <harpo@linuxmendoza.org.ar>
+ * 	JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 	Luciano Ruete <docemeses@softhome.net>
+ * 
+ * ipsec_alg_cryptoapi.c,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * Example usage:
+ *   modinfo -p ipsec_cryptoapi   (quite useful info, including supported algos)
+ *   modprobe ipsec_cryptoapi
+ *   modprobe ipsec_cryptoapi test=1
+ *   modprobe ipsec_cryptoapi excl=1                     (exclusive cipher/algo)
+ *   modprobe ipsec_cryptoapi noauto=1  aes=1 twofish=1  (only these ciphers)
+ *   modprobe ipsec_cryptoapi aes=128,128                (force these keylens)
+ *   modprobe ipsec_cryptoapi des_ede3=0                 (everything but 3DES)
+ */
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+/*	
+ *	special case: ipsec core modular with this static algo inside:
+ *	must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_CRYPTOAPI)
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/string.h>
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* warn the innocent */
+#if !defined (CONFIG_CRYPTO) && !defined (CONFIG_CRYPTO_MODULE)
+#warning "No linux CryptoAPI found, install 2.4.22+ or 2.6.x"
+#define NO_CRYPTOAPI_SUPPORT
+#endif
+
+#include "openswan.h"
+#include "openswan/ipsec_alg.h"
+#include "openswan/ipsec_policy.h"
+
+#include <linux/crypto.h>
+#ifdef CRYPTO_API_VERSION_CODE
+#warning "Old CryptoAPI is not supported. Only linux-2.4.22+ or linux-2.6.x are supported"
+#define NO_CRYPTOAPI_SUPPORT
+#endif
+
+#ifdef NO_CRYPTOAPI_SUPPORT
+#warning "Building an unusable module :P"
+/* Catch old CryptoAPI by not allowing module to load */
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_cryptoapi_init )
+{
+	printk(KERN_WARNING "ipsec_cryptoapi.o was not built on stock Linux CryptoAPI (2.4.22+ or 2.6.x), not loading.\n");
+	return -EINVAL;
+}
+#else
+#include <asm/scatterlist.h>
+#include <asm/pgtable.h>
+#include <linux/mm.h>
+
+#define CIPHERNAME_AES		"aes"
+#define CIPHERNAME_1DES		"des"
+#define CIPHERNAME_3DES		"des3_ede"
+#define CIPHERNAME_BLOWFISH	"blowfish"
+#define CIPHERNAME_CAST		"cast5"
+#define CIPHERNAME_SERPENT	"serpent"
+#define CIPHERNAME_TWOFISH	"twofish"
+
+#define ESP_SERPENT		252	/* from ipsec drafts */
+#define ESP_TWOFISH		253	/* from ipsec drafts */
+
+#define DIGESTNAME_MD5		"md5"
+#define DIGESTNAME_SHA1		"sha1"
+
+MODULE_AUTHOR("Juanjo Ciarlante, Harpo MAxx, Luciano Ruete");
+static int debug_crypto=0;
+static int test_crypto=0;
+static int excl_crypto=0;
+
+static int noauto = 0;
+
+#ifdef module_param
+module_param(debug_crypto,int,0600)
+module_param(test_crypto,int,0600)
+module_param(excl_crypto,int,0600)
+
+module_param(noauto,int,0600)
+#else
+MODULE_PARM(debug_crypto, "i");
+MODULE_PARM(test_crypto, "i");
+MODULE_PARM(excl_crypto, "i");
+
+MODULE_PARM(noauto,"i");
+#endif
+MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
+
+#ifdef CONFIG_KLIPS_ENC_1DES
+static int des_ede1[] = {-1, -1};
+#endif
+static int des_ede3[] = {-1, -1};
+static int aes[] = {-1, -1};
+static int blowfish[] = {-1, -1};
+static int cast[] = {-1, -1};
+static int serpent[] = {-1, -1};
+static int twofish[] = {-1, -1};
+
+#ifdef CONFIG_KLIPS_ENC_1DES
+#ifdef module_param
+module_param_array(des_ede1,int,NULL,0)
+#else
+MODULE_PARM(des_ede1,"1-2i");
+#endif
+#endif
+#ifdef module_param
+module_param_array(des_ede3,int,NULL,0)
+module_param_array(aes,int,NULL,0)
+module_param_array(blowfish,int,NULL,0)
+module_param_array(cast,int,NULL,0)
+module_param_array(serpent,int,NULL,0)
+module_param_array(twofish,int,NULL,0)
+#else
+MODULE_PARM(des_ede3,"1-2i");
+MODULE_PARM(aes,"1-2i");
+MODULE_PARM(blowfish,"1-2i");
+MODULE_PARM(cast,"1-2i");
+MODULE_PARM(serpent,"1-2i");
+MODULE_PARM(twofish,"1-2i");
+#endif
+MODULE_PARM_DESC(des_ede1, "0: disable | 1: force_enable | min,max: dontuse");
+MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse");
+MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(cast, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(serpent, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(twofish, "0: disable | 1: force_enable | min,max: keybitlens");
+
+struct ipsec_alg_capi_cipher {
+	const char *ciphername;	/* cryptoapi's ciphername */
+	unsigned blocksize;
+	unsigned short minbits;
+	unsigned short maxbits;
+	int *parm;		/* lkm param for this cipher */
+	struct ipsec_alg_enc alg;	/* note it's not a pointer */
+};
+
+static struct ipsec_alg_capi_cipher alg_capi_carray[] = {
+  { CIPHERNAME_AES,     16, 128, 256, aes,      { ixt_common:{ ixt_support:{ ias_id: ESP_AES}}}},
+  { CIPHERNAME_TWOFISH, 16, 128, 256, twofish,  { ixt_common:{ ixt_support:{ ias_id: ESP_TWOFISH,}}}},
+  { CIPHERNAME_SERPENT, 16, 128, 256, serpent,  { ixt_common:{ ixt_support:{ ias_id: ESP_SERPENT,}}}},
+  { CIPHERNAME_CAST,     8, 128, 128, cast   ,  { ixt_common:{ ixt_support:{ ias_id: ESP_CAST,}}}},
+  { CIPHERNAME_BLOWFISH, 8,  96, 448, blowfish, { ixt_common:{ ixt_support:{ ias_id: ESP_BLOWFISH,}}}},
+  { CIPHERNAME_3DES,     8, 192, 192, des_ede3, { ixt_common:{ ixt_support:{ ias_id: ESP_3DES,}}}},
+#ifdef CONFIG_KLIPS_ENC_1DES
+  { CIPHERNAME_1DES,     8,  64,  64, des_ede1, { ixt_common:{ ixt_support:{ ias_id: ESP_DES,}}}},
+#endif
+  { NULL, 0, 0, 0, NULL, {} }
+};
+
+#ifdef NOT_YET
+struct ipsec_alg_capi_digest {
+	const char *digestname;	/* cryptoapi's digestname */
+	struct digest_implementation *di;
+	struct ipsec_alg_auth alg;	/* note it's not a pointer */
+};
+static struct ipsec_alg_capi_cipher alg_capi_darray[] = {
+	{ DIGESTNAME_MD5,     NULL, { ixt_alg_id: AH_MD5, }},
+	{ DIGESTNAME_SHA1,    NULL, { ixt_alg_id: AH_SHA, }},
+	{ NULL, NULL, {} }
+};
+#endif
+/*
+ * 	"generic" linux cryptoapi setup_cipher() function
+ */
+int setup_cipher(const char *ciphername)
+{
+	return crypto_alg_available(ciphername, 0);
+}
+
+/*
+ * 	setups ipsec_alg_capi_cipher "hyper" struct components, calling
+ * 	register_ipsec_alg for cointaned ipsec_alg object
+ */
+static void _capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e);
+static __u8 * _capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen);
+static int _capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt);
+
+static int
+setup_ipsec_alg_capi_cipher(struct ipsec_alg_capi_cipher *cptr)
+{
+	int ret;
+	cptr->alg.ixt_common.ixt_version = IPSEC_ALG_VERSION;
+	cptr->alg.ixt_common.ixt_module  = THIS_MODULE;
+	atomic_set (& cptr->alg.ixt_common.ixt_refcnt, 0);
+	strncpy (cptr->alg.ixt_common.ixt_name , cptr->ciphername, sizeof (cptr->alg.ixt_common.ixt_name));
+
+	cptr->alg.ixt_common.ixt_blocksize=cptr->blocksize;
+	cptr->alg.ixt_common.ixt_support.ias_keyminbits=cptr->minbits;
+	cptr->alg.ixt_common.ixt_support.ias_keymaxbits=cptr->maxbits;
+	cptr->alg.ixt_common.ixt_state = 0;
+	if (excl_crypto) cptr->alg.ixt_common.ixt_state |= IPSEC_ALG_ST_EXCL;
+	cptr->alg.ixt_e_keylen=cptr->alg.ixt_common.ixt_support.ias_keymaxbits/8;
+	cptr->alg.ixt_e_ctx_size = 0;
+	cptr->alg.ixt_common.ixt_support.ias_exttype = IPSEC_ALG_TYPE_ENCRYPT;
+	cptr->alg.ixt_e_new_key = _capi_new_key;
+	cptr->alg.ixt_e_destroy_key = _capi_destroy_key;
+	cptr->alg.ixt_e_cbc_encrypt = _capi_cbc_encrypt;
+	cptr->alg.ixt_common.ixt_data = cptr;
+
+	ret=register_ipsec_alg_enc(&cptr->alg);
+	printk(KERN_INFO "KLIPS cryptoapi interface: " 
+			"alg_type=%d alg_id=%d name=%s "
+			"keyminbits=%d keymaxbits=%d, %s(%d)\n", 
+				cptr->alg.ixt_common.ixt_support.ias_exttype, 
+				cptr->alg.ixt_common.ixt_support.ias_id, 
+				cptr->alg.ixt_common.ixt_name, 
+				cptr->alg.ixt_common.ixt_support.ias_keyminbits,
+				cptr->alg.ixt_common.ixt_support.ias_keymaxbits,
+	       ret ? "not found" : "found", ret);
+	return ret;
+}
+/*
+ * 	called in ipsec_sa_wipe() time, will destroy key contexts
+ * 	and do 1 unbind()
+ */
+static void 
+_capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e)
+{
+	struct crypto_tfm *tfm=(struct crypto_tfm*)key_e;
+	
+	if (debug_crypto > 0)
+		printk(KERN_DEBUG "klips_debug: _capi_destroy_key:"
+				"name=%s key_e=%p \n",
+				alg->ixt_common.ixt_name, key_e);
+	if (!key_e) {
+		printk(KERN_ERR "klips_debug: _capi_destroy_key:"
+				"name=%s NULL key_e!\n",
+				alg->ixt_common.ixt_name);
+		return;
+	}
+	crypto_free_tfm(tfm);
+}
+	
+/*
+ * 	create new key context, need alg->ixt_data to know which
+ * 	(of many) cipher inside this module is the target
+ */
+static __u8 *
+_capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen)
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	struct crypto_tfm *tfm=NULL;
+
+	cptr = alg->ixt_common.ixt_data;
+	if (!cptr) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"NULL ixt_data (?!) for \"%s\" algo\n" 
+				, alg->ixt_common.ixt_name);
+		goto err;
+	}
+	if (debug_crypto > 0)
+		printk(KERN_DEBUG "klips_debug:_capi_new_key:"
+				"name=%s cptr=%p key=%p keysize=%d\n",
+				alg->ixt_common.ixt_name, cptr, key, keylen);
+	
+	/*	
+	 *	alloc tfm
+	 */
+	tfm = crypto_alloc_tfm(cptr->ciphername, CRYPTO_TFM_MODE_CBC);
+	if (!tfm) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"NULL tfm for \"%s\" cryptoapi (\"%s\") algo\n" 
+			, alg->ixt_common.ixt_name, cptr->ciphername);
+		goto err;
+	}
+	if (crypto_cipher_setkey(tfm, key, keylen) < 0) {
+		printk(KERN_ERR "_capi_new_key(): "
+				"failed new_key() for \"%s\" cryptoapi algo (keylen=%d)\n" 
+			, alg->ixt_common.ixt_name, keylen);
+		crypto_free_tfm(tfm);
+		tfm=NULL;
+	}
+err:
+	if (debug_crypto > 0)
+		printk(KERN_DEBUG "klips_debug:_capi_new_key:"
+				"name=%s key=%p keylen=%d tfm=%p\n",
+				alg->ixt_common.ixt_name, key, keylen, tfm);
+	return (__u8 *) tfm;
+}
+/*
+ * 	core encryption function: will use cx->ci to call actual cipher's
+ * 	cbc function
+ */
+static int 
+_capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
+	int error =0;
+	struct crypto_tfm *tfm=(struct crypto_tfm *)key_e;
+	struct scatterlist sg = { 
+		.page = virt_to_page(in),
+		.offset = (unsigned long)(in) % PAGE_SIZE,
+		.length=ilen,
+	};
+	if (debug_crypto > 1)
+		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+				"key_e=%p "
+				"in=%p out=%p ilen=%d iv=%p encrypt=%d\n"
+				, key_e
+				, in, in, ilen, iv, encrypt);
+	crypto_cipher_set_iv(tfm, iv, crypto_tfm_alg_ivsize(tfm));
+	if (encrypt)
+		error = crypto_cipher_encrypt (tfm, &sg, &sg, ilen);
+	else
+		error = crypto_cipher_decrypt (tfm, &sg, &sg, ilen);
+	if (debug_crypto > 1)
+		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+				"error=%d\n"
+				, error);
+	return (error<0)? error : ilen;
+}
+/*
+ * 	main initialization loop: for each cipher in list, do
+ * 	1) setup cryptoapi cipher else continue
+ * 	2) register ipsec_alg object
+ */
+static int
+setup_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		/* 
+		 * see if cipher has been disabled (0) or
+		 * if noauto set and not enabled (1)
+		 */
+		if (cptr->parm[0] == 0 || (noauto && cptr->parm[0] < 0)) {
+			if (debug_crypto>0)
+				printk(KERN_INFO "setup_cipher_list(): "
+					"ciphername=%s skipped at user request: "
+					"noauto=%d parm[0]=%d parm[1]=%d\n"
+					, cptr->ciphername
+					, noauto
+					, cptr->parm[0]
+					, cptr->parm[1]);
+			continue;
+		}
+		/* 
+		 * 	use a local ci to avoid touching cptr->ci,
+		 * 	if register ipsec_alg success then bind cipher
+		 */
+		if(cptr->alg.ixt_common.ixt_support.ias_name == NULL) {
+		  cptr->alg.ixt_common.ixt_support.ias_name = cptr->ciphername;
+		}
+
+		if( setup_cipher(cptr->ciphername) ) {
+			if (debug_crypto > 0)
+				printk(KERN_DEBUG "klips_debug:"
+						"setup_cipher_list():"
+						"ciphername=%s found\n"
+				, cptr->ciphername);
+
+			if (setup_ipsec_alg_capi_cipher(cptr) != 0) {
+				printk(KERN_ERR "klips_debug:"
+				       "setup_cipher_list():"
+				       "ciphername=%s failed ipsec_alg_register\n"
+				       , cptr->ciphername);
+			}
+		} else {
+			printk(KERN_INFO "KLIPS: lookup for ciphername=%s: not found \n",
+			       cptr->ciphername);
+		}
+	}
+	return 0;
+}
+/*
+ * 	deregister ipsec_alg objects and unbind ciphers
+ */
+static int
+unsetup_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		if (cptr->alg.ixt_common.ixt_state & IPSEC_ALG_ST_REGISTERED) {
+			unregister_ipsec_alg_enc(&cptr->alg);
+		}
+	}
+	return 0;
+}
+/*
+ * 	test loop for registered algos
+ */
+static int
+test_cipher_list (struct ipsec_alg_capi_cipher* clist) 
+{
+	int test_ret;
+	struct ipsec_alg_capi_cipher *cptr;
+	/* foreach cipher in list ... */
+	for (cptr=clist;cptr->ciphername;cptr++) {
+		if (cptr->alg.ixt_common.ixt_state & IPSEC_ALG_ST_REGISTERED) {
+			test_ret=ipsec_alg_test(
+					cptr->alg.ixt_common.ixt_support.ias_exttype,
+					cptr->alg.ixt_common.ixt_support.ias_id, 
+					test_crypto);
+			printk("test_cipher_list(alg_type=%d alg_id=%d): test_ret=%d\n", 
+			       cptr->alg.ixt_common.ixt_support.ias_exttype, 
+			       cptr->alg.ixt_common.ixt_support.ias_id,
+			       test_ret);
+		}
+	}
+	return 0;
+}
+
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_cryptoapi_init )
+{
+	int ret, test_ret;
+	if ((ret=setup_cipher_list(alg_capi_carray)) < 0)
+		return  -EPROTONOSUPPORT;
+	if (ret==0 && test_crypto) {
+		test_ret=test_cipher_list(alg_capi_carray);
+	}
+	return ret;
+}
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_cryptoapi_fini )
+{
+	unsetup_cipher_list(alg_capi_carray);
+	return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+#endif /* NO_CRYPTOAPI_SUPPORT */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_esp.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,607 @@
+/*
+ * processing code for ESP
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.13.2.6 2006/10/06 21:39:26 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>	/* struct device, and other headers */
+#include <linux/etherdevice.h>	/* eth_type_trans */
+#include <linux/ip.h>		/* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+#include <net/protocol.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_auth.h"
+
+#ifdef CONFIG_KLIPS_ESP
+#include "openswan/ipsec_esp.h"
+#endif /* CONFIG_KLIPS_ESP */
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+#ifdef CONFIG_KLIPS_DEBUG
+#define ESP_DMP(_x,_y,_z) if(debug_rcv && sysctl_ipsec_debug_verbose) ipsec_dmp_block(_x,_y,_z)
+#else
+#define ESP_DMP(_x,_y,_z)
+#endif
+
+#ifdef CONFIG_KLIPS_ESP
+enum ipsec_rcv_value
+ipsec_rcv_esp_checks(struct ipsec_rcv_state *irs,
+		     struct sk_buff *skb)
+{
+	__u8 proto;
+	int len;	/* packet length */
+
+	len = skb->len;
+	proto = irs->ipp->protocol;
+
+	/* XXX this will need to be 8 for IPv6 */
+	if ((proto == IPPROTO_ESP) && ((len - irs->iphlen) % 4)) {
+		printk("klips_error:ipsec_rcv: "
+		       "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
+		       len - irs->iphlen,
+		       irs->ipsaddr_txt);
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADLEN;
+	}
+
+	if(skb->len < (irs->hard_header_len + sizeof(struct iphdr) + sizeof(struct esphdr))) {
+		KLIPS_PRINT(debug_rcv & DB_RX_INAU,
+			    "klips_debug:ipsec_rcv: "
+			    "runt esp packet of skb->len=%d received from %s, dropped.\n",
+			    skb->len,
+			    irs->ipsaddr_txt);
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADLEN;
+	}
+
+	irs->protostuff.espstuff.espp = (struct esphdr *)skb->h.raw;
+	irs->said.spi = irs->protostuff.espstuff.espp->esp_spi;
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_rcv_value
+ipsec_rcv_esp_decrypt_setup(struct ipsec_rcv_state *irs,
+			    struct sk_buff *skb,
+			    __u32          *replay,
+			    unsigned char **authenticator)
+{
+	struct esphdr *espp = irs->protostuff.espstuff.espp;
+	//unsigned char *idat = (unsigned char *)espp;
+
+	KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv: "
+		    "packet from %s received with seq=%d (iv)=0x%08x%08x iplen=%d esplen=%d sa=%s\n",
+		    irs->ipsaddr_txt,
+		    (__u32)ntohl(espp->esp_rpl),
+		    (__u32)ntohl(*((__u32 *)(espp->esp_iv)    )),
+		    (__u32)ntohl(*((__u32 *)(espp->esp_iv) + 1)),
+		    irs->len,
+		    irs->ilen,
+		    irs->sa_len ? irs->sa : " (error)");
+
+	*replay = ntohl(espp->esp_rpl);
+	*authenticator = &(skb->h.raw[irs->ilen]);
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_rcv_value
+ipsec_rcv_esp_authcalc(struct ipsec_rcv_state *irs,
+		       struct sk_buff *skb)
+{
+	struct auth_alg *aa;
+	struct esphdr *espp = irs->protostuff.espstuff.espp;
+	union {
+		MD5_CTX		md5;
+		SHA1_CTX	sha1;
+	} tctx;
+
+	if (irs->ipsp->ips_alg_auth) {
+		KLIPS_PRINT(debug_rcv,
+				"klips_debug:ipsec_rcv: "
+				"ipsec_alg hashing proto=%d... ",
+				irs->said.proto);
+		if(irs->said.proto == IPPROTO_ESP) {
+			ipsec_alg_sa_esp_hash(irs->ipsp,
+					(caddr_t)espp, irs->ilen,
+					irs->hash, AHHMAC_HASHLEN);
+			return IPSEC_RCV_OK;
+		}
+		return IPSEC_RCV_BADPROTO;
+	}
+	aa = irs->authfuncs;
+
+	/* copy the initialized keying material */
+	memcpy(&tctx, irs->ictx, irs->ictx_len);
+
+#ifdef HASH_DEBUG
+	ESP_DMP("ictx", irs->ictx, irs->ictx_len);
+
+	ESP_DMP("mac_esp", (caddr_t)espp, irs->ilen);
+#endif
+	(*aa->update)((void *)&tctx, (caddr_t)espp, irs->ilen);
+
+	(*aa->final)(irs->hash, (void *)&tctx);
+
+#ifdef HASH_DEBUG
+	ESP_DMP("hash1", irs->hash, aa->hashlen);
+#endif
+
+	memcpy(&tctx, irs->octx, irs->octx_len);
+
+#ifdef HASH_DEBUG
+	ESP_DMP("octx", irs->octx, irs->octx_len);
+#endif
+
+	(*aa->update)((void *)&tctx, irs->hash, aa->hashlen);
+	(*aa->final)(irs->hash, (void *)&tctx);
+
+	return IPSEC_RCV_OK;
+}
+
+
+enum ipsec_rcv_value
+ipsec_rcv_esp_decrypt(struct ipsec_rcv_state *irs)
+{
+	struct ipsec_sa *ipsp = irs->ipsp;
+	struct esphdr *espp = irs->protostuff.espstuff.espp;
+	int i;
+	int pad = 0, padlen;
+	int badpad = 0;
+	int esphlen = 0;
+	__u8 *idat;	/* pointer to content to be decrypted/authenticated */
+	int encaplen = 0;
+	struct sk_buff *skb;
+	struct ipsec_alg_enc *ixt_e=NULL;
+
+	skb=irs->skb;
+
+	idat = skb->h.raw;
+
+	/* encaplen is the distance between the end of the IP
+	 * header and the beginning of the ESP header.
+	 * on ESP headers it is zero, but on UDP-encap ESP
+	 * it includes the space for the UDP header.
+	 *
+	 * Note: UDP-encap code has already moved the
+	 *       skb->data forward to accomodate this.
+	 */
+	encaplen = idat - (skb->nh.raw + irs->iphlen);
+
+	ixt_e=ipsp->ips_alg_enc;
+	esphlen = ESP_HEADER_LEN + ixt_e->ixt_common.ixt_support.ias_ivlen/8;
+	KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv: "
+		    "encalg=%d esphlen=%d\n",
+		    ipsp->ips_encalg, esphlen);
+
+	idat += esphlen;
+	irs->ilen -= esphlen;
+
+	if (ipsec_alg_esp_encrypt(ipsp, 
+				  idat, irs->ilen, espp->esp_iv, 
+				  IPSEC_ALG_DECRYPT) <= 0) {
+#ifdef CONFIG_KLIPS_DEBUG
+		KLIPS_ERROR(debug_rcv, "klips_error:ipsec_rcv: "
+			    "got packet with esplen = %d "
+			    "from %s -- should be on "
+			    "ENC(%d) octet boundary, "
+			    "packet dropped\n",
+			    irs->ilen,
+			    irs->ipsaddr_txt,
+			    ipsp->ips_encalg);
+#endif
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BAD_DECRYPT;
+	} 
+
+	ESP_DMP("postdecrypt", idat, irs->ilen);
+
+	irs->next_header = idat[irs->ilen - 1];
+	padlen = idat[irs->ilen - 2];
+	pad = padlen + 2 + irs->authlen;
+
+	KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
+		    "klips_debug:ipsec_rcv: "
+		    "padlen=%d, contents: 0x<offset>: 0x<value> 0x<value> ...\n",
+		    padlen);
+
+	for (i = 1; i <= padlen; i++) {
+		if((i % 16) == 1) {
+			KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
+				    "klips_debug:           %02x:",
+				    i - 1);
+		}
+		KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
+				" %02x",
+				idat[irs->ilen - 2 - padlen + i - 1]);
+		if(i != idat[irs->ilen - 2 - padlen + i - 1]) {
+			badpad = 1;
+		}
+		if((i % 16) == 0) {
+			KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
+					"\n");
+		}
+	}
+	if((i % 16) != 1) {
+		KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
+						"\n");
+	}
+	if(badpad) {
+		KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
+			    "klips_debug:ipsec_rcv: "
+			    "warning, decrypted packet from %s has bad padding\n",
+			    irs->ipsaddr_txt);
+		KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
+			    "klips_debug:ipsec_rcv: "
+			    "...may be bad decryption -- not dropped\n");
+		ipsp->ips_errs.ips_encpad_errs += 1;
+	}
+
+	KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
+		    "klips_debug:ipsec_rcv: "
+		    "packet decrypted from %s: next_header = %d, padding = %d\n",
+		    irs->ipsaddr_txt,
+		    irs->next_header,
+		    pad - 2 - irs->authlen);
+
+	irs->ipp->tot_len = htons(ntohs(irs->ipp->tot_len) - (esphlen + pad));
+
+	/*
+	 * move the IP header forward by the size of the ESP header, which
+	 * will remove the the ESP header from the packet.
+	 *
+	 * XXX this is really unnecessary, since odds we are in tunnel
+	 *     mode, and we will be *removing* this IP header.
+	 *
+	 */
+	memmove((void *)(idat - irs->iphlen),
+		(void *)(skb->nh.raw), irs->iphlen);
+
+	ESP_DMP("esp postmove", (idat - irs->iphlen),
+		irs->iphlen + irs->ilen);
+
+	/* skb_pull below, will move up by esphlen */
+
+	/* XXX not clear how this can happen, as the message indicates */
+	if(skb->len < esphlen) {
+		printk(KERN_WARNING
+		       "klips_error:ipsec_rcv: "
+		       "tried to skb_pull esphlen=%d, %d available.  This should never happen, please report.\n",
+		       esphlen, (int)(skb->len));
+		return IPSEC_RCV_ESP_DECAPFAIL;
+	}
+	skb_pull(skb, esphlen);
+	skb->nh.raw = idat - irs->iphlen;
+	irs->ipp = skb->nh.iph;
+
+	ESP_DMP("esp postpull", skb->data, skb->len);
+
+	/* now, trip off the padding from the end */
+	KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+		    "klips_debug:ipsec_rcv: "
+		    "trimming to %d.\n",
+		    irs->len - esphlen - pad);
+	if(pad + esphlen <= irs->len) {
+		skb_trim(skb, irs->len - esphlen - pad);
+	} else {
+		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+			    "klips_debug:ipsec_rcv: "
+			    "bogus packet, size is zero or negative, dropping.\n");
+		return IPSEC_RCV_DECAPFAIL;
+	}
+
+	return IPSEC_RCV_OK;
+}
+
+/*
+ *
+ */
+enum ipsec_xmit_value
+ipsec_xmit_esp_setup(struct ipsec_xmit_state *ixs)
+{
+#ifdef CONFIG_KLIPS_ENC_3DES
+  __u32 iv[2];
+#endif
+  struct esphdr *espp;
+  int ilen = 0;
+  int padlen = 0, i;
+  unsigned char *dat;
+  unsigned char *idat, *pad;
+  __u8 hash[AH_AMAX];
+  union {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+    MD5_CTX md5;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+    SHA1_CTX sha1;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+  } tctx;
+
+  dat = (unsigned char *)ixs->iph;
+
+  espp = (struct esphdr *)(dat + ixs->iphlen);
+  espp->esp_spi = ixs->ipsp->ips_said.spi;
+  espp->esp_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
+  
+  switch(ixs->ipsp->ips_encalg) {
+#if defined(CONFIG_KLIPS_ENC_3DES)
+#ifdef CONFIG_KLIPS_ENC_3DES
+  case ESP_3DES:
+#endif /* CONFIG_KLIPS_ENC_3DES */
+    iv[0] = *((__u32*)&(espp->esp_iv)    ) =
+      ((__u32*)(ixs->ipsp->ips_iv))[0];
+    iv[1] = *((__u32*)&(espp->esp_iv) + 1) =
+      ((__u32*)(ixs->ipsp->ips_iv))[1];
+    break;
+#endif /* defined(CONFIG_KLIPS_ENC_3DES) */
+  default:
+    ixs->stats->tx_errors++;
+    return IPSEC_XMIT_ESP_BADALG;
+  }
+		
+  idat = dat + ixs->iphlen + sizeof(struct esphdr);
+  ilen = ixs->skb->len - (ixs->iphlen + sizeof(struct esphdr) + ixs->authlen);
+  
+  /* Self-describing padding */
+  pad = &dat[ixs->skb->len - ixs->tailroom];
+  padlen = ixs->tailroom - 2 - ixs->authlen;
+  for (i = 0; i < padlen; i++) {
+    pad[i] = i + 1; 
+  }
+  dat[ixs->skb->len - ixs->authlen - 2] = padlen;
+  
+  dat[ixs->skb->len - ixs->authlen - 1] = ixs->iph->protocol;
+  ixs->iph->protocol = IPPROTO_ESP;
+  
+  switch(ixs->ipsp->ips_encalg) {
+#ifdef CONFIG_KLIPS_ENC_3DES
+  case ESP_3DES:
+    des_ede3_cbc_encrypt((des_cblock *)idat,
+			 (des_cblock *)idat,
+			 ilen,
+			 ((struct des_eks *)(ixs->ipsp->ips_key_e))[0].ks,
+			 ((struct des_eks *)(ixs->ipsp->ips_key_e))[1].ks,
+			 ((struct des_eks *)(ixs->ipsp->ips_key_e))[2].ks,
+			 (des_cblock *)iv, 1);
+    break;
+#endif /* CONFIG_KLIPS_ENC_3DES */
+  default:
+    ixs->stats->tx_errors++;
+    return IPSEC_XMIT_ESP_BADALG;
+  }
+  
+  switch(ixs->ipsp->ips_encalg) {
+#if defined(CONFIG_KLIPS_ENC_3DES)
+#ifdef CONFIG_KLIPS_ENC_3DES
+  case ESP_3DES:
+#endif /* CONFIG_KLIPS_ENC_3DES */
+    /* XXX update IV with the last 8 octets of the encryption */
+#if KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK
+    ((__u32*)(ixs->ipsp->ips_iv))[0] =
+      ((__u32 *)(idat))[(ilen >> 2) - 2];
+    ((__u32*)(ixs->ipsp->ips_iv))[1] =
+      ((__u32 *)(idat))[(ilen >> 2) - 1];
+#else /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */
+    prng_bytes(&ipsec_prng, (char *)ixs->ipsp->ips_iv, EMT_ESPDES_IV_SZ); 
+#endif /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */
+    break;
+#endif /* defined(CONFIG_KLIPS_ENC_3DES) */
+  default:
+    ixs->stats->tx_errors++;
+    return IPSEC_XMIT_ESP_BADALG;
+  }
+  
+  switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+  case AH_MD5:
+    ipsec_xmit_dmp("espp", (char*)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
+    tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+    ipsec_xmit_dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, (caddr_t)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
+    ipsec_xmit_dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Final(hash, &tctx.md5);
+    ipsec_xmit_dmp("ictx hash", (char*)&hash, sizeof(hash));
+    tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
+    ipsec_xmit_dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Update(&tctx.md5, hash, AHMD596_ALEN);
+    ipsec_xmit_dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
+    osMD5Final(hash, &tctx.md5);
+    ipsec_xmit_dmp("octx hash", (char*)&hash, sizeof(hash));
+    memcpy(&(dat[ixs->skb->len - ixs->authlen]), hash, ixs->authlen);
+    
+    /* paranoid */
+    memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
+    memset((caddr_t)hash, 0, sizeof(*hash));
+    break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+  case AH_SHA:
+    tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+    SHA1Update(&tctx.sha1, (caddr_t)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
+    SHA1Final(hash, &tctx.sha1);
+    tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
+    SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
+    SHA1Final(hash, &tctx.sha1);
+    memcpy(&(dat[ixs->skb->len - ixs->authlen]), hash, ixs->authlen);
+    
+    /* paranoid */
+    memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
+    memset((caddr_t)hash, 0, sizeof(*hash));
+    break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+  case AH_NONE:
+    break;
+  default:
+    ixs->stats->tx_errors++;
+    return IPSEC_XMIT_AH_BADALG;
+  }
+
+  ixs->skb->h.raw = (unsigned char*)espp;
+
+  return IPSEC_XMIT_OK;
+}
+
+
+struct xform_functions esp_xform_funcs[]={
+	{	rcv_checks:         ipsec_rcv_esp_checks,
+		rcv_setup_auth:     ipsec_rcv_esp_decrypt_setup,
+		rcv_calc_auth:      ipsec_rcv_esp_authcalc,
+		rcv_decrypt:        ipsec_rcv_esp_decrypt,
+
+		xmit_setup:         ipsec_xmit_esp_setup,
+		xmit_headroom:      sizeof(struct esphdr),
+		xmit_needtailroom:  1,
+	},
+};
+
+#ifdef NET_26
+struct inet_protocol esp_protocol = {
+  .handler = ipsec_rcv,
+  .no_policy = 1,
+};
+#else
+struct inet_protocol esp_protocol =
+{
+	ipsec_rcv,			/* ESP handler		*/
+	NULL,				/* TUNNEL error control */
+#ifdef NETDEV_25
+	1,				/* no policy */
+#else
+	0,				/* next */
+	IPPROTO_ESP,			/* protocol ID */
+	0,				/* copy */
+	NULL,				/* data */
+	"ESP"				/* name */
+#endif
+};
+#endif /* NET_26 */
+
+#endif /* !CONFIG_KLIPS_ESP */
+
+
+/*
+ * $Log: ipsec_esp.c,v $
+ * Revision 1.13.2.6  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.13.2.5  2006/08/24 03:02:01  paul
+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642)
+ *
+ * Revision 1.13.2.4  2006/05/06 03:07:38  ken
+ * Pull in proper padsize->tailroom fix from #public
+ * Need to do correct math on padlen since padsize is not equal to tailroom
+ *
+ * Revision 1.13.2.3  2006/05/05 03:58:04  ken
+ * ixs->padsize becomes ixs->tailroom
+ *
+ * Revision 1.13.2.2  2006/05/01 14:36:03  mcr
+ * use KLIPS_ERROR for fatal things.
+ *
+ * Revision 1.13.2.1  2006/04/20 16:33:06  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.13  2005/05/21 03:19:57  mcr
+ * 	hash ctx is not really that interesting most of the time.
+ *
+ * Revision 1.12  2005/05/11 01:28:49  mcr
+ * 	removed "poor-man"s OOP in favour of proper C structures.
+ *
+ * Revision 1.11  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.10  2005/04/17 04:36:14  mcr
+ * 	code now deals with ESP and UDP-ESP code.
+ *
+ * Revision 1.9  2005/04/15 19:52:30  mcr
+ * 	adjustments to use proper skb fields for data.
+ *
+ * Revision 1.8  2004/09/14 00:22:57  mcr
+ * 	adjustment of MD5* functions.
+ *
+ * Revision 1.7  2004/09/13 02:23:01  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.6  2004/09/06 18:35:49  mcr
+ * 	2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
+ * 	so adjust for that.
+ *
+ * Revision 1.5  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.4  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.3  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.2  2004/04/06 02:49:25  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_init.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,614 @@
+/*
+ * @(#) Initialization code.
+ * Copyright (C) 1996, 1997   John Ioannidis.
+ * Copyright (C) 1998 - 2002  Richard Guy Briggs <rgb@freeswan.org>
+ *               2001 - 2004  Michael Richardson <mcr@xelerance.com>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * /proc system code was split out into ipsec_proc.c after rev. 1.70.
+ *
+ */
+
+char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.104.2.4 2006/10/06 21:39:26 paul Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/in.h>          /* struct sockaddr_in */
+#include <linux/skbuff.h>
+#include <linux/random.h>       /* get_random_bytes() */
+#include <net/protocol.h>
+
+#include <openswan.h>
+
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* 23_SPINLOCK */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* 23_SPINLOCK */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#ifdef CONFIG_PROC_FS
+# include <linux/proc_fs.h>
+#endif /* CONFIG_PROC_FS */
+
+#ifdef NETLINK_SOCK
+# include <linux/netlink.h>
+#else
+# include <net/netlink.h>
+#endif
+
+#include "openswan/radij.h"
+
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_stats.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+# include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+#include <net/xfrmudp.h>
+#endif
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL) && !defined(HAVE_XFRM4_UDP_REGISTER)
+#warning "You are trying to build KLIPS2.6 with NAT-T support, but you did not"
+#error   "properly apply the NAT-T patch to your 2.6 kernel source tree."
+#endif
+
+#if !defined(CONFIG_KLIPS_ESP) && !defined(CONFIG_KLIPS_AH)
+#error "kernel configuration must include ESP or AH"
+#endif
+
+/*
+ * seems to be present in 2.4.10 (Linus), but also in some RH and other
+ * distro kernels of a lower number.
+ */
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_eroute = 0;
+int debug_spi = 0;
+int debug_netlink = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+struct prng ipsec_prng;
+
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+xfrm4_rcv_encap_t klips_old_encap = NULL;
+#endif
+
+extern int ipsec_device_event(struct notifier_block *dnot, unsigned long event, void *ptr);
+/*
+ * the following structure is required so that we receive
+ * event notifications when network devices are enabled and
+ * disabled (ifconfig up and down).
+ */
+static struct notifier_block ipsec_dev_notifier={
+	ipsec_device_event,
+	NULL,
+	0
+};
+
+#ifdef CONFIG_SYSCTL
+extern int ipsec_sysctl_register(void);
+extern void ipsec_sysctl_unregister(void);
+#endif
+
+#if defined(NET_26) || defined(IPSKB_XFRM_TUNNEL_SIZE)
+static inline int
+openswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol)
+{
+	return inet_add_protocol(prot, protocol);
+}
+
+static inline int
+openswan_inet_del_protocol(struct inet_protocol *prot, unsigned protocol)
+{
+	return inet_del_protocol(prot, protocol);
+}
+
+#else
+static inline int
+openswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol)
+{
+	inet_add_protocol(prot);
+	return 0;
+}
+
+static inline int
+openswan_inet_del_protocol(struct inet_protocol *prot, unsigned protocol)
+{
+	inet_del_protocol(prot);
+	return 0;
+}
+
+#endif
+
+/* void */
+int
+ipsec_klips_init(void)
+{
+	int error = 0;
+	unsigned char seed[256];
+#ifdef CONFIG_KLIPS_ENC_3DES
+	extern int des_check_key;
+
+	/* turn off checking of keys */
+	des_check_key=0;
+#endif /* CONFIG_KLIPS_ENC_3DES */
+
+	KLIPS_PRINT(1, "klips_info:ipsec_init: "
+		    "KLIPS startup, Openswan KLIPS IPsec stack version: %s\n",
+		    ipsec_version_code());
+
+	error |= ipsec_proc_init();
+
+#ifdef SPINLOCK
+	ipsec_sadb.sadb_lock = SPIN_LOCK_UNLOCKED;
+#else /* SPINLOCK */
+	ipsec_sadb.sadb_lock = 0;
+#endif /* SPINLOCK */
+
+#ifndef SPINLOCK
+	tdb_lock.lock = 0;
+	eroute_lock.lock = 0;
+#endif /* !SPINLOCK */
+
+	error |= ipsec_sadb_init();
+	error |= ipsec_radijinit();
+
+	error |= pfkey_init();
+
+	error |= register_netdevice_notifier(&ipsec_dev_notifier);
+
+#ifdef CONFIG_KLIPS_ESP
+	openswan_inet_add_protocol(&esp_protocol, IPPROTO_ESP);
+#endif /* CONFIG_KLIPS_ESP */
+
+#ifdef CONFIG_KLIPS_AH
+	openswan_inet_add_protocol(&ah_protocol, IPPROTO_AH);
+#endif /* CONFIG_KLIPS_AH */
+
+/* we never actually link IPCOMP to the stack */
+#ifdef IPCOMP_USED_ALONE
+#ifdef CONFIG_KLIPS_IPCOMP
+ 	openswan_inet_add_protocol(&comp_protocol, IPPROTO_COMP);
+#endif /* CONFIG_KLIPS_IPCOMP */
+#endif
+
+	error |= ipsec_tunnel_init_devices();
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+	/* register our ESP-UDP handler */
+	if(udp4_register_esp_rcvencap(klips26_rcv_encap
+				      , &klips_old_encap)!=0) {
+	   printk(KERN_ERR "KLIPS: can not register klips_rcv_encap function\n");
+	}
+#endif	
+
+
+#ifdef CONFIG_SYSCTL
+        error |= ipsec_sysctl_register();
+#endif                                                                          
+
+	ipsec_alg_init();
+
+	get_random_bytes((void *)seed, sizeof(seed));
+	prng_init(&ipsec_prng, seed, sizeof(seed));
+
+	return error;
+}	
+
+
+/* void */
+int
+ipsec_cleanup(void)
+{
+	int error = 0;
+
+#ifdef CONFIG_SYSCTL
+        ipsec_sysctl_unregister();
+#endif                                                                          
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+	if(udp4_unregister_esp_rcvencap(klips_old_encap) < 0) {
+		printk(KERN_ERR "KLIPS: can not unregister klips_rcv_encap function\n");
+	}
+#endif
+
+	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_tunnel_cleanup_devices.\n");
+	error |= ipsec_tunnel_cleanup_devices();
+
+	KLIPS_PRINT(debug_netlink, "called ipsec_tunnel_cleanup_devices");
+
+/* we never actually link IPCOMP to the stack */
+#ifdef IPCOMP_USED_ALONE
+#ifdef CONFIG_KLIPS_IPCOMP
+ 	if (openswan_inet_del_protocol(&comp_protocol, IPPROTO_COMP) < 0)
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "comp close: can't remove protocol\n");
+#endif /* CONFIG_KLIPS_IPCOMP */
+#endif /* IPCOMP_USED_ALONE */
+
+#ifdef CONFIG_KLIPS_AH
+ 	if (openswan_inet_del_protocol(&ah_protocol, IPPROTO_AH) < 0)
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "ah close: can't remove protocol\n");
+#endif /* CONFIG_KLIPS_AH */
+
+#ifdef CONFIG_KLIPS_ESP
+ 	if (openswan_inet_del_protocol(&esp_protocol, IPPROTO_ESP) < 0)
+		printk(KERN_INFO "klips_debug:ipsec_cleanup: "
+		       "esp close: can't remove protocol\n");
+#endif /* CONFIG_KLIPS_ESP */
+
+	error |= unregister_netdevice_notifier(&ipsec_dev_notifier);
+
+	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_sadb_cleanup.\n");
+	error |= ipsec_sadb_cleanup(0);
+	error |= ipsec_sadb_free();
+
+	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
+		    "klips_debug:ipsec_cleanup: "
+		    "calling ipsec_radijcleanup.\n");
+	error |= ipsec_radijcleanup();
+	
+	KLIPS_PRINT(debug_pfkey, /* debug_tunnel & DB_TN_INIT, */
+		    "klips_debug:ipsec_cleanup: "
+		    "calling pfkey_cleanup.\n");
+	error |= pfkey_cleanup();
+
+	ipsec_proc_cleanup();
+
+	prng_final(&ipsec_prng);
+
+	return error;
+}
+
+#ifdef MODULE
+int
+init_module(void)
+{
+	int error = 0;
+
+	error |= ipsec_klips_init();
+
+	return error;
+}
+
+void
+cleanup_module(void)
+{
+	KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
+		    "klips_debug:cleanup_module: "
+		    "calling ipsec_cleanup.\n");
+
+	ipsec_cleanup();
+
+	KLIPS_PRINT(1, "klips_info:cleanup_module: "
+		    "ipsec module unloaded.\n");
+}
+#endif /* MODULE */
+
+/*
+ * $Log: ipsec_init.c,v $
+ * Revision 1.104.2.4  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.104.2.3  2006/07/31 15:25:20  paul
+ * Check for NETKEY backport in Debian using IPSKB_XFRM_TUNNEL_SIZE to
+ * determine wether inet_add_protocol needs the protocol argument.
+ *
+ * Revision 1.104.2.2  2006/04/20 16:33:06  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.104.2.1  2005/08/12 01:18:20  ken
+ * Warn people who don't have NAT-T patch applied, but try and compile NAT-T code
+ *
+ * Revision 1.105  2005/08/12 00:56:33  mcr
+ * 	add warning for people who didn't apply nat-t patch.
+ *
+ * Revision 1.104  2005/07/08 15:51:41  mcr
+ * 	removed duplicate NAT-T code.
+ * 	if CONFIG_IPSEC_NAT_TRAVERSAL isn't defined, then there is no issue.
+ *
+ * Revision 1.103  2005/07/08 03:02:05  paul
+ * Fixed garbled define that accidentally got commited to the real tree.
+ *
+ * Revision 1.102  2005/07/08 02:56:37  paul
+ * gcc4 fixes that were not commited because vault was down
+ *
+ * Revision 1.101  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.100  2005/04/10 22:56:09  mcr
+ * 	change to udp.c registration API.
+ *
+ * Revision 1.99  2005/04/08 18:26:13  mcr
+ * 	register with udp.c, the klips26 encap receive function
+ *
+ * Revision 1.98  2004/09/13 02:23:18  mcr
+ * 	#define inet_protocol if necessary.
+ *
+ * Revision 1.97  2004/09/06 18:35:49  mcr
+ * 	2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
+ * 	so adjust for that.
+ *
+ * Revision 1.96  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.95  2004/08/03 18:19:08  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.94  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.93  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.92  2004/03/30 15:30:39  ken
+ * Proper Capitalization
+ *
+ * Revision 1.91  2004/03/22 01:51:51  ken
+ * We are open
+ *
+ * Revision 1.90.4.2  2004/04/05 04:30:46  mcr
+ * 	patches for alg-branch to compile/work with 2.x openswan
+ *
+ * Revision 1.90.4.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.90  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.89.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.89  2003/07/31 22:47:16  mcr
+ * 	preliminary (untested by FS-team) 2.5 patches.
+ *
+ * Revision 1.88  2003/06/22 20:05:36  mcr
+ * 	clarified why IPCOMP was not being registered, and put a new
+ * 	#ifdef in rather than #if 0.
+ *
+ * Revision 1.87  2002/09/20 15:40:51  rgb
+ * Added a lock to the global ipsec_sadb struct for future use.
+ * Split ipsec_sadb_cleanup from new funciton ipsec_sadb_free to avoid problem
+ * of freeing newly created structures when clearing the reftable upon startup
+ * to start from a known state.
+ *
+ * Revision 1.86  2002/08/15 18:39:15  rgb
+ * Move ipsec_prng outside debug code.
+ *
+ * Revision 1.85  2002/05/14 02:35:29  rgb
+ * Change reference to tdb to ipsa.
+ *
+ * Revision 1.84  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.83  2002/04/24 07:36:28  mcr
+ * Moved from ./klips/net/ipsec/ipsec_init.c,v
+ *
+ * Revision 1.82  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.81  2002/04/09 16:13:32  mcr
+ * 	switch license to straight GPL.
+ *
+ * Revision 1.80  2002/03/24 07:34:08  rgb
+ * Sanity check for at least one of AH or ESP configured.
+ *
+ * Revision 1.79  2002/02/05 22:55:15  mcr
+ * 	added MODULE_LICENSE declaration.
+ * 	This macro does not appear in all kernel versions (see comment).
+ *
+ * Revision 1.78  2002/01/29 17:17:55  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.77  2002/01/29 04:00:51  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.76  2002/01/29 02:13:17  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.75  2001/11/26 09:23:48  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.74  2001/11/22 05:44:11  henry
+ * new version stuff
+ *
+ * Revision 1.71.2.2  2001/10/22 20:51:00  mcr
+ * 	explicitely set des_check_key.
+ *
+ * Revision 1.71.2.1  2001/09/25 02:19:39  mcr
+ * 	/proc manipulation code moved to new ipsec_proc.c
+ *
+ * Revision 1.73  2001/11/06 19:47:17  rgb
+ * Changed lifetime_packets to uint32 from uint64.
+ *
+ * Revision 1.72  2001/10/18 04:45:19  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.71  2001/09/20 15:32:45  rgb
+ * Minor pfkey lifetime fixes.
+ *
+ * Revision 1.70  2001/07/06 19:51:21  rgb
+ * Added inbound policy checking code for IPIP SAs.
+ *
+ * Revision 1.69  2001/06/14 19:33:26  rgb
+ * Silence startup message for console, but allow it to be logged.
+ * Update copyright date.
+ *
+ * Revision 1.68  2001/05/29 05:14:36  rgb
+ * Added PMTU to /proc/net/ipsec_tncfg output.  See 'man 5 ipsec_tncfg'.
+ *
+ * Revision 1.67  2001/05/04 16:34:52  rgb
+ * Rremove erroneous checking of return codes for proc_net_* in 2.4.
+ *
+ * Revision 1.66  2001/05/03 19:40:34  rgb
+ * Check error return codes in startup and shutdown.
+ *
+ * Revision 1.65  2001/02/28 05:03:27  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.64  2001/02/27 22:24:53  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.63  2000/11/29 20:14:06  rgb
+ * Add src= to the output of /proc/net/ipsec_spi and delete dst from IPIP.
+ *
+ * Revision 1.62  2000/11/06 04:31:24  rgb
+ * Ditched spin_lock_irqsave in favour of spin_lock_bh.
+ * Fixed longlong for pre-2.4 kernels (Svenning).
+ * Add Svenning's adaptive content compression.
+ * Disabled registration of ipcomp handler.
+ *
+ * Revision 1.61  2000/10/11 13:37:54  rgb
+ * #ifdef out debug print that causes proc/net/ipsec_version to oops.
+ *
+ * Revision 1.60  2000/09/20 03:59:01  rgb
+ * Change static info functions to DEBUG_NO_STATIC to reveal function names
+ * in oopsen.
+ *
+ * Revision 1.59  2000/09/16 01:06:26  rgb
+ * Added cast of var to silence compiler warning about long fed to int
+ * format.
+ *
+ * Revision 1.58  2000/09/15 11:37:01  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.57  2000/09/12 03:21:50  rgb
+ * Moved radij_c_version printing to ipsec_version_get_info().
+ * Reformatted ipsec_version_get_info().
+ * Added sysctl_{,un}register() calls.
+ *
+ * Revision 1.56  2000/09/08 19:16:50  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Removed all references to CONFIG_IPSEC_PFKEYv2.
+ *
+ * Revision 1.55  2000/08/30 05:19:03  rgb
+ * Cleaned up no longer used spi_next, netlink register/unregister, other
+ * minor cleanup.
+ * Removed cruft replaced by TDB_XFORM_NAME.
+ * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
+ * Moved debug version strings to printk when /proc/net/ipsec_version is
+ * called.
+ *
+ * Revision 1.54  2000/08/20 18:31:05  rgb
+ * Changed cosmetic alignment in spi_info.
+ * Changed addtime and usetime to use actual value which is relative
+ * anyways, as intended. (Momchil)
+ *
+ * Revision 1.53  2000/08/18 17:37:03  rgb
+ * Added an (int) cast to shut up the compiler...
+ *
+ * Revision 1.52  2000/08/01 14:51:50  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.51  2000/07/25 20:41:22  rgb
+ * Removed duplicate parameter in spi_getinfo.
+ *
+ * Revision 1.50  2000/07/17 03:21:45  rgb
+ * Removed /proc/net/ipsec_spinew.
+ *
+ * Revision 1.49  2000/06/28 05:46:51  rgb
+ * Renamed ivlen to iv_bits for consistency.
+ * Changed output of add and use times to be relative to now.
+ *
+ * Revision 1.48  2000/05/11 18:26:10  rgb
+ * Commented out calls to netlink_attach/detach to avoid activating netlink
+ * in the kenrel config.
+ *
+ * Revision 1.47  2000/05/10 22:35:26  rgb
+ * Comment out most of the startup version information.
+ *
+ * Revision 1.46  2000/03/22 16:15:36  rgb
+ * Fixed renaming of dev_get (MB).
+ *
+ * Revision 1.45  2000/03/16 06:40:48  rgb
+ * Hardcode PF_KEYv2 support.
+ *
+ * Revision 1.44  2000/01/22 23:19:20  rgb
+ * Simplified code to use existing macro TDB_XFORM_NAME().
+ *
+ * Revision 1.43  2000/01/21 06:14:04  rgb
+ * Print individual stats only if non-zero.
+ * Removed 'bits' from each keylength for brevity.
+ * Shortened lifetimes legend for brevity.
+ * Changed wording from 'last_used' to the clearer 'idle'.
+ *
+ * Revision 1.42  1999/12/31 14:57:19  rgb
+ * MB fix for new dummy-less proc_get_info in 2.3.35.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_ipcomp.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,256 @@
+/*
+ * processing code for IPCOMP
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_ipcomp_c_version[] = "RCSID $Id: ipsec_ipcomp.c,v 1.5.2.2 2006/10/06 21:39:26 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>	/* struct device, and other headers */
+#include <linux/etherdevice.h>	/* eth_type_trans */
+#include <linux/ip.h>		/* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_auth.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipsec_ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include "openswan/ipsec_proto.h"
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_ipcomp = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+
+#ifdef CONFIG_KLIPS_IPCOMP
+enum ipsec_rcv_value
+ipsec_rcv_ipcomp_checks(struct ipsec_rcv_state *irs,
+			struct sk_buff *skb)
+{
+	int ipcompminlen;
+
+	ipcompminlen = sizeof(struct iphdr);
+
+	if(skb->len < (ipcompminlen + sizeof(struct ipcomphdr))) {
+		KLIPS_PRINT(debug_rcv & DB_RX_INAU,
+			    "klips_debug:ipsec_rcv: "
+			    "runt comp packet of skb->len=%d received from %s, dropped.\n",
+			    skb->len,
+			    irs->ipsaddr_txt);
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADLEN;
+	}
+
+	irs->protostuff.ipcompstuff.compp = (struct ipcomphdr *)skb->h.raw;
+	irs->said.spi = htonl((__u32)ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi));
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_rcv_value
+ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs)
+{
+	unsigned int flags = 0;
+	struct ipsec_sa *ipsp = irs->ipsp;
+	struct sk_buff *skb;
+
+	skb=irs->skb;
+
+	ipsec_xmit_dmp("ipcomp", skb->h.raw, skb->len);
+
+	if(ipsp == NULL) {
+		return IPSEC_RCV_SAIDNOTFOUND;
+	}
+
+	if(sysctl_ipsec_inbound_policy_check &&
+	   ((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) != ntohl(irs->said.spi)) &&
+	     (ipsp->ips_encalg != ntohl(irs->said.spi))   /* this is a workaround for peer non-compliance with rfc2393 */
+		    ))) {
+		char sa2[SATOT_BUF];
+		size_t sa_len2 = 0;
+
+		sa_len2 = satot(&ipsp->ips_said, 0, sa2, sizeof(sa2));
+
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
+			    irs->sa_len ? irs->sa : " (error)",
+			    ipsp != NULL ? (sa_len2 ? sa2 : " (error)") : "NULL",
+			    ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi),
+			    (__u32)ntohl(irs->said.spi),
+			    ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
+			    ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0);
+		if(irs->stats) {
+			irs->stats->rx_dropped++;
+		}
+		return IPSEC_RCV_SAIDNOTFOUND;
+	}
+
+	ipsp->ips_comp_ratio_cbytes += ntohs(irs->ipp->tot_len);
+	irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh;
+
+	skb = skb_decompress(skb, ipsp, &flags);
+	if (!skb || flags) {
+		spin_unlock(&tdb_lock);
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "skb_decompress() returned error flags=%x, dropped.\n",
+			    flags);
+		if (irs->stats) {
+			if (flags)
+				irs->stats->rx_errors++;
+			else
+				irs->stats->rx_dropped++;
+		}
+		return IPSEC_RCV_IPCOMPFAILED;
+	}
+
+	/* make sure we update the pointer */
+	irs->skb = skb;
+	
+#ifdef NET_21
+	irs->ipp = skb->nh.iph;
+#else /* NET_21 */
+	irs->ipp = skb->ip_hdr;
+#endif /* NET_21 */
+
+	ipsp->ips_comp_ratio_dbytes += ntohs(irs->ipp->tot_len);
+
+	KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv: "
+		    "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
+		    irs->sa_len ? irs->sa : " (error)",
+		    (__u32)ntohl(irs->said.spi),
+		    ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
+		    ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0,
+		    irs->next_header);
+	KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->ipp);
+
+	return IPSEC_RCV_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_xmit_ipcomp_setup(struct ipsec_xmit_state *ixs)
+{
+  unsigned int flags = 0;
+#ifdef CONFIG_KLIPS_DEBUG
+  unsigned int old_tot_len = ntohs(ixs->iph->tot_len);
+#endif /* CONFIG_KLIPS_DEBUG */
+
+  ixs->ipsp->ips_comp_ratio_dbytes += ntohs(ixs->iph->tot_len);
+
+  ixs->skb = skb_compress(ixs->skb, ixs->ipsp, &flags);
+
+#ifdef NET_21
+  ixs->iph = ixs->skb->nh.iph;
+#else /* NET_21 */
+  ixs->iph = ixs->skb->ip_hdr;
+#endif /* NET_21 */
+  
+  ixs->ipsp->ips_comp_ratio_cbytes += ntohs(ixs->iph->tot_len);
+  
+#ifdef CONFIG_KLIPS_DEBUG
+  if (debug_tunnel & DB_TN_CROUT)
+    {
+      if (old_tot_len > ntohs(ixs->iph->tot_len))
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
+		    old_tot_len, ntohs(ixs->iph->tot_len),
+		    ntohs(((struct ipcomphdr*)(((char*)ixs->iph) + ((ixs->iph->ihl) << 2)))->ipcomp_cpi),
+		    ntohl(ixs->ipsp->ips_said.spi),
+		    (__u16)(ntohl(ixs->ipsp->ips_said.spi) & 0x0000ffff));
+      else
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "packet did not compress (flags = %d).\n",
+		    flags);
+    }
+#endif /* CONFIG_KLIPS_DEBUG */
+
+  return IPSEC_XMIT_OK;
+}
+
+struct xform_functions ipcomp_xform_funcs[]={
+	{rcv_checks:  ipsec_rcv_ipcomp_checks,
+	 rcv_decrypt: ipsec_rcv_ipcomp_decomp,
+	 xmit_setup:  ipsec_xmit_ipcomp_setup,
+	 xmit_headroom: 0,
+	 xmit_needtailroom: 0,
+	},
+};
+
+#if 0
+/* We probably don't want to install a pure IPCOMP protocol handler, but
+   only want to handle IPCOMP if it is encapsulated inside an ESP payload
+   (which is already handled) */
+#ifdef CONFIG_KLIPS_IPCOMP
+struct inet_protocol comp_protocol =
+{
+	ipsec_rcv,			/* COMP handler		*/
+	NULL,				/* COMP error control	*/
+#ifdef NETDEV_25
+	1,				/* no policy */
+#else
+	0,				/* next */
+	IPPROTO_COMP,			/* protocol ID */
+	0,				/* copy */
+	NULL,				/* data */
+	"COMP"				/* name */
+#endif
+};
+#endif /* CONFIG_KLIPS_IPCOMP */
+#endif
+
+#endif /* CONFIG_KLIPS_IPCOMP */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_ipip.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,122 @@
+/*
+ * processing code for IPIP
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_ipip_c_version[] = "RCSID $Id: ipsec_ipip.c,v 1.3.2.3 2006/10/06 21:39:26 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>	/* struct device, and other headers */
+#include <linux/etherdevice.h>	/* eth_type_trans */
+#include <linux/ip.h>		/* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_auth.h"
+#include "openswan/ipsec_ipip.h"
+#include "openswan/ipsec_param.h"
+
+#include "openswan/ipsec_proto.h"
+
+enum ipsec_xmit_value
+ipsec_xmit_ipip_setup(struct ipsec_xmit_state *ixs)
+{
+  ixs->iph->version  = 4;
+
+  switch(sysctl_ipsec_tos) {
+  case 0:
+#ifdef NET_21
+    ixs->iph->tos = ixs->skb->nh.iph->tos;
+#else /* NET_21 */
+    ixs->iph->tos = ixs->skb->ip_hdr->tos;
+#endif /* NET_21 */
+    break;
+  case 1:
+    ixs->iph->tos = 0;
+    break;
+  default:
+    break;
+  }
+  ixs->iph->ttl      = SYSCTL_IPSEC_DEFAULT_TTL;
+  ixs->iph->frag_off = 0;
+  ixs->iph->saddr    = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_s))->sin_addr.s_addr;
+  ixs->iph->daddr    = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_d))->sin_addr.s_addr;
+  ixs->iph->protocol = IPPROTO_IPIP;
+  ixs->iph->ihl      = sizeof(struct iphdr) >> 2;
+  
+  KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
+  
+  ixs->newdst = (__u32)ixs->iph->daddr;
+  ixs->newsrc = (__u32)ixs->iph->saddr;
+  
+#ifdef NET_21
+  ixs->skb->h.ipiph = ixs->skb->nh.iph;
+#endif /* NET_21 */
+  return IPSEC_XMIT_OK;
+}
+
+struct xform_functions ipip_xform_funcs[]={
+  {	rcv_checks:         NULL,
+	rcv_setup_auth:     NULL,
+	rcv_calc_auth:      NULL,
+	rcv_decrypt:        NULL,
+
+	xmit_setup:         ipsec_xmit_ipip_setup,
+	xmit_headroom:      sizeof(struct iphdr),
+	xmit_needtailroom:  0,
+  },
+};
+
+
+
+
+
+
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_kern24.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2005 (C) Michael Richardson <mcr@xelerance.com>
+ *
+ * This is a file of functions which are present in 2.6 kernels,
+ * but are not available by default in the 2.4 series.
+ *
+ * As such this code is usually from the Linux kernel, and is covered by
+ * GPL.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: ipsec_kern24.c,v 1.2 2005/05/20 03:19:18 mcr Exp $
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/spinlock.h>
+
+/*
+ * printk rate limiting, lifted from the networking subsystem.
+ *
+ * This enforces a rate limit: not more than one kernel message
+ * every printk_ratelimit_jiffies to make a denial-of-service
+ * attack impossible.
+ */
+static spinlock_t ratelimit_lock = SPIN_LOCK_UNLOCKED;
+
+int __printk_ratelimit(int ratelimit_jiffies, int ratelimit_burst)
+{
+	static unsigned long toks = 10*5*HZ;
+	static unsigned long last_msg;
+	static int missed;
+	unsigned long flags;
+	unsigned long now = jiffies;
+
+	spin_lock_irqsave(&ratelimit_lock, flags);
+	toks += now - last_msg;
+	last_msg = now;
+	if (toks > (ratelimit_burst * ratelimit_jiffies))
+		toks = ratelimit_burst * ratelimit_jiffies;
+	if (toks >= ratelimit_jiffies) {
+		int lost = missed;
+		missed = 0;
+		toks -= ratelimit_jiffies;
+		spin_unlock_irqrestore(&ratelimit_lock, flags);
+		if (lost)
+			printk(KERN_WARNING "printk: %d messages suppressed.\n", lost);
+		return 1;
+	}
+	missed++;
+	spin_unlock_irqrestore(&ratelimit_lock, flags);
+	return 0;
+}
+
+/* minimum time in jiffies between messages */
+int printk_ratelimit_jiffies = 5*HZ;
+
+/* number of messages we send before ratelimiting */
+int printk_ratelimit_burst = 10;
+
+int printk_ratelimit(void)
+{
+	return __printk_ratelimit(printk_ratelimit_jiffies,
+				printk_ratelimit_burst);
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_life.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,273 @@
+/*
+ * @(#) lifetime structure utilities
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
+ *                 and Michael Richardson  <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_life.c,v 1.13.10.1 2006/10/06 21:39:26 paul Exp $
+ *
+ */
+
+/* 
+ * This provides series of utility functions for dealing with lifetime
+ * structures.
+ *
+ * ipsec_check_lifetime - returns -1    hard lifetime exceeded
+ *                                 0    soft lifetime exceeded
+ *                                 1    everything is okay
+ *                        based upon whether or not the count exceeds hard/soft
+ *
+ */
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif	/* for CONFIG_IP_FORWARD */
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#include <linux/netdevice.h>   /* struct device, struct net_device_stats and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/skbuff.h>
+#include <openswan.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_eroute.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+
+#include "openswan/ipsec_sa.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_ipe4.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+
+
+enum ipsec_life_alive
+ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
+		     const char *lifename,
+		     const char *saname,
+		     enum ipsec_life_type ilt,
+		     enum ipsec_direction idir,
+		     struct ipsec_sa *ips)
+{
+	__u64 count;
+	const char *dir;
+
+	if(saname == NULL) {
+		saname = "unknown-SA";
+	}
+
+	if(idir == ipsec_incoming) {
+		dir = "incoming";
+	} else {
+		dir = "outgoing";
+	}
+		
+
+	if(ilt == ipsec_life_timebased) {
+		count = jiffies/HZ - il64->ipl_count;
+	} else {
+		count = il64->ipl_count;
+	}
+
+	if(il64->ipl_hard &&
+	   (count > il64->ipl_hard)) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_lifetime_check: "
+			    "hard %s lifetime of SA:<%s%s%s> %s has been reached, SA expired, "
+			    "%s packet dropped.\n",
+			    lifename,
+			    IPS_XFORM_NAME(ips),
+			    saname,
+			    dir);
+
+		pfkey_expire(ips, 1);
+		return ipsec_life_harddied;
+	}
+
+	if(il64->ipl_soft &&
+	   (count > il64->ipl_soft)) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_lifetime_check: "
+			    "soft %s lifetime of SA:<%s%s%s> %s has been reached, SA expiring, "
+			    "soft expire message sent up, %s packet still processed.\n",
+			    lifename,
+			    IPS_XFORM_NAME(ips),
+			    saname,
+			    dir);
+
+		if(ips->ips_state != SADB_SASTATE_DYING) {
+			pfkey_expire(ips, 0);
+		}
+		ips->ips_state = SADB_SASTATE_DYING;
+
+		return ipsec_life_softdied;
+	}
+	return ipsec_life_okay;
+}
+
+
+/*
+ * This function takes a buffer (with length), a lifetime name and type,
+ * and formats a string to represent the current values of the lifetime.
+ * 
+ * It returns the number of bytes that the format took (or would take,
+ * if the buffer were large enough: snprintf semantics).
+ * This is used in /proc routines and in debug output.
+ */
+int
+ipsec_lifetime_format(char *buffer,
+		      int   buflen,
+		      char *lifename,
+		      enum ipsec_life_type timebaselife,
+		      struct ipsec_lifetime64 *lifetime)
+{
+	int len = 0;
+	__u64 count;
+
+	if(timebaselife == ipsec_life_timebased) {
+		count = jiffies/HZ - lifetime->ipl_count;
+	} else {
+		count = lifetime->ipl_count;
+	}
+
+	if(lifetime->ipl_count > 1 || 
+	   lifetime->ipl_soft      ||
+	   lifetime->ipl_hard) {
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)) 
+		len = ipsec_snprintf(buffer, buflen,
+			       "%s(%Lu,%Lu,%Lu)",
+			       lifename,
+			       count,
+			       lifetime->ipl_soft,
+			       lifetime->ipl_hard);
+#else /* XXX high 32 bits are not displayed */
+		len = ipsec_snprintf(buffer, buflen,
+				"%s(%lu,%lu,%lu)",
+				lifename,
+				(unsigned long)count,
+				(unsigned long)lifetime->ipl_soft,
+				(unsigned long)lifetime->ipl_hard);
+#endif
+	}
+
+	return len;
+}
+
+void
+ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
+			  __u64 newvalue)
+{
+	if(newvalue &&
+	   (!lifetime->ipl_hard ||
+	    (newvalue < lifetime->ipl_hard))) {
+		lifetime->ipl_hard = newvalue;
+
+		if(!lifetime->ipl_soft &&
+		   (lifetime->ipl_hard < lifetime->ipl_soft)) {
+			lifetime->ipl_soft = lifetime->ipl_hard;
+		}
+	}
+}	
+
+void
+ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
+			  __u64 newvalue)
+{
+	if(newvalue &&
+	   (!lifetime->ipl_soft ||
+	    (newvalue < lifetime->ipl_soft))) {
+		lifetime->ipl_soft = newvalue;
+
+		if(lifetime->ipl_hard &&
+		   (lifetime->ipl_hard < lifetime->ipl_soft)) {
+			lifetime->ipl_soft = lifetime->ipl_hard;
+		}
+	}
+}
+
+	
+/*
+ * $Log: ipsec_life.c,v $
+ * Revision 1.13.10.1  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.13  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.12  2004/04/23 20:44:35  ken
+ * Update comments
+ *
+ * Revision 1.11  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.10  2004/03/30 11:03:10  paul
+ * two more occurances of snprintf, found by Sam from a users oops msg.
+ *
+ * Revision 1.9  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.8.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.8  2003/02/06 02:00:10  rgb
+ * Fixed incorrect debugging text label
+ *
+ * Revision 1.7  2002/05/23 07:16:26  rgb
+ * Fixed absolute/relative reference to lifetime count printout.
+ *
+ * Revision 1.6  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.5  2002/04/24 07:36:28  mcr
+ * Moved from ./klips/net/ipsec/ipsec_life.c,v
+ *
+ * Revision 1.4  2002/01/29 17:17:55  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.3  2002/01/29 02:13:17  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.2  2001/11/26 09:16:14  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:25:57  mcr
+ * 	lifetime structure created and common functions created.
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_mast.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1099 @@
+/*
+ * IPSEC MAST code.
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.7.2.1 2006/10/06 21:39:26 paul Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif	/* for CONFIG_IP_FORWARD */
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "freeswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/tcp.h>         /* struct tcphdr */
+#include <linux/udp.h>         /* struct udphdr */
+#include <linux/skbuff.h>
+#include <freeswan.h>
+#include <linux/in6.h>
+#include <net/dst.h>
+#undef dev_kfree_skb
+#define dev_kfree_skb(a,b) kfree_skb(a)
+#define PHYSDEV_TYPE
+#include <net/icmp.h>		/* icmp_send() */
+#include <net/ip.h>
+#include <linux/netfilter_ipv4.h>
+
+#include <linux/if_arp.h>
+
+#include "freeswan/radij.h"
+#include "freeswan/ipsec_life.h"
+#include "freeswan/ipsec_xform.h"
+#include "freeswan/ipsec_eroute.h"
+#include "freeswan/ipsec_encap.h"
+#include "freeswan/ipsec_radij.h"
+#include "freeswan/ipsec_sa.h"
+#include "freeswan/ipsec_tunnel.h"
+#include "freeswan/ipsec_mast.h"
+#include "freeswan/ipsec_ipe4.h"
+#include "freeswan/ipsec_ah.h"
+#include "freeswan/ipsec_esp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "freeswan/ipsec_proto.h"
+
+int ipsec_maxdevice_count = -1;
+
+DEBUG_NO_STATIC int
+ipsec_mast_open(struct net_device *dev)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	/*
+	 * Can't open until attached.
+	 */
+
+	KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+		    "klips_debug:ipsec_mast_open: "
+		    "dev = %s, prv->dev = %s\n",
+		    dev->name, prv->dev?prv->dev->name:"NONE");
+
+	if (prv->dev == NULL)
+		return -ENODEV;
+	
+	KLIPS_INC_USE;
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_close(struct net_device *dev)
+{
+	KLIPS_DEC_USE;
+	return 0;
+}
+
+static inline int ipsec_mast_xmit2(struct sk_buff *skb)
+{
+	return ip_send(skb);
+}
+
+enum ipsec_xmit_value
+ipsec_mast_send(struct ipsec_xmit_state*ixs)
+{
+	/* new route/dst cache code from James Morris */
+	ixs->skb->dev = ixs->physdev;
+	/*skb_orphan(ixs->skb);*/
+	if((ixs->error = ip_route_output(&ixs->route,
+				    ixs->skb->nh.iph->daddr,
+				    ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
+				    RT_TOS(ixs->skb->nh.iph->tos),
+				    ixs->physdev->iflink /* rgb: should this be 0? */))) {
+		ixs->stats->tx_errors++;
+		KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
+			    "klips_debug:ipsec_xmit_send: "
+			    "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
+			    ixs->error,
+			    ixs->route->u.dst.dev->name);
+		return IPSEC_XMIT_ROUTEERR;
+	}
+	if(ixs->dev == ixs->route->u.dst.dev) {
+		ip_rt_put(ixs->route);
+		/* This is recursion, drop it. */
+		ixs->stats->tx_errors++;
+		KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
+			    "klips_debug:ipsec_xmit_send: "
+			    "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
+			    ixs->dev->name);
+		return IPSEC_XMIT_RECURSDETECT;
+	}
+	dst_release(ixs->skb->dst);
+	ixs->skb->dst = &ixs->route->u.dst;
+	ixs->stats->tx_bytes += ixs->skb->len;
+	if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
+		ixs->stats->tx_errors++;
+		printk(KERN_WARNING
+		       "klips_error:ipsec_xmit_send: "
+		       "tried to __skb_pull nh-data=%ld, %d available.  This should never happen, please report.\n",
+		       (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
+		       ixs->skb->len);
+		return IPSEC_XMIT_PUSHPULLERR;
+	}
+	__skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
+#ifdef SKB_RESET_NFCT
+	nf_conntrack_put(ixs->skb->nfct);
+	ixs->skb->nfct = NULL;
+#ifdef CONFIG_NETFILTER_DEBUG
+	ixs->skb->nf_debug = 0;
+#endif /* CONFIG_NETFILTER_DEBUG */
+#endif /* SKB_RESET_NFCT */
+	KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
+		    "klips_debug:ipsec_xmit_send: "
+		    "...done, calling ip_send() on device:%s\n",
+		    ixs->skb->dev ? ixs->skb->dev->name : "NULL");
+	KLIPS_IP_PRINT(debug_mast & DB_MAST_XMIT, ixs->skb->nh.iph);
+	{
+		int err;
+
+		err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
+			      ipsec_mast_xmit2);
+		if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
+			if(net_ratelimit())
+				printk(KERN_ERR
+				       "klips_error:ipsec_xmit_send: "
+				       "ip_send() failed, err=%d\n", 
+				       -err);
+			ixs->stats->tx_errors++;
+			ixs->stats->tx_aborted_errors++;
+			ixs->skb = NULL;
+			return IPSEC_XMIT_IPSENDFAILURE;
+		}
+	}
+	ixs->stats->tx_packets++;
+
+	ixs->skb = NULL;
+	
+	return IPSEC_XMIT_OK;
+}
+
+void
+ipsec_mast_cleanup(struct ipsec_xmit_state*ixs)
+{
+#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
+	netif_wake_queue(ixs->dev);
+#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+	ixs->dev->tbusy = 0;
+#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+	if(ixs->saved_header) {
+		kfree(ixs->saved_header);
+	}
+	if(ixs->skb) {
+		dev_kfree_skb(ixs->skb, FREE_WRITE);
+	}
+	if(ixs->oskb) {
+		dev_kfree_skb(ixs->oskb, FREE_WRITE);
+	}
+	if (ixs->ips.ips_ident_s.data) {
+		kfree(ixs->ips.ips_ident_s.data);
+	}
+	if (ixs->ips.ips_ident_d.data) {
+		kfree(ixs->ips.ips_ident_d.data);
+	}
+}
+
+#if 0
+/*
+ *	This function assumes it is being called from dev_queue_xmit()
+ *	and that skb is filled properly by that function.
+ */
+int
+ipsec_mast_start_xmit(struct sk_buff *skb, struct net_device *dev, IPsecSAref_t SAref)
+{
+	struct ipsec_xmit_state ixs_mem;
+	struct ipsec_xmit_state *ixs = &ixs_mem;
+	enum ipsec_xmit_value stat = IPSEC_XMIT_OK;
+
+	/* dev could be a mast device, but should be optional, I think... */
+	/* SAref is also optional, but one of the two must be present. */
+	/* I wonder if it could accept no device or saref and guess? */
+
+/*	ipsec_xmit_sanity_check_dev(ixs); */
+
+	ipsec_xmit_sanity_check_skb(ixs);
+
+	ipsec_xmit_adjust_hard_header(ixs);
+
+	stat = ipsec_xmit_encap_bundle(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		/* SA processing failed */
+	}
+
+	ipsec_xmit_hard_header_restore();
+}
+#endif
+
+DEBUG_NO_STATIC struct net_device_stats *
+ipsec_mast_get_stats(struct net_device *dev)
+{
+	return &(((struct ipsecpriv *)(dev->priv))->mystats);
+}
+
+/*
+ * Revectored calls.
+ * For each of these calls, a field exists in our private structure.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_mast_hard_header(struct sk_buff *skb, struct net_device *dev,
+	unsigned short type, void *daddr, void *saddr, unsigned len)
+{
+	struct ipsecpriv *prv = dev->priv;
+	struct net_device *tmp;
+	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "no skb...\n");
+		return -ENODATA;
+	}
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "no device...\n");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast_hard_header: "
+		    "skb->dev=%s dev=%s.\n",
+		    skb->dev ? skb->dev->name : "NULL",
+		    dev->name);
+	
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "no private space associated with dev=%s\n",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "no physical device associated with dev=%s\n",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	/* check if we have to send a IPv6 packet. It might be a Router
+	   Solicitation, where the building of the packet happens in
+	   reverse order:
+	   1. ll hdr,
+	   2. IPv6 hdr,
+	   3. ICMPv6 hdr
+	   -> skb->nh.raw is still uninitialized when this function is
+	   called!!  If this is no IPv6 packet, we can print debugging
+	   messages, otherwise we skip all debugging messages and just
+	   build the ll header */
+	if(type != ETH_P_IPV6) {
+		/* execute this only, if we don't have to build the
+		   header for a IPv6 packet */
+		if(!prv->hard_header) {
+			KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+				    "klips_debug:ipsec_mast_hard_header: "
+				    "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
+				    saddr,
+				    daddr,
+				    len,
+				    type,
+				    dev->name);
+			KLIPS_PRINTMORE(debug_mast & DB_MAST_REVEC,
+					"ip=%08x->%08x\n",
+					(__u32)ntohl(skb->nh.iph->saddr),
+					(__u32)ntohl(skb->nh.iph->daddr) );
+			stats->tx_dropped++;
+			return -ENODEV;
+		}
+		
+#define da ((struct net_device *)(prv->dev))->dev_addr
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
+			    saddr,
+			    daddr,
+			    len,
+			    type,
+			    dev->name,
+			    prv->dev->name,
+			    da[0], da[1], da[2], da[3], da[4], da[5]);
+		KLIPS_PRINTMORE(debug_mast & DB_MAST_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->nh.iph->saddr),
+			    (__u32)ntohl(skb->nh.iph->daddr) );
+	} else {
+		KLIPS_PRINT(debug_mast,
+			    "klips_debug:ipsec_mast_hard_header: "
+			    "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
+	}                                                                       
+	tmp = skb->dev;
+	skb->dev = prv->dev;
+	ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
+	skb->dev = tmp;
+	return ret;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_rebuild_header(struct sk_buff *skb)
+{
+	struct ipsecpriv *prv = skb->dev->priv;
+	struct net_device *tmp;
+	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb->dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_rebuild_header: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_rebuild_header: "
+			    "no private space associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_rebuild_header: "
+			    "no physical device associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	if(!prv->rebuild_header) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_rebuild_header: "
+			    "physical device has been detached, packet dropped skb->dev=%s->NULL ",
+			    skb->dev->name);
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->nh.iph->saddr),
+			    (__u32)ntohl(skb->nh.iph->daddr) );
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast: "
+		    "Revectored rebuild_header dev=%s->%s ",
+		    skb->dev->name, prv->dev->name);
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "ip=%08x->%08x\n",
+		    (__u32)ntohl(skb->nh.iph->saddr),
+		    (__u32)ntohl(skb->nh.iph->daddr) );
+	tmp = skb->dev;
+	skb->dev = prv->dev;
+	
+	ret = prv->rebuild_header(skb);
+	skb->dev = tmp;
+	return ret;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_set_mac_address(struct net_device *dev, void *addr)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_set_mac_address: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_set_mac_address: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_set_mac_address: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	if(!prv->set_mac_address) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_set_mac_address: "
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+			    dev->name);
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast_set_mac_address: "
+		    "Revectored dev=%s->%s addr=0p%p\n",
+		    dev->name, prv->dev->name, addr);
+	return prv->set_mac_address(prv->dev, addr);
+
+}
+
+DEBUG_NO_STATIC void
+ipsec_mast_cache_update(struct hh_cache *hh, struct net_device *dev, unsigned char *  haddr)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_cache_update: "
+			    "no device...");
+		return;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_cache_update: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_cache_update: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return;
+	}
+
+	if(!prv->header_cache_update) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_cache_update: "
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+			    dev->name);
+		return;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast: "
+		    "Revectored cache_update\n");
+	prv->header_cache_update(hh, prv->dev, haddr);
+	return;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_neigh_setup(struct neighbour *n)
+{
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast_neigh_setup:\n");
+
+        if (n->nud_state == NUD_NONE) {
+                n->ops = &arp_broken_ops;
+                n->output = n->ops->output;
+        }
+        return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_neigh_setup_dev(struct net_device *dev, struct neigh_parms *p)
+{
+	KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+		    "klips_debug:ipsec_mast_neigh_setup_dev: "
+		    "setting up %s\n",
+		    dev ? dev->name : "NULL");
+
+        if (p->tbl->family == AF_INET) {
+                p->neigh_setup = ipsec_mast_neigh_setup;
+                p->ucast_probes = 0;
+                p->mcast_probes = 0;
+        }
+        return 0;
+}
+
+/*
+ * We call the attach routine to attach another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_mast_attach(struct net_device *dev, struct net_device *physdev)
+{
+        int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_attach: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_attach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
+
+	prv->dev = physdev;
+	prv->hard_start_xmit = physdev->hard_start_xmit;
+	prv->get_stats = physdev->get_stats;
+
+	if (physdev->hard_header) {
+		prv->hard_header = physdev->hard_header;
+		dev->hard_header = ipsec_mast_hard_header;
+	} else
+		dev->hard_header = NULL;
+	
+	if (physdev->rebuild_header) {
+		prv->rebuild_header = physdev->rebuild_header;
+		dev->rebuild_header = ipsec_mast_rebuild_header;
+	} else
+		dev->rebuild_header = NULL;
+	
+	if (physdev->set_mac_address) {
+		prv->set_mac_address = physdev->set_mac_address;
+		dev->set_mac_address = ipsec_mast_set_mac_address;
+	} else
+		dev->set_mac_address = NULL;
+	
+	if (physdev->header_cache_update) {
+		prv->header_cache_update = physdev->header_cache_update;
+		dev->header_cache_update = ipsec_mast_cache_update;
+	} else
+		dev->header_cache_update = NULL;
+
+	dev->hard_header_len = physdev->hard_header_len;
+
+/*	prv->neigh_setup        = physdev->neigh_setup; */
+	dev->neigh_setup        = ipsec_mast_neigh_setup_dev;
+	dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
+	prv->mtu = physdev->mtu;
+
+#ifdef PHYSDEV_TYPE
+	dev->type = physdev->type; /* ARPHRD_MAST; */
+#endif /*  PHYSDEV_TYPE */
+
+	dev->addr_len = physdev->addr_len;
+	for (i=0; i<dev->addr_len; i++) {
+		dev->dev_addr[i] = physdev->dev_addr[i];
+	}
+#ifdef CONFIG_KLIPS_DEBUG
+	if(debug_mast & DB_MAST_INIT) {
+		printk(KERN_INFO "klips_debug:ipsec_mast_attach: "
+		       "physical device %s being attached has HW address: %2x",
+		       physdev->name, physdev->dev_addr[0]);
+		for (i=1; i < physdev->addr_len; i++) {
+			printk(":%02x", physdev->dev_addr[i]);
+		}
+		printk("\n");
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	return 0;
+}
+
+/*
+ * We call the detach routine to detach the ipsec mast from another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_mast_detach(struct net_device *dev)
+{
+        int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_detach: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
+			    "klips_debug:ipsec_mast_detach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+		    "klips_debug:ipsec_mast_detach: "
+		    "physical device %s being detached from virtual device %s\n",
+		    prv->dev ? prv->dev->name : "NULL",
+		    dev->name);
+
+	prv->dev = NULL;
+	prv->hard_start_xmit = NULL;
+	prv->get_stats = NULL;
+
+	prv->hard_header = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->hard_header = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+	prv->rebuild_header = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->rebuild_header = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+	prv->set_mac_address = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->set_mac_address = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+	prv->header_cache_update = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->header_cache_update = NULL;
+#endif /* DETACH_AND_DOWN */
+
+#ifdef DETACH_AND_DOWN
+	dev->neigh_setup        = NULL;
+#endif /* DETACH_AND_DOWN */
+
+	dev->hard_header_len = 0;
+#ifdef DETACH_AND_DOWN
+	dev->mtu = 0;
+#endif /* DETACH_AND_DOWN */
+	prv->mtu = 0;
+	for (i=0; i<MAX_ADDR_LEN; i++) {
+		dev->dev_addr[i] = 0;
+	}
+	dev->addr_len = 0;
+#ifdef PHYSDEV_TYPE
+	dev->type = ARPHRD_VOID; /* ARPHRD_MAST; */
+#endif /*  PHYSDEV_TYPE */
+	
+	return 0;
+}
+
+/*
+ * We call the clear routine to detach all ipsec masts from other devices.
+ */
+DEBUG_NO_STATIC int
+ipsec_mast_clear(void)
+{
+	int i;
+	struct net_device *ipsecdev = NULL, *prvdev;
+	struct ipsecpriv *prv;
+	char name[9];
+	int ret;
+
+	KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+		    "klips_debug:ipsec_mast_clear: .\n");
+
+	for(i = 0; i < IPSEC_NUM_IF; i++) {
+		sprintf(name, IPSEC_DEV_FORMAT, i);
+		if((ipsecdev = ipsec_dev_get(name)) != NULL) {
+			if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
+				prvdev = (struct net_device *)(prv->dev);
+				if(prvdev) {
+					KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+						    "klips_debug:ipsec_mast_clear: "
+						    "physical device for device %s is %s\n",
+						    name, prvdev->name);
+					if((ret = ipsec_mast_detach(ipsecdev))) {
+						KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+							    "klips_debug:ipsec_mast_clear: "
+							    "error %d detatching device %s from device %s.\n",
+							    ret, name, prvdev->name);
+						return ret;
+					}
+				}
+			}
+		}
+	}
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_mast_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+{
+	struct ipsecmastconf *cf = (struct ipsecmastconf *)&ifr->ifr_data;
+	struct ipsecpriv *prv = dev->priv;
+	struct net_device *them; /* physical device */
+#ifdef CONFIG_IP_ALIAS
+	char *colon;
+	char realphysname[IFNAMSIZ];
+#endif /* CONFIG_IP_ALIAS */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_ioctl: "
+			    "device not supplied.\n");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+		    "klips_debug:ipsec_mast_ioctl: "
+		    "tncfg service call #%d for dev=%s\n",
+		    cmd,
+		    dev->name ? dev->name : "NULL");
+	switch (cmd) {
+	/* attach a virtual ipsec? device to a physical device */
+	case IPSEC_SET_DEV:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_ioctl: "
+			    "calling ipsec_mast_attatch...\n");
+#ifdef CONFIG_IP_ALIAS
+		/* If this is an IP alias interface, get its real physical name */
+		strncpy(realphysname, cf->cf_name, IFNAMSIZ);
+		realphysname[IFNAMSIZ-1] = 0;
+		colon = strchr(realphysname, ':');
+		if (colon) *colon = 0;
+		them = ipsec_dev_get(realphysname);
+#else /* CONFIG_IP_ALIAS */
+		them = ipsec_dev_get(cf->cf_name);
+#endif /* CONFIG_IP_ALIAS */
+
+		if (them == NULL) {
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_ioctl: "
+				    "physical device %s requested is null\n",
+				    cf->cf_name);
+			return -ENXIO;
+		}
+		
+#if 0
+		if (them->flags & IFF_UP) {
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_ioctl: "
+				    "physical device %s requested is not up.\n",
+				    cf->cf_name);
+			return -ENXIO;
+		}
+#endif
+		
+		if (prv && prv->dev) {
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_ioctl: "
+				    "virtual device is already connected to %s.\n",
+				    prv->dev->name ? prv->dev->name : "NULL");
+			return -EBUSY;
+		}
+		return ipsec_mast_attach(dev, them);
+
+	case IPSEC_DEL_DEV:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_ioctl: "
+			    "calling ipsec_mast_detatch.\n");
+		if (! prv->dev) {
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_ioctl: "
+				    "physical device not connected.\n");
+			return -ENODEV;
+		}
+		return ipsec_mast_detach(dev);
+	       
+	case IPSEC_CLR_DEV:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_ioctl: "
+			    "calling ipsec_mast_clear.\n");
+		return ipsec_mast_clear();
+
+	default:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_ioctl: "
+			    "unknown command %d.\n",
+			    cmd);
+		return -EOPNOTSUPP;
+	}
+}
+
+int
+ipsec_mast_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
+{
+	struct net_device *dev = ptr;
+	struct net_device *ipsec_dev;
+	struct ipsecpriv *priv;
+	char name[9];
+	int i;
+
+	if (dev == NULL) {
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "dev=NULL for event type %ld.\n",
+			    event);
+		return(NOTIFY_DONE);
+	}
+
+	/* check for loopback devices */
+	if (dev && (dev->flags & IFF_LOOPBACK)) {
+		return(NOTIFY_DONE);
+	}
+
+	switch (event) {
+	case NETDEV_DOWN:
+		/* look very carefully at the scope of these compiler
+		   directives before changing anything... -- RGB */
+
+	case NETDEV_UNREGISTER:
+		switch (event) {
+		case NETDEV_DOWN:
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_device_event: "
+				    "NETDEV_DOWN dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+			if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
+				printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
+				       dev->name);
+			}
+			break;
+		case NETDEV_UNREGISTER:
+			KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+				    "klips_debug:ipsec_mast_device_event: "
+				    "NETDEV_UNREGISTER dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+			break;
+		}
+		
+		/* find the attached physical device and detach it. */
+		for(i = 0; i < IPSEC_NUM_IF; i++) {
+			sprintf(name, IPSEC_DEV_FORMAT, i);
+			ipsec_dev = ipsec_dev_get(name);
+			if(ipsec_dev) {
+				priv = (struct ipsecpriv *)(ipsec_dev->priv);
+				if(priv) {
+					;
+					if(((struct net_device *)(priv->dev)) == dev) {
+						/* dev_close(ipsec_dev); */
+						/* return */ ipsec_mast_detach(ipsec_dev);
+						KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+							    "klips_debug:ipsec_mast_device_event: "
+							    "device '%s' has been detached.\n",
+							    ipsec_dev->name);
+						break;
+					}
+				} else {
+					KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+						    "klips_debug:ipsec_mast_device_event: "
+						    "device '%s' has no private data space!\n",
+						    ipsec_dev->name);
+				}
+			}
+		}
+		break;
+	case NETDEV_UP:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_UP dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_REBOOT:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_REBOOT dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGE:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_CHANGE dev=%s flags=%x\n",
+			    dev->name,
+			    dev->flags);
+		break;
+	case NETDEV_REGISTER:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_REGISTER dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGEMTU:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
+			    dev->name,
+			    dev->mtu);
+		break;
+	case NETDEV_CHANGEADDR:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_CHANGEADDR dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_GOING_DOWN:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_GOING_DOWN dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGENAME:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "NETDEV_CHANGENAME dev=%s\n",
+			    dev->name);
+		break;
+	default:
+		KLIPS_PRINT(debug_mast & DB_MAST_INIT,
+			    "klips_debug:ipsec_mast_device_event: "
+			    "event type %ld unrecognised for dev=%s\n",
+			    event,
+			    dev->name);
+		break;
+	}
+	return NOTIFY_DONE;
+}
+
+/*
+ *	Called when an ipsec mast device is initialized.
+ *	The ipsec mast device structure is passed to us.
+ */
+ 
+int
+ipsec_mast_init(struct net_device *dev)
+{
+	int i;
+
+	KLIPS_PRINT(debug_mast,
+		    "klips_debug:ipsec_mast_init: "
+		    "allocating %lu bytes initialising device: %s\n",
+		    (unsigned long) sizeof(struct ipsecpriv),
+		    dev->name ? dev->name : "NULL");
+
+	/* Add our mast functions to the device */
+	dev->open		= ipsec_mast_open;
+	dev->stop		= ipsec_mast_close;
+	dev->hard_start_xmit	= ipsec_mast_start_xmit;
+	dev->get_stats		= ipsec_mast_get_stats;
+
+	dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
+	if (dev->priv == NULL)
+		return -ENOMEM;
+	memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
+
+	for(i = 0; i < sizeof(zeroes); i++) {
+		((__u8*)(zeroes))[i] = 0;
+	}
+	
+	dev->set_multicast_list = NULL;
+	dev->do_ioctl		= ipsec_mast_ioctl;
+	dev->hard_header	= NULL;
+	dev->rebuild_header 	= NULL;
+	dev->set_mac_address 	= NULL;
+	dev->header_cache_update= NULL;
+	dev->neigh_setup        = ipsec_mast_neigh_setup_dev;
+	dev->hard_header_len 	= 0;
+	dev->mtu		= 0;
+	dev->addr_len		= 0;
+	dev->type		= ARPHRD_VOID; /* ARPHRD_MAST; */ /* ARPHRD_ETHER; */
+	dev->tx_queue_len	= 10;		/* Small queue */
+	memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN);	/* what if this is not attached to ethernet? */
+
+	/* New-style flags. */
+	dev->flags		= IFF_NOARP /* 0 */ /* Petr Novak */;
+	dev_init_buffers(dev);
+
+	/* We're done.  Have I forgotten anything? */
+	return 0;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/*  Module specific interface (but it links with the rest of IPSEC)  */
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+int
+ipsec_mast_probe(struct net_device *dev)
+{
+	ipsec_mast_init(dev); 
+	return 0;
+}
+
+int 
+ipsec_mast_init_devices(void)
+{
+	return 0;
+}
+
+/* void */
+int
+ipsec_mast_cleanup_devices(void)
+{
+	int error = 0;
+	int i;
+	char name[10];
+	struct net_device *dev_mast;
+	
+	for(i = 0; i < ipsec_mastdevice_count; i++) {
+		sprintf(name, MAST_DEV_FORMAT, i);
+		if((dev_mast = ipsec_dev_get(name)) == NULL) {
+			break;
+		}
+		unregister_netdev(dev_mast);
+		kfree(dev_mast->priv);
+		dev_mast->priv=NULL;
+	}
+	return error;
+}
+
+/*
+ * $Log: ipsec_mast.c,v $
+ * Revision 1.7.2.1  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.7  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.6  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.5  2004/08/03 18:19:08  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.4  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.3  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.2.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.2  2003/06/22 20:06:17  mcr
+ * 	refactored mast code still had lots of ipsecX junk in it.
+ *
+ * Revision 1.1  2003/02/12 19:31:12  rgb
+ * Refactored from ipsec_tunnel.c
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_md5c.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,453 @@
+/*
+ * RCSID $Id: ipsec_md5c.c,v 1.10 2005/04/15 01:25:57 mcr Exp $
+ */
+
+/*
+ * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic
+ * changes to accomodate it in the kernel by ji.
+ */
+
+#include <asm/byteorder.h>
+#include <linux/string.h>
+
+#include "openswan/ipsec_md5h.h"
+
+/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/*
+ * Additions by JI
+ * 
+ * HAVEMEMCOPY is defined if mem* routines are available
+ *
+ * HAVEHTON is defined if htons() and htonl() can be used
+ * for big/little endian conversions
+ *
+ */
+
+#define HAVEMEMCOPY
+#ifdef __LITTLE_ENDIAN
+#define LITTLENDIAN
+#endif
+#ifdef __BIG_ENDIAN
+#define BIGENDIAN
+#endif
+
+/* Constants for MD5Transform routine.
+ */
+
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
+
+#ifdef LITTLEENDIAN
+#define Encode MD5_memcpy
+#define Decode MD5_memcpy
+#else
+static void Encode PROTO_LIST
+  ((unsigned char *, UINT4 *, unsigned int));
+static void Decode PROTO_LIST
+  ((UINT4 *, unsigned char *, unsigned int));
+#endif
+
+#ifdef HAVEMEMCOPY
+/* no need to include <memory.h> here; <linux/string.h> defines these */
+#define MD5_memcpy	memcpy
+#define MD5_memset	memset
+#else
+#ifdef HAVEBCOPY
+#define MD5_memcpy(_a,_b,_c) bcopy((_b),(_a),(_c))
+#define MD5_memset(_a,_b,_c) bzero((_a),(_c))
+#else
+static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
+static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
+#endif
+#endif
+static unsigned char PADDING[64] = {
+  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+
+/*
+ * MD5 initialization. Begins an MD5 operation, writing a new context.
+ */
+void osMD5Init(void *vcontext)
+{
+  MD5_CTX *context = vcontext;                                     
+
+  context->count[0] = context->count[1] = 0;
+  /* Load magic initialization constants.*/
+  context->state[0] = 0x67452301;
+  context->state[1] = 0xefcdab89;
+  context->state[2] = 0x98badcfe;
+  context->state[3] = 0x10325476;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+  operation, processing another message block, and updating the
+  context.
+ */
+void osMD5Update (vcontext, input, inputLen)
+     void *vcontext;
+     unsigned char *input;                                /* input block */
+     __u32 inputLen;                     /* length of input block */
+{
+  MD5_CTX *context = vcontext;                                     
+  __u32 i;
+  unsigned int index, partLen;
+
+  /* Compute number of bytes mod 64 */
+  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
+
+  /* Update number of bits */
+  if ((context->count[0] += ((UINT4)inputLen << 3))
+   < ((UINT4)inputLen << 3))
+ context->count[1]++;
+  context->count[1] += ((UINT4)inputLen >> 29);
+
+  partLen = 64 - index;
+
+  /* Transform as many times as possible.
+*/
+  if (inputLen >= partLen) {
+ MD5_memcpy
+   ((POINTER)&context->buffer[index], (POINTER)input, partLen);
+ MD5Transform (context->state, context->buffer);
+
+ for (i = partLen; i + 63 < inputLen; i += 64)
+   MD5Transform (context->state, &input[i]);
+
+ index = 0;
+  }
+  else
+ i = 0;
+
+  /* Buffer remaining input */
+  MD5_memcpy
+ ((POINTER)&context->buffer[index], (POINTER)&input[i],
+  inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+  the message digest and zeroizing the context.
+ */
+void osMD5Final (digest, vcontext)
+unsigned char digest[16];                         /* message digest */
+void *vcontext;                                       /* context */
+{
+  MD5_CTX *context = vcontext;                                     
+  unsigned char bits[8];
+  unsigned int index, padLen;
+
+  /* Save number of bits */
+  Encode (bits, context->count, 8);
+
+  /* Pad out to 56 mod 64.
+*/
+  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
+  padLen = (index < 56) ? (56 - index) : (120 - index);
+  osMD5Update (context, PADDING, padLen);
+
+  /* Append length (before padding) */
+  osMD5Update (context, bits, 8);
+
+  if (digest != NULL)			/* Bill Simpson's padding */
+  {
+	  /* store state in digest */
+	  Encode (digest, context->state, 16);
+
+	  /* Zeroize sensitive information.
+	   */
+	  MD5_memset ((POINTER)context, 0, sizeof (*context));
+  }
+}
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform (state, block)
+UINT4 state[4];
+unsigned char block[64];
+{
+  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+  Decode (x, block, 64);
+
+  /* Round 1 */
+  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+ /* Round 2 */
+  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
+  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+  /* Round 3 */
+  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
+  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+  /* Round 4 */
+  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+  state[0] += a;
+  state[1] += b;
+  state[2] += c;
+  state[3] += d;
+
+  /* Zeroize sensitive information.
+*/
+  MD5_memset ((POINTER)x, 0, sizeof (x));
+}
+
+#ifndef LITTLEENDIAN
+
+/* Encodes input (UINT4) into output (unsigned char). Assumes len is
+  a multiple of 4.
+ */
+static void Encode (output, input, len)
+unsigned char *output;
+UINT4 *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4) {
+ output[j] = (unsigned char)(input[i] & 0xff);
+ output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
+ output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
+ output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
+  }
+}
+
+/* Decodes input (unsigned char) into output (UINT4). Assumes len is
+  a multiple of 4.
+ */
+static void Decode (output, input, len)
+UINT4 *output;
+unsigned char *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4)
+ output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
+   (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+}
+
+#endif
+
+#ifndef HAVEMEMCOPY
+#ifndef HAVEBCOPY
+/* Note: Replace "for loop" with standard memcpy if possible.
+ */
+
+static void MD5_memcpy (output, input, len)
+POINTER output;
+POINTER input;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+
+ output[i] = input[i];
+}
+
+/* Note: Replace "for loop" with standard memset if possible.
+ */
+
+static void MD5_memset (output, value, len)
+POINTER output;
+int value;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+ ((char *)output)[i] = (char)value;
+}
+#endif
+#endif
+
+/*
+ * $Log: ipsec_md5c.c,v $
+ * Revision 1.10  2005/04/15 01:25:57  mcr
+ * 	minor fix to comments.
+ *
+ * Revision 1.9  2004/09/08 17:21:36  ken
+ * Rename MD5* -> osMD5 functions to prevent clashes with other symbols exported by kernel modules (CIFS in 2.6 initiated this)
+ *
+ * Revision 1.8  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.7  2002/09/10 01:45:14  mcr
+ * 	changed type of MD5_CTX and SHA1_CTX to void * so that
+ * 	the function prototypes would match, and could be placed
+ * 	into a pointer to a function.
+ *
+ * Revision 1.6  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.5  2002/04/24 07:36:28  mcr
+ * Moved from ./klips/net/ipsec/ipsec_md5c.c,v
+ *
+ * Revision 1.4  1999/12/13 13:59:12  rgb
+ * Quick fix to argument size to Update bugs.
+ *
+ * Revision 1.3  1999/05/21 18:09:28  henry
+ * unnecessary <memory.h> include causes trouble in 2.2
+ *
+ * Revision 1.2  1999/04/06 04:54:26  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.1  1998/06/18 21:27:48  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.2  1998/04/23 20:54:02  rgb
+ * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
+ * verified.
+ *
+ * Revision 1.1  1998/04/09 03:06:08  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:04  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.3  1996/11/20 14:48:53  ji
+ * Release update only.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_proc.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1186 @@
+/*
+ * @(#) /proc file system interface code.
+ *
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
+ *                                 2001  Michael Richardson <mcr@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * Split out from ipsec_init.c version 1.70.
+ */
+
+char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.39.2.4 2006/11/15 22:21:39 paul Exp $";
+
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_kversion.h"
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/in.h>          /* struct sockaddr_in */
+#include <linux/skbuff.h>
+#include <asm/uaccess.h>       /* copy_from_user */
+#include <openswan.h>
+#ifdef SPINLOCK
+#ifdef SPINLOCK_23
+#include <linux/spinlock.h> /* *lock* */
+#else /* SPINLOCK_23 */
+#include <asm/spinlock.h> /* *lock* */
+#endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+#ifdef CONFIG_PROC_FS
+#include <linux/proc_fs.h>
+#endif /* CONFIG_PROC_FS */
+#ifdef NETLINK_SOCK
+#include <linux/netlink.h>
+#else
+#include <net/netlink.h>
+#endif
+
+#include "openswan/radij.h"
+
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_stats.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_kern24.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include "openswan/ipsec_proto.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#ifdef CONFIG_PROC_FS
+
+#ifdef IPSEC_PROC_SUBDIRS
+static struct proc_dir_entry *proc_net_ipsec_dir = NULL;
+static struct proc_dir_entry *proc_eroute_dir    = NULL;
+static struct proc_dir_entry *proc_spi_dir       = NULL;
+static struct proc_dir_entry *proc_spigrp_dir    = NULL;
+static struct proc_dir_entry *proc_birth_dir     = NULL;
+static struct proc_dir_entry *proc_stats_dir     = NULL;
+#endif
+
+struct ipsec_birth_reply ipsec_ipv4_birth_packet;
+struct ipsec_birth_reply ipsec_ipv6_birth_packet;
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_esp = 0;
+int debug_ah = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#define DECREMENT_UNSIGNED(X, amount) ((amount < (X)) ? (X)-amount : 0)
+
+extern int ipsec_xform_get_info(char *buffer, char **start,
+				off_t offset, int length IPSEC_PROC_LAST_ARG);
+
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_eroute_get_info(char *buffer, 
+		      char **start, 
+		      off_t offset, 
+		      int length        IPSEC_PROC_LAST_ARG)
+{
+	struct wsbuf w = {buffer, length, offset, 0, 0};
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (debug_radij & DB_RJ_DUMPTREES)
+	  rj_dumptrees();			/* XXXXXXXXX */
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_eroute_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	spin_lock_bh(&eroute_lock);
+
+	rj_walktree(rnh, ipsec_rj_walker_procprint, &w);
+/*	rj_walktree(mask_rjhead, ipsec_rj_walker_procprint, &w); */
+
+	spin_unlock_bh(&eroute_lock);
+
+	*start = buffer + (offset - w.begin);	/* Start of wanted data */
+	return w.len - (offset - w.begin);
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_spi_get_info(char *buffer,
+		   char **start,
+		   off_t offset,
+		   int length    IPSEC_PROC_LAST_ARG)
+{
+	const int max_content = length > 0? length-1 : 0;
+	int len = 0;
+	off_t begin = 0;
+	int i;
+	struct ipsec_sa *sa_p;
+	char sa[SATOT_BUF];
+	char buf_s[SUBNETTOA_BUF];
+	char buf_d[SUBNETTOA_BUF];
+	size_t sa_len;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_spi_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+	
+	spin_lock_bh(&tdb_lock);
+
+	for (i = 0; i < SADB_HASHMOD; i++) {
+		for (sa_p = ipsec_sadb_hash[i];
+		     sa_p;
+		     sa_p = sa_p->ips_hnext) {
+			atomic_inc(&sa_p->ips_refcount);
+			sa_len = satot(&sa_p->ips_said, 'x', sa, sizeof(sa));
+			len += ipsec_snprintf(buffer+len, length-len, "%s ",
+				       sa_len ? sa : " (error)");
+
+			len += ipsec_snprintf(buffer+len, length-len, "%s%s%s",
+				       IPS_XFORM_NAME(sa_p));
+
+			len += ipsec_snprintf(buffer+len, length-len, ": dir=%s",
+				       (sa_p->ips_flags & EMT_INBOUND) ?
+				       "in " : "out");
+
+			if(sa_p->ips_addr_s) {
+				addrtoa(((struct sockaddr_in*)(sa_p->ips_addr_s))->sin_addr,
+					0, buf_s, sizeof(buf_s));
+				len += ipsec_snprintf(buffer+len, length-len, " src=%s",
+					       buf_s);
+			}
+
+			if((sa_p->ips_said.proto == IPPROTO_IPIP)
+			   && (sa_p->ips_flags & SADB_X_SAFLAGS_INFLOW)) {
+				subnettoa(sa_p->ips_flow_s.u.v4.sin_addr,
+					  sa_p->ips_mask_s.u.v4.sin_addr,
+					  0,
+					  buf_s,
+					  sizeof(buf_s));
+
+				subnettoa(sa_p->ips_flow_d.u.v4.sin_addr,
+					  sa_p->ips_mask_d.u.v4.sin_addr,
+					  0,
+					  buf_d,
+					  sizeof(buf_d));
+
+				len += ipsec_snprintf(buffer+len, length-len, " policy=%s->%s",
+					       buf_s, buf_d);
+			}
+			
+			if(sa_p->ips_iv_bits) {
+				int j;
+				len += ipsec_snprintf(buffer+len, length-len, " iv_bits=%dbits iv=0x",
+					       sa_p->ips_iv_bits);
+
+				for(j = 0; j < sa_p->ips_iv_bits / 8; j++) {
+					len += ipsec_snprintf(buffer+len, length-len, "%02x",
+						       (__u32)((__u8*)(sa_p->ips_iv))[j]);
+				}
+			}
+
+			if(sa_p->ips_encalg || sa_p->ips_authalg) {
+				if(sa_p->ips_replaywin) {
+					len += ipsec_snprintf(buffer+len, length-len, " ooowin=%d",
+						       sa_p->ips_replaywin);
+				}
+				if(sa_p->ips_errs.ips_replaywin_errs) {
+					len += ipsec_snprintf(buffer+len, length-len, " ooo_errs=%d",
+						       sa_p->ips_errs.ips_replaywin_errs);
+				}
+				if(sa_p->ips_replaywin_lastseq) {
+                                       len += ipsec_snprintf(buffer+len, length-len, " seq=%d",
+						      sa_p->ips_replaywin_lastseq);
+				}
+				if(sa_p->ips_replaywin_bitmap) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
+					len += ipsec_snprintf(buffer+len, length-len, " bit=0x%Lx",
+						       sa_p->ips_replaywin_bitmap);
+#else
+					len += ipsec_snprintf(buffer+len, length-len, " bit=0x%x%08x",
+						       (__u32)(sa_p->ips_replaywin_bitmap >> 32),
+						       (__u32)sa_p->ips_replaywin_bitmap);
+#endif
+				}
+				if(sa_p->ips_replaywin_maxdiff) {
+					len += ipsec_snprintf(buffer+len, length-len, " max_seq_diff=%d",
+						       sa_p->ips_replaywin_maxdiff);
+				}
+			}
+			if(sa_p->ips_flags & ~EMT_INBOUND) {
+				len += ipsec_snprintf(buffer+len, length-len, " flags=0x%x",
+					       sa_p->ips_flags & ~EMT_INBOUND);
+				len += ipsec_snprintf(buffer+len, length-len, "<");
+				/* flag printing goes here */
+				len += ipsec_snprintf(buffer+len, length-len, ">");
+			}
+			if(sa_p->ips_auth_bits) {
+				len += ipsec_snprintf(buffer+len, length-len, " alen=%d",
+					       sa_p->ips_auth_bits);
+			}
+			if(sa_p->ips_key_bits_a) {
+				len += ipsec_snprintf(buffer+len, length-len, " aklen=%d",
+					       sa_p->ips_key_bits_a);
+			}
+			if(sa_p->ips_errs.ips_auth_errs) {
+				len += ipsec_snprintf(buffer+len, length-len, " auth_errs=%d",
+					       sa_p->ips_errs.ips_auth_errs);
+			}
+			if(sa_p->ips_key_bits_e) {
+				len += ipsec_snprintf(buffer+len, length-len, " eklen=%d",
+					       sa_p->ips_key_bits_e);
+			}
+			if(sa_p->ips_errs.ips_encsize_errs) {
+				len += ipsec_snprintf(buffer+len, length-len, " encr_size_errs=%d",
+					       sa_p->ips_errs.ips_encsize_errs);
+			}
+			if(sa_p->ips_errs.ips_encpad_errs) {
+				len += ipsec_snprintf(buffer+len, length-len, " encr_pad_errs=%d",
+					       sa_p->ips_errs.ips_encpad_errs);
+			}
+			
+			len += ipsec_snprintf(buffer+len, length-len, " life(c,s,h)=");
+
+			len += ipsec_lifetime_format(buffer + len,
+						     length - len,
+						     "alloc", 
+						     ipsec_life_countbased,
+						     &sa_p->ips_life.ipl_allocations);
+
+			len += ipsec_lifetime_format(buffer + len,
+						     length - len,
+						     "bytes",
+						     ipsec_life_countbased,
+						     &sa_p->ips_life.ipl_bytes);
+
+			len += ipsec_lifetime_format(buffer + len,
+						     length - len,
+						     "addtime",
+						     ipsec_life_timebased,
+						     &sa_p->ips_life.ipl_addtime);
+
+			len += ipsec_lifetime_format(buffer + len,
+						     length - len,
+						     "usetime",
+						     ipsec_life_timebased,
+						     &sa_p->ips_life.ipl_usetime);
+			
+			len += ipsec_lifetime_format(buffer + len,
+						     length - len,
+						     "packets",
+						     ipsec_life_countbased,
+						     &sa_p->ips_life.ipl_packets);
+			
+			if(sa_p->ips_life.ipl_usetime.ipl_last) { /* XXX-MCR should be last? */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
+				len += ipsec_snprintf(buffer+len, length-len, " idle=%Ld",
+					       jiffies / HZ - sa_p->ips_life.ipl_usetime.ipl_last);
+#else
+				len += ipsec_snprintf(buffer+len, length-len, " idle=%lu",
+					       jiffies / HZ - (unsigned long)sa_p->ips_life.ipl_usetime.ipl_last);
+#endif
+			}
+
+#ifdef CONFIG_KLIPS_IPCOMP
+			if(sa_p->ips_said.proto == IPPROTO_COMP &&
+			   (sa_p->ips_comp_ratio_dbytes ||
+			    sa_p->ips_comp_ratio_cbytes)) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
+				len += ipsec_snprintf(buffer+len, length-len, " ratio=%Ld:%Ld",
+					       sa_p->ips_comp_ratio_dbytes,
+					       sa_p->ips_comp_ratio_cbytes);
+#else
+				len += ipsec_snprintf(buffer+len, length-len, " ratio=%lu:%lu",
+					       (unsigned long)sa_p->ips_comp_ratio_dbytes,
+					       (unsigned long)sa_p->ips_comp_ratio_cbytes);
+#endif
+			}
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+			{
+				char *natttype_name;
+
+				switch(sa_p->ips_natt_type)
+				{
+				case 0:
+					natttype_name="none";
+					break;
+				case ESPINUDP_WITH_NON_IKE:
+					natttype_name="nonike";
+					break;
+				case ESPINUDP_WITH_NON_ESP:
+					natttype_name="nonesp";
+					break;
+				default:
+					natttype_name = "unknown";
+					break;
+				}
+
+				len += ipsec_snprintf(buffer + len, length-len, " natencap=%s",
+					       natttype_name);
+				
+				len += ipsec_snprintf(buffer + len, length-len, " natsport=%d",
+					       sa_p->ips_natt_sport);
+				
+				len += ipsec_snprintf(buffer + len,length-len, " natdport=%d",
+					       sa_p->ips_natt_dport);
+			}
+#else
+			len += ipsec_snprintf(buffer + len, length-len, " natencap=na");
+#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
+				
+			len += ipsec_snprintf(buffer + len,length-len, " refcount=%d",
+				       atomic_read(&sa_p->ips_refcount));
+
+			len += ipsec_snprintf(buffer+len, length-len, " ref=%d",
+				       sa_p->ips_ref);
+#ifdef CONFIG_KLIPS_DEBUG
+			if(debug_xform) {
+			len += ipsec_snprintf(buffer+len, length-len, " reftable=%lu refentry=%lu",
+				       (unsigned long)IPsecSAref2table(sa_p->ips_ref),
+				       (unsigned long)IPsecSAref2entry(sa_p->ips_ref));
+			}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+			len += ipsec_snprintf(buffer+len, length-len, "\n");
+
+                        atomic_dec(&sa_p->ips_refcount);   
+                       
+                        if (len >= max_content) {
+                               /* we've done all that can fit -- stop loops */
+                               len = max_content;      /* truncate crap */
+                                goto done_spi_i;
+                        } else {
+                               const off_t pos = begin + len;  /* file position of end of what we've generated */
+
+                               if (pos <= offset) {
+                                       /* all is before first interesting character:
+                                        * discard, but note where we are.
+                                        */
+                                       len = 0;
+                                       begin = pos;
+                               }
+                        }
+                }
+        }
+
+done_spi_i:	
+	spin_unlock_bh(&tdb_lock);
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	return len - (offset - begin);
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_spigrp_get_info(char *buffer,
+		      char **start,
+		      off_t offset,
+		      int length     IPSEC_PROC_LAST_ARG)
+{
+	/* Limit of useful snprintf output */
+	const int max_content = length > 0? length-1 : 0; 
+
+	int len = 0;
+	off_t begin = 0;
+	int i;
+	struct ipsec_sa *sa_p, *sa_p2;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_spigrp_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	spin_lock_bh(&tdb_lock);
+	
+	for (i = 0; i < SADB_HASHMOD; i++) {
+		for (sa_p = ipsec_sadb_hash[i];
+		     sa_p != NULL;
+		     sa_p = sa_p->ips_hnext)
+		{
+			atomic_inc(&sa_p->ips_refcount);
+			if(sa_p->ips_inext == NULL) {
+				sa_p2 = sa_p;
+				while(sa_p2 != NULL) {
+					atomic_inc(&sa_p2->ips_refcount);
+					sa_len = satot(&sa_p2->ips_said,
+						       'x', sa, sizeof(sa));
+					
+					len += ipsec_snprintf(buffer+len, length-len, "%s ",
+						       sa_len ? sa : " (error)");
+					atomic_dec(&sa_p2->ips_refcount);
+					sa_p2 = sa_p2->ips_onext;
+				}
+				len += ipsec_snprintf(buffer+len, length-len, "\n");
+                       }
+
+                       atomic_dec(&sa_p->ips_refcount);
+                                        
+                       if (len >= max_content) {
+                               /* we've done all that can fit -- stop loops */
+                               len = max_content;      /* truncate crap */
+                               goto done_spigrp_i;
+                       } else {
+                               const off_t pos = begin + len;
+
+                               if (pos <= offset) {
+                                       /* all is before first interesting character:
+                                        * discard, but note where we are.
+                                        */
+                                        len = 0;
+                                        begin = pos;
+                               }
+                       }
+		}
+	}
+
+done_spigrp_i:	
+	spin_unlock_bh(&tdb_lock);
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	return len - (offset - begin);
+}
+
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_tncfg_get_info(char *buffer,
+		     char **start,
+		     off_t offset,
+		     int length     IPSEC_PROC_LAST_ARG)
+{
+	/* limit of useful snprintf output */ 
+	const int max_content = length > 0? length-1 : 0;
+	int len = 0;
+	off_t begin = 0;
+	int i;
+	char name[9];
+	struct net_device *dev, *privdev;
+	struct ipsecpriv *priv;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_tncfg_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	for(i = 0; i < IPSEC_NUM_IF; i++) {
+		ipsec_snprintf(name, (ssize_t) sizeof(name), IPSEC_DEV_FORMAT, i);
+		dev = __ipsec_dev_get(name);
+		if(dev) {
+			priv = (struct ipsecpriv *)(dev->priv);
+			len += ipsec_snprintf(buffer+len, length-len, "%s",
+				       dev->name);
+			if(priv) {
+				privdev = (struct net_device *)(priv->dev);
+				len += ipsec_snprintf(buffer+len, length-len, " -> %s",
+					       privdev ? privdev->name : "NULL");
+				len += ipsec_snprintf(buffer+len, length-len, " mtu=%d(%d) -> %d",
+					       dev->mtu,
+					       priv->mtu,
+					       privdev ? privdev->mtu : 0);
+			} else {
+				KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+					    "klips_debug:ipsec_tncfg_get_info: device '%s' has no private data space!\n",
+					    dev->name);
+			}
+			len += ipsec_snprintf(buffer+len, length-len, "\n");
+
+                        if (len >= max_content) {
+                                /* we've done all that can fit -- stop loop */
+                                len = max_content;      /* truncate crap */
+                                 break;
+                        } else {
+                                const off_t pos = begin + len;
+                                if (pos <= offset) {
+                                        len = 0;
+                                        begin = pos;
+                                }
+			}
+		}
+	}
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	len -= (offset - begin);			/* Start slop */
+	if (len > length)
+		len = length;
+	return len;
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_version_get_info(char *buffer,
+		       char **start,
+		       off_t offset,
+		       int length  IPSEC_PROC_LAST_ARG)
+{
+	int len = 0;
+	off_t begin = 0;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_version_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	len += ipsec_snprintf(buffer + len,length-len, "Openswan version: %s\n",
+		       ipsec_version_code());
+#if 0
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_version_get_info: "
+		    "ipsec_init version: %s\n",
+		    ipsec_init_c_version);
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_version_get_info: "
+		    "ipsec_tunnel version: %s\n",
+		    ipsec_tunnel_c_version);
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_version_get_info: "
+		    "ipsec_netlink version: %s\n",
+		    ipsec_netlink_c_version);
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_version_get_info: "
+		    "radij_c_version: %s\n",
+		    radij_c_version);
+#endif
+
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	len -= (offset - begin);			/* Start slop */
+	if (len > length)
+		len = length;
+	return len;
+}
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+unsigned int natt_available = 1;
+#else
+unsigned int natt_available = 0;
+#endif
+module_param(natt_available, int, 0444);
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_natt_get_info(char *buffer,
+                    char **start,
+                    off_t offset,
+                    int length  IPSEC_PROC_LAST_ARG)
+{
+        int len = 0;
+        off_t begin = 0;
+
+        len += ipsec_snprintf(buffer + len,
+                              length-len, "%d\n",
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+                              1
+#else
+                              0
+#endif
+                );
+
+        *start = buffer + (offset - begin);     /* Start of wanted data */
+        len -= (offset - begin);                        /* Start slop */
+        if (len > length)
+                len = length;
+        return len;
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_birth_info(char *page,
+		 char **start,
+		 off_t offset,
+		 int count,
+		 int *eof,
+		 void *data)
+{
+	struct ipsec_birth_reply *ibr = (struct ipsec_birth_reply *)data;
+	int len;
+
+	if(offset >= ibr->packet_template_len) {
+		if(eof) {
+			*eof=1;
+		}
+		return 0;
+	}
+
+	len = ibr->packet_template_len;
+	len -= offset;
+	if (len > count)
+		len = count;
+
+	memcpy(page + offset, ibr->packet_template+offset, len);
+
+	return len;
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_birth_set(struct file *file, const char *buffer,
+		unsigned long count, void *data)
+{
+	struct ipsec_birth_reply *ibr = (struct ipsec_birth_reply *)data;
+	int len;
+
+	KLIPS_INC_USE;
+        if(count > IPSEC_BIRTH_TEMPLATE_MAXLEN) {
+                len = IPSEC_BIRTH_TEMPLATE_MAXLEN;
+	} else {
+                len = count;
+	}
+
+        if(copy_from_user(ibr->packet_template, buffer, len)) {
+                KLIPS_DEC_USE;
+                return -EFAULT;
+        }
+	ibr->packet_template_len = len;
+
+        KLIPS_DEC_USE;
+
+        return len;
+}
+
+
+#ifdef CONFIG_KLIPS_DEBUG
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_klipsdebug_get_info(char *buffer,
+			  char **start,
+			  off_t offset,
+			  int length      IPSEC_PROC_LAST_ARG)
+{
+	int len = 0;
+	off_t begin = 0;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
+		    "klips_debug:ipsec_klipsdebug_get_info: "
+		    "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
+		    buffer,
+		    *start,
+		    (int)offset,
+		    length);
+
+	len += ipsec_snprintf(buffer+len, length-len, "debug_tunnel=%08x.\n", debug_tunnel);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_xform=%08x.\n", debug_xform);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_eroute=%08x.\n", debug_eroute);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_spi=%08x.\n", debug_spi);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_radij=%08x.\n", debug_radij);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_esp=%08x.\n", debug_esp);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_ah=%08x.\n", debug_ah);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_rcv=%08x.\n", debug_rcv);
+	len += ipsec_snprintf(buffer+len, length-len, "debug_pfkey=%08x.\n", debug_pfkey);
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	len -= (offset - begin);			/* Start slop */
+	if (len > length)
+		len = length;
+	return len;
+}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_stats_get_int_info(char *buffer,
+			 char **start,
+			 off_t offset,
+			 int   length,
+			 int   *eof,
+			 void  *data)
+{
+
+	const int max_content = length > 0? length-1 : 0;
+	int len = 0;
+	int *thing;
+
+	thing = (int *)data;
+	
+	len = ipsec_snprintf(buffer+len, length-len, "%08x\n", *thing);
+
+	if (len >= max_content)
+               len = max_content;      /* truncate crap */
+
+        *start = buffer + offset;       /* Start of wanted data */
+        return len > offset? len - offset : 0;
+
+}
+
+#ifndef PROC_FS_2325
+struct proc_dir_entry ipsec_eroute =
+{
+	0,
+	12, "ipsec_eroute",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_eroute_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+
+struct proc_dir_entry ipsec_spi =
+{
+	0,
+	9, "ipsec_spi",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_spi_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+
+struct proc_dir_entry ipsec_spigrp =
+{
+	0,
+	12, "ipsec_spigrp",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_spigrp_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+
+struct proc_dir_entry ipsec_tncfg =
+{
+	0,
+	11, "ipsec_tncfg",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_tncfg_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+
+struct proc_dir_entry ipsec_version =
+{
+	0,
+	13, "ipsec_version",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_version_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+
+#ifdef CONFIG_KLIPS_DEBUG
+struct proc_dir_entry ipsec_klipsdebug =
+{
+	0,
+	16, "ipsec_klipsdebug",
+	S_IFREG | S_IRUGO, 1, 0, 0, 0,
+	&proc_net_inode_operations,
+	ipsec_klipsdebug_get_info,
+	NULL, NULL, NULL, NULL, NULL
+};
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif /* !PROC_FS_2325 */
+#endif /* CONFIG_PROC_FS */
+
+#if defined(PROC_FS_2325) 
+struct ipsec_proc_list {
+	char                   *name;
+	struct proc_dir_entry **parent;
+	struct proc_dir_entry **dir;
+	read_proc_t            *readthing;
+	write_proc_t           *writething;
+	void                   *data;
+};
+static struct ipsec_proc_list proc_items[]={
+#ifdef CONFIG_KLIPS_DEBUG
+	{"klipsdebug", &proc_net_ipsec_dir, NULL,             ipsec_klipsdebug_get_info, NULL, NULL},
+#endif
+	{"eroute",     &proc_net_ipsec_dir, &proc_eroute_dir, NULL, NULL, NULL},
+	{"all",        &proc_eroute_dir,    NULL,             ipsec_eroute_get_info,     NULL, NULL},
+	{"spi",        &proc_net_ipsec_dir, &proc_spi_dir,    NULL, NULL, NULL},
+	{"all",        &proc_spi_dir,       NULL,             ipsec_spi_get_info,        NULL, NULL},
+	{"spigrp",     &proc_net_ipsec_dir, &proc_spigrp_dir, NULL, NULL, NULL},
+	{"all",        &proc_spigrp_dir,    NULL,             ipsec_spigrp_get_info,     NULL, NULL},
+	{"birth",      &proc_net_ipsec_dir, &proc_birth_dir,  NULL,      NULL, NULL},
+	{"ipv4",       &proc_birth_dir,     NULL,             ipsec_birth_info, ipsec_birth_set, (void *)&ipsec_ipv4_birth_packet},
+	{"ipv6",       &proc_birth_dir,     NULL,             ipsec_birth_info, ipsec_birth_set, (void *)&ipsec_ipv6_birth_packet},
+	{"tncfg",      &proc_net_ipsec_dir, NULL,             ipsec_tncfg_get_info,      NULL, NULL},
+	{"xforms",     &proc_net_ipsec_dir, NULL,             ipsec_xform_get_info,      NULL, NULL},
+	{"stats",      &proc_net_ipsec_dir, &proc_stats_dir,  NULL,      NULL, NULL},
+	{"trap_count", &proc_stats_dir,     NULL,             ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_count},
+	{"trap_sendcount", &proc_stats_dir, NULL,             ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_sendcount},
+	{"version",    &proc_net_ipsec_dir, NULL,             ipsec_version_get_info,    NULL, NULL},
+	{NULL,         NULL,                NULL,             NULL,      NULL, NULL}
+};
+#endif
+		
+int
+ipsec_proc_init()
+{
+	int error = 0;
+#ifdef IPSEC_PROC_SUBDIRS
+	struct proc_dir_entry *item;
+#endif
+
+	/*
+	 * just complain because pluto won't run without /proc!
+	 */
+#ifndef CONFIG_PROC_FS 
+#error You must have PROC_FS built in to use KLIPS
+#endif
+
+        /* for 2.0 kernels */
+#if !defined(PROC_FS_2325) && !defined(PROC_FS_21)
+	error |= proc_register_dynamic(&proc_net, &ipsec_eroute);
+	error |= proc_register_dynamic(&proc_net, &ipsec_spi);
+	error |= proc_register_dynamic(&proc_net, &ipsec_spigrp);
+	error |= proc_register_dynamic(&proc_net, &ipsec_tncfg);
+	error |= proc_register_dynamic(&proc_net, &ipsec_version);
+#ifdef CONFIG_KLIPS_DEBUG
+	error |= proc_register_dynamic(&proc_net, &ipsec_klipsdebug);
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif
+
+	/* for 2.2 kernels */
+#if !defined(PROC_FS_2325) && defined(PROC_FS_21)
+	error |= proc_register(proc_net, &ipsec_eroute);
+	error |= proc_register(proc_net, &ipsec_spi);
+	error |= proc_register(proc_net, &ipsec_spigrp);
+	error |= proc_register(proc_net, &ipsec_tncfg);
+	error |= proc_register(proc_net, &ipsec_version);
+#ifdef CONFIG_KLIPS_DEBUG
+	error |= proc_register(proc_net, &ipsec_klipsdebug);
+#endif /* CONFIG_KLIPS_DEBUG */
+#endif
+
+	/* for 2.4 kernels */
+#if defined(PROC_FS_2325)
+	/* create /proc/net/ipsec */
+
+	/* zero these out before we initialize /proc/net/ipsec/birth/stuff */
+	memset(&ipsec_ipv4_birth_packet, 0, sizeof(struct ipsec_birth_reply));
+	memset(&ipsec_ipv6_birth_packet, 0, sizeof(struct ipsec_birth_reply));
+
+	proc_net_ipsec_dir = proc_mkdir("ipsec", proc_net);
+	if(proc_net_ipsec_dir == NULL) {
+		/* no point in continuing */
+		return 1;
+	} 	
+
+	{
+		struct ipsec_proc_list *it;
+
+		it=proc_items;
+		while(it->name!=NULL) {
+			if(it->dir) {
+				/* make a dir instead */
+				item = proc_mkdir(it->name, *it->parent);
+				*it->dir = item;
+			} else {
+				item = create_proc_entry(it->name, 0400, *it->parent);
+			}
+			if(item) {
+				item->read_proc  = it->readthing;
+				item->write_proc = it->writething;
+				item->data       = it->data;
+#ifdef MODULE
+				item->owner = THIS_MODULE;
+#endif
+			} else {
+				error |= 1;
+			}
+			it++;
+		}
+	}
+	
+	/* now create some symlinks to provide compatibility */
+	proc_symlink("ipsec_eroute", proc_net, "ipsec/eroute/all");
+	proc_symlink("ipsec_spi",    proc_net, "ipsec/spi/all");
+	proc_symlink("ipsec_spigrp", proc_net, "ipsec/spigrp/all");
+	proc_symlink("ipsec_tncfg",  proc_net, "ipsec/tncfg");
+	proc_symlink("ipsec_version",proc_net, "ipsec/version");
+	proc_symlink("ipsec_klipsdebug",proc_net,"ipsec/klipsdebug");
+
+#endif /* !PROC_FS_2325 */
+
+	return error;
+}
+
+void
+ipsec_proc_cleanup()
+{
+
+	/* for 2.0 and 2.2 kernels */
+#if !defined(PROC_FS_2325) 
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (proc_net_unregister(ipsec_klipsdebug.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_klipsdebug\n");
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	if (proc_net_unregister(ipsec_version.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_version\n");
+	if (proc_net_unregister(ipsec_eroute.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_eroute\n");
+	if (proc_net_unregister(ipsec_spi.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_spi\n");
+	if (proc_net_unregister(ipsec_spigrp.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_spigrp\n");
+	if (proc_net_unregister(ipsec_tncfg.low_ino) != 0)
+		printk("klips_debug:ipsec_cleanup: "
+		       "cannot unregister /proc/net/ipsec_tncfg\n");
+#endif
+
+	/* for 2.4 kernels */
+#if defined(PROC_FS_2325)
+	{
+		struct ipsec_proc_list *it;
+
+		/* find end of list */
+		it=proc_items;
+		while(it->name!=NULL) {
+			it++;
+		}
+		it--;
+
+		do {
+			remove_proc_entry(it->name, *it->parent);
+			it--;
+		} while(it >= proc_items);
+	}
+
+
+#ifdef CONFIG_KLIPS_DEBUG
+	remove_proc_entry("ipsec_klipsdebug", proc_net);
+#endif /* CONFIG_KLIPS_DEBUG */
+	remove_proc_entry("ipsec_eroute",     proc_net);
+	remove_proc_entry("ipsec_spi",        proc_net);
+	remove_proc_entry("ipsec_spigrp",     proc_net);
+	remove_proc_entry("ipsec_tncfg",      proc_net);
+	remove_proc_entry("ipsec_version",    proc_net);
+	remove_proc_entry("ipsec",            proc_net);
+#endif /* 2.4 kernel */
+}
+
+/*
+ * $Log: ipsec_proc.c,v $
+ * Revision 1.39.2.4  2006/11/15 22:21:39  paul
+ * backport of creating a /sys/ file to test for nat-t capability in kernel.
+ *
+ * Revision 1.39.2.3  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.39.2.2  2006/02/13 18:48:12  paul
+ * Fix by  Ankit Desai <ankit@elitecore.com> for module unloading.
+ *
+ * Revision 1.39.2.1  2005/09/07 00:45:59  paul
+ * pull up of mcr's nat-t klips detection patch from head
+ *
+ * Revision 1.39  2005/05/20 03:19:18  mcr
+ * 	modifications for use on 2.4.30 kernel, with backported
+ * 	printk_ratelimit(). all warnings removed.
+ *
+ * Revision 1.38  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.37  2005/04/13 22:49:49  mcr
+ * 	moved KLIPS specific snprintf() wrapper to seperate file.
+ *
+ * Revision 1.36  2005/04/06 17:44:36  mcr
+ * 	when NAT-T is compiled out, show encap as "NA"
+ *
+ * Revision 1.35  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.34  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.33  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.32  2004/08/03 18:19:08  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.31  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.30  2004/04/25 21:23:11  ken
+ * Pull in dhr's changes from FreeS/WAN 2.06
+ *
+ * Revision 1.29  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.28  2004/03/28 20:29:58  paul
+ *      <hugh_> ssize_t, not ssized_t
+ *
+ * Revision 1.27  2004/03/28 20:27:20  paul
+ * Included tested and confirmed fixes mcr made and dhr verified for
+ * snprint statements. Changed one other snprintf to use ipsec_snprintf
+ * so it wouldnt break compatibility with 2.0/2.2 kernels. Verified with
+ * dhr. (thanks dhr!)
+ *
+ * Revision 1.26  2004/02/09 22:07:06  mcr
+ * 	added information about nat-traversal setting to spi-output.
+ *
+ * Revision 1.25.4.1  2004/04/05 04:30:46  mcr
+ * 	patches for alg-branch to compile/work with 2.x openswan
+ *
+ * Revision 1.25  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.24.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.24  2003/06/20 01:42:21  mcr
+ * 	added counters to measure how many ACQUIREs we send to pluto,
+ * 	and how many are successfully sent.
+ *
+ * Revision 1.23  2003/04/03 17:38:09  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ *
+ * Revision 1.22  2002/09/20 15:40:57  rgb
+ * Renamed saref macros for consistency and brevity.
+ *
+ * Revision 1.21  2002/09/20 05:01:35  rgb
+ * Print ref and  reftable, refentry seperately.
+ *
+ * Revision 1.20  2002/09/19 02:35:39  mcr
+ * 	do not define structures needed by /proc/net/ipsec/ if we
+ * 	aren't going create that directory.
+ *
+ * Revision 1.19  2002/09/10 01:43:25  mcr
+ * 	fixed problem in /-* comment.
+ *
+ * Revision 1.18  2002/09/03 16:22:11  mcr
+ * 	fixed initialization of birth/stuff values - some simple
+ * 	screw ups in the code.
+ * 	removed debugging that was left in by mistake.
+ *
+ * Revision 1.17  2002/09/02 17:54:53  mcr
+ * 	changed how the table driven /proc entries are created so that
+ * 	making subdirs is now explicit rather than implicit.
+ *
+ * Revision 1.16  2002/08/30 01:23:37  mcr
+ * 	reorganized /proc creating code to clear up ifdefs,
+ * 	make the 2.4 code table driven, and put things into
+ * 	/proc/net/ipsec subdir. Symlinks are left for compatibility.
+ *
+ * Revision 1.15  2002/08/13 19:01:25  mcr
+ * 	patches from kenb to permit compilation of FreeSWAN on ia64.
+ * 	des library patched to use proper DES_LONG type for ia64.
+ *
+ * Revision 1.14  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.13  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.12  2002/05/27 18:56:07  rgb
+ * Convert to dynamic ipsec device allocation.
+ *
+ * Revision 1.11  2002/05/23 07:14:50  rgb
+ * Added refcount code.
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ * Convert "usecount" to "refcount" to remove ambiguity.
+ *
+ * Revision 1.10  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.9  2002/04/24 07:36:28  mcr
+ * Moved from ./klips/net/ipsec/ipsec_proc.c,v
+ *
+ * Revision 1.8  2002/01/29 17:17:55  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.7  2002/01/29 04:00:52  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.6  2002/01/29 02:13:17  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.5  2002/01/12 02:54:30  mcr
+ * 	beginnings of /proc/net/ipsec dir.
+ *
+ * Revision 1.4  2001/12/11 02:21:05  rgb
+ * Don't include module version here, fixing 2.2 compile bug.
+ *
+ * Revision 1.3  2001/12/05 07:19:44  rgb
+ * Fixed extraneous #include "version.c" bug causing modular KLIPS failure.
+ *
+ * Revision 1.2  2001/11/26 09:16:14  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.74  2001/11/22 05:44:11  henry
+ * new version stuff
+ *
+ * Revision 1.1.2.1  2001/09/25 02:19:40  mcr
+ * 	/proc manipulation code moved to new ipsec_proc.c
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_radij.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,889 @@
+/*
+ * Interface between the IPSEC code and the radix (radij) tree code
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_radij.c,v 1.73.2.1 2006/10/06 21:39:26 paul Exp $
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, struct net_device_stats and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* 23_SPINLOCK */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* 23_SPINLOCK */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "openswan/ipsec_eroute.h"
+#include "openswan/ipsec_sa.h"
+ 
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_tunnel.h"	/* struct ipsecpriv */
+#include "openswan/ipsec_xform.h"
+ 
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_radij = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+struct radij_node_head *rnh = NULL;
+#ifdef SPINLOCK
+spinlock_t eroute_lock = SPIN_LOCK_UNLOCKED;
+#else /* SPINLOCK */
+spinlock_t eroute_lock;
+#endif /* SPINLOCK */
+
+int
+ipsec_radijinit(void)
+{
+	maj_keylen = sizeof (struct sockaddr_encap);
+
+	rj_init();
+	
+	if (rj_inithead((void **)&rnh, /*16*/offsetof(struct sockaddr_encap, sen_type) * sizeof(__u8)) == 0) /* 16 is bit offset of sen_type */
+		return -1;
+	return 0;
+}
+
+int
+ipsec_radijcleanup(void)
+{
+	int error;
+
+	spin_lock_bh(&eroute_lock);
+
+	error = radijcleanup();
+
+	spin_unlock_bh(&eroute_lock);
+
+	return error;
+}
+
+int
+ipsec_cleareroutes(void)
+{
+	int error;
+
+	spin_lock_bh(&eroute_lock);
+
+	error = radijcleartree();
+
+	spin_unlock_bh(&eroute_lock);
+
+	return error;
+}
+
+int
+ipsec_breakroute(struct sockaddr_encap *eaddr,
+		 struct sockaddr_encap *emask,
+		 struct sk_buff **first,
+		 struct sk_buff **last)
+{
+	struct eroute *ro;
+	struct radij_node *rn;
+	int error;
+#ifdef CONFIG_KLIPS_DEBUG
+	
+	if (debug_eroute) {
+                char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
+		subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
+		KLIPS_PRINT(debug_eroute,
+			    "klips_debug:ipsec_breakroute: "
+			    "attempting to delete eroute for %s:%d->%s:%d %d\n",
+			    buf1, ntohs(eaddr->sen_sport),
+			    buf2, ntohs(eaddr->sen_dport), eaddr->sen_proto);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	spin_lock_bh(&eroute_lock);
+
+	if ((error = rj_delete(eaddr, emask, rnh, &rn)) != 0) {
+		spin_unlock_bh(&eroute_lock);
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_breakroute: "
+			    "node not found, eroute delete failed.\n");
+		return error;
+	}
+
+	spin_unlock_bh(&eroute_lock);
+	
+	ro = (struct eroute *)rn;
+	
+	KLIPS_PRINT(debug_eroute, 
+		    "klips_debug:ipsec_breakroute: "
+		    "deleted eroute=0p%p, ident=0p%p->0p%p, first=0p%p, last=0p%p\n",
+		    ro,
+		    ro->er_ident_s.data,
+		    ro->er_ident_d.data,
+		    ro->er_first,
+		    ro->er_last);
+	
+	if (ro->er_ident_s.data != NULL) {
+		kfree(ro->er_ident_s.data);
+	}
+	if (ro->er_ident_d.data != NULL) {
+		kfree(ro->er_ident_d.data);
+	}
+	if (ro->er_first != NULL) {
+#if 0
+		struct net_device_stats *stats = (struct net_device_stats *) &(((struct ipsecpriv *)(ro->er_first->dev->priv))->mystats);
+		stats->tx_dropped--;
+#endif
+		*first = ro->er_first;
+	}
+	if (ro->er_last != NULL) {
+#if 0
+		struct net_device_stats *stats = (struct net_device_stats *) &(((struct ipsecpriv *)(ro->er_last->dev->priv))->mystats);
+		stats->tx_dropped--;
+#endif
+		*last = ro->er_last;
+	}
+	
+	if (rn->rj_flags & (RJF_ACTIVE | RJF_ROOT))
+		panic ("ipsec_breakroute RMT_DELEROUTE root or active node\n");
+	memset((caddr_t)rn, 0, sizeof (struct eroute));
+	kfree(rn);
+	
+	return 0;
+}
+
+int
+ipsec_makeroute(struct sockaddr_encap *eaddr,
+		struct sockaddr_encap *emask,
+		ip_said said,
+		uint32_t pid,
+		struct sk_buff *skb,
+		struct ident *ident_s,
+		struct ident *ident_d)
+{
+	struct eroute *retrt;
+	int error;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+
+#ifdef CONFIG_KLIPS_DEBUG
+	
+	if (debug_eroute) {
+
+		{
+                       char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
+
+                       subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
+                       subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
+                       sa_len = satot(&said, 0, sa, sizeof(sa));
+                       KLIPS_PRINT(debug_eroute,
+                                   "klips_debug:ipsec_makeroute: "
+                                   "attempting to allocate %lu bytes to insert eroute for %s->%s, SA: %s, PID:%d, skb=0p%p, ident:%s->%s\n",
+                                   (unsigned long) sizeof(struct eroute),
+                                   buf1,
+                                   buf2,
+                                   sa_len ? sa : " (error)",
+                                   pid,
+                                   skb,
+                                   (ident_s ? (ident_s->data ? ident_s->data : "NULL") : "NULL"),
+                                   (ident_d ? (ident_d->data ? ident_d->data : "NULL") : "NULL"));
+               }
+               {
+                       char buf1[sizeof(struct sockaddr_encap)*2 + 1],   
+                               buf2[sizeof(struct sockaddr_encap)*2 + 1];
+                       int i;
+                       unsigned char *b1 = buf1,
+                               *b2 = buf2,
+                               *ea = (unsigned char *)eaddr,
+                               *em = (unsigned char *)emask;
+                                   
+                                   
+                       for (i=0; i<sizeof(struct sockaddr_encap); i++) {
+                               sprintf(b1, "%02x", ea[i]);
+                               sprintf(b2, "%02x", em[i]);
+                               b1+=2;
+                               b2+=2;
+                       }
+                       KLIPS_PRINT(debug_eroute, "klips_debug:ipsec_makeroute: %s / %s \n", buf1, buf2);
+                }
+
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	retrt = (struct eroute *)kmalloc(sizeof (struct eroute), GFP_ATOMIC);
+	if (retrt == NULL) {
+		printk("klips_error:ipsec_makeroute: "
+		       "not able to allocate kernel memory");
+		return -ENOMEM;
+	}
+	memset((caddr_t)retrt, 0, sizeof (struct eroute));
+
+	retrt->er_eaddr = *eaddr;
+	retrt->er_emask = *emask;
+	retrt->er_said = said;
+	retrt->er_pid = pid;
+	retrt->er_count = 0;
+	retrt->er_lasttime = jiffies/HZ;
+
+	{
+	  /* this is because gcc 3. doesn't like cast's as lvalues */
+	  struct rjtentry *rje = (struct rjtentry *)&(retrt->er_rjt);
+	  caddr_t er = (caddr_t)&(retrt->er_eaddr);
+	  
+	  rje->rd_nodes->rj_key= er;
+	}
+	
+	if (ident_s && ident_s->type != SADB_IDENTTYPE_RESERVED) {
+		int data_len = ident_s->len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+		
+		retrt->er_ident_s.type = ident_s->type;
+		retrt->er_ident_s.id = ident_s->id;
+		retrt->er_ident_s.len = ident_s->len;
+		if(data_len) {
+			KLIPS_PRINT(debug_eroute, 
+				    "klips_debug:ipsec_makeroute: "
+				    "attempting to allocate %u bytes for ident_s.\n",
+				    data_len);
+			if(!(retrt->er_ident_s.data = kmalloc(data_len, GFP_KERNEL))) {
+				kfree(retrt);
+				printk("klips_error:ipsec_makeroute: not able to allocate kernel memory (%d)\n", data_len);
+				return ENOMEM;
+			}
+			memcpy(retrt->er_ident_s.data, ident_s->data, data_len);
+		} else {
+			retrt->er_ident_s.data = NULL;
+		}
+	}
+	
+	if (ident_d && ident_d->type != SADB_IDENTTYPE_RESERVED) {
+		int data_len = ident_d->len  * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+		
+		retrt->er_ident_d.type = ident_d->type;
+		retrt->er_ident_d.id = ident_d->id;
+		retrt->er_ident_d.len = ident_d->len;
+		if(data_len) {
+			KLIPS_PRINT(debug_eroute, 
+				    "klips_debug:ipsec_makeroute: "
+				    "attempting to allocate %u bytes for ident_d.\n",
+				    data_len);
+			if(!(retrt->er_ident_d.data = kmalloc(data_len, GFP_KERNEL))) {
+				if (retrt->er_ident_s.data)
+					kfree(retrt->er_ident_s.data);
+				kfree(retrt);
+				printk("klips_error:ipsec_makeroute: not able to allocate kernel memory (%d)\n", data_len);
+				return ENOMEM;
+			}
+			memcpy(retrt->er_ident_d.data, ident_d->data, data_len);
+		} else {
+			retrt->er_ident_d.data = NULL;
+		}
+	}
+	retrt->er_first = skb;
+	retrt->er_last = NULL;
+	
+	KLIPS_PRINT(debug_eroute, 
+		    "klips_debug:ipsec_makeroute: "
+		    "calling rj_addroute now\n");
+
+	spin_lock_bh(&eroute_lock);
+	
+	error = rj_addroute(&(retrt->er_eaddr), &(retrt->er_emask), 
+			 rnh, retrt->er_rjt.rd_nodes);
+
+	spin_unlock_bh(&eroute_lock);
+	
+	if(error) {
+		sa_len = satot(&said, 0, sa, sizeof(sa));
+		KLIPS_PRINT(debug_eroute, 
+			    "klips_debug:ipsec_makeroute: "
+			    "rj_addroute not able to insert eroute for SA:%s (error:%d)\n",
+			    sa_len ? sa : " (error)", error);
+		if (retrt->er_ident_s.data)
+			kfree(retrt->er_ident_s.data);
+		if (retrt->er_ident_d.data)
+			kfree(retrt->er_ident_d.data);
+		
+		kfree(retrt);
+		
+		return error;
+	}
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (debug_eroute) {
+		char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
+/*
+		subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
+*/
+		subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_src, rd_mask((&(retrt->er_rjt)))->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_dst, rd_mask((&(retrt->er_rjt)))->sen_ip_dst, 0, buf2, sizeof(buf2));
+		sa_len = satot(&retrt->er_said, 0, sa, sizeof(sa));
+		
+		KLIPS_PRINT(debug_eroute,
+			    "klips_debug:ipsec_makeroute: "
+			    "pid=%05d "
+			    "count=%10d "
+			    "lasttime=%6d "
+			    "%-18s -> %-18s => %s\n",
+			    retrt->er_pid,
+			    retrt->er_count,
+			    (int)(jiffies/HZ - retrt->er_lasttime),
+			    buf1,
+			    buf2,
+			    sa_len ? sa : " (error)");
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+	KLIPS_PRINT(debug_eroute,
+		    "klips_debug:ipsec_makeroute: "
+		    "succeeded.\n");
+	return 0;
+}
+
+struct eroute *
+ipsec_findroute(struct sockaddr_encap *eaddr)
+{
+	struct radij_node *rn;
+#ifdef CONFIG_KLIPS_DEBUG
+	char buf1[ADDRTOA_BUF], buf2[ADDRTOA_BUF];
+	
+	if (debug_radij & DB_RJ_FINDROUTE) {
+		addrtoa(eaddr->sen_ip_src, 0, buf1, sizeof(buf1));
+		addrtoa(eaddr->sen_ip_dst, 0, buf2, sizeof(buf2));
+		KLIPS_PRINT(debug_eroute,
+			    "klips_debug:ipsec_findroute: "
+			    "%s:%d->%s:%d %d\n",
+			    buf1, ntohs(eaddr->sen_sport),
+			    buf2, ntohs(eaddr->sen_dport),
+			    eaddr->sen_proto);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+	rn = rj_match((caddr_t)eaddr, rnh);
+	if(rn) {
+		KLIPS_PRINT(debug_eroute && sysctl_ipsec_debug_verbose,
+			    "klips_debug:ipsec_findroute: "
+			    "found, points to proto=%d, spi=%x, dst=%x.\n",
+			    ((struct eroute*)rn)->er_said.proto,
+			    ntohl(((struct eroute*)rn)->er_said.spi),
+			    ntohl(((struct eroute*)rn)->er_said.dst.u.v4.sin_addr.s_addr));
+	}
+	return (struct eroute *)rn;
+}
+		
+#ifdef CONFIG_PROC_FS
+/** ipsec_rj_walker_procprint: print one line of eroute table output.
+ *
+ * Theoretical BUG: if w->length is less than the length
+ * of some line we should produce, that line will never
+ * be finished.  In effect, the "file" will stop part way 
+ * through that line.
+ */
+int
+ipsec_rj_walker_procprint(struct radij_node *rn, void *w0)
+{
+	struct eroute *ro = (struct eroute *)rn;
+	struct rjtentry *rd = (struct rjtentry *)rn;
+	struct wsbuf *w = (struct wsbuf *)w0;
+	char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
+	char buf3[16];
+	char sa[SATOT_BUF];
+	size_t sa_len, buf_len;
+	struct sockaddr_encap *key, *mask;
+	
+	KLIPS_PRINT(debug_radij,
+		    "klips_debug:ipsec_rj_walker_procprint: "
+		    "rn=0p%p, w0=0p%p\n",
+		    rn,
+		    w0);
+	if (rn->rj_b >= 0) {
+		return 0;
+	}
+	
+	key = rd_key(rd);
+	mask = rd_mask(rd);
+
+	if (key == NULL || mask == NULL) {
+                return 0;
+        }
+
+	buf_len = subnettoa(key->sen_ip_src, mask->sen_ip_src, 0, buf1, sizeof(buf1));
+	if(key->sen_sport != 0) {
+	  sprintf(buf1+buf_len-1, ":%d", ntohs(key->sen_sport));
+	}
+
+	buf_len = subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
+	if(key->sen_dport != 0) {
+	  sprintf(buf2+buf_len-1, ":%d", ntohs(key->sen_dport));
+	}
+
+	buf3[0]='\0';
+	if(key->sen_proto != 0) {
+	  sprintf(buf3, ":%d", key->sen_proto);
+	}
+
+	sa_len = satot(&ro->er_said, 'x', sa, sizeof(sa));
+	w->len += ipsec_snprintf(w->buffer + w->len,
+				 w->length - w->len,
+				 "%-10d "
+				 "%-18s -> %-18s => %s%s\n",
+				 ro->er_count,
+				 buf1,
+				 buf2,
+				 sa_len ? sa : " (error)",
+				 buf3);
+	
+       {
+               /* snprintf can only fill the last character with NUL
+                * so the maximum useful character is w->length-1.
+                * However, if w->length == 0, we cannot go back.
+                * (w->length surely cannot be negative.)
+                */
+               int max_content = w->length > 0? w->length-1 : 0;
+
+               if (w->len >= max_content) {
+                       /* we've done all that can fit -- stop treewalking */
+                       w->len = max_content;   /* truncate crap */
+                       return -ENOBUFS;
+               } else {
+                       const off_t pos = w->begin + w->len;    /* file position of end of what we've generated */
+                
+                       if (pos <= w->offset) {
+                               /* all is before first interesting character:
+                                * discard, but note where we are.
+                                */
+                               w->len = 0;
+                               w->begin = pos;
+                       }
+                       return 0;
+               }
+        }        
+}
+#endif          /* CONFIG_PROC_FS */
+
+int
+ipsec_rj_walker_delete(struct radij_node *rn, void *w0)
+{
+	struct eroute *ro;
+	struct rjtentry *rd = (struct rjtentry *)rn;
+	struct radij_node *rn2;
+	int error;
+	struct sockaddr_encap *key, *mask;
+	
+	key = rd_key(rd);
+	mask = rd_mask(rd);
+	
+	if(!key || !mask) {
+		return -ENODATA;
+	}
+#ifdef CONFIG_KLIPS_DEBUG
+	if(debug_radij)	{
+		char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
+		subnettoa(key->sen_ip_src, mask->sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
+		KLIPS_PRINT(debug_radij, 
+			    "klips_debug:ipsec_rj_walker_delete: "
+			    "deleting: %s -> %s\n",
+			    buf1,
+			    buf2);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	if((error = rj_delete(key, mask, rnh, &rn2))) {
+		KLIPS_PRINT(debug_radij,
+			    "klips_debug:ipsec_rj_walker_delete: "
+			    "rj_delete failed with error=%d.\n", error);
+		return error;
+	}
+
+	if(rn2 != rn) {
+		printk("klips_debug:ipsec_rj_walker_delete: "
+		       "tried to delete a different node?!?  This should never happen!\n");
+	}
+ 
+	ro = (struct eroute *)rn;
+	
+	if (ro->er_ident_s.data)
+		kfree(ro->er_ident_s.data);
+	if (ro->er_ident_d.data)
+		kfree(ro->er_ident_d.data);
+	
+	memset((caddr_t)rn, 0, sizeof (struct eroute));
+	kfree(rn);
+	
+	return 0;
+}
+
+/*
+ * $Log: ipsec_radij.c,v $
+ * Revision 1.73.2.1  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.73  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.72  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.71  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.70  2004/04/25 21:10:52  ken
+ * Pull in dhr's changes from FreeS/WAN 2.06
+ *
+ * Revision 1.69  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.68  2004/03/28 20:27:20  paul
+ * Included tested and confirmed fixes mcr made and dhr verified for
+ * snprint statements. Changed one other snprintf to use ipsec_snprintf
+ * so it wouldnt break compatibility with 2.0/2.2 kernels. Verified with
+ * dhr. (thanks dhr!)
+ *
+ * Revision 1.67.4.1  2004/04/05 04:30:46  mcr
+ * 	patches for alg-branch to compile/work with 2.x openswan
+ *
+ * Revision 1.67  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.66.24.2  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.66.24.1  2003/09/21 13:59:56  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.66  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.65  2002/09/20 05:01:40  rgb
+ * Added memory allocation debugging.
+ *
+ * Revision 1.64  2002/05/31 01:46:05  mcr
+ * 	added && sysctl_ipsec_debug_verbose verbose to ipsec_findroute
+ * 	as requested in PR#14.
+ *
+ * Revision 1.63  2002/05/23 07:14:11  rgb
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.62  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.61  2002/04/24 07:36:29  mcr
+ * Moved from ./klips/net/ipsec/ipsec_radij.c,v
+ *
+ * Revision 1.60  2002/02/19 23:59:45  rgb
+ * Removed redundant compiler directives.
+ *
+ * Revision 1.59  2002/02/06 04:13:47  mcr
+ * 	missing #ifdef CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.58  2002/01/29 17:17:56  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.57  2002/01/29 04:00:52  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.56  2002/01/29 02:13:17  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.55  2001/11/26 09:23:48  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.53.2.1  2001/09/25 02:26:32  mcr
+ * 	headers adjusted for new usage.
+ *
+ * Revision 1.54  2001/10/18 04:45:20  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.53  2001/09/19 17:19:40  rgb
+ * Debug output bugfix for NetCelo's PF_KEY ident patch.
+ *
+ * Revision 1.52  2001/09/19 16:33:37  rgb
+ * Temporarily disable ident fields to /proc/net/ipsec_eroute.
+ *
+ * Revision 1.51  2001/09/15 16:24:04  rgb
+ * Re-inject first and last HOLD packet when an eroute REPLACE is done.
+ *
+ * Revision 1.50  2001/09/14 16:58:36  rgb
+ * Added support for storing the first and last packets through a HOLD.
+ *
+ * Revision 1.49  2001/09/08 21:13:32  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.48  2001/06/15 04:12:56  rgb
+ * Fixed kernel memory allocation error return code polarity bug.
+ *
+ * Revision 1.47  2001/06/14 19:35:09  rgb
+ * Update copyright date.
+ *
+ * Revision 1.46  2001/06/08 08:47:18  rgb
+ * Fixed for debug disabled.
+ *
+ * Revision 1.45  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.44  2001/05/03 19:41:01  rgb
+ * Initialise error return variable.
+ * Use more appropriate return value for ipsec_rj_walker_delete().
+ *
+ * Revision 1.43  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.42  2001/02/27 06:21:57  rgb
+ * Added findroute success instrumentation.
+ *
+ * Revision 1.41  2000/11/06 04:32:08  rgb
+ * Ditched spin_lock_irqsave in favour of spin_lock_bh.
+ *
+ * Revision 1.40  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.39  2000/08/30 05:25:20  rgb
+ * Correct debug text in ipsec_breakroute() from incorrect
+ * "ipsec_callback".
+ *
+ * Revision 1.38  2000/07/28 14:58:31  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.37  2000/03/16 14:02:50  rgb
+ * Fixed debug scope to enable compilation with debug off.
+ *
+ * Revision 1.36  2000/01/21 06:14:46  rgb
+ * Added debugging text to ipsec_rj_walker_delete().
+ * Set return code to negative for consistency.
+ *
+ * Revision 1.35  1999/11/23 23:05:24  rgb
+ * Use provided macro ADDRTOA_BUF instead of hardcoded value.
+ *
+ * Revision 1.34  1999/11/18 04:13:56  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ * Added CONFIG_PROC_FS compiler directives in case it is shut off.
+ *
+ * Revision 1.33  1999/11/17 15:53:39  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.32  1999/10/26 13:58:33  rgb
+ * Put spinlock flags variable declaration outside the debug compiler
+ * directive to enable compilation with debug shut off.
+ *
+ * Revision 1.31  1999/10/15 22:13:29  rgb
+ * Clean out cruft.
+ * Align /proc/net/ipsec_eroute output for easier readability.
+ * Fix double linefeed in radij debug output.
+ * Fix double locking bug that locks up 2.0.36 but not 2.0.38.
+ *
+ * Revision 1.30  1999/10/08 18:37:33  rgb
+ * Fix end-of-line spacing to sate whining PHMs.
+ *
+ * Revision 1.29  1999/10/03 18:52:45  rgb
+ * Spinlock support for 2.0.xx.
+ * Dumb return code spin_unlock fix.
+ *
+ * Revision 1.28  1999/10/01 16:22:24  rgb
+ * Switch from assignment init. to functional init. of spinlocks.
+ *
+ * Revision 1.27  1999/10/01 15:44:53  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.26  1999/10/01 00:01:23  rgb
+ * Added eroute structure locking.
+ *
+ * Revision 1.25  1999/06/10 16:07:30  rgb
+ * Silence delete eroute on no debug.
+ *
+ * Revision 1.24  1999/05/09 03:25:36  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.23  1999/05/05 22:02:31  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.22  1999/04/29 15:17:23  rgb
+ * Add return values to init and cleanup functions.
+ * Add sanity checking for null pointer arguments.
+ *
+ * Revision 1.21  1999/04/11 00:28:58  henry
+ * GPL boilerplate
+ *
+ * Revision 1.20  1999/04/06 04:54:26  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.19  1999/02/17 16:50:35  rgb
+ * Clean out unused cruft.
+ * Consolidate for space and speed efficiency.
+ * Convert DEBUG_IPSEC to KLIPS_PRINT
+ *
+ * Revision 1.18  1999/01/22 06:22:06  rgb
+ * Cruft clean-out.
+ * 64-bit clean-up.
+ *
+ * Revision 1.17  1998/12/02 03:09:39  rgb
+ * Clean up debug printing conditionals to compile with debugging off.
+ *
+ * Revision 1.16  1998/12/01 13:49:39  rgb
+ * Wrap version info printing in debug switches.
+ *
+ * Revision 1.15  1998/11/30 13:22:54  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.14  1998/10/31 06:48:17  rgb
+ * Fixed up comments in #endif directives.
+ *
+ * Revision 1.13  1998/10/27 13:48:09  rgb
+ * Cleaned up /proc/net/ipsec_* filesystem for easy parsing by scripts.
+ * Fixed less(1) truncated output bug.
+ * Code clean-up.
+ *
+ * Revision 1.12  1998/10/25 02:41:36  rgb
+ * Change return type on ipsec_breakroute and ipsec_makeroute and add an
+ * argument to be able to transmit more infomation about errors.
+ * Fix cut-and-paste debug statement identifier.
+ *
+ * Revision 1.11  1998/10/22 06:45:39  rgb
+ * Cleaned up cruft.
+ * Convert to use satoa for printk.
+ *
+ * Revision 1.10  1998/10/19 14:44:28  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.9  1998/10/09 04:30:52  rgb
+ * Added 'klips_debug' prefix to all klips printk debug statements.
+ * Deleted old commented out cruft.
+ *
+ * Revision 1.8  1998/08/06 17:24:23  rgb
+ * Fix addrtoa return code bug from stale manpage advice preventing packets
+ * from being erouted.
+ *
+ * Revision 1.7  1998/08/06 07:44:59  rgb
+ * Fixed /proc/net/ipsec_eroute subnettoa and addrtoa return value bug that
+ * ended up in nothing being printed.
+ *
+ * Revision 1.6  1998/08/05 22:16:41  rgb
+ * Cleanup to prevent cosmetic errors (ie. debug output) from being fatal.
+ *
+ * Revision 1.5  1998/07/29 20:38:44  rgb
+ * Debug and fix subnettoa and addrtoa output.
+ *
+ * Revision 1.4  1998/07/28 00:02:39  rgb
+ * Converting to exclusive use of addrtoa.
+ * Fix eroute delete.
+ *
+ * Revision 1.3  1998/07/14 18:21:26  rgb
+ * Add function to clear the eroute table.
+ *
+ * Revision 1.2  1998/06/23 02:59:14  rgb
+ * Added debugging output to eroute add/delete routines.
+ *
+ * Revision 1.9  1998/06/18 21:29:06  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid kernel
+ * build scripts happier in presence of symbolic links
+ *
+ * Revision 1.8  1998/06/05 02:32:26  rgb
+ * Fix spi ntoh kernel debug output.
+ *
+ * Revision 1.7  1998/05/25 20:30:37  rgb
+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
+ *
+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
+ * add ipsec_rj_walker_delete.
+ *
+ * Revision 1.6  1998/05/21 13:08:57  rgb
+ * Rewrote procinfo subroutines to avoid *bad things* when more that 3k of
+ * information is available for printout.
+ *
+ * Revision 1.5  1998/05/18 21:35:55  rgb
+ * Clean up output for numerical consistency and readability.  Zero freed
+ * eroute memory.
+ *
+ * Revision 1.4  1998/04/21 21:28:58  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.3  1998/04/14 17:30:39  rgb
+ * Fix up compiling errors for radij tree memory reclamation.
+ *
+ * Revision 1.2  1998/04/12 22:03:23  rgb
+ * Updated ESP-3DES-HMAC-MD5-96,
+ * 	ESP-DES-HMAC-MD5-96,
+ * 	AH-HMAC-MD5-96,
+ * 	AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
+ * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
+ *
+ * Fixed eroute references in /proc/net/ipsec*.
+ *
+ * Started to patch module unloading memory leaks in ipsec_netlink and
+ * radij tree unloading.
+ *
+ * Revision 1.1  1998/04/09 03:06:10  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:03  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_rcv.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,2317 @@
+/*
+ * receive code
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998-2003   Richard Guy Briggs.
+ * Copyright (C) 2004        Michael Richardson <mcr@xelerance.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.171.2.11 2007/04/28 20:46:40 paul Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>	/* struct device, and other headers */
+#include <linux/etherdevice.h>	/* eth_type_trans */
+#include <linux/ip.h>		/* struct iphdr */
+
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "openswan/ipsec_kern24.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+
+#include "openswan/ipsec_auth.h"
+
+#include "openswan/ipsec_esp.h"
+
+#ifdef CONFIG_KLIPS_AH
+#include "openswan/ipsec_ah.h"
+#endif /* CONFIG_KLIPS_AH */
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipsec_ipcomp.h"
+#endif /* CONFIG_KLIPS_COMP */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+#include "openswan/ipsec_kern24.h"
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_rcv = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+int sysctl_ipsec_inbound_policy_check = 1;
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+#include <linux/udp.h>
+#endif
+
+/* This is a private use protocol, and AT&T should be ashamed. They should have
+ * used protocol # 59, which is "no next header" instead of 0xFE.
+ */
+#ifndef IPPROTO_ATT_HEARTBEAT
+#define IPPROTO_ATT_HEARTBEAT 0xFE
+#endif
+
+/*
+ * Check-replay-window routine, adapted from the original
+ * by J. Hughes, from draft-ietf-ipsec-esp-des-md5-03.txt
+ *
+ *  This is a routine that implements a 64 packet window. This is intend-
+ *  ed on being an implementation sample.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_checkreplaywindow(struct ipsec_sa*ipsp, __u32 seq)
+{
+	__u32 diff;
+
+	if (ipsp->ips_replaywin == 0)	/* replay shut off */
+		return 1;
+	if (seq == 0)
+		return 0;		/* first == 0 or wrapped */
+
+	/* new larger sequence number */
+	if (seq > ipsp->ips_replaywin_lastseq) {
+		return 1;		/* larger is good */
+	}
+	diff = ipsp->ips_replaywin_lastseq - seq;
+
+	/* too old or wrapped */ /* if wrapped, kill off SA? */
+	if (diff >= ipsp->ips_replaywin) {
+		return 0;
+	}
+	/* this packet already seen */
+	if (ipsp->ips_replaywin_bitmap & (1 << diff))
+		return 0;
+	return 1;			/* out of order but good */
+}
+
+DEBUG_NO_STATIC int
+ipsec_updatereplaywindow(struct ipsec_sa*ipsp, __u32 seq)
+{
+	__u32 diff;
+
+	if (ipsp->ips_replaywin == 0)	/* replay shut off */
+		return 1;
+	if (seq == 0)
+		return 0;		/* first == 0 or wrapped */
+
+	/* new larger sequence number */
+	if (seq > ipsp->ips_replaywin_lastseq) {
+		diff = seq - ipsp->ips_replaywin_lastseq;
+
+		/* In win, set bit for this pkt */
+		if (diff < ipsp->ips_replaywin)
+			ipsp->ips_replaywin_bitmap =
+				(ipsp->ips_replaywin_bitmap << diff) | 1;
+		else
+			/* This packet has way larger seq num */
+			ipsp->ips_replaywin_bitmap = 1;
+
+		if(seq - ipsp->ips_replaywin_lastseq - 1 > ipsp->ips_replaywin_maxdiff) {
+			ipsp->ips_replaywin_maxdiff = seq - ipsp->ips_replaywin_lastseq - 1;
+		}
+		ipsp->ips_replaywin_lastseq = seq;
+		return 1;		/* larger is good */
+	}
+	diff = ipsp->ips_replaywin_lastseq - seq;
+
+	/* too old or wrapped */ /* if wrapped, kill off SA? */
+	if (diff >= ipsp->ips_replaywin) {
+/*
+		if(seq < 0.25*max && ipsp->ips_replaywin_lastseq > 0.75*max) {
+			ipsec_sa_delchain(ipsp);
+		}
+*/
+		return 0;
+	}
+	/* this packet already seen */
+	if (ipsp->ips_replaywin_bitmap & (1 << diff))
+		return 0;
+	ipsp->ips_replaywin_bitmap |= (1 << diff);	/* mark as seen */
+	return 1;			/* out of order but good */
+}
+
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+struct auth_alg ipsec_rcv_md5[]={
+	{osMD5Init, osMD5Update, osMD5Final, AHMD596_ALEN}
+};
+
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+struct auth_alg ipsec_rcv_sha1[]={
+	{SHA1Init, SHA1Update, SHA1Final, AHSHA196_ALEN}
+};
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+
+/*
+ * decapsulate a single layer of the system
+ *
+ * the following things should be setup to enter this function.
+ *
+ * irs->stats  == stats structure (or NULL)
+ * irs->ipp    = IP header.
+ * irs->len    = total length of packet
+ * skb->nh.iph = ipp;
+ * skb->h.raw  = start of payload
+ * irs->ipsp   = NULL.
+ * irs->iphlen = N/A = is recalculated.
+ * irs->ilen   = 0;
+ * irs->authlen = 0;
+ * irs->authfuncs = NULL;
+ * irs->skb    = the skb;
+ *
+ * proto_funcs should be from ipsec_esp.c, ipsec_ah.c or ipsec_ipcomp.c.
+ *
+ */
+enum ipsec_rcv_value
+ipsec_rcv_decap_once(struct ipsec_rcv_state *irs
+		     , struct xform_functions *proto_funcs)
+{
+	int iphlen;
+	__u8 proto;
+	struct in_addr ipsaddr;
+	struct in_addr ipdaddr;
+	int replay = 0;	/* replay value in AH or ESP packet */
+	struct ipsec_sa* ipsnext = NULL;	/* next SA towards inside of packet */
+	struct ipsec_sa *newipsp;
+	struct iphdr *ipp;
+	struct sk_buff *skb;
+	struct ipsec_alg_auth *ixt_a=NULL;
+
+	skb = irs->skb;
+	irs->len = skb->len;
+	ipp = irs->ipp;
+	proto = ipp->protocol;
+	ipsaddr.s_addr = ipp->saddr;
+	addrtoa(ipsaddr, 0, irs->ipsaddr_txt, sizeof(irs->ipsaddr_txt));
+	ipdaddr.s_addr = ipp->daddr;
+	addrtoa(ipdaddr, 0, irs->ipdaddr_txt, sizeof(irs->ipdaddr_txt));
+
+	iphlen = ipp->ihl << 2;
+	irs->iphlen=iphlen;
+	ipp->check = 0;			/* we know the sum is good */
+	
+	KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv_decap_once: "
+		    "decap (%d) from %s -> %s\n",
+		    proto, irs->ipsaddr_txt, irs->ipdaddr_txt);
+
+	/*
+	 * Find tunnel control block and (indirectly) call the
+	 * appropriate tranform routine. The resulting sk_buf
+	 * is a valid IP packet ready to go through input processing.
+	 */
+
+	irs->said.dst.u.v4.sin_addr.s_addr = ipp->daddr;
+	irs->said.dst.u.v4.sin_family = AF_INET;
+
+	/* note: rcv_checks set up the said.spi value, if appropriate */
+	if(proto_funcs->rcv_checks) {
+		enum ipsec_rcv_value retval =
+		  (*proto_funcs->rcv_checks)(irs, skb);
+
+		if(retval < 0) {
+			return retval;
+		}
+	}
+
+	irs->said.proto = proto;
+	irs->sa_len = satot(&irs->said, 0, irs->sa, sizeof(irs->sa));
+	if(irs->sa_len == 0) {
+		strcpy(irs->sa, "(error)");
+	}
+
+	newipsp = ipsec_sa_getbyid(&irs->said);
+	if (newipsp == NULL) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "no ipsec_sa for SA:%s: incoming packet with no SA dropped\n",
+			    irs->sa_len ? irs->sa : " (error)");
+		if(irs->stats) {
+			irs->stats->rx_dropped++;
+		}
+		return IPSEC_RCV_SAIDNOTFOUND;
+	}
+
+	/* MCR - XXX this is bizarre. ipsec_sa_getbyid returned it, having
+	 * incremented the refcount, why in the world would we decrement it
+	 * here? */
+	/* ipsec_sa_put(irs->ipsp);*/ /* incomplete */
+
+	/* If it is in larval state, drop the packet, we cannot process yet. */
+	if(newipsp->ips_state == SADB_SASTATE_LARVAL) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "ipsec_sa in larval state, cannot be used yet, dropping packet.\n");
+		if(irs->stats) {
+			irs->stats->rx_dropped++;
+		}
+		ipsec_sa_put(newipsp);
+		return IPSEC_RCV_SAIDNOTLIVE;
+	}
+
+	if(newipsp->ips_state == SADB_SASTATE_DEAD) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "ipsec_sa in dead state, cannot be used any more, dropping packet.\n");
+		if(irs->stats) {
+			irs->stats->rx_dropped++;
+		}
+		ipsec_sa_put(newipsp);
+		return IPSEC_RCV_SAIDNOTLIVE;
+	}
+
+	if(sysctl_ipsec_inbound_policy_check) {
+		if(irs->ipp->saddr != ((struct sockaddr_in*)(newipsp->ips_addr_s))->sin_addr.s_addr) {
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
+				    irs->sa_len ? irs->sa : " (error)",
+				    irs->ipsaddr_txt);
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			ipsec_sa_put(newipsp);
+			return IPSEC_RCV_FAILEDINBOUND;
+		}
+
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
+			    irs->sa_len ? irs->sa : " (error)",
+			    irs->ipsaddr_txt);
+
+		/*
+		 * at this point, we have looked up a new SA, and we want to make sure that if this
+		 * isn't the first SA in the list, that the previous SA actually points at this one.
+		 */
+		if(irs->ipsp) {
+			if(irs->ipsp->ips_inext != newipsp) {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "unexpected SA:%s: does not agree with ips->inext policy, dropped\n",
+					    irs->sa_len ? irs->sa : " (error)");
+				if(irs->stats) {
+					irs->stats->rx_dropped++;
+				}
+				ipsec_sa_put(newipsp);
+				return IPSEC_RCV_FAILEDINBOUND;
+			}
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s grouping from previous SA is OK.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+		} else {
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s First SA in group.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+		}
+
+
+
+
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+		if (proto == IPPROTO_ESP) {
+			KLIPS_PRINT(debug_rcv,
+				"klips_debug:ipsec_rcv: "
+				"natt_type=%u tdbp->ips_natt_type=%u : %s\n",
+				irs->natt_type, newipsp->ips_natt_type,
+				(irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
+			if (irs->natt_type != newipsp->ips_natt_type) {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "SA:%s does not agree with expected NAT-T policy.\n",
+					    irs->sa_len ? irs->sa : " (error)");
+				if(irs->stats) {
+					irs->stats->rx_dropped++;
+				}
+				ipsec_sa_put(newipsp);
+				return IPSEC_RCV_FAILEDINBOUND;
+			}
+		}
+#endif		 
+	}
+
+	/* okay, SA checks out, so free any previous SA, and record a new one*/
+
+	if(irs->ipsp) {
+		ipsec_sa_put(irs->ipsp);
+	}
+	irs->ipsp=newipsp;
+
+	/* note that the outer code will free the irs->ipsp
+	   if there is an error */
+
+
+	/* now check the lifetimes */
+	if(ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_bytes,   "bytes",
+				irs->sa, ipsec_life_countbased, ipsec_incoming,
+				irs->ipsp) == ipsec_life_harddied ||
+	   ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_addtime, "addtime",
+				irs->sa, ipsec_life_timebased,  ipsec_incoming,
+				irs->ipsp) == ipsec_life_harddied ||
+	   ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_addtime, "usetime",
+				irs->sa, ipsec_life_timebased,  ipsec_incoming,
+				irs->ipsp) == ipsec_life_harddied ||
+	   ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_packets, "packets",
+				irs->sa, ipsec_life_countbased, ipsec_incoming,
+				irs->ipsp) == ipsec_life_harddied) {
+		ipsec_sa_delchain(irs->ipsp);
+		if(irs->stats) {
+			irs->stats->rx_dropped++;
+		}
+		
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv_decap_once: "
+			    "decap (%d) failed lifetime check\n",
+			    proto);
+
+		return IPSEC_RCV_LIFETIMEFAILED;
+	}
+
+#if 0
+	/*
+	 * This is removed for some reasons:
+	 *   1) it needs to happen *after* authentication.
+	 *   2) do we really care, if it authenticates, if it came
+	 *      from the wrong location?
+         *   3) the NAT_KA messages in IKE will also get to pluto
+	 *      and it will figure out that stuff has moved.
+	 *   4) the 2.6 udp-esp encap function does not pass us
+	 *      the originating port number, and I can't tell
+	 *      if skb->sk is guaranteed to be valid here.
+	 *  2005-04-16: mcr@xelerance.com
+	 */
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	/*
+	 *
+	 * XXX we should ONLY update pluto if the SA passes all checks,
+	 *     which we clearly do not now.
+	 */
+	if ((irs->natt_type) &&
+		( (irs->ipp->saddr != (((struct sockaddr_in*)(newipsp->ips_addr_s))->sin_addr.s_addr)) ||
+		  (irs->natt_sport != newipsp->ips_natt_sport)
+		)) {
+		struct sockaddr sipaddr;
+		struct sockaddr_in *psin = (struct sockaddr_in*)(newipsp->ips_addr_s);
+
+		/** Advertise NAT-T addr change to pluto **/
+		sipaddr.sa_family = AF_INET;
+		((struct sockaddr_in*)&sipaddr)->sin_addr.s_addr = irs->ipp->saddr;
+		((struct sockaddr_in*)&sipaddr)->sin_port = htons(irs->natt_sport);
+		pfkey_nat_t_new_mapping(newipsp, &sipaddr, irs->natt_sport);
+
+		/**
+		 * Then allow or block packet depending on
+		 * sysctl_ipsec_inbound_policy_check.
+		 *
+		 * In all cases, pluto will update SA if new mapping is
+		 * accepted.
+		 */
+		if (sysctl_ipsec_inbound_policy_check) {
+			KLIPS_PRINT(debug_rcv,
+				"klips_debug:ipsec_rcv: "
+				"SA:%s, src=%s:%u of pkt does not agree with expected "
+				"SA source address [%08x:%u] (notifying pluto of change).\n",
+				irs->sa_len ? irs->sa : " (error)",
+				    irs->ipsaddr_txt, irs->natt_sport,
+				    psin->sin_addr.s_addr,
+				    newipsp->ips_natt_sport);
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			ipsec_sa_put(newipsp);
+			return IPSEC_RCV_FAILEDINBOUND;
+		}
+	}
+#endif
+#endif
+
+	irs->authfuncs=NULL;
+
+	/* authenticate, if required */
+	if ((ixt_a=irs->ipsp->ips_alg_auth)) {
+		irs->authlen = AHHMAC_HASHLEN;
+		irs->authfuncs = NULL;
+		irs->ictx = NULL;
+		irs->octx = NULL;
+		irs->ictx_len = 0;
+		irs->octx_len = 0;
+		KLIPS_PRINT(debug_rcv,
+				"klips_debug:ipsec_rcv: "
+				"authalg=%d authlen=%d\n",
+				irs->ipsp->ips_authalg, 
+				irs->authlen);
+	} else
+	switch(irs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+	case AH_MD5:
+		irs->authlen = AHHMAC_HASHLEN;
+		irs->authfuncs = ipsec_rcv_md5;
+		irs->ictx = (void *)&((struct md5_ctx*)(irs->ipsp->ips_key_a))->ictx;
+		irs->octx = (void *)&((struct md5_ctx*)(irs->ipsp->ips_key_a))->octx;
+		irs->ictx_len = sizeof(((struct md5_ctx*)(irs->ipsp->ips_key_a))->ictx);
+		irs->octx_len = sizeof(((struct md5_ctx*)(irs->ipsp->ips_key_a))->octx);
+		break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+	case AH_SHA:
+		irs->authlen = AHHMAC_HASHLEN;
+		irs->authfuncs = ipsec_rcv_sha1;
+		irs->ictx = (void *)&((struct sha1_ctx*)(irs->ipsp->ips_key_a))->ictx;
+		irs->octx = (void *)&((struct sha1_ctx*)(irs->ipsp->ips_key_a))->octx;
+		irs->ictx_len = sizeof(((struct sha1_ctx*)(irs->ipsp->ips_key_a))->ictx);
+		irs->octx_len = sizeof(((struct sha1_ctx*)(irs->ipsp->ips_key_a))->octx);
+		break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+	case AH_NONE:
+		irs->authlen = 0;
+		irs->authfuncs = NULL;
+		irs->ictx = NULL;
+		irs->octx = NULL;
+		irs->ictx_len = 0;
+		irs->octx_len = 0;
+		break;
+	default:
+		irs->ipsp->ips_errs.ips_alg_errs += 1;
+		if(irs->stats) {
+			irs->stats->rx_errors++;
+		}
+		return IPSEC_RCV_BADAUTH;
+	}
+
+	/* ilen counts number of bytes in ESP portion */
+	irs->ilen = ((skb->data + skb->len) - skb->h.raw) - irs->authlen;
+	if(irs->ilen <= 0) {
+	  KLIPS_PRINT(debug_rcv,
+		      "klips_debug:ipsec_rcv: "
+		      "runt %s packet with no data, dropping.\n",
+		      (proto == IPPROTO_ESP ? "esp" : "ah"));
+	  if(irs->stats) {
+	    irs->stats->rx_dropped++;
+	  }
+	  return IPSEC_RCV_BADLEN;
+	}
+
+	if(irs->authfuncs || ixt_a) {
+		unsigned char *authenticator = NULL;
+
+		if(proto_funcs->rcv_setup_auth) {
+			enum ipsec_rcv_value retval
+			    = (*proto_funcs->rcv_setup_auth)(irs, skb,
+							 &replay,
+							 &authenticator);
+			if(retval < 0) {
+				return retval;
+			}
+		}
+
+		if(!authenticator) {
+			irs->ipsp->ips_errs.ips_auth_errs += 1;
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			return IPSEC_RCV_BADAUTH;
+		}
+
+		if(!ipsec_checkreplaywindow(irs->ipsp, replay)) {
+			irs->ipsp->ips_errs.ips_replaywin_errs += 1;
+			KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
+				    "klips_debug:ipsec_rcv: "
+				    "duplicate frame from %s, packet dropped\n",
+				    irs->ipsaddr_txt);
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			return IPSEC_RCV_REPLAYFAILED;
+		}
+
+		/*
+		 * verify authenticator
+		 */
+
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "encalg = %d, authalg = %d.\n",
+			    irs->ipsp->ips_encalg,
+			    irs->ipsp->ips_authalg);
+
+		/* calculate authenticator */
+		if(proto_funcs->rcv_calc_auth == NULL) {
+			return IPSEC_RCV_BADAUTH;
+		}
+		(*proto_funcs->rcv_calc_auth)(irs, skb);
+
+		if (memcmp(irs->hash, authenticator, irs->authlen)) {
+			irs->ipsp->ips_errs.ips_auth_errs += 1;
+			KLIPS_PRINT(debug_rcv & DB_RX_INAU,
+				    "klips_debug:ipsec_rcv: "
+				    "auth failed on incoming packet from %s: hash=%08x%08x%08x auth=%08x%08x%08x, dropped\n",
+				    irs->ipsaddr_txt,
+				    ntohl(*(__u32*)&irs->hash[0]),
+				    ntohl(*(__u32*)&irs->hash[4]),
+				    ntohl(*(__u32*)&irs->hash[8]),
+				    ntohl(*(__u32*)authenticator),
+				    ntohl(*((__u32*)authenticator + 1)),
+				    ntohl(*((__u32*)authenticator + 2)));
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			return IPSEC_RCV_AUTHFAILED;
+		} else {
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "authentication successful.\n");
+		}
+
+		/* Crypto hygiene: clear memory used to calculate autheticator.
+		 * The length varies with the algorithm.
+		 */
+		memset(irs->hash, 0, irs->authlen);
+
+		/* If the sequence number == 0, expire SA, it had rolled */
+		if(irs->ipsp->ips_replaywin && !replay /* !irs->ipsp->ips_replaywin_lastseq */) {
+			ipsec_sa_delchain(irs->ipsp);
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "replay window counter rolled, expiring SA.\n");
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			return IPSEC_RCV_REPLAYROLLED;
+		}
+
+		/* now update the replay counter */
+		if (!ipsec_updatereplaywindow(irs->ipsp, replay)) {
+			irs->ipsp->ips_errs.ips_replaywin_errs += 1;
+			KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
+				    "klips_debug:ipsec_rcv: "
+				    "duplicate frame from %s, packet dropped\n",
+				    irs->ipsaddr_txt);
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			return IPSEC_RCV_REPLAYROLLED;
+		}
+	}
+
+	if(proto_funcs->rcv_decrypt) {
+		enum ipsec_rcv_value retval =
+		  (*proto_funcs->rcv_decrypt)(irs);
+
+		if(retval != IPSEC_RCV_OK) {
+			return retval;
+		}
+	}
+
+	/*
+	 *	Adjust pointers
+	 */
+	skb = irs->skb;
+	irs->len = skb->len;
+	ipp = irs->ipp = skb->nh.iph;
+	iphlen = ipp->ihl<<2;
+	skb->h.raw = skb->nh.raw + iphlen;
+	
+	/* zero any options that there might be */
+	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+
+	ipsaddr.s_addr = ipp->saddr;
+	addrtoa(ipsaddr, 0, irs->ipsaddr_txt, sizeof(irs->ipsaddr_txt));
+	ipdaddr.s_addr = ipp->daddr;
+	addrtoa(ipdaddr, 0, irs->ipdaddr_txt, sizeof(irs->ipdaddr_txt));
+
+	/*
+	 *	Discard the original ESP/AH header
+	 */
+	ipp->protocol = irs->next_header;
+
+	ipp->check = 0;	/* NOTE: this will be included in checksum */
+	ipp->check = ip_fast_csum((unsigned char *)skb->nh.iph, iphlen >> 2);
+
+	KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+		    "klips_debug:ipsec_rcv: "
+		    "after <%s%s%s>, SA:%s:\n",
+		    IPS_XFORM_NAME(irs->ipsp),
+		    irs->sa_len ? irs->sa : " (error)");
+	KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
+
+	skb->protocol = htons(ETH_P_IP);
+	skb->ip_summed = 0;
+
+	ipsnext = irs->ipsp->ips_inext;
+	if(sysctl_ipsec_inbound_policy_check) {
+		if(ipsnext) {
+			if(
+				ipp->protocol != IPPROTO_AH
+				&& ipp->protocol != IPPROTO_ESP
+#ifdef CONFIG_KLIPS_IPCOMP
+				&& ipp->protocol != IPPROTO_COMP
+				&& (ipsnext->ips_said.proto != IPPROTO_COMP
+				    || ipsnext->ips_inext)
+#endif /* CONFIG_KLIPS_IPCOMP */
+				&& ipp->protocol != IPPROTO_IPIP
+				&& ipp->protocol != IPPROTO_ATT_HEARTBEAT  /* heartbeats to AT&T SIG/GIG */
+				) {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "packet with incomplete policy dropped, last successful SA:%s.\n",
+					    irs->sa_len ? irs->sa : " (error)");
+				if(irs->stats) {
+					irs->stats->rx_dropped++;
+				}
+				return IPSEC_RCV_FAILEDINBOUND;
+			}
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s, Another IPSEC header to process.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+		} else {
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "No ips_inext from this SA:%s.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+		}
+	}
+
+#ifdef CONFIG_KLIPS_IPCOMP
+	/* update ipcomp ratio counters, even if no ipcomp packet is present */
+	if (ipsnext
+	    && ipsnext->ips_said.proto == IPPROTO_COMP
+	    && ipp->protocol != IPPROTO_COMP) {
+		ipsnext->ips_comp_ratio_cbytes += ntohs(ipp->tot_len);
+		ipsnext->ips_comp_ratio_dbytes += ntohs(ipp->tot_len);
+	}
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+	irs->ipsp->ips_life.ipl_bytes.ipl_count += irs->len;
+	irs->ipsp->ips_life.ipl_bytes.ipl_last   = irs->len;
+
+	if(!irs->ipsp->ips_life.ipl_usetime.ipl_count) {
+		irs->ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
+	}
+	irs->ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
+	irs->ipsp->ips_life.ipl_packets.ipl_count += 1;
+
+#ifdef CONFIG_NETFILTER
+	if(proto == IPPROTO_ESP || proto == IPPROTO_AH) {
+		skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK))))
+			| IPsecSAref2NFmark(IPsecSA2SAref(irs->ipsp));
+		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+			    "klips_debug:ipsec_rcv: "
+			    "%s SA sets skb->nfmark=0x%x.\n",
+			    proto == IPPROTO_ESP ? "ESP" : "AH",
+			    (unsigned)skb->nfmark);
+	}
+#endif /* CONFIG_NETFILTER */
+
+	return IPSEC_RCV_OK;
+}
+
+
+/*
+ * core decapsulation loop for all protocols.
+ *
+ * the following things should be setup to enter this function.
+ *
+ * irs->stats  == stats structure (or NULL)
+ * irs->ipp    = IP header.
+ * irs->ipsp   = NULL.
+ * irs->ilen   = 0;
+ * irs->authlen = 0;
+ * irs->authfuncs = NULL;
+ * irs->skb    = skb;
+ * skb->nh.iph = ipp;
+ * skb->h.raw  = start of payload
+ *
+ */
+int ipsec_rcv_decap(struct ipsec_rcv_state *irs)
+{
+	struct ipsec_sa *ipsp = NULL;
+	struct ipsec_sa* ipsnext = NULL;
+	struct in_addr ipsaddr;
+	struct in_addr ipdaddr;
+	struct iphdr *ipp;
+	struct sk_buff *skb = NULL;
+
+	/* begin decapsulating loop here */
+
+	/*
+	  The spinlock is to prevent any other process from
+	  accessing or deleting the ipsec_sa hash table or any of the
+	  ipsec_sa s while we are using and updating them.
+
+	  This is not optimal, but was relatively straightforward
+	  at the time.  A better way to do it has been planned for
+	  more than a year, to lock the hash table and put reference
+	  counts on each ipsec_sa instead.  This is not likely to happen
+	  in KLIPS1 unless a volunteer contributes it, but will be
+	  designed into KLIPS2.
+	*/
+	spin_lock(&tdb_lock);
+
+	do {
+	        int decap_stat;
+		struct xform_functions *proto_funcs;
+
+		switch(irs->ipp->protocol) {
+		case IPPROTO_ESP:
+		  proto_funcs = esp_xform_funcs;
+		  break;
+		  
+#ifdef CONFIG_KLIPS_AH
+		case IPPROTO_AH:
+		  proto_funcs = ah_xform_funcs;
+		  break;
+#endif /* !CONFIG_KLIPS_AH */
+		  
+#ifdef CONFIG_KLIPS_IPCOMP
+		case IPPROTO_COMP:
+		  proto_funcs = ipcomp_xform_funcs;
+		  break;
+#endif /* !CONFIG_KLIPS_IPCOMP */
+		default:
+		  if(irs->stats) {
+		    irs->stats->rx_errors++;
+		  }
+		  decap_stat = IPSEC_RCV_BADPROTO;
+		  goto rcvleave;
+		}
+
+	        decap_stat = ipsec_rcv_decap_once(irs, proto_funcs);
+
+		if(decap_stat != IPSEC_RCV_OK) {
+			spin_unlock(&tdb_lock);
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: decap_once failed: %d\n",
+				    decap_stat);
+		
+			goto rcvleave;
+		}
+	/* end decapsulation loop here */
+	} while(   (irs->ipp->protocol == IPPROTO_ESP )
+		|| (irs->ipp->protocol == IPPROTO_AH  )
+#ifdef CONFIG_KLIPS_IPCOMP
+		|| (irs->ipp->protocol == IPPROTO_COMP)
+#endif /* CONFIG_KLIPS_IPCOMP */
+		);
+
+	/* set up for decap loop */
+	ipp  =irs->ipp;
+	ipsp =irs->ipsp;
+	ipsnext = ipsp->ips_inext;
+	skb = irs->skb;
+
+	/* if there is an IPCOMP, but we don't have an IPPROTO_COMP,
+	 * then we can just skip it
+	 */
+#ifdef CONFIG_KLIPS_IPCOMP
+	if(ipsnext && ipsnext->ips_said.proto == IPPROTO_COMP) {
+		ipsp = ipsnext;
+		ipsnext = ipsp->ips_inext;
+	}
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if ((irs->natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
+	  /**
+	   * NAT-Traversal and Transport Mode:
+	   *   we need to correct TCP/UDP checksum
+	   *
+	   * If we've got NAT-OA, we can fix checksum without recalculation.
+	   */
+	  __u32 natt_oa = ipsp->ips_natt_oa ?
+	    ((struct sockaddr_in*)(ipsp->ips_natt_oa))->sin_addr.s_addr : 0;
+	  __u16 pkt_len = skb->tail - (unsigned char *)ipp;
+	  __u16 data_len = pkt_len - (ipp->ihl << 2);
+	  
+	  switch (ipp->protocol) {
+	  case IPPROTO_TCP:
+	    if (data_len >= sizeof(struct tcphdr)) {
+	      struct tcphdr *tcp = skb->h.th;
+	      if (natt_oa) {
+		__u32 buff[2] = { ~natt_oa, ipp->saddr };
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: "
+			    "fix TCP checksum using NAT-OA\n");
+		tcp->check = csum_fold(
+				       csum_partial((unsigned char *)buff, sizeof(buff),
+						    tcp->check^0xffff));
+	      }
+	      else {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: recalc TCP checksum\n");
+		if (pkt_len > (ntohs(ipp->tot_len)))
+		  data_len -= (pkt_len - ntohs(ipp->tot_len));
+		tcp->check = 0;
+		tcp->check = csum_tcpudp_magic(ipp->saddr, ipp->daddr,
+					       data_len, IPPROTO_TCP,
+					       csum_partial((unsigned char *)tcp, data_len, 0));
+	      }
+	    }
+	    else {
+	      KLIPS_PRINT(debug_rcv,
+			  "klips_debug:ipsec_rcv: "
+			  "NAT-T & TRANSPORT: can't fix TCP checksum\n");
+	    }
+	    break;
+	  case IPPROTO_UDP:
+	    if (data_len >= sizeof(struct udphdr)) {
+	      struct udphdr *udp = skb->h.uh;
+	      if (udp->check == 0) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: UDP checksum already 0\n");
+	      }
+	      else if (natt_oa) {
+		__u32 buff[2] = { ~natt_oa, ipp->saddr };
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: "
+			    "fix UDP checksum using NAT-OA\n");
+#ifdef DISABLE_UDP_CHECKSUM
+		udp->check=0
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: "
+			    "UDP checksum using NAT-OA disabled at compile time\n");
+#else
+		udp->check = csum_fold(
+				       csum_partial((unsigned char *)buff, sizeof(buff),
+						    udp->check^0xffff));
+#endif
+	      }
+	      else {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NAT-T & TRANSPORT: zero UDP checksum\n");
+		udp->check = 0;
+	      }
+	    }
+	    else {
+	      KLIPS_PRINT(debug_rcv,
+			  "klips_debug:ipsec_rcv: "
+			  "NAT-T & TRANSPORT: can't fix UDP checksum\n");
+	    }
+	    break;
+	  default:
+	    KLIPS_PRINT(debug_rcv,
+			"klips_debug:ipsec_rcv: "
+			"NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
+	    break;
+	  }
+	}
+#endif
+
+	/*
+	 * XXX this needs to be locked from when it was first looked
+	 * up in the decapsulation loop.  Perhaps it is better to put
+	 * the IPIP decap inside the loop.
+	 */
+	if(ipsnext) {
+		ipsp = ipsnext;
+		irs->sa_len = satot(&irs->said, 0, irs->sa, sizeof(irs->sa));
+		if((ipp->protocol != IPPROTO_IPIP) && 
+                   (ipp->protocol != IPPROTO_ATT_HEARTBEAT)) {  /* AT&T heartbeats to SIG/GIG */
+			spin_unlock(&tdb_lock);
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s, Hey!  How did this get through?  Dropped.\n",
+				    irs->sa_len ? irs->sa : " (error)");
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			goto rcvleave;
+		}
+		if(sysctl_ipsec_inbound_policy_check) {
+			struct sockaddr_in *psin = (struct sockaddr_in*)(ipsp->ips_addr_s);
+			if((ipsnext = ipsp->ips_inext)) {
+				char sa2[SATOT_BUF];
+				size_t sa_len2;
+				sa_len2 = satot(&ipsnext->ips_said, 0, sa2, sizeof(sa2));
+				spin_unlock(&tdb_lock);
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "unexpected SA:%s after IPIP SA:%s\n",
+					    sa_len2 ? sa2 : " (error)",
+					    irs->sa_len ? irs->sa : " (error)");
+				if(irs->stats) {
+					irs->stats->rx_dropped++;
+				}
+				goto rcvleave;
+			}
+			if(ipp->saddr != psin->sin_addr.s_addr) {
+				spin_unlock(&tdb_lock);
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "SA:%s, src=%s(%08x) does match expected 0x%08x.\n",
+					    irs->sa_len ? irs->sa : " (error)",
+					    irs->ipsaddr_txt, 
+					    ipp->saddr, psin->sin_addr.s_addr);
+				if(irs->stats) {
+					irs->stats->rx_dropped++;
+				}
+				goto rcvleave;
+			}
+		}
+
+	if(ipp->protocol == IPPROTO_IPIP)  /* added to support AT&T heartbeats to SIG/GIG */
+	{  
+		/*
+		 * XXX this needs to be locked from when it was first looked
+		 * up in the decapsulation loop.  Perhaps it is better to put
+		 * the IPIP decap inside the loop.
+		 */
+		ipsp->ips_life.ipl_bytes.ipl_count += skb->len;
+		ipsp->ips_life.ipl_bytes.ipl_last   = skb->len;
+
+		if(!ipsp->ips_life.ipl_usetime.ipl_count) {
+			ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
+		}
+		ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
+		ipsp->ips_life.ipl_packets.ipl_count += 1;
+
+		if(skb->len < irs->iphlen) {
+			spin_unlock(&tdb_lock);
+			printk(KERN_WARNING "klips_debug:ipsec_rcv: "
+			       "tried to skb_pull iphlen=%d, %d available.  This should never happen, please report.\n",
+			       irs->iphlen,
+			       (int)(skb->len));
+
+			goto rcvleave;
+		}
+
+		/*
+		 * we need to pull up by size of IP header,
+		 * options, but also by any UDP/ESP encap there might
+		 * have been, and this deals with all cases.
+		 */
+		skb_pull(skb, (skb->h.raw - skb->nh.raw));
+
+		/* new L3 header is where L4 payload was */
+		skb->nh.raw = skb->h.raw;
+
+		/* now setup new L4 payload location */
+		ipp = (struct iphdr *)skb->nh.raw;
+		skb->h.raw = skb->nh.raw + (ipp->ihl << 2);
+
+
+		/* remove any saved options that we might have,
+		 * since we have a new IP header.
+		 */
+		memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+
+#if 0
+		KLIPS_PRINT(debug_rcv, "csum: %d\n", ip_fast_csum((u8 *)ipp, ipp->ihl));
+#endif
+
+		/* re-do any strings for debugging */
+		ipsaddr.s_addr = ipp->saddr;
+		addrtoa(ipsaddr, 0, irs->ipsaddr_txt, sizeof(irs->ipsaddr_txt));
+		ipdaddr.s_addr = ipp->daddr;
+		addrtoa(ipdaddr, 0, irs->ipdaddr_txt, sizeof(irs->ipdaddr_txt));
+
+		skb->protocol = htons(ETH_P_IP);
+		skb->ip_summed = 0;
+		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+			    "klips_debug:ipsec_rcv: "
+			    "IPIP tunnel stripped.\n");
+		KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
+  }
+
+		if(sysctl_ipsec_inbound_policy_check
+		   /*
+		      Note: "xor" (^) logically replaces "not equal"
+		      (!=) and "bitwise or" (|) logically replaces
+		      "boolean or" (||).  This is done to speed up
+		      execution by doing only bitwise operations and
+		      no branch operations
+		   */
+		   && (((ipp->saddr & ipsp->ips_mask_s.u.v4.sin_addr.s_addr)
+				    ^ ipsp->ips_flow_s.u.v4.sin_addr.s_addr)
+		       | ((ipp->daddr & ipsp->ips_mask_d.u.v4.sin_addr.s_addr)
+				      ^ ipsp->ips_flow_d.u.v4.sin_addr.s_addr)) )
+		{
+			char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
+
+			subnettoa(ipsp->ips_flow_s.u.v4.sin_addr,
+				ipsp->ips_mask_s.u.v4.sin_addr,
+				0, sflow_txt, sizeof(sflow_txt));
+			subnettoa(ipsp->ips_flow_d.u.v4.sin_addr,
+				ipsp->ips_mask_d.u.v4.sin_addr,
+				0, dflow_txt, sizeof(dflow_txt));
+			spin_unlock(&tdb_lock);
+			KLIPS_PRINT(debug_rcv,
+				    "klips_debug:ipsec_rcv: "
+				    "SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
+				    irs->sa_len ? irs->sa : " (error)",
+				    sflow_txt,
+				    dflow_txt,
+				    irs->ipsaddr_txt,
+				    irs->ipdaddr_txt);
+			if(irs->stats) {
+				irs->stats->rx_dropped++;
+			}
+			goto rcvleave;
+		}
+#ifdef CONFIG_NETFILTER
+		skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_TABLE_MASK))))
+			| IPsecSAref2NFmark(IPsecSA2SAref(ipsp));
+		KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+			    "klips_debug:ipsec_rcv: "
+			    "IPIP SA sets skb->nfmark=0x%x.\n",
+			    (unsigned)skb->nfmark);
+#endif /* CONFIG_NETFILTER */
+	}
+
+	spin_unlock(&tdb_lock);
+
+	if(irs->stats) {
+		irs->stats->rx_bytes += skb->len;
+	}
+	if(skb->dst) {
+		dst_release(skb->dst);
+		skb->dst = NULL;
+	}
+	skb->pkt_type = PACKET_HOST;
+	if(irs->hard_header_len &&
+	   (skb->mac.raw != (skb->nh.raw - irs->hard_header_len)) &&
+	   (irs->hard_header_len <= skb_headroom(skb))) {
+		/* copy back original MAC header */
+		memmove(skb->nh.raw - irs->hard_header_len,
+			skb->mac.raw, irs->hard_header_len);
+		skb->mac.raw = skb->nh.raw - irs->hard_header_len;
+	}
+
+#ifdef CONFIG_KLIPS_IPCOMP
+	if(ipp->protocol == IPPROTO_COMP) {
+		unsigned int flags = 0;
+
+		if(sysctl_ipsec_inbound_policy_check) {
+			KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+				"klips_debug:ipsec_rcv: "
+				"inbound policy checking enabled, IPCOMP follows IPIP, dropped.\n");
+			if (irs->stats) {
+				irs->stats->rx_errors++;
+			}
+			goto rcvleave;
+		}
+		/*
+		  XXX need a ipsec_sa for updating ratio counters but it is not
+		  following policy anyways so it is not a priority
+		*/
+		skb = skb_decompress(skb, NULL, &flags);
+		if (!skb || flags) {
+			KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+				"klips_debug:ipsec_rcv: "
+				"skb_decompress() returned error flags: %d, dropped.\n",
+				flags);
+			if (irs->stats) {
+				irs->stats->rx_errors++;
+			}
+			goto rcvleave;
+		}
+	}
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+	/*
+	 * make sure that data now starts at IP header, since we are going
+	 * to pass this back to ip_input (aka netif_rx). Rules for what the
+	 * pointers wind up a different for 2.6 vs 2.4, so we just fudge it here.
+	 */
+#ifdef NET_26
+	skb->data = skb_push(skb, skb->h.raw - skb->nh.raw);
+#else
+	skb->data = skb->nh.raw;
+	{
+	  struct iphdr *iph = skb->nh.iph;
+	  int len = ntohs(iph->tot_len);
+	  skb->len  = len;
+	}
+#endif
+
+#ifdef SKB_RESET_NFCT
+	nf_conntrack_put(skb->nfct);
+	skb->nfct = NULL;
+#if defined(CONFIG_NETFILTER_DEBUG) && defined(HAVE_SKB_NF_DEBUG)
+	skb->nf_debug = 0;
+#endif /* CONFIG_NETFILTER_DEBUG */
+#endif /* SKB_RESET_NFCT */
+	KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
+		    "klips_debug:ipsec_rcv: "
+		    "netif_rx() called.\n");
+	netif_rx(skb);
+	skb=NULL;
+
+ rcvleave:
+	if(skb) {
+		ipsec_kfree_skb(skb);
+	}
+
+	/* KLIPS_DEC_USE; Artifact from refactor? bug # 454 */
+	return(0);
+}
+
+struct sk_buff *ipsec_rcv_unclone(struct sk_buff *skb,
+				  struct ipsec_rcv_state *irs)
+{
+	/* if skb was cloned (most likely due to a packet sniffer such as
+	   tcpdump being momentarily attached to the interface), make
+	   a copy of our own to modify */
+	if(skb_cloned(skb)) {
+		/* include any mac header while copying.. */
+		if(skb_headroom(skb) < irs->hard_header_len) {
+			printk(KERN_WARNING "klips_error:ipsec_rcv: "
+			       "tried to skb_push hhlen=%d, %d available.  This should never happen, please report.\n",
+			       irs->hard_header_len,
+			       skb_headroom(skb));
+			goto rcvleave;
+		}
+		skb_push(skb, irs->hard_header_len);
+		if
+#ifdef SKB_COW_NEW
+		  (skb_cow(skb, skb_headroom(skb)) != 0)
+#else /* SKB_COW_NEW */
+		  ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
+#endif /* SKB_COW_NEW */
+		{
+			goto rcvleave;
+		}
+		if(skb->len < irs->hard_header_len) {
+			printk(KERN_WARNING "klips_error:ipsec_rcv: "
+			       "tried to skb_pull hhlen=%d, %d available.  This should never happen, please report.\n",
+			       irs->hard_header_len,
+			       skb->len);
+			goto rcvleave;
+		}
+		skb_pull(skb, irs->hard_header_len);
+	}
+	return skb;
+
+rcvleave:
+	ipsec_kfree_skb(skb);
+	return NULL;
+}
+
+
+#if !defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+/*
+ * decapsulate a UDP encapsulated ESP packet
+ */
+struct sk_buff *ipsec_rcv_natt_decap(struct sk_buff *skb
+				     , struct ipsec_rcv_state *irs
+				     , int *udp_decap_ret_p)
+{
+	*udp_decap_ret_p = 0;
+	if (skb->sk && skb->nh.iph && skb->nh.iph->protocol==IPPROTO_UDP) {
+		/**
+		 * Packet comes from udp_queue_rcv_skb so it is already defrag,
+		 * checksum verified, ... (ie safe to use)
+		 *
+		 * If the packet is not for us, return -1 and udp_queue_rcv_skb
+		 * will continue to handle it (do not kfree skb !!).
+		 */
+
+#ifndef UDP_OPT_IN_SOCK
+		struct udp_opt {
+			__u32 esp_in_udp;
+		};
+		struct udp_opt *tp =  (struct udp_opt *)&(skb->sk->tp_pinfo.af_tcp);
+#else
+		struct udp_opt *tp =  &(skb->sk->tp_pinfo.af_udp);
+#endif
+
+		struct iphdr *ip = (struct iphdr *)skb->nh.iph;
+		struct udphdr *udp = (struct udphdr *)((__u32 *)ip+ip->ihl);
+		__u8 *udpdata = (__u8 *)udp + sizeof(struct udphdr);
+		__u32 *udpdata32 = (__u32 *)udpdata;
+		
+		irs->natt_sport = ntohs(udp->source);
+		irs->natt_dport = ntohs(udp->dest);
+	  
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "suspected ESPinUDP packet (NAT-Traversal) [%d].\n",
+			    tp->esp_in_udp);
+		KLIPS_IP_PRINT(debug_rcv, ip);
+	  
+		if (udpdata < skb->tail) {
+			unsigned int len = skb->tail - udpdata;
+			if ((len==1) && (udpdata[0]==0xff)) {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    /* not IPv6 compliant message */
+					    "NAT-keepalive from %d.%d.%d.%d.\n", NIPQUAD(ip->saddr));
+				*udp_decap_ret_p = 0;
+				return NULL;
+			}
+			else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_IKE) &&
+				  (len > (2*sizeof(__u32) + sizeof(struct esphdr))) &&
+				  (udpdata32[0]==0) && (udpdata32[1]==0) ) {
+				/* ESP Packet with Non-IKE header */
+				KLIPS_PRINT(debug_rcv, 
+					    "klips_debug:ipsec_rcv: "
+					    "ESPinUDP pkt with Non-IKE - spi=0x%x\n",
+					    ntohl(udpdata32[2]));
+				irs->natt_type = ESPINUDP_WITH_NON_IKE;
+				irs->natt_len = sizeof(struct udphdr)+(2*sizeof(__u32));
+			}
+			else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_ESP) &&
+				  (len > sizeof(struct esphdr)) &&
+				  (udpdata32[0]!=0) ) {
+				/* ESP Packet without Non-ESP header */
+				irs->natt_type = ESPINUDP_WITH_NON_ESP;
+				irs->natt_len = sizeof(struct udphdr);
+				KLIPS_PRINT(debug_rcv, 
+					    "klips_debug:ipsec_rcv: "
+					    "ESPinUDP pkt without Non-ESP - spi=0x%x\n",
+					    ntohl(udpdata32[0]));
+			}
+			else {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "IKE packet - not handled here\n");
+				*udp_decap_ret_p = -1;
+				return NULL;
+			}
+		}
+		else {
+			return NULL;
+		}
+	}
+	return skb;
+}
+#endif
+
+
+int
+ipsec_rcv(struct sk_buff *skb
+#ifndef PROTO_HANDLER_SINGLE_PARM
+	  unsigned short xlen
+#endif /* PROTO_HANDLER_SINGLE_PARM */
+	  )
+{
+#ifdef CONFIG_KLIPS_DEBUG
+	struct net_device *dev = skb->dev;
+#endif /* CONFIG_KLIPS_DEBUG */
+	unsigned char protoc;
+	struct net_device_stats *stats = NULL;		/* This device's statistics */
+	struct net_device *ipsecdev = NULL, *prvdev;
+	struct ipsecpriv *prv;
+	struct ipsec_rcv_state nirs, *irs = &nirs;
+	struct iphdr *ipp;
+	char name[9];
+	int i;
+
+	/* Don't unlink in the middle of a turnaround */
+	KLIPS_INC_USE;
+
+	memset(&nirs, 0, sizeof(struct ipsec_rcv_state));
+
+	if (skb == NULL) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NULL skb passed in.\n");
+		goto rcvleave;
+	}
+
+	if (skb->data == NULL) {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "NULL skb->data passed in, packet is bogus, dropping.\n");
+		goto rcvleave;
+	}
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) && !defined(NET_26)
+	{
+		/* NET_26 NAT-T is handled by seperate function */
+		struct sk_buff *nskb;
+		int udp_decap_ret = 0;
+
+		nskb = ipsec_rcv_natt_decap(skb, irs, &udp_decap_ret);
+		if(nskb == NULL) {
+			/* return with non-zero, because UDP.c code
+			 * need to send it upstream.
+			 */
+			if(skb && udp_decap_ret == 0) {
+				ipsec_kfree_skb(skb);
+			}
+			KLIPS_DEC_USE;
+			return(udp_decap_ret);
+		}
+		skb = nskb;
+	}
+#endif /* NAT_T */
+
+	/* dev->hard_header_len is unreliable and should not be used */
+	irs->hard_header_len = skb->mac.raw ? (skb->nh.raw - skb->mac.raw) : 0;
+	if((irs->hard_header_len < 0) || (irs->hard_header_len > skb_headroom(skb)))
+		irs->hard_header_len = 0;
+
+	skb = ipsec_rcv_unclone(skb, irs);
+	if(skb == NULL) {
+		goto rcvleave;
+	}
+
+#if IP_FRAGMENT_LINEARIZE
+	/* In Linux 2.4.4, we may have to reassemble fragments. They are
+	   not assembled automatically to save TCP from having to copy
+	   twice.
+	*/
+	if (skb_is_nonlinear(skb)) {
+#ifdef HAVE_NEW_SKB_LINEARIZE
+		if (skb_linearize_cow(skb) != 0)
+#else
+		if (skb_linearize(skb, GFP_ATOMIC) != 0) 
+#endif
+		{
+			goto rcvleave;
+		}
+	}
+#endif /* IP_FRAGMENT_LINEARIZE */
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) && !defined(NET_26)
+	if (irs->natt_len) {
+		/**
+		 * Now, we are sure packet is ESPinUDP, and we have a private
+		 * copy that has been linearized, remove natt_len bytes
+		 * from packet and modify protocol to ESP.
+		 */
+		if (((unsigned char *)skb->data > (unsigned char *)skb->nh.iph)
+		    && ((unsigned char *)skb->nh.iph > (unsigned char *)skb->head))
+		{
+			unsigned int _len = (unsigned char *)skb->data -
+				(unsigned char *)skb->nh.iph;
+			KLIPS_PRINT(debug_rcv,
+				"klips_debug:ipsec_rcv: adjusting skb: skb_push(%u)\n",
+				_len);
+			skb_push(skb, _len);
+		}
+		KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv: "
+			"removing %d bytes from ESPinUDP packet\n", irs->natt_len);
+		ipp = skb->nh.iph;
+		irs->iphlen = ipp->ihl << 2;
+		ipp->tot_len = htons(ntohs(ipp->tot_len) - irs->natt_len);
+		if (skb->len < irs->iphlen + irs->natt_len) {
+			printk(KERN_WARNING
+		       "klips_error:ipsec_rcv: "
+		       "ESPinUDP packet is too small (%d < %d+%d). "
+			   "This should never happen, please report.\n",
+		       (int)(skb->len), irs->iphlen, irs->natt_len);
+			goto rcvleave;
+		}
+
+		/* advance payload pointer to point past the UDP header */
+		skb->h.raw = skb->h.raw + irs->natt_len;
+
+		/* modify protocol */
+		ipp->protocol = IPPROTO_ESP;
+
+		skb->sk = NULL;
+
+		KLIPS_IP_PRINT(debug_rcv, skb->nh.iph);
+	}
+#endif
+
+	ipp = skb->nh.iph;
+
+	{
+	  	struct in_addr ipsaddr;
+		struct in_addr ipdaddr;
+
+		ipsaddr.s_addr = ipp->saddr;
+		addrtoa(ipsaddr, 0, irs->ipsaddr_txt
+			, sizeof(irs->ipsaddr_txt));
+		ipdaddr.s_addr = ipp->daddr;
+		addrtoa(ipdaddr, 0, irs->ipdaddr_txt
+			, sizeof(irs->ipdaddr_txt));
+	}
+
+	irs->iphlen = ipp->ihl << 2;
+
+	KLIPS_PRINT(debug_rcv,
+		    "klips_debug:ipsec_rcv: "
+		    "<<< Info -- ");
+	KLIPS_PRINTMORE(debug_rcv && skb->dev, "skb->dev=%s ",
+			skb->dev->name ? skb->dev->name : "NULL");
+	KLIPS_PRINTMORE(debug_rcv && dev, "dev=%s ",
+			dev->name ? dev->name : "NULL");
+	KLIPS_PRINTMORE(debug_rcv, "\n");
+
+	KLIPS_PRINT(debug_rcv && !(skb->dev && dev && (skb->dev == dev)),
+		    "klips_debug:ipsec_rcv: "
+		    "Informational -- **if this happens, find out why** skb->dev:%s is not equal to dev:%s\n",
+		    skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL",
+		    dev ? (dev->name ? dev->name : "NULL") : "NULL");
+
+	protoc = ipp->protocol;
+#ifndef NET_21
+	if((!protocol) || (protocol->protocol != protoc)) {
+		KLIPS_PRINT(debug_rcv & DB_RX_IPSA,
+			    "klips_debug:ipsec_rcv: "
+			    "protocol arg is NULL or unequal to the packet contents, this is odd, using value in packet.\n");
+	}
+#endif /* !NET_21 */
+
+	if( (protoc != IPPROTO_AH) &&
+#ifdef CONFIG_KLIPS_IPCOMP_disabled_until_we_register_IPCOMP_HANDLER
+	    (protoc != IPPROTO_COMP) &&
+#endif /* CONFIG_KLIPS_IPCOMP */
+	    (protoc != IPPROTO_ESP) ) {
+		KLIPS_PRINT(debug_rcv & DB_RX_IPSA,
+			    "klips_debug:ipsec_rcv: Why the hell is someone "
+			    "passing me a non-ipsec protocol = %d packet? -- dropped.\n",
+			    protoc);
+		goto rcvleave;
+	}
+
+	if(skb->dev) {
+		for(i = 0; i < IPSEC_NUM_IF; i++) {
+			sprintf(name, IPSEC_DEV_FORMAT, i);
+			if(!strcmp(name, skb->dev->name)) {
+				prv = (struct ipsecpriv *)(skb->dev->priv);
+				if(prv) {
+					stats = (struct net_device_stats *) &(prv->mystats);
+				}
+				ipsecdev = skb->dev;
+				KLIPS_PRINT(debug_rcv,
+					    "klips_debug:ipsec_rcv: "
+					    "Info -- pkt already proc'ed a group of ipsec headers, processing next group of ipsec headers.\n");
+				break;
+			}
+			if((ipsecdev = __ipsec_dev_get(name)) == NULL) {
+				KLIPS_PRINT(debug_rcv,
+					    "klips_error:ipsec_rcv: "
+					    "device %s does not exist\n",
+					    name);
+			}
+			prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
+			prvdev = prv ? (struct net_device *)(prv->dev) : NULL;
+
+#if 0
+			KLIPS_PRINT(debug_rcv && prvdev,
+				    "klips_debug:ipsec_rcv: "
+				    "physical device for device %s is %s\n",
+				    name,
+				    prvdev->name);
+#endif
+			if(prvdev && skb->dev &&
+			   !strcmp(prvdev->name, skb->dev->name)) {
+				stats = prv ? ((struct net_device_stats *) &(prv->mystats)) : NULL;
+				skb->dev = ipsecdev;
+				KLIPS_PRINT(debug_rcv && prvdev,
+					    "klips_debug:ipsec_rcv: "
+					    "assigning packet ownership to virtual device %s from physical device %s.\n",
+					    name, prvdev->name);
+				if(stats) {
+					stats->rx_packets++;
+				}
+				break;
+			}
+		}
+	} else {
+		KLIPS_PRINT(debug_rcv,
+			    "klips_debug:ipsec_rcv: "
+			    "device supplied with skb is NULL\n");
+	}
+
+	if(stats == NULL) {
+		KLIPS_PRINT((debug_rcv),
+			    "klips_error:ipsec_rcv: "
+			    "packet received from physical I/F (%s) not connected to ipsec I/F.  Cannot record stats.  May not have SA for decoding.  Is IPSEC traffic expected on this I/F?  Check routing.\n",
+			    skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL");
+	}
+		
+	KLIPS_IP_PRINT(debug_rcv, ipp);
+
+	/* set up for decap loop */
+	irs->stats= stats;
+	irs->ipp  = ipp;
+	irs->ipsp = NULL;
+	irs->ilen = 0;
+	irs->authlen=0;
+	irs->authfuncs=NULL;
+	irs->skb = skb;
+
+	ipsec_rcv_decap(irs);
+	KLIPS_DEC_USE;
+	return(0);
+
+ rcvleave:
+	if(skb) {
+		ipsec_kfree_skb(skb);
+	}
+	KLIPS_DEC_USE;
+	return(0);
+
+}
+
+#ifdef NET_26
+/*
+ * this entry point is not a protocol entry point, so the entry
+ * is a bit different.
+ *
+ * skb->iph->tot_len has been byte-swapped, and reduced by the size of
+ *              the IP header (and options).
+ * 
+ * skb->h.raw has been pulled up the ESP header.
+ *
+ * skb->iph->protocol = 50 IPPROTO_ESP;
+ *
+ */
+int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type)
+{
+	struct ipsec_rcv_state nirs, *irs = &nirs;
+	struct iphdr *ipp;
+
+	/* Don't unlink in the middle of a turnaround */
+	KLIPS_INC_USE;
+
+	memset(irs, 0, sizeof(*irs));
+
+	/* XXX fudge it so that all nat-t stuff comes from ipsec0    */
+	/*     eventually, the SA itself will determine which device
+	 *     it comes from
+	 */ 
+	{
+	  skb->dev = ipsec_get_device(0);
+	}
+
+	/* set up for decap loop */
+	irs->hard_header_len = skb->dev->hard_header_len;
+
+	skb = ipsec_rcv_unclone(skb, irs);
+
+#if IP_FRAGMENT_LINEARIZE
+	/* In Linux 2.4.4, we may have to reassemble fragments. They are
+	   not assembled automatically to save TCP from having to copy
+	   twice.
+	*/
+	if (skb_is_nonlinear(skb)) {
+#ifdef HAVE_NEW_SKB_LINEARIZE
+		if (skb_linearize_cow(skb) != 0) 
+#else
+		if (skb_linearize(skb, GFP_ATOMIC) != 0) 
+#endif
+		{
+			goto rcvleave;
+		}
+	}
+#endif /* IP_FRAGMENT_LINEARIZE */
+
+	ipp = skb->nh.iph;
+
+	{
+	  	struct in_addr ipsaddr;
+		struct in_addr ipdaddr;
+
+		ipsaddr.s_addr = ipp->saddr;
+		addrtoa(ipsaddr, 0, irs->ipsaddr_txt
+			, sizeof(irs->ipsaddr_txt));
+		ipdaddr.s_addr = ipp->daddr;
+		addrtoa(ipdaddr, 0, irs->ipdaddr_txt
+			, sizeof(irs->ipdaddr_txt));
+	}
+
+	irs->iphlen = ipp->ihl << 2;
+
+	KLIPS_IP_PRINT(debug_rcv, ipp);
+
+	irs->stats= NULL;
+	irs->ipp  = ipp;
+	irs->ipsp = NULL;
+	irs->ilen = 0;
+	irs->authlen=0;
+	irs->authfuncs=NULL;
+	irs->skb = skb;
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	switch(encap_type) {
+	case UDP_ENCAP_ESPINUDP:
+	  irs->natt_type = ESPINUDP_WITH_NON_ESP;
+	  break;
+	  
+	case UDP_ENCAP_ESPINUDP_NON_IKE:
+	  irs->natt_type = ESPINUDP_WITH_NON_IKE;
+	  break;
+	  
+	default:
+	  if(printk_ratelimit()) {
+	    printk(KERN_INFO "KLIPS received unknown UDP-ESP encap type %u\n",
+		   encap_type);
+	  }
+	  return -1;
+	}
+
+#endif
+	ipsec_rcv_decap(irs);
+	KLIPS_DEC_USE;
+	return 0;
+
+rcvleave:
+	if(skb) {
+		ipsec_kfree_skb(skb);
+	}
+	KLIPS_DEC_USE;
+	return 0;
+}
+#endif
+
+
+/*
+ * $Log: ipsec_rcv.c,v $
+ * Revision 1.171.2.11  2007/04/28 20:46:40  paul
+ * Added compile time switch for -DDISABLE_UDP_CHECKSUM that seems to be
+ * breaking IPsec+NAT+Transport mode with NAT-OA. Enabled this per default
+ * via Makefile.inc's USERCOMPILE flags.
+ *
+ * Revision 1.171.2.10  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.171.2.9  2006/07/30 02:09:33  paul
+ * Author: Bart Trojanowski <bart@xelerance.com>
+ * This fixes a NATT+ESP bug in rcv path.
+ *
+ *     We only want to test NATT policy on the ESP packet.  Doing so on the
+ *     bundled SA breaks because the next layer does not know anything about
+ *     NATT.
+ *
+ *     Fix just puts an if(proto == IPPROTO_ESP) around the NATT policy check.
+ *
+ * Revision 1.171.2.8  2006/07/29 05:03:04  paul
+ * Added check for new version of skb_linearize that only takes 1 argument,
+ * for 2.6.18+ kernels.
+ *
+ * Revision 1.171.2.7  2006/04/20 16:33:07  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.171.2.6  2005/12/07 06:07:04  paul
+ * comment out KLIPS_DEC_USE in ipsec_rcv_decap. Likely an artifact from
+ * refactoring. http://bugs.xelerance.com/view.php?id=454
+ *
+ * Revision 1.171.2.5  2005/10/21 02:22:29  mcr
+ * 	pull up of another try at 2.4.x kernel fix
+ *
+ * Revision 1.171.2.4  2005/10/21 01:39:56  mcr
+ *     nat-t fix is 2.4/2.6 specific
+ *
+ * Revision 1.178  2005/10/21 02:19:34  mcr
+ * 	on 2.4 systems, we have to fix up the length as well.
+ *
+ * Revision 1.177  2005/10/21 00:18:31  mcr
+ * 	nat-t fix is 2.4 specific.
+ *
+ * Revision 1.176  2005/10/20 21:06:11  mcr
+ * 	possible fix for nat-t problem on 2.4 kernels.
+ *
+ * Revision 1.175  2005/10/13 02:49:24  mcr
+ * 	tested UDP-encapsulated ESP packets that were not actually ESP,
+ * 	(but IKE) were being eaten.
+ *
+ * Revision 1.174  2005/10/13 01:25:22  mcr
+ * 	UDP-encapsulated ESP packets that were not actually ESP,
+ * 	(but IKE) were being eaten.
+ *
+ * Revision 1.173  2005/08/31 23:26:11  mcr
+ * 	fixes for 2.6.13
+ *
+ * Revision 1.172  2005/08/05 08:44:54  mcr
+ * 	ipsec_kern24.h (compat code for 2.4) must be include
+ * 	explicitely now.
+ *
+ * Revision 1.171  2005/07/08 23:56:06  ken
+ * #ifdef
+ *
+ * Revision 1.170  2005/07/08 23:50:05  ken
+ * Don't attempt to decapsulate if NAT-T isn't available in the code
+ *
+ * Revision 1.169  2005/06/06 00:27:31  mcr
+ * 	fix for making tcpdump (packet capture) work correctly for
+ * 	nat-t received packets.
+ *
+ * Revision 1.168  2005/06/04 16:06:06  mcr
+ * 	better patch for nat-t rcv-device code.
+ *
+ * Revision 1.167  2005/06/03 17:04:46  mcr
+ * 	nat-t packets are forced to arrive from ipsec0.
+ *
+ * Revision 1.166  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.165  2005/04/20 17:11:32  mcr
+ * 	fixed to compile on 2.4.
+ *
+ * Revision 1.164  2005/04/18 03:09:50  ken
+ * Fix typo
+ *
+ * Revision 1.163  2005/04/17 05:32:58  mcr
+ * 	remove extraneous debugging
+ * 	make sure to return success from klips26_encap_rcv().
+ *
+ * Revision 1.162  2005/04/17 04:37:01  mcr
+ * 	make sure that irs->ipp is still set.
+ *
+ * Revision 1.161  2005/04/17 03:51:52  mcr
+ * 	removed old comment about removed code.
+ * 	added translation from udp.c/2.6 to KLIPS NAT-ESP naming.
+ * 	comment about check for origin address/port for incoming NAT-ESP packets.
+ *
+ * Revision 1.160  2005/04/15 19:55:58  mcr
+ * 	adjustments to use proper skb fields for data.
+ *
+ * Revision 1.159  2005/04/10 22:58:20  mcr
+ * 	refactoring of receive functions to make it easier to
+ * 	call the ESP decap.
+ *
+ * Revision 1.158  2005/04/08 18:27:53  mcr
+ * 	refactored ipsec_rcv() into ipsec_rcv() and ipsec_rcv_decap().
+ *
+ * Revision 1.157  2004/12/28 23:13:09  mcr
+ * 	use consistent CONFIG_IPSEC_NAT_TRAVERSAL.
+ *
+ * Revision 1.156  2004/12/03 21:34:51  mcr
+ * 	mistype of KLIPS_USE_COUNT -> KLIPS_INC_USE;
+ *
+ * Revision 1.155  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.154  2004/09/08 17:21:36  ken
+ * Rename MD5* -> osMD5 functions to prevent clashes with other symbols exported by kernel modules (CIFS in 2.6 initiated this)
+ *
+ * Revision 1.153  2004/08/22 20:10:00  mcr
+ * 	removed check for incorrect setting of NET_26.
+ *
+ * Revision 1.152  2004/08/21 15:22:39  mcr
+ * 	added #defines for ATT heartbeat.
+ *
+ * Revision 1.151  2004/08/21 02:16:32  ken
+ * Patch from Jochen Eisinger for AT&T MTS Heartbeat packet support
+ *
+ * Revision 1.150  2004/08/21 00:44:48  mcr
+ * 	CONFIG_KLIPS_NAT was wrong, also need to include udp.h.
+ *
+ * Revision 1.149  2004/08/20 21:45:45  mcr
+ * 	CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
+ * 	be 26sec compatible. But, some defines where changed.
+ *
+ * Revision 1.148  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.147  2004/08/05 23:29:27  mcr
+ * 	fixed nesting of #ifdef vs {} in ipsec_rcv().
+ *
+ * Revision 1.146  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.145  2004/08/03 18:19:08  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.144  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.143  2004/05/10 22:27:00  mcr
+ * 	fix for ESP-3DES-noauth test case.
+ *
+ * Revision 1.142  2004/05/10 22:25:57  mcr
+ * 	reformat of calls to ipsec_lifetime_check().
+ *
+ * Revision 1.141  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.140  2004/02/03 03:12:53  mcr
+ * 	removed erroneously, double patched code.
+ *
+ * Revision 1.139  2004/01/05 23:21:29  mcr
+ * 	initialize sin_family in ipsec_rcv.c
+ *
+ * Revision 1.138  2003/12/24 19:46:52  mcr
+ * 	if sock.h patch has not been applied, then define appropriate
+ * 	structure so we can use it. This is serious inferior, and
+ * 	depends upon the concept that the structure in question is
+ * 	smaller than the other members of that union.
+ * 	getting rid of differing methods is a better solution.
+ *
+ * Revision 1.137  2003/12/22 19:40:57  mcr
+ * 	NAT-T patches 0.6c.
+ *
+ * Revision 1.136  2003/12/15 18:13:12  mcr
+ * 	when compiling with NAT traversal, don't assume that the
+ * 	kernel has been patched, unless CONFIG_IPSEC_NAT_NON_ESP
+ * 	is set.
+ *
+ * Revision 1.135  2003/12/13 19:10:21  mcr
+ * 	refactored rcv and xmit code - same as FS 2.05.
+ *
+ * Revision 1.134.2.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.134  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.133  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.132.2.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.132  2003/09/02 19:51:48  mcr
+ * 	fixes for PR#252.
+ *
+ * Revision 1.131  2003/07/31 22:47:16  mcr
+ * 	preliminary (untested by FS-team) 2.5 patches.
+ *
+ * Revision 1.130  2003/04/03 17:38:25  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ * Clarified logic for non-connected devices.
+ *
+ * Revision 1.129  2003/02/06 02:21:34  rgb
+ *
+ * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
+ * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
+ * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
+ *
+ * Revision 1.128  2002/12/13 20:58:03  rgb
+ * Relegated MCR's recent "_dmp" routine to debug_verbose.
+ * Cleaned up printing of source and destination addresses in debug output.
+ *
+ * Revision 1.127  2002/12/04 16:00:16  rgb
+ *
+ * Fixed AH decapsulation pointer update bug and added some comments and
+ * debugging.
+ * This bug was caught by west-ah-0[12].
+ *
+ * Revision 1.126  2002/11/04 05:03:43  mcr
+ * 	fixes for IPCOMP. There were two problems:
+ * 	1) the irs->ipp pointer was not being updated properly after
+ * 	   the ESP descryption. The meant nothing for IPIP, as the
+ * 	   later IP header overwrote the earlier one.
+ *  	2) the more serious problem was that skb_decompress will
+ * 	   usually allocate a new SKB, so we have to make sure that
+ * 	   it doesn't get lost.
+ * 	#2 meant removing the skb argument from the ->decrypt routine
+ * 	and moving it to the irs->skb, so it could be value/result.
+ *
+ * Revision 1.125  2002/11/01 01:53:35  dhr
+ *
+ * fix typo
+ *
+ * Revision 1.124  2002/10/31 22:49:01  dhr
+ *
+ * - eliminate unused variable "hash"
+ * - reduce scope of variable "authenticator"
+ * - add comment on a couple of tricky bits
+ *
+ * Revision 1.123  2002/10/31 22:39:56  dhr
+ *
+ * use correct type for result of function calls
+ *
+ * Revision 1.122  2002/10/31 22:36:25  dhr
+ *
+ * simplify complex test
+ *
+ * Revision 1.121  2002/10/31 22:34:04  dhr
+ *
+ * ipsprev is never used: ditch it
+ *
+ * Revision 1.120  2002/10/31 22:30:21  dhr
+ *
+ * eliminate redundant assignments
+ *
+ * Revision 1.119  2002/10/31 22:27:43  dhr
+ *
+ * make whitespace canonical
+ *
+ * Revision 1.118  2002/10/30 05:47:17  rgb
+ * Fixed cut-and-paste error mis-identifying comp runt as ah.
+ *
+ * Revision 1.117  2002/10/17 16:37:45  rgb
+ * Remove compp intermediate variable and in-line its contents
+ * where used
+ *
+ * Revision 1.116  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.115  2002/10/07 19:06:58  rgb
+ * Minor fixups and activation to west-rcv-nfmark-set-01 test to check for SA reference properly set on incoming.
+ *
+ * Revision 1.114  2002/10/07 18:31:31  rgb
+ * Set saref on incoming packets.
+ *
+ * Revision 1.113  2002/09/16 21:28:12  mcr
+ * 	adjust hash length for HMAC calculation - must look at whether
+ * 	it is MD5 or SHA1.
+ *
+ * Revision 1.112  2002/09/16 21:19:15  mcr
+ * 	fixes for west-ah-icmp-01 - length of AH header must be
+ * 	calculated properly, and next_header field properly copied.
+ *
+ * Revision 1.111  2002/09/10 02:45:56  mcr
+ * 	re-factored the ipsec_rcv function into several functions,
+ * 	ipsec_rcv_decap_once, and a set of functions for AH, ESP and IPCOMP.
+ * 	In addition, the MD5 and SHA1 functions are replaced with pointers.
+ *
+ * Revision 1.110  2002/08/30 06:34:33  rgb
+ * Fix scope of shift in AH header length check.
+ *
+ * Revision 1.109  2002/08/27 16:49:20  rgb
+ * Fixed ESP short packet DOS (and AH and IPCOMP).
+ *
+ * Revision 1.108  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.107  2002/05/27 18:58:18  rgb
+ * Convert to dynamic ipsec device allocation.
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.106  2002/05/23 07:15:21  rgb
+ * Pointer clean-up.
+ * Added refcount code.
+ *
+ * Revision 1.105  2002/05/14 02:35:06  rgb
+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
+ * ipsec_sa or ipsec_sa.
+ * Change references to _TDB to _IPSA.
+ *
+ * Revision 1.104  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.103  2002/04/24 07:36:30  mcr
+ * Moved from ./klips/net/ipsec/ipsec_rcv.c,v
+ *
+ * Revision 1.102  2002/01/29 17:17:56  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.101  2002/01/29 04:00:52  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.100  2002/01/29 02:13:17  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.99  2002/01/28 21:40:59  mcr
+ * 	should use #if to test boolean option rather than #ifdef.
+ *
+ * Revision 1.98  2002/01/20 20:19:36  mcr
+ * 	renamed option to IP_FRAGMENT_LINEARIZE.
+ *
+ * Revision 1.97  2002/01/12 02:55:36  mcr
+ * 	fix for post-2.4.4 to linearize skb's when ESP packet
+ * 	was assembled from fragments.
+ *
+ * Revision 1.96  2001/11/26 09:23:49  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.93.2.2  2001/10/22 20:54:07  mcr
+ * 	include des.h, removed phony prototypes and fixed calling
+ * 	conventions to match real prototypes.
+ *
+ * Revision 1.93.2.1  2001/09/25 02:22:22  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	lifetime checks moved to ipsec_life.c
+ * 	some sa(tdb) manipulation functions renamed.
+ *
+ * Revision 1.95  2001/11/06 19:49:07  rgb
+ * Added variable descriptions.
+ * Removed unauthenticated sequence==0 check to prevent DoS.
+ *
+ * Revision 1.94  2001/10/18 04:45:20  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.93  2001/09/07 22:17:24  rgb
+ * Fix for removal of transport layer protocol handler arg in 2.4.4.
+ * Fix to accomodate peer non-conformance to IPCOMP rfc2393.
+ *
+ * Revision 1.92  2001/08/27 19:44:41  rgb
+ * Fix error in comment.
+ *
+ * Revision 1.91  2001/07/20 19:31:48  dhr
+ * [DHR] fix source and destination subnets of policy in diagnostic
+ *
+ * Revision 1.90  2001/07/06 19:51:09  rgb
+ * Added inbound policy checking code for IPIP SAs.
+ * Renamed unused function argument for ease and intuitive naming.
+ *
+ * Revision 1.89  2001/06/22 19:35:23  rgb
+ * Disable ipcomp processing if we are handed a ipcomp packet with no esp
+ * or ah header.
+ * Print protocol if we are handed a non-ipsec packet.
+ *
+ * Revision 1.88  2001/06/20 06:30:47  rgb
+ * Fixed transport mode IPCOMP policy check bug.
+ *
+ * Revision 1.87  2001/06/13 20:58:40  rgb
+ * Added parentheses around assignment used as truth value to silence
+ * compiler.
+ *
+ * Revision 1.86  2001/06/07 22:25:23  rgb
+ * Added a source address policy check for tunnel mode.  It still does
+ * not check client addresses and masks.
+ * Only decapsulate IPIP if it is expected.
+ *
+ * Revision 1.85  2001/05/30 08:14:02  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.84  2001/05/27 06:12:11  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.83  2001/05/04 16:45:47  rgb
+ * Remove unneeded code.  ipp is not used after this point.
+ *
+ * Revision 1.82  2001/05/04 16:36:00  rgb
+ * Fix skb_cow() call for 2.4.4. (SS)
+ *
+ * Revision 1.81  2001/05/02 14:46:53  rgb
+ * Fix typo for compiler directive to pull IPH back.
+ *
+ * Revision 1.80  2001/04/30 19:46:34  rgb
+ * Update for 2.4.4.  We now receive the skb with skb->data pointing to
+ * h.raw.
+ *
+ * Revision 1.79  2001/04/23 15:01:15  rgb
+ * Added spin_lock() check to prevent double-locking for multiple
+ * transforms and hence kernel lock-ups with SMP kernels.
+ * Minor spin_unlock() adjustments to unlock before non-dependant prints
+ * and IPSEC device stats updates.
+ *
+ * Revision 1.78  2001/04/21 23:04:24  rgb
+ * Check if soft expire has already been sent before sending another to
+ * prevent ACQUIRE flooding.
+ *
+ * Revision 1.77  2001/03/16 07:35:20  rgb
+ * Ditch extra #if 1 around now permanent policy checking code.
+ *
+ * Revision 1.76  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.75  2001/02/19 22:28:30  rgb
+ * Minor change to virtual device discovery code to assert which I/F has
+ * been found.
+ *
+ * Revision 1.74  2000/11/25 03:50:36  rgb
+ * Oops fix by minor re-arrangement of code to avoid accessing a freed tdb.
+ *
+ * Revision 1.73  2000/11/09 20:52:15  rgb
+ * More spinlock shuffling, locking earlier and unlocking later in rcv to
+ * include ipcomp and prevent races, renaming some tdb variables that got
+ * forgotten, moving some unlocks to include tdbs and adding a missing
+ * unlock.  Thanks to Svenning for some of these.
+ *
+ * Revision 1.72  2000/11/09 20:11:22  rgb
+ * Minor shuffles to fix non-standard kernel config option selection.
+ *
+ * Revision 1.71  2000/11/06 04:36:18  rgb
+ * Ditched spin_lock_irqsave in favour of spin_lock.
+ * Minor initial protocol check rewrite.
+ * Clean up debug printing.
+ * Clean up tdb handling on ipcomp.
+ * Fixed transport mode null pointer de-reference without ipcomp.
+ * Add Svenning's adaptive content compression.
+ * Disabled registration of ipcomp handler.
+ *
+ * Revision 1.70  2000/10/30 23:41:43  henry
+ * Hans-Joerg Hoexer's null-pointer fix
+ *
+ * Revision 1.69  2000/10/10 18:54:16  rgb
+ * Added a fix for incoming policy check with ipcomp enabled but
+ * uncompressible.
+ *
+ * Revision 1.68  2000/09/22 17:53:12  rgb
+ * Fixed ipcomp tdb pointers update for policy checking.
+ *
+ * Revision 1.67  2000/09/21 03:40:58  rgb
+ * Added more debugging to try and track down the cpi outward copy problem.
+ *
+ * Revision 1.66  2000/09/20 04:00:10  rgb
+ * Changed static functions to DEBUG_NO_STATIC to reveal function names for
+ * debugging oopsen.
+ *
+ * Revision 1.65  2000/09/19 07:07:16  rgb
+ * Added debugging to inbound policy check for ipcomp.
+ * Added missing spin_unlocks (thanks Svenning!).
+ * Fixed misplaced tdbnext pointers causing mismatched ipip policy check.
+ * Protect ipcomp policy check following ipip decap with sysctl switch.
+ *
+ * Revision 1.64  2000/09/18 21:27:29  rgb
+ * 2.0 fixes.
+ *
+ * Revision 1.63  2000/09/18 02:35:50  rgb
+ * Added policy checking to ipcomp and re-enabled policy checking by
+ * default.
+ * Optimised satoa calls.
+ *
+ * Revision 1.62  2000/09/17 21:02:32  rgb
+ * Clean up debugging, removing slow timestamp debug code.
+ *
+ * Revision 1.61  2000/09/16 01:07:55  rgb
+ * Fixed erroneous ref from struct ipcomp to struct ipcomphdr.
+ *
+ * Revision 1.60  2000/09/15 11:37:01  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.59  2000/09/15 04:56:20  rgb
+ * Remove redundant satoa() call, reformat comment.
+ *
+ * Revision 1.58  2000/09/13 08:00:52  rgb
+ * Flick on inbound policy checking.
+ *
+ * Revision 1.57  2000/09/12 03:22:19  rgb
+ * Converted inbound_policy_check to sysctl.
+ * Re-enabled policy backcheck.
+ * Moved policy checks to top and within tdb lock.
+ *
+ * Revision 1.56  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.55  2000/08/28 18:15:46  rgb
+ * Added MB's nf-debug reset patch.
+ *
+ * Revision 1.54  2000/08/27 01:41:26  rgb
+ * More minor tweaks to the bad padding debug code.
+ *
+ * Revision 1.53  2000/08/24 16:54:16  rgb
+ * Added KLIPS_PRINTMORE macro to continue lines without KERN_INFO level
+ * info.
+ * Tidied up device reporting at the start of ipsec_rcv.
+ * Tidied up bad padding debugging and processing.
+ *
+ * Revision 1.52  2000/08/20 21:36:03  rgb
+ * Activated pfkey_expire() calls.
+ * Added a hard/soft expiry parameter to pfkey_expire().
+ * Added sanity checking to avoid propagating zero or smaller-length skbs
+ * from a bogus decryption.
+ * Re-arranged the order of soft and hard expiry to conform to RFC2367.
+ * Clean up references to CONFIG_IPSEC_PFKEYv2.
+ *
+ * Revision 1.51  2000/08/18 21:23:30  rgb
+ * Improve bad padding warning so that the printk buffer doesn't get
+ * trampled.
+ *
+ * Revision 1.50  2000/08/01 14:51:51  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.49  2000/07/28 13:50:53  rgb
+ * Changed enet_statistics to net_device_stats and added back compatibility
+ * for pre-2.1.19.
+ *
+ * Revision 1.48  2000/05/10 19:14:40  rgb
+ * Only check usetime against soft and hard limits if the tdb has been
+ * used.
+ * Cast output of ntohl so that the broken prototype doesn't make our
+ * compile noisy.
+ *
+ * Revision 1.47  2000/05/09 17:45:43  rgb
+ * Fix replay bitmap corruption bug upon receipt of bogus packet
+ * with correct SPI.  This was a DoS.
+ *
+ * Revision 1.46  2000/03/27 02:31:58  rgb
+ * Fixed authentication failure printout bug.
+ *
+ * Revision 1.45  2000/03/22 16:15:37  rgb
+ * Fixed renaming of dev_get (MB).
+ *
+ * Revision 1.44  2000/03/16 08:17:24  rgb
+ * Hardcode PF_KEYv2 support.
+ * Fixed minor bug checking AH header length.
+ *
+ * Revision 1.43  2000/03/14 12:26:59  rgb
+ * Added skb->nfct support for clearing netfilter conntrack bits (MB).
+ *
+ * Revision 1.42  2000/01/26 10:04:04  rgb
+ * Fixed inbound policy checking on transport mode bug.
+ * Fixed noisy 2.0 printk arguments.
+ *
+ * Revision 1.41  2000/01/24 20:58:02  rgb
+ * Improve debugging/reporting support for (disabled) inbound
+ * policy checking.
+ *
+ * Revision 1.40  2000/01/22 23:20:10  rgb
+ * Fixed up inboud policy checking code.
+ * Cleaned out unused crud.
+ *
+ * Revision 1.39  2000/01/21 06:15:29  rgb
+ * Added sanity checks on skb_push(), skb_pull() to prevent panics.
+ * Fixed cut-and-paste debug_tunnel to debug_rcv.
+ * Added inbound policy checking code, disabled.
+ * Simplified output code by updating ipp to post-IPIP decapsulation.
+ *
+ * elided pre-2000 comments. Use "cvs log"
+ *
+ *
+ * Local Variables:
+ * c-set-style: linux
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_sa.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1870 @@
+/*
+ * Common routines for IPsec SA maintenance routines.
+ *
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_sa.c,v 1.30.2.2 2006/10/06 21:39:26 paul Exp $
+ *
+ * This is the file formerly known as "ipsec_xform.h"
+ *
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/vmalloc.h> /* vmalloc() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#include <openswan.h>
+#ifdef SPINLOCK
+#ifdef SPINLOCK_23
+#include <linux/spinlock.h> /* *lock* */
+#else /* SPINLOCK_23 */
+#include <asm/spinlock.h> /* *lock* */
+#endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "openswan/radij.h"
+
+#include "openswan/ipsec_stats.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_sa.h"
+#include "openswan/ipsec_xform.h"
+
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_ipe4.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_xform = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
+#ifdef SPINLOCK
+spinlock_t tdb_lock = SPIN_LOCK_UNLOCKED;
+#else /* SPINLOCK */
+spinlock_t tdb_lock;
+#endif /* SPINLOCK */
+
+struct ipsec_sadb ipsec_sadb;
+
+#if IPSEC_SA_REF_CODE
+
+/* the sub table must be narrower (or equal) in bits than the variable type
+   in the main table to count the number of unused entries in it. */
+typedef struct {
+	int testSizeOf_refSubTable :
+		((sizeof(IPsecRefTableUnusedCount) * 8) < IPSEC_SA_REF_SUBTABLE_IDX_WIDTH ? -1 : 1);
+} dummy;
+
+
+/* The field where the saref will be hosted in the skb must be wide enough to
+   accomodate the information it needs to store. */
+typedef struct {
+	int testSizeOf_refField : 
+		(IPSEC_SA_REF_HOST_FIELD_WIDTH < IPSEC_SA_REF_TABLE_IDX_WIDTH ? -1 : 1 );
+} dummy2;
+
+
+#define IPS_HASH(said) (((said)->spi + (said)->dst.u.v4.sin_addr.s_addr + (said)->proto) % SADB_HASHMOD)
+
+
+void
+ipsec_SAtest(void)
+{
+	IPsecSAref_t SAref = 258;
+	struct ipsec_sa ips;
+	ips.ips_ref = 772;
+
+	printk("klips_debug:ipsec_SAtest: "
+	       "IPSEC_SA_REF_SUBTABLE_IDX_WIDTH=%u\n"
+	       "IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES=%u\n"
+	       "IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES=%u\n"
+	       "IPSEC_SA_REF_HOST_FIELD_WIDTH=%lu\n"
+	       "IPSEC_SA_REF_TABLE_MASK=%x\n"
+	       "IPSEC_SA_REF_ENTRY_MASK=%x\n"
+	       "IPsecSAref2table(%d)=%u\n"
+	       "IPsecSAref2entry(%d)=%u\n"
+	       "IPsecSAref2NFmark(%d)=%u\n"
+	       "IPsecSAref2SA(%d)=%p\n"
+	       "IPsecSA2SAref(%p)=%d\n"
+	       ,
+	       IPSEC_SA_REF_SUBTABLE_IDX_WIDTH,
+	       IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES,
+	       IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES,
+	       (unsigned long) IPSEC_SA_REF_HOST_FIELD_WIDTH,
+	       IPSEC_SA_REF_TABLE_MASK,
+	       IPSEC_SA_REF_ENTRY_MASK,
+	       SAref, IPsecSAref2table(SAref),
+	       SAref, IPsecSAref2entry(SAref),
+	       SAref, IPsecSAref2NFmark(SAref),
+	       SAref, IPsecSAref2SA(SAref),
+	       (&ips), IPsecSA2SAref((&ips))
+		);
+	return;
+}
+
+int
+ipsec_SAref_recycle(void)
+{
+	int table;
+	int entry;
+	int error = 0;
+
+	ipsec_sadb.refFreeListHead = -1;
+	ipsec_sadb.refFreeListTail = -1;
+
+	if(ipsec_sadb.refFreeListCont == IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SAref_recycle: "
+			    "end of table reached, continuing at start..\n");
+		ipsec_sadb.refFreeListCont = 0;
+	}
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SAref_recycle: "
+		    "recycling, continuing from SAref=%d (0p%p), table=%d, entry=%d.\n",
+		    ipsec_sadb.refFreeListCont,
+		    (ipsec_sadb.refTable[IPsecSAref2table(ipsec_sadb.refFreeListCont)] != NULL) ? IPsecSAref2SA(ipsec_sadb.refFreeListCont) : NULL,
+		    IPsecSAref2table(ipsec_sadb.refFreeListCont),
+		    IPsecSAref2entry(ipsec_sadb.refFreeListCont));
+
+	for(table = IPsecSAref2table(ipsec_sadb.refFreeListCont);
+	    table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES;
+	    table++) {
+		if(ipsec_sadb.refTable[table] == NULL) {
+			error = ipsec_SArefSubTable_alloc(table);
+			if(error) {
+				return error;
+			}
+		}
+		for(entry = IPsecSAref2entry(ipsec_sadb.refFreeListCont);
+		    entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES;
+		    entry++) {
+			if(ipsec_sadb.refTable[table]->entry[entry] == NULL) {
+				ipsec_sadb.refFreeList[++ipsec_sadb.refFreeListTail] = IPsecSArefBuild(table, entry);
+				if(ipsec_sadb.refFreeListTail == (IPSEC_SA_REF_FREELIST_NUM_ENTRIES - 1)) {
+					ipsec_sadb.refFreeListHead = 0;
+					ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
+					KLIPS_PRINT(debug_xform,
+						    "klips_debug:ipsec_SAref_recycle: "
+						    "SArefFreeList refilled.\n");
+					return 0;
+				}
+			}
+		}
+	}
+
+	if(ipsec_sadb.refFreeListTail == -1) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SAref_recycle: "
+			    "out of room in the SArefTable.\n");
+
+		return(-ENOSPC);
+	}
+
+	ipsec_sadb.refFreeListHead = 0;
+	ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SAref_recycle: "
+		    "SArefFreeList partly refilled to %d of %d.\n",
+		    ipsec_sadb.refFreeListTail,
+		    IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
+	return 0;
+}
+
+int
+ipsec_SArefSubTable_alloc(unsigned table)
+{
+	unsigned entry;
+	struct IPsecSArefSubTable* SArefsub;
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SArefSubTable_alloc: "
+		    "allocating %lu bytes for table %u of %u.\n",
+		    (unsigned long) (IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES * sizeof(struct ipsec_sa *)),
+		    table,
+		    IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES);
+
+	/* allocate another sub-table */
+	SArefsub = vmalloc(IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES * sizeof(struct ipsec_sa *));
+	if(SArefsub == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SArefSubTable_alloc: "
+			    "error allocating memory for table %u of %u!\n",
+			    table,
+			    IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES);
+		return -ENOMEM;
+	}
+
+	/* add this sub-table to the main table */
+	ipsec_sadb.refTable[table] = SArefsub;
+
+	/* initialise each element to NULL */
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SArefSubTable_alloc: "
+		    "initialising %u elements (2 ^ %u) of table %u.\n",
+		    IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES,
+		    IPSEC_SA_REF_SUBTABLE_IDX_WIDTH,
+		    table);
+	for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
+		SArefsub->entry[entry] = NULL;
+	}
+
+	return 0;
+}
+#endif /* IPSEC_SA_REF_CODE */
+
+int
+ipsec_saref_freelist_init(void)
+{
+	int i;
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_saref_freelist_init: "
+		    "initialising %u elements of FreeList.\n",
+		    IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
+
+	for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) {
+		ipsec_sadb.refFreeList[i] = IPSEC_SAREF_NULL;
+	}
+	ipsec_sadb.refFreeListHead = -1;
+	ipsec_sadb.refFreeListCont = 0;
+	ipsec_sadb.refFreeListTail = -1;
+       
+	return 0;
+}
+
+int
+ipsec_sadb_init(void)
+{
+	int error = 0;
+	unsigned i;
+
+	for(i = 0; i < SADB_HASHMOD; i++) {
+		ipsec_sadb_hash[i] = NULL;
+	}
+	/* parts above are for the old style SADB hash table */
+	
+
+#if IPSEC_SA_REF_CODE
+	/* initialise SA reference table */
+
+	/* initialise the main table */
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sadb_init: "
+		    "initialising main table of size %u (2 ^ %u).\n",
+		    IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES,
+		    IPSEC_SA_REF_MAINTABLE_IDX_WIDTH);
+	{
+		unsigned table;
+		for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
+			ipsec_sadb.refTable[table] = NULL;
+		}
+	}
+
+	/* allocate the first sub-table */
+	error = ipsec_SArefSubTable_alloc(0);
+	if(error) {
+		return error;
+	}
+
+	error = ipsec_saref_freelist_init();
+#endif /* IPSEC_SA_REF_CODE */
+	return error;
+}
+
+#if IPSEC_SA_REF_CODE
+IPsecSAref_t
+ipsec_SAref_alloc(int*error) /* pass in error var by pointer */
+{
+	IPsecSAref_t SAref;
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SAref_alloc: "
+		    "SAref requested... head=%d, cont=%d, tail=%d, listsize=%d.\n",
+		    ipsec_sadb.refFreeListHead,
+		    ipsec_sadb.refFreeListCont,
+		    ipsec_sadb.refFreeListTail,
+		    IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
+
+	if(ipsec_sadb.refFreeListHead == -1) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SAref_alloc: "
+			    "FreeList empty, recycling...\n");
+		*error = ipsec_SAref_recycle();
+		if(*error) {
+			return IPSEC_SAREF_NULL;
+		}
+	}
+
+	SAref = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead];
+	if(SAref == IPSEC_SAREF_NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SAref_alloc: "
+			    "unexpected error, refFreeListHead = %d points to invalid entry.\n",
+			    ipsec_sadb.refFreeListHead);
+			*error = -ESPIPE;
+			return IPSEC_SAREF_NULL;
+	}
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_SAref_alloc: "
+		    "allocating SAref=%d, table=%u, entry=%u of %u.\n",
+		    SAref,
+		    IPsecSAref2table(SAref),
+		    IPsecSAref2entry(SAref),
+		    IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES);
+	
+	ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead] = IPSEC_SAREF_NULL;
+	ipsec_sadb.refFreeListHead++;
+	if(ipsec_sadb.refFreeListHead > ipsec_sadb.refFreeListTail) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_SAref_alloc: "
+			    "last FreeList entry allocated, resetting list head to empty.\n");
+		ipsec_sadb.refFreeListHead = -1;
+	}
+
+	return SAref;
+}
+#endif /* IPSEC_SA_REF_CODE */
+
+int
+ipsec_sa_print(struct ipsec_sa *ips)
+{
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	printk(KERN_INFO "klips_debug:   SA:");
+	if(ips == NULL) {
+		printk("NULL\n");
+		return -ENOENT;
+	}
+	printk(" ref=%d", ips->ips_ref);
+	printk(" refcount=%d", atomic_read(&ips->ips_refcount));
+	if(ips->ips_hnext != NULL) {
+		printk(" hnext=0p%p", ips->ips_hnext);
+	}
+	if(ips->ips_inext != NULL) {
+		printk(" inext=0p%p", ips->ips_inext);
+	}
+	if(ips->ips_onext != NULL) {
+		printk(" onext=0p%p", ips->ips_onext);
+	}
+	sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+	printk(" said=%s", sa_len ? sa : " (error)");
+	if(ips->ips_seq) {
+		printk(" seq=%u", ips->ips_seq);
+	}
+	if(ips->ips_pid) {
+		printk(" pid=%u", ips->ips_pid);
+	}
+	if(ips->ips_authalg) {
+		printk(" authalg=%u", ips->ips_authalg);
+	}
+	if(ips->ips_encalg) {
+		printk(" encalg=%u", ips->ips_encalg);
+	}
+	printk(" XFORM=%s%s%s", IPS_XFORM_NAME(ips));
+	if(ips->ips_replaywin) {
+		printk(" ooowin=%u", ips->ips_replaywin);
+	}
+	if(ips->ips_flags) {
+		printk(" flags=%u", ips->ips_flags);
+	}
+	if(ips->ips_addr_s) {
+		char buf[SUBNETTOA_BUF];
+		addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
+			0, buf, sizeof(buf));
+		printk(" src=%s", buf);
+	}
+	if(ips->ips_addr_d) {
+		char buf[SUBNETTOA_BUF];
+		addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
+			0, buf, sizeof(buf));
+		printk(" dst=%s", buf);
+	}
+	if(ips->ips_addr_p) {
+		char buf[SUBNETTOA_BUF];
+		addrtoa(((struct sockaddr_in*)(ips->ips_addr_p))->sin_addr,
+			0, buf, sizeof(buf));
+		printk(" proxy=%s", buf);
+	}
+	if(ips->ips_key_bits_a) {
+		printk(" key_bits_a=%u", ips->ips_key_bits_a);
+	}
+	if(ips->ips_key_bits_e) {
+		printk(" key_bits_e=%u", ips->ips_key_bits_e);
+	}
+
+	printk("\n");
+	return 0;
+}
+
+struct ipsec_sa*
+ipsec_sa_alloc(int*error) /* pass in error var by pointer */
+{
+	struct ipsec_sa* ips;
+
+	if((ips = kmalloc(sizeof(*ips), GFP_ATOMIC) ) == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_alloc: "
+			    "memory allocation error\n");
+		*error = -ENOMEM;
+		return NULL;
+	}
+	memset((caddr_t)ips, 0, sizeof(*ips));
+#if IPSEC_SA_REF_CODE
+	ips->ips_ref = ipsec_SAref_alloc(error); /* pass in error return by pointer */
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_alloc: "
+		    "allocated %lu bytes for ipsec_sa struct=0p%p ref=%d.\n",
+		    (unsigned long) sizeof(*ips),
+		    ips,
+		    ips->ips_ref);
+	if(ips->ips_ref == IPSEC_SAREF_NULL) {
+		kfree(ips);
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_alloc: "
+			    "SAref allocation error\n");
+		return NULL;
+	}
+
+	atomic_inc(&ips->ips_refcount);
+	IPsecSAref2SA(ips->ips_ref) = ips;
+#endif /* IPSEC_SA_REF_CODE */
+
+	*error = 0;
+	return(ips);
+}
+
+int
+ipsec_sa_free(struct ipsec_sa* ips)
+{
+	return ipsec_sa_wipe(ips);
+}
+
+struct ipsec_sa *
+ipsec_sa_getbyid(ip_said *said)
+{
+	int hashval;
+	struct ipsec_sa *ips;
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	if(said == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_getbyid: "
+			    "null pointer passed in!\n");
+		return NULL;
+	}
+
+	sa_len = satot(said, 0, sa, sizeof(sa));
+
+	hashval = IPS_HASH(said);
+	
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_getbyid: "
+		    "linked entry in ipsec_sa table for hash=%d of SA:%s requested.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
+
+	if((ips = ipsec_sadb_hash[hashval]) == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_getbyid: "
+			    "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
+			    hashval,
+			    sa_len ? sa : " (error)");
+		return NULL;
+	}
+
+	for (; ips; ips = ips->ips_hnext) {
+		if ((ips->ips_said.spi == said->spi) &&
+		    (ips->ips_said.dst.u.v4.sin_addr.s_addr == said->dst.u.v4.sin_addr.s_addr) &&
+		    (ips->ips_said.proto == said->proto)) {
+			atomic_inc(&ips->ips_refcount);
+			return ips;
+		}
+	}
+	
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_getbyid: "
+		    "no entry in linked list for hash=%d of SA:%s.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
+	return NULL;
+}
+
+int
+ipsec_sa_put(struct ipsec_sa *ips)
+{
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	if(ips == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_put: "
+			    "null pointer passed in!\n");
+		return -1;
+	}
+
+	sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_put: "
+		    "ipsec_sa SA:%s, ref:%d reference count decremented.\n",
+		    sa_len ? sa : " (error)",
+		    ips->ips_ref);
+
+	atomic_dec(&ips->ips_refcount);
+
+	return 0;
+}
+
+/*
+  The ipsec_sa table better *NOT* be locked before it is handed in, or SMP locks will happen
+*/
+int
+ipsec_sa_add(struct ipsec_sa *ips)
+{
+	int error = 0;
+	unsigned int hashval;
+
+	if(ips == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_add: "
+			    "null pointer passed in!\n");
+		return -ENODATA;
+	}
+	hashval = IPS_HASH(&ips->ips_said);
+
+	atomic_inc(&ips->ips_refcount);
+	spin_lock_bh(&tdb_lock);
+	
+	ips->ips_hnext = ipsec_sadb_hash[hashval];
+	ipsec_sadb_hash[hashval] = ips;
+	
+	spin_unlock_bh(&tdb_lock);
+
+	return error;
+}
+
+/*
+  The ipsec_sa table better be locked before it is handed in, or races might happen
+*/
+int
+ipsec_sa_del(struct ipsec_sa *ips)
+{
+	unsigned int hashval;
+	struct ipsec_sa *ipstp;
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	if(ips == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_del: "
+			    "null pointer passed in!\n");
+		return -ENODATA;
+	}
+	
+	sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+	if(ips->ips_inext || ips->ips_onext) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_del: "
+			    "SA:%s still linked!\n",
+			    sa_len ? sa : " (error)");
+		return -EMLINK;
+	}
+	
+	hashval = IPS_HASH(&ips->ips_said);
+	
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_del: "
+		    "deleting SA:%s, hashval=%d.\n",
+		    sa_len ? sa : " (error)",
+		    hashval);
+	if(ipsec_sadb_hash[hashval] == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_del: "
+			    "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
+			    hashval,
+			    sa_len ? sa : " (error)");
+		return -ENOENT;
+	}
+	
+	if (ips == ipsec_sadb_hash[hashval]) {
+		ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext;
+		ips->ips_hnext = NULL;
+		atomic_dec(&ips->ips_refcount);
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_del: "
+			    "successfully deleted first ipsec_sa in chain.\n");
+		return 0;
+	} else {
+		for (ipstp = ipsec_sadb_hash[hashval];
+		     ipstp;
+		     ipstp = ipstp->ips_hnext) {
+			if (ipstp->ips_hnext == ips) {
+				ipstp->ips_hnext = ips->ips_hnext;
+				ips->ips_hnext = NULL;
+				atomic_dec(&ips->ips_refcount);
+				KLIPS_PRINT(debug_xform,
+					    "klips_debug:ipsec_sa_del: "
+					    "successfully deleted link in ipsec_sa chain.\n");
+				return 0;
+			}
+		}
+	}
+	
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_del: "
+		    "no entries in linked list for hash=%d of SA:%s.\n",
+		    hashval,
+		    sa_len ? sa : " (error)");
+	return -ENOENT;
+}
+
+/*
+  The ipsec_sa table better be locked before it is handed in, or races
+  might happen
+*/
+int
+ipsec_sa_delchain(struct ipsec_sa *ips)
+{
+	struct ipsec_sa *ipsdel;
+	int error = 0;
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	if(ips == NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_error:ipsec_sa_delchain: "
+			    "null pointer passed in!\n");
+		return -ENODATA;
+	}
+
+	sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sa_delchain: "
+		    "passed SA:%s\n",
+		    sa_len ? sa : " (error)");
+	while(ips->ips_onext != NULL) {
+		ips = ips->ips_onext;
+	}
+
+	while(ips) {
+		/* XXX send a pfkey message up to advise of deleted ipsec_sa */
+		sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_delchain: "
+			    "unlinking and delting SA:%s",
+			    sa_len ? sa : " (error)");
+		ipsdel = ips;
+		ips = ips->ips_inext;
+		if(ips != NULL) {
+			sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+			KLIPS_PRINT(debug_xform,
+				    ", inext=%s",
+				    sa_len ? sa : " (error)");
+			atomic_dec(&ipsdel->ips_refcount);
+			ipsdel->ips_inext = NULL;
+			atomic_dec(&ips->ips_refcount);
+			ips->ips_onext = NULL;
+		}
+		KLIPS_PRINT(debug_xform,
+			    ".\n");
+		if((error = ipsec_sa_del(ipsdel))) {
+			KLIPS_PRINT(debug_xform,
+				    "klips_debug:ipsec_sa_delchain: "
+				    "ipsec_sa_del returned error %d.\n", -error);
+			return error;
+		}
+		if((error = ipsec_sa_wipe(ipsdel))) {
+			KLIPS_PRINT(debug_xform,
+				    "klips_debug:ipsec_sa_delchain: "
+				    "ipsec_sa_wipe returned error %d.\n", -error);
+			return error;
+		}
+	}
+	return error;
+}
+
+int 
+ipsec_sadb_cleanup(__u8 proto)
+{
+	unsigned i;
+	int error = 0;
+	struct ipsec_sa *ips, **ipsprev, *ipsdel;
+        char sa[SATOT_BUF];
+	size_t sa_len;
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sadb_cleanup: "
+		    "cleaning up proto=%d.\n",
+		    proto);
+
+	spin_lock_bh(&tdb_lock);
+
+	for (i = 0; i < SADB_HASHMOD; i++) {
+		ipsprev = &(ipsec_sadb_hash[i]);
+		ips = ipsec_sadb_hash[i];
+		if(ips != NULL) {
+			atomic_inc(&ips->ips_refcount);
+		}
+		for(; ips != NULL;) {
+			sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+			KLIPS_PRINT(debug_xform,
+				    "klips_debug:ipsec_sadb_cleanup: "
+				    "checking SA:%s, hash=%d, ref=%d",
+				    sa_len ? sa : " (error)",
+				    i,
+				    ips->ips_ref);
+			ipsdel = ips;
+			ips = ipsdel->ips_hnext;
+			if(ips != NULL) {
+				atomic_inc(&ips->ips_refcount);
+				sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+				KLIPS_PRINT(debug_xform,
+					    ", hnext=%s",
+					    sa_len ? sa : " (error)");
+			}
+			if(*ipsprev != NULL) {
+				sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa));
+				KLIPS_PRINT(debug_xform,
+					    ", *ipsprev=%s",
+					    sa_len ? sa : " (error)");
+				if((*ipsprev)->ips_hnext) {
+					sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa));
+					KLIPS_PRINT(debug_xform,
+						    ", *ipsprev->ips_hnext=%s",
+						    sa_len ? sa : " (error)");
+				}
+			}
+			KLIPS_PRINT(debug_xform,
+				    ".\n");
+			if(proto == 0 || (proto == ipsdel->ips_said.proto)) {
+				sa_len = satot(&ipsdel->ips_said, 0, sa, sizeof(sa));
+				KLIPS_PRINT(debug_xform,
+					    "klips_debug:ipsec_sadb_cleanup: "
+					    "deleting SA chain:%s.\n",
+					    sa_len ? sa : " (error)");
+				if((error = ipsec_sa_delchain(ipsdel))) {
+					SENDERR(-error);
+				}
+				ipsprev = &(ipsec_sadb_hash[i]);
+				ips = ipsec_sadb_hash[i];
+
+				KLIPS_PRINT(debug_xform,
+					    "klips_debug:ipsec_sadb_cleanup: "
+					    "deleted SA chain:%s",
+					    sa_len ? sa : " (error)");
+				if(ips != NULL) {
+					sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+					KLIPS_PRINT(debug_xform,
+						    ", ipsec_sadb_hash[%d]=%s",
+						    i,
+						    sa_len ? sa : " (error)");
+				}
+				if(*ipsprev != NULL) {
+					sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa));
+					KLIPS_PRINT(debug_xform,
+						    ", *ipsprev=%s",
+						    sa_len ? sa : " (error)");
+					if((*ipsprev)->ips_hnext != NULL) {
+					        sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa));
+						KLIPS_PRINT(debug_xform,
+							    ", *ipsprev->ips_hnext=%s",
+							    sa_len ? sa : " (error)");
+					}
+				}
+				KLIPS_PRINT(debug_xform,
+					    ".\n");
+			} else {
+				ipsprev = &ipsdel;
+			}
+			if(ipsdel != NULL) {
+				ipsec_sa_put(ipsdel);
+			}
+		}
+	}
+ errlab:
+
+	spin_unlock_bh(&tdb_lock);
+
+
+#if IPSEC_SA_REF_CODE
+	/* clean up SA reference table */
+
+	/* go through the ref table and clean out all the SAs */
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sadb_cleanup: "
+		    "removing SAref entries and tables.");
+	{
+		unsigned table, entry;
+		for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
+			KLIPS_PRINT(debug_xform,
+				    "klips_debug:ipsec_sadb_cleanup: "
+				    "cleaning SAref table=%u.\n",
+				    table);
+			if(ipsec_sadb.refTable[table] == NULL) {
+				printk("\n");
+				KLIPS_PRINT(debug_xform,
+					    "klips_debug:ipsec_sadb_cleanup: "
+					    "cleaned %u used refTables.\n",
+					    table);
+				break;
+			}
+			for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
+				if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
+					ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
+					ipsec_sadb.refTable[table]->entry[entry] = NULL;
+				}
+			}
+		}
+	}
+#endif /* IPSEC_SA_REF_CODE */
+
+	return(error);
+}
+
+int 
+ipsec_sadb_free(void)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sadb_free: "
+		    "freeing SArefTable memory.\n");
+
+	/* clean up SA reference table */
+
+	/* go through the ref table and clean out all the SAs if any are
+	   left and free table memory */
+	KLIPS_PRINT(debug_xform,
+		    "klips_debug:ipsec_sadb_free: "
+		    "removing SAref entries and tables.\n");
+	{
+		unsigned table, entry;
+		for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
+			KLIPS_PRINT(debug_xform,
+				    "klips_debug:ipsec_sadb_free: "
+				    "removing SAref table=%u.\n",
+				    table);
+			if(ipsec_sadb.refTable[table] == NULL) {
+				KLIPS_PRINT(debug_xform,
+					    "klips_debug:ipsec_sadb_free: "
+					    "removed %u used refTables.\n",
+					    table);
+				break;
+			}
+			for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
+				if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
+					ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
+					ipsec_sadb.refTable[table]->entry[entry] = NULL;
+				}
+			}
+			vfree(ipsec_sadb.refTable[table]);
+			ipsec_sadb.refTable[table] = NULL;
+		}
+	}
+
+	return(error);
+}
+
+int
+ipsec_sa_wipe(struct ipsec_sa *ips)
+{
+	if(ips == NULL) {
+		return -ENODATA;
+	}
+
+	/* if(atomic_dec_and_test(ips)) {
+	}; */
+
+#if IPSEC_SA_REF_CODE
+	/* remove me from the SArefTable */
+	{
+		char sa[SATOT_BUF];
+		size_t sa_len;
+		sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_wipe: "
+			    "removing SA=%s(0p%p), SAref=%d, table=%d(0p%p), entry=%d from the refTable.\n",
+			    sa_len ? sa : " (error)",
+			    ips,
+			    ips->ips_ref,
+			    IPsecSAref2table(IPsecSA2SAref(ips)),
+			    ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))],
+			    IPsecSAref2entry(IPsecSA2SAref(ips)));
+	}
+	if(ips->ips_ref == IPSEC_SAREF_NULL) {
+		KLIPS_PRINT(debug_xform,
+			    "klips_debug:ipsec_sa_wipe: "
+			    "why does this SA not have a valid SAref?.\n");
+	}
+	ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))]->entry[IPsecSAref2entry(IPsecSA2SAref(ips))] = NULL;
+	ips->ips_ref = IPSEC_SAREF_NULL;
+	ipsec_sa_put(ips);
+#endif /* IPSEC_SA_REF_CODE */
+
+	/* paranoid clean up */
+	if(ips->ips_addr_s != NULL) {
+		memset((caddr_t)(ips->ips_addr_s), 0, ips->ips_addr_s_size);
+		kfree(ips->ips_addr_s);
+	}
+	ips->ips_addr_s = NULL;
+
+	if(ips->ips_addr_d != NULL) {
+		memset((caddr_t)(ips->ips_addr_d), 0, ips->ips_addr_d_size);
+		kfree(ips->ips_addr_d);
+	}
+	ips->ips_addr_d = NULL;
+
+	if(ips->ips_addr_p != NULL) {
+		memset((caddr_t)(ips->ips_addr_p), 0, ips->ips_addr_p_size);
+		kfree(ips->ips_addr_p);
+	}
+	ips->ips_addr_p = NULL;
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if(ips->ips_natt_oa) {
+		memset((caddr_t)(ips->ips_natt_oa), 0, ips->ips_natt_oa_size);
+		kfree(ips->ips_natt_oa);
+	}
+	ips->ips_natt_oa = NULL;
+#endif
+
+	if(ips->ips_key_a != NULL) {
+		memset((caddr_t)(ips->ips_key_a), 0, ips->ips_key_a_size);
+		kfree(ips->ips_key_a);
+	}
+	ips->ips_key_a = NULL;
+
+	if(ips->ips_key_e != NULL) {
+		if (ips->ips_alg_enc &&
+		    ips->ips_alg_enc->ixt_e_destroy_key)
+		{
+			ips->ips_alg_enc->ixt_e_destroy_key(ips->ips_alg_enc, 
+							    ips->ips_key_e);
+		} else
+		{
+			memset((caddr_t)(ips->ips_key_e), 0, ips->ips_key_e_size);
+			kfree(ips->ips_key_e);
+		}
+	}
+	ips->ips_key_e = NULL;
+
+	if(ips->ips_iv != NULL) {
+		memset((caddr_t)(ips->ips_iv), 0, ips->ips_iv_size);
+		kfree(ips->ips_iv);
+	}
+	ips->ips_iv = NULL;
+
+	if(ips->ips_ident_s.data != NULL) {
+		memset((caddr_t)(ips->ips_ident_s.data),
+                       0,
+		       ips->ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident));
+		kfree(ips->ips_ident_s.data);
+        }
+	ips->ips_ident_s.data = NULL;
+	
+	if(ips->ips_ident_d.data != NULL) {
+		memset((caddr_t)(ips->ips_ident_d.data),
+                       0,
+		       ips->ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident));
+		kfree(ips->ips_ident_d.data);
+        }
+	ips->ips_ident_d.data = NULL;
+
+	if (ips->ips_alg_enc||ips->ips_alg_auth) {
+		ipsec_alg_sa_wipe(ips);
+	}
+	
+	memset((caddr_t)ips, 0, sizeof(*ips));
+	kfree(ips);
+	ips = NULL;
+
+	return 0;
+}
+
+extern int sysctl_ipsec_debug_verbose;
+
+int ipsec_sa_init(struct ipsec_sa *ipsp)
+{
+        int i;
+        int error = 0;
+        char sa[SATOT_BUF];
+	size_t sa_len;
+	char ipaddr_txt[ADDRTOA_BUF];
+	char ipaddr2_txt[ADDRTOA_BUF];
+#if defined (CONFIG_KLIPS_AUTH_HMAC_MD5) || defined (CONFIG_KLIPS_AUTH_HMAC_SHA1)
+	unsigned char kb[AHMD596_BLKLEN];
+#endif
+	struct ipsec_alg_enc *ixt_e = NULL;
+	struct ipsec_alg_auth *ixt_a = NULL;
+
+	if(ipsp == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "ipsec_sa_init: "
+			    "ipsp is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len = satot(&ipsp->ips_said, 0, sa, sizeof(sa));
+
+        KLIPS_PRINT(debug_pfkey,
+		    "ipsec_sa_init: "
+		    "(pfkey defined) called for SA:%s\n",
+		    sa_len ? sa : " (error)");
+
+	KLIPS_PRINT(debug_pfkey,
+		    "ipsec_sa_init: "
+		    "calling init routine of %s%s%s\n",
+		    IPS_XFORM_NAME(ipsp));
+	
+	switch(ipsp->ips_said.proto) {
+		
+#ifdef CONFIG_KLIPS_IPIP
+	case IPPROTO_IPIP: {
+		addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr,
+			0,
+			ipaddr_txt, sizeof(ipaddr_txt));
+		addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr,
+			0,
+			ipaddr2_txt, sizeof(ipaddr_txt));
+		KLIPS_PRINT(debug_pfkey,
+			    "ipsec_sa_init: "
+			    "(pfkey defined) IPIP ipsec_sa set for %s->%s.\n",
+			    ipaddr_txt,
+			    ipaddr2_txt);
+	}
+	break;
+#endif /* !CONFIG_KLIPS_IPIP */
+
+#ifdef CONFIG_KLIPS_AH
+	case IPPROTO_AH:
+		switch(ipsp->ips_authalg) {
+# ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		case AH_MD5: {
+			unsigned char *akp;
+			unsigned int aks;
+			MD5_CTX *ictx;
+			MD5_CTX *octx;
+			
+			if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "ipsec_sa_init: "
+					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    ipsp->ips_key_bits_a, AHMD596_KLEN * 8);
+				SENDERR(EINVAL);
+			}
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			
+			ipsp->ips_auth_bits = AHMD596_ALEN * 8;
+			
+			/* save the pointer to the key material */
+			akp = ipsp->ips_key_a;
+			aks = ipsp->ips_key_a_size;
+			
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+			           "ipsec_sa_init: "
+			           "allocating %lu bytes for md5_ctx.\n",
+			           (unsigned long) sizeof(struct md5_ctx));
+			if((ipsp->ips_key_a = (caddr_t)
+			    kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
+				ipsp->ips_key_a = akp;
+				SENDERR(ENOMEM);
+			}
+			ipsp->ips_key_a_size = sizeof(struct md5_ctx);
+
+			for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
+				kb[i] = akp[i] ^ HMAC_IPAD;
+			}
+			for (; i < AHMD596_BLKLEN; i++) {
+				kb[i] = HMAC_IPAD;
+			}
+
+			ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
+			osMD5Init(ictx);
+			osMD5Update(ictx, kb, AHMD596_BLKLEN);
+
+			for (i = 0; i < AHMD596_BLKLEN; i++) {
+				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
+			}
+
+			octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
+			osMD5Init(octx);
+			osMD5Update(octx, kb, AHMD596_BLKLEN);
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
+				    ((__u32*)ictx)[0],
+				    ((__u32*)ictx)[1],
+				    ((__u32*)ictx)[2],
+				    ((__u32*)ictx)[3],
+				    ((__u32*)octx)[0],
+				    ((__u32*)octx)[1],
+				    ((__u32*)octx)[2],
+				    ((__u32*)octx)[3] );
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			
+			/* zero key buffer -- paranoid */
+			memset(akp, 0, aks);
+			kfree(akp);
+		}
+		break;
+# endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+# ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		case AH_SHA: {
+			unsigned char *akp;
+			unsigned int aks;
+			SHA1_CTX *ictx;
+			SHA1_CTX *octx;
+			
+			if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "ipsec_sa_init: "
+					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    ipsp->ips_key_bits_a, AHSHA196_KLEN * 8);
+				SENDERR(EINVAL);
+			}
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			
+			ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
+			
+			/* save the pointer to the key material */
+			akp = ipsp->ips_key_a;
+			aks = ipsp->ips_key_a_size;
+			
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+			            "ipsec_sa_init: "
+			            "allocating %lu bytes for sha1_ctx.\n",
+			            (unsigned long) sizeof(struct sha1_ctx));
+			if((ipsp->ips_key_a = (caddr_t)
+			    kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
+				ipsp->ips_key_a = akp;
+				SENDERR(ENOMEM);
+			}
+			ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
+
+			for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
+				kb[i] = akp[i] ^ HMAC_IPAD;
+			}
+			for (; i < AHMD596_BLKLEN; i++) {
+				kb[i] = HMAC_IPAD;
+			}
+
+			ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
+			SHA1Init(ictx);
+			SHA1Update(ictx, kb, AHSHA196_BLKLEN);
+
+			for (i = 0; i < AHSHA196_BLKLEN; i++) {
+				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
+			}
+
+			octx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->octx);
+			SHA1Init(octx);
+			SHA1Update(octx, kb, AHSHA196_BLKLEN);
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n", 
+				    ((__u32*)ictx)[0],
+				    ((__u32*)ictx)[1],
+				    ((__u32*)ictx)[2],
+				    ((__u32*)ictx)[3],
+				    ((__u32*)octx)[0],
+				    ((__u32*)octx)[1],
+				    ((__u32*)octx)[2],
+				    ((__u32*)octx)[3] );
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			/* zero key buffer -- paranoid */
+			memset(akp, 0, aks);
+			kfree(akp);
+		}
+		break;
+# endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+		default:
+			KLIPS_PRINT(debug_pfkey,
+				    "ipsec_sa_init: "
+				    "authalg=%d support not available in the kernel",
+				    ipsp->ips_authalg);
+			SENDERR(EINVAL);
+		}
+	break;
+#endif /* CONFIG_KLIPS_AH */
+
+#ifdef CONFIG_KLIPS_ESP
+	case IPPROTO_ESP:
+	{
+#if defined (CONFIG_KLIPS_AUTH_HMAC_MD5) || defined (CONFIG_KLIPS_AUTH_HMAC_SHA1)
+		unsigned char *akp;
+		unsigned int aks;
+#endif
+
+		ipsec_alg_sa_init(ipsp);
+		ixt_e=ipsp->ips_alg_enc;
+
+		if (ixt_e == NULL) {
+			if(printk_ratelimit()) {
+				printk(KERN_INFO 
+				       "ipsec_sa_init: "
+				       "encalg=%d support not available in the kernel",
+				       ipsp->ips_encalg);
+			}
+			SENDERR(ENOENT);
+		}
+
+		ipsp->ips_iv_size = ixt_e->ixt_common.ixt_support.ias_ivlen/8;
+
+		/* Create IV */
+		if (ipsp->ips_iv_size) {
+			if((ipsp->ips_iv = (caddr_t)
+			    kmalloc(ipsp->ips_iv_size, GFP_ATOMIC)) == NULL) {
+				SENDERR(ENOMEM);
+			}
+			prng_bytes(&ipsec_prng,
+				   (char *)ipsp->ips_iv,
+				   ipsp->ips_iv_size);
+			ipsp->ips_iv_bits = ipsp->ips_iv_size * 8;
+		}
+		
+		if ((error=ipsec_alg_enc_key_create(ipsp)) < 0)
+			SENDERR(-error);
+
+		if ((ixt_a=ipsp->ips_alg_auth)) {
+			if ((error=ipsec_alg_auth_key_create(ipsp)) < 0)
+				SENDERR(-error);
+		} else	
+		
+		switch(ipsp->ips_authalg) {
+# ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		case AH_MD5: {
+			MD5_CTX *ictx;
+			MD5_CTX *octx;
+
+			if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "ipsec_sa_init: "
+					    "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    ipsp->ips_key_bits_a,
+					    AHMD596_KLEN * 8);
+				SENDERR(EINVAL);
+			}
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
+				    ntohl(*(((__u32 *)(ipsp->ips_key_a))+0)),
+				    ntohl(*(((__u32 *)(ipsp->ips_key_a))+1)),
+				    ntohl(*(((__u32 *)(ipsp->ips_key_a))+2)),
+				    ntohl(*(((__u32 *)(ipsp->ips_key_a))+3)));
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			ipsp->ips_auth_bits = AHMD596_ALEN * 8;
+			
+			/* save the pointer to the key material */
+			akp = ipsp->ips_key_a;
+			aks = ipsp->ips_key_a_size;
+			
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+			            "ipsec_sa_init: "
+			            "allocating %lu bytes for md5_ctx.\n",
+			            (unsigned long) sizeof(struct md5_ctx));
+			if((ipsp->ips_key_a = (caddr_t)
+			    kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
+				ipsp->ips_key_a = akp;
+				SENDERR(ENOMEM);
+			}
+			ipsp->ips_key_a_size = sizeof(struct md5_ctx);
+
+			for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
+				kb[i] = akp[i] ^ HMAC_IPAD;
+			}
+			for (; i < AHMD596_BLKLEN; i++) {
+				kb[i] = HMAC_IPAD;
+			}
+
+			ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
+			osMD5Init(ictx);
+			osMD5Update(ictx, kb, AHMD596_BLKLEN);
+
+			for (i = 0; i < AHMD596_BLKLEN; i++) {
+				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
+			}
+
+			octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
+			osMD5Init(octx);
+			osMD5Update(octx, kb, AHMD596_BLKLEN);
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
+				    ((__u32*)ictx)[0],
+				    ((__u32*)ictx)[1],
+				    ((__u32*)ictx)[2],
+				    ((__u32*)ictx)[3],
+				    ((__u32*)octx)[0],
+				    ((__u32*)octx)[1],
+				    ((__u32*)octx)[2],
+				    ((__u32*)octx)[3] );
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			/* paranoid */
+			memset(akp, 0, aks);
+			kfree(akp);
+			break;
+		}
+# endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+# ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		case AH_SHA: {
+			SHA1_CTX *ictx;
+			SHA1_CTX *octx;
+
+			if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
+				KLIPS_PRINT(debug_pfkey,
+					    "ipsec_sa_init: "
+					    "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
+					    ipsp->ips_key_bits_a,
+					    AHSHA196_KLEN * 8);
+				SENDERR(EINVAL);
+			}
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
+				    ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
+			
+			/* save the pointer to the key material */
+			akp = ipsp->ips_key_a;
+			aks = ipsp->ips_key_a_size;
+
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+			            "ipsec_sa_init: "
+			            "allocating %lu bytes for sha1_ctx.\n",
+			            (unsigned long) sizeof(struct sha1_ctx));
+			if((ipsp->ips_key_a = (caddr_t)
+			    kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
+				ipsp->ips_key_a = akp;
+				SENDERR(ENOMEM);
+			}
+			ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
+
+			for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
+				kb[i] = akp[i] ^ HMAC_IPAD;
+			}
+			for (; i < AHMD596_BLKLEN; i++) {
+				kb[i] = HMAC_IPAD;
+			}
+
+			ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
+			SHA1Init(ictx);
+			SHA1Update(ictx, kb, AHSHA196_BLKLEN);
+
+			for (i = 0; i < AHSHA196_BLKLEN; i++) {
+				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
+			}
+
+			octx = &((struct sha1_ctx*)(ipsp->ips_key_a))->octx;
+			SHA1Init(octx);
+			SHA1Update(octx, kb, AHSHA196_BLKLEN);
+			
+#  if KLIPS_DIVULGE_HMAC_KEY
+			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+				    "ipsec_sa_init: "
+				    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
+				    ((__u32*)ictx)[0],
+				    ((__u32*)ictx)[1],
+				    ((__u32*)ictx)[2],
+				    ((__u32*)ictx)[3],
+				    ((__u32*)octx)[0],
+				    ((__u32*)octx)[1],
+				    ((__u32*)octx)[2],
+				    ((__u32*)octx)[3] );
+#  endif /* KLIPS_DIVULGE_HMAC_KEY */
+			memset(akp, 0, aks);
+			kfree(akp);
+			break;
+		}
+# endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+		case AH_NONE:
+			break;
+		default:
+			KLIPS_PRINT(debug_pfkey,
+				    "ipsec_sa_init: "
+				    "authalg=%d support not available in the kernel.\n",
+				    ipsp->ips_authalg);
+			SENDERR(EINVAL);
+		}
+	}
+			break;
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_IPCOMP
+	case IPPROTO_COMP:
+		ipsp->ips_comp_adapt_tries = 0;
+		ipsp->ips_comp_adapt_skip = 0;
+		ipsp->ips_comp_ratio_cbytes = 0;
+		ipsp->ips_comp_ratio_dbytes = 0;
+		break;
+#endif /* CONFIG_KLIPS_IPCOMP */
+	default:
+		printk(KERN_ERR "KLIPS sa initialization: "
+		       "proto=%d unknown.\n",
+		       ipsp->ips_said.proto);
+		SENDERR(EINVAL);
+	}
+	
+ errlab:
+	return(error);
+}
+
+
+
+/*
+ * $Log: ipsec_sa.c,v $
+ * Revision 1.30.2.2  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.30.2.1  2006/04/20 16:33:07  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.30  2005/05/24 01:02:35  mcr
+ * 	some refactoring/simplification of situation where alg
+ * 	is not found.
+ *
+ * Revision 1.29  2005/05/18 19:13:28  mcr
+ * 	rename debug messages. make sure that algo not found is not
+ * 	a debug message.
+ *
+ * Revision 1.28  2005/05/11 01:30:20  mcr
+ * 	removed "poor-man"s OOP in favour of proper C structures.
+ *
+ * Revision 1.27  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.26  2005/04/14 20:56:24  mcr
+ * 	moved (pfkey_)ipsec_sa_init to ipsec_sa.c.
+ *
+ * Revision 1.25  2004/08/22 20:12:16  mcr
+ * 	one more KLIPS_NAT->IPSEC_NAT.
+ *
+ * Revision 1.24  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.23  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.22.2.1  2003/12/22 15:25:52  jjo
+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.22  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.21  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.20.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.20  2003/02/06 01:50:34  rgb
+ * Fixed initialisation bug for first sadb hash bucket that would only manifest itself on platforms where NULL != 0.
+ *
+ * Revision 1.19  2003/01/30 02:32:22  rgb
+ *
+ * Rename SAref table macro names for clarity.
+ * Transmit error code through to caller from callee for better diagnosis of problems.
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ *
+ * Revision 1.18  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.17  2002/10/07 18:31:43  rgb
+ * Move field width sanity checks to ipsec_sa.c
+ *
+ * Revision 1.16  2002/09/20 15:41:02  rgb
+ * Re-wrote most of the SAref code to eliminate Entry pointers.
+ * Added SAref code compiler directive switch.
+ * Added a saref test function for testing macros.
+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
+ * Split ipsec_sadb_cleanup from new funciton ipsec_sadb_free to avoid problem
+ * of freeing newly created structures when clearing the reftable upon startup
+ * to start from a known state.
+ * Place all ipsec sadb globals into one struct.
+ * Rework saref freelist.
+ * Added memory allocation debugging.
+ *
+ * Revision 1.15  2002/09/20 05:01:44  rgb
+ * Update copyright date.
+ *
+ * Revision 1.14  2002/08/13 19:01:25  mcr
+ * 	patches from kenb to permit compilation of FreeSWAN on ia64.
+ * 	des library patched to use proper DES_LONG type for ia64.
+ *
+ * Revision 1.13  2002/07/29 03:06:20  mcr
+ * 	get rid of variable not used warnings.
+ *
+ * Revision 1.12  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.11  2002/06/04 16:48:49  rgb
+ * Tidied up pointer code for processor independance.
+ *
+ * Revision 1.10  2002/05/23 07:16:17  rgb
+ * Added ipsec_sa_put() for releasing an ipsec_sa refcount.
+ * Pointer clean-up.
+ * Added refcount code.
+ * Convert "usecount" to "refcount" to remove ambiguity.
+ *
+ * Revision 1.9  2002/05/14 02:34:49  rgb
+ * Converted reference from ipsec_sa_put to ipsec_sa_add to avoid confusion
+ * with "put" usage in the kernel.
+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
+ * ipsec_sa or ipsec_sa.
+ * Added some preliminary refcount code.
+ *
+ * Revision 1.8  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.7  2002/04/24 07:36:30  mcr
+ * Moved from ./klips/net/ipsec/ipsec_sa.c,v
+ *
+ * Revision 1.6  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.5  2002/01/29 17:17:56  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.4  2002/01/29 04:00:52  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.3  2002/01/29 02:13:18  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.2  2001/11/26 09:16:15  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.1.2.2  2001/10/22 21:05:41  mcr
+ * 	removed phony prototype for des_set_key.
+ *
+ * Revision 1.1.2.1  2001/09/25 02:24:57  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
+ * 	ipsec_xform.c removed. header file still contains useful things.
+ *
+ *
+ *
+ * CLONED from ipsec_xform.c:
+ * Revision 1.53  2001/09/08 21:13:34  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.52  2001/06/14 19:35:11  rgb
+ * Update copyright date.
+ *
+ * Revision 1.51  2001/05/30 08:14:03  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.50  2001/05/03 19:43:18  rgb
+ * Initialise error return variable.
+ * Update SENDERR macro.
+ * Fix sign of error return code for ipsec_tdbcleanup().
+ * Use more appropriate return code for ipsec_tdbwipe().
+ *
+ * Revision 1.49  2001/04/19 18:56:17  rgb
+ * Fixed tdb table locking comments.
+ *
+ * Revision 1.48  2001/02/27 22:24:55  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.47  2000/11/06 04:32:08  rgb
+ * Ditched spin_lock_irqsave in favour of spin_lock_bh.
+ *
+ * Revision 1.46  2000/09/20 16:21:57  rgb
+ * Cleaned up ident string alloc/free.
+ *
+ * Revision 1.45  2000/09/08 19:16:51  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Removed all references to CONFIG_IPSEC_PFKEYv2.
+ *
+ * Revision 1.44  2000/08/30 05:29:04  rgb
+ * Compiler-define out no longer used tdb_init() in ipsec_xform.c.
+ *
+ * Revision 1.43  2000/08/18 21:30:41  rgb
+ * Purged all tdb_spi, tdb_proto and tdb_dst macros.  They are unclear.
+ *
+ * Revision 1.42  2000/08/01 14:51:51  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.41  2000/07/28 14:58:31  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.40  2000/06/28 05:50:11  rgb
+ * Actually set iv_bits.
+ *
+ * Revision 1.39  2000/05/10 23:11:09  rgb
+ * Added netlink debugging output.
+ * Added a cast to quiet down the ntohl bug.
+ *
+ * Revision 1.38  2000/05/10 19:18:42  rgb
+ * Cast output of ntohl so that the broken prototype doesn't make our
+ * compile noisy.
+ *
+ * Revision 1.37  2000/03/16 14:04:59  rgb
+ * Hardwired CONFIG_IPSEC_PFKEYv2 on.
+ *
+ * Revision 1.36  2000/01/26 10:11:28  rgb
+ * Fixed spacing in error text causing run-in words.
+ *
+ * Revision 1.35  2000/01/21 06:17:16  rgb
+ * Tidied up compiler directive indentation for readability.
+ * Added ictx,octx vars for simplification.(kravietz)
+ * Added macros for HMAC padding magic numbers.(kravietz)
+ * Fixed missing key length reporting bug.
+ * Fixed bug in tdbwipe to return immediately on NULL tdbp passed in.
+ *
+ * Revision 1.34  1999/12/08 00:04:19  rgb
+ * Fixed SA direction overwriting bug for netlink users.
+ *
+ * Revision 1.33  1999/12/01 22:16:44  rgb
+ * Minor formatting changes in ESP MD5 initialisation.
+ *
+ * Revision 1.32  1999/11/25 09:06:36  rgb
+ * Fixed error return messages, should be returning negative numbers.
+ * Implemented SENDERR macro for propagating error codes.
+ * Added debug message and separate error code for algorithms not compiled
+ * in.
+ *
+ * Revision 1.31  1999/11/23 23:06:26  rgb
+ * Sort out pfkey and freeswan headers, putting them in a library path.
+ *
+ * Revision 1.30  1999/11/18 04:09:20  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.29  1999/11/17 15:53:40  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.28  1999/10/18 20:04:01  rgb
+ * Clean-out unused cruft.
+ *
+ * Revision 1.27  1999/10/03 19:01:03  rgb
+ * Spinlock support for 2.3.xx and 2.0.xx kernels.
+ *
+ * Revision 1.26  1999/10/01 16:22:24  rgb
+ * Switch from assignment init. to functional init. of spinlocks.
+ *
+ * Revision 1.25  1999/10/01 15:44:54  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.24  1999/10/01 00:03:46  rgb
+ * Added tdb structure locking.
+ * Minor formatting changes.
+ * Add function to initialize tdb hash table.
+ *
+ * Revision 1.23  1999/05/25 22:42:12  rgb
+ * Add deltdbchain() debugging.
+ *
+ * Revision 1.22  1999/05/25 21:24:31  rgb
+ * Add debugging statements to deltdbchain().
+ *
+ * Revision 1.21  1999/05/25 03:51:48  rgb
+ * Refix error return code.
+ *
+ * Revision 1.20  1999/05/25 03:34:07  rgb
+ * Fix error return for flush.
+ *
+ * Revision 1.19  1999/05/09 03:25:37  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.18  1999/05/05 22:02:32  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.17  1999/04/29 15:20:16  rgb
+ * Change gettdb parameter to a pointer to reduce stack loading and
+ * facilitate parameter sanity checking.
+ * Add sanity checking for null pointer arguments.
+ * Add debugging instrumentation.
+ * Add function deltdbchain() which will take care of unlinking,
+ * zeroing and deleting a chain of tdbs.
+ * Add a parameter to tdbcleanup to be able to delete a class of SAs.
+ * tdbwipe now actually zeroes the tdb as well as any of its pointed
+ * structures.
+ *
+ * Revision 1.16  1999/04/16 15:36:29  rgb
+ * Fix cut-and-paste error causing a memory leak in IPIP TDB freeing.
+ *
+ * Revision 1.15  1999/04/11 00:29:01  henry
+ * GPL boilerplate
+ *
+ * Revision 1.14  1999/04/06 04:54:28  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.13  1999/02/19 18:23:01  rgb
+ * Nix debug off compile warning.
+ *
+ * Revision 1.12  1999/02/17 16:52:16  rgb
+ * Consolidate satoa()s for space and speed efficiency.
+ * Convert DEBUG_IPSEC to KLIPS_PRINT
+ * Clean out unused cruft.
+ * Ditch NET_IPIP dependancy.
+ * Loop for 3des key setting.
+ *
+ * Revision 1.11  1999/01/26 02:09:05  rgb
+ * Remove ah/esp/IPIP switching on include files.
+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
+ * Removed dead code.
+ * Clean up debug code when switched off.
+ * Remove references to INET_GET_PROTOCOL.
+ * Added code exclusion macros to reduce code from unused algorithms.
+ *
+ * Revision 1.10  1999/01/22 06:28:55  rgb
+ * Cruft clean-out.
+ * Put random IV generation in kernel.
+ * Added algorithm switch code.
+ * Enhanced debugging.
+ * 64-bit clean-up.
+ *
+ * Revision 1.9  1998/11/30 13:22:55  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.8  1998/11/25 04:59:06  rgb
+ * Add conditionals for no IPIP tunnel code.
+ * Delete commented out code.
+ *
+ * Revision 1.7  1998/10/31 06:50:41  rgb
+ * Convert xform ASCII names to no spaces.
+ * Fixed up comments in #endif directives.
+ *
+ * Revision 1.6  1998/10/19 14:44:28  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.5  1998/10/09 04:32:19  rgb
+ * Added 'klips_debug' prefix to all klips printk debug statements.
+ *
+ * Revision 1.4  1998/08/12 00:11:31  rgb
+ * Added new xform functions to the xform table.
+ * Fixed minor debug output spelling error.
+ *
+ * Revision 1.3  1998/07/09 17:45:31  rgb
+ * Clarify algorithm not available message.
+ *
+ * Revision 1.2  1998/06/23 03:00:51  rgb
+ * Check for presence of IPIP protocol if it is setup one way (we don't
+ * know what has been set up the other way and can only assume it will be
+ * symmetrical with the exception of keys).
+ *
+ * Revision 1.1  1998/06/18 21:27:51  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.3  1998/06/11 05:54:59  rgb
+ * Added transform version string pointer to xformsw initialisations.
+ *
+ * Revision 1.2  1998/04/21 21:28:57  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.1  1998/04/09 03:06:13  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:02  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.5  1997/06/03 04:24:48  ji
+ * Added ESP-3DES-MD5-96
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * Added new transforms.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_sha1.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,219 @@
+/*
+ * RCSID $Id: ipsec_sha1.c,v 1.9 2004/04/06 02:49:26 mcr Exp $
+ */
+
+/*
+ * The rest of the code is derived from sha1.c by Steve Reid, which is
+ * public domain.
+ * Minor cosmetic changes to accomodate it in the Linux kernel by ji.
+ */
+
+#include <asm/byteorder.h>
+#include <linux/string.h>
+
+#include "openswan/ipsec_sha1.h"
+
+#if defined(rol)
+#undef rol
+#endif
+
+#define SHA1HANDSOFF
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/* blk0() and blk() perform the initial expand. */
+/* I got the idea of expanding during the round function from SSLeay */
+#ifdef __LITTLE_ENDIAN
+#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+    |(rol(block->l[i],8)&0x00FF00FF))
+#else
+#define blk0(i) block->l[i]
+#endif
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+    ^block->l[(i+2)&15]^block->l[i&15],1))
+
+/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+
+
+/* Hash a single 512-bit block. This is the core of the algorithm. */
+
+void SHA1Transform(__u32 state[5], __u8 buffer[64])
+{
+__u32 a, b, c, d, e;
+typedef union {
+    unsigned char c[64];
+    __u32 l[16];
+} CHAR64LONG16;
+CHAR64LONG16* block;
+#ifdef SHA1HANDSOFF
+static unsigned char workspace[64];
+    block = (CHAR64LONG16*)workspace;
+    memcpy(block, buffer, 64);
+#else
+    block = (CHAR64LONG16*)buffer;
+#endif
+    /* Copy context->state[] to working vars */
+    a = state[0];
+    b = state[1];
+    c = state[2];
+    d = state[3];
+    e = state[4];
+    /* 4 rounds of 20 operations each. Loop unrolled. */
+    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+    /* Add the working vars back into context.state[] */
+    state[0] += a;
+    state[1] += b;
+    state[2] += c;
+    state[3] += d;
+    state[4] += e;
+    /* Wipe variables */
+    a = b = c = d = e = 0;
+}
+
+
+/* SHA1Init - Initialize new context */
+
+void SHA1Init(void *vcontext)
+{
+    SHA1_CTX* context = vcontext;
+
+    /* SHA1 initialization constants */
+    context->state[0] = 0x67452301;
+    context->state[1] = 0xEFCDAB89;
+    context->state[2] = 0x98BADCFE;
+    context->state[3] = 0x10325476;
+    context->state[4] = 0xC3D2E1F0;
+    context->count[0] = context->count[1] = 0;
+}
+
+
+/* Run your data through this. */
+
+void SHA1Update(void *vcontext, unsigned char* data, __u32 len)
+{
+    SHA1_CTX* context = vcontext;
+    __u32 i, j;
+
+    j = context->count[0];
+    if ((context->count[0] += len << 3) < j)
+	context->count[1]++;
+    context->count[1] += (len>>29);
+    j = (j >> 3) & 63;
+    if ((j + len) > 63) {
+        memcpy(&context->buffer[j], data, (i = 64-j));
+        SHA1Transform(context->state, context->buffer);
+        for ( ; i + 63 < len; i += 64) {
+            SHA1Transform(context->state, &data[i]);
+        }
+        j = 0;
+    }
+    else i = 0;
+    memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/* Add padding and return the message digest. */
+
+void SHA1Final(unsigned char digest[20], void *vcontext)
+{
+  __u32 i, j;
+  unsigned char finalcount[8];
+  SHA1_CTX* context = vcontext;
+    
+    for (i = 0; i < 8; i++) {
+        finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+         >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
+    }
+    SHA1Update(context, (unsigned char *)"\200", 1);
+    while ((context->count[0] & 504) != 448) {
+        SHA1Update(context, (unsigned char *)"\0", 1);
+    }
+    SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
+    for (i = 0; i < 20; i++) {
+        digest[i] = (unsigned char)
+         ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+    }
+    /* Wipe variables */
+    i = j = 0;
+    memset(context->buffer, 0, 64);
+    memset(context->state, 0, 20);
+    memset(context->count, 0, 8);
+    memset(&finalcount, 0, 8);
+#ifdef SHA1HANDSOFF  /* make SHA1Transform overwrite its own static vars */
+    SHA1Transform(context->state, context->buffer);
+#endif
+}
+
+
+/*
+ * $Log: ipsec_sha1.c,v $
+ * Revision 1.9  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.8  2002/09/10 01:45:14  mcr
+ * 	changed type of MD5_CTX and SHA1_CTX to void * so that
+ * 	the function prototypes would match, and could be placed
+ * 	into a pointer to a function.
+ *
+ * Revision 1.7  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.6  2002/04/24 07:36:30  mcr
+ * Moved from ./klips/net/ipsec/ipsec_sha1.c,v
+ *
+ * Revision 1.5  1999/12/13 13:59:13  rgb
+ * Quick fix to argument size to Update bugs.
+ *
+ * Revision 1.4  1999/04/11 00:29:00  henry
+ * GPL boilerplate
+ *
+ * Revision 1.3  1999/04/06 04:54:27  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.2  1999/01/22 06:55:50  rgb
+ * 64-bit clean-up.
+ *
+ * Revision 1.1  1998/06/18 21:27:50  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.2  1998/04/23 20:54:04  rgb
+ * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
+ * verified.
+ *
+ * Revision 1.1  1998/04/09 03:06:11  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:05  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * New transform
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_snprintf.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,135 @@
+/*
+ * @(#) ipsec_snprintf() function
+ *
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
+ *                                 2001  Michael Richardson <mcr@freeswan.org>
+ * Copyright (C) 2005 Michael Richardson <mcr@xelerance.com>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * Split out from ipsec_proc.c.
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_kversion.h"
+#include "openswan/ipsec_param.h"
+
+#include <net/ip.h>
+
+#include "openswan/radij.h"
+
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_stats.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_xmit.h"
+
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_kern24.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include "openswan/ipsec_proto.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+/* ipsec_snprintf: like snprintf except
+ * - size is signed and a negative value is treated as if it were 0
+ * - the returned result is never negative --
+ *   an error generates a "?" or null output (depending on space).
+ *   (Our callers are too lazy to check for an error return.)
+ * 
+ * @param buf String buffer
+ * @param size Size of the string
+ * @param fmt printf string
+ * @param ... Variables to be displayed in fmt
+ * @return int Return code
+ */
+int ipsec_snprintf(char *buf, ssize_t size, const char *fmt, ...)
+{
+       va_list args;
+       int i;
+       size_t possize = size < 0? 0 : size;
+       va_start(args, fmt);
+       i = vsnprintf(buf,possize,fmt,args);
+       va_end(args);
+       if (i < 0) {
+           /* create empty output in place of error */
+           i = 0;
+           if (size > 0) {
+               *buf = '\0';
+           }
+       }
+       return i;
+}
+
+
+void ipsec_dmp_block(char *s, caddr_t bb, int len)
+{
+	int i;
+	unsigned char *b = bb;
+  
+	printk(KERN_INFO "klips_dmp: "
+	       "at %s, len=%d:\n", s, len);
+	
+	for(i = 0; i < len; i++ /*, c++*/) {
+		if(!(i % 16)) {
+			printk(KERN_INFO
+			       "klips_debug:   @%03x:",
+			       i);
+		}
+		printk(" %02x", b[i]);
+		if(!((i + 1) % 16)) {
+			printk("\n");
+		}
+	}
+	if(i % 16) {
+		printk("\n");
+	}
+}
+		
+/*
+ *
+ * $Log: ipsec_snprintf.c,v $
+ * Revision 1.3.2.1  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.3  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.2  2005/04/15 00:32:01  mcr
+ * 	added ipsec_dmp_block routine.
+ *
+ *
+ * Local Variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_tunnel.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,2878 @@
+/*
+ * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.232.2.5 2006/10/06 21:39:26 paul Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif	/* for CONFIG_IP_FORWARD */
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <linux/skbuff.h>
+
+#include <linux/netdevice.h>   /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+
+#include <openswan.h>
+
+#ifdef NET_21
+# include <linux/in6.h>
+# define ip_chk_addr inet_addr_type
+# define IS_MYADDR RTN_LOCAL
+# include <net/dst.h>
+# undef dev_kfree_skb
+# define dev_kfree_skb(a,b) kfree_skb(a)
+# define PHYSDEV_TYPE
+#endif /* NET_21 */
+
+#include <net/icmp.h>		/* icmp_send() */
+#include <net/ip.h>
+#ifdef NETDEV_23
+# include <linux/netfilter_ipv4.h>
+#endif /* NETDEV_23 */
+
+#include <linux/if_arp.h>
+#include <net/arp.h>
+
+#include "openswan/ipsec_kversion.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_eroute.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_sa.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_xmit.h"
+#include "openswan/ipsec_ipe4.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_kern24.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+#include <linux/udp.h>
+#endif
+
+static __u32 zeroes[64];
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_tunnel = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_open(struct net_device *dev)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	/*
+	 * Can't open until attached.
+	 */
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_open: "
+		    "dev = %s, prv->dev = %s\n",
+		    dev->name, prv->dev?prv->dev->name:"NONE");
+
+	if (prv->dev == NULL)
+		return -ENODEV;
+	
+	KLIPS_INC_USE;
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_close(struct net_device *dev)
+{
+	KLIPS_DEC_USE;
+	return 0;
+}
+
+#ifdef NETDEV_23
+static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
+{
+#ifdef NETDEV_25	/* 2.6 kernels */
+	return dst_output(skb);
+#else
+	return ip_send(skb);
+#endif
+}
+#endif /* NETDEV_23 */
+
+enum ipsec_xmit_value
+ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
+{
+	/* ixs->physdev->hard_header_len is unreliable and should not be used */
+        ixs->hard_header_len = (unsigned char *)(ixs->iph) - ixs->skb->data;
+
+	if(ixs->hard_header_len < 0) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_error:ipsec_xmit_strip_hard_header: "
+			    "Negative hard_header_len (%d)?!\n", ixs->hard_header_len);
+		ixs->stats->tx_dropped++;
+		return IPSEC_XMIT_BADHHLEN;
+	}
+
+	/* while ixs->physdev->hard_header_len is unreliable and
+	 * should not be trusted, it accurate and required for ATM, GRE and
+	 * some other interfaces to work. Thanks to Willy Tarreau 
+	 * <willy@w.ods.org>.
+	 */
+	if(ixs->hard_header_len == 0) { /* no hard header present */
+		ixs->hard_header_stripped = 1;
+		ixs->hard_header_len = ixs->physdev->hard_header_len;
+	}
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (debug_tunnel & DB_TN_XMIT) {
+		int i;
+		char c;
+		
+		printk(KERN_INFO "klips_debug:ipsec_xmit_strip_hard_header: "
+		       ">>> skb->len=%ld hard_header_len:%d",
+		       (unsigned long int)ixs->skb->len, ixs->hard_header_len);
+		c = ' ';
+		for (i=0; i < ixs->hard_header_len; i++) {
+			printk("%c%02x", c, ixs->skb->data[i]);
+			c = ':';
+		}
+		printk(" \n");
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_strip_hard_header: "
+		    "Original head,tailroom: %d,%d\n",
+		    skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+
+	return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
+{
+	unsigned int bypass;
+
+	bypass = FALSE;
+
+	/*
+	 * First things first -- look us up in the erouting tables.
+	 */
+	ixs->matcher.sen_len = sizeof (struct sockaddr_encap);
+	ixs->matcher.sen_family = AF_ENCAP;
+	ixs->matcher.sen_type = SENT_IP4;
+	ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
+	ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
+	ixs->matcher.sen_proto = ixs->iph->protocol;
+	ipsec_extract_ports(ixs->iph, &ixs->matcher);
+
+	/*
+	 * The spinlock is to prevent any other process from accessing or deleting
+	 * the eroute while we are using and updating it.
+	 */
+	spin_lock(&eroute_lock);
+	
+	ixs->eroute = ipsec_findroute(&ixs->matcher);
+
+	if(ixs->iph->protocol == IPPROTO_UDP) {
+		struct udphdr *t = NULL;
+
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:udp port check: "
+			    "fragoff: %d len: %d>%ld \n",
+			    ntohs(ixs->iph->frag_off) & IP_OFFSET,
+			    (ixs->skb->len - ixs->hard_header_len),
+                            (unsigned long int) ((ixs->iph->ihl << 2) + sizeof(struct udphdr)));
+		
+		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
+		   ((ixs->skb->len - ixs->hard_header_len) >=
+		    ((ixs->iph->ihl << 2) + sizeof(struct udphdr))))
+		{
+			t =((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:udp port in packet: "
+				    "port %d -> %d\n",
+				    ntohs(t->source), ntohs(t->dest));
+		}
+
+		ixs->sport=0; ixs->dport=0;
+
+		if(ixs->skb->sk) {
+#ifdef NET_26
+			struct udp_sock *us;
+			
+			us = (struct udp_sock *)ixs->skb->sk;
+
+			ixs->sport = ntohs(us->inet.sport);
+			ixs->dport = ntohs(us->inet.dport);
+#else
+			ixs->sport = ntohs(ixs->skb->sk->sport);
+			ixs->dport = ntohs(ixs->skb->sk->dport);
+#endif
+
+		} 
+
+		if(t != NULL) {
+			if(ixs->sport == 0) {
+				ixs->sport = ntohs(t->source);
+			}
+			if(ixs->dport == 0) {
+				ixs->dport = ntohs(t->dest);
+			}
+		}
+	}
+
+	/*
+	 * practically identical to above, but let's be careful about
+	 * tcp vs udp headers
+	 */
+	if(ixs->iph->protocol == IPPROTO_TCP) {
+		struct tcphdr *t = NULL;
+
+		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
+		   ((ixs->skb->len - ixs->hard_header_len) >=
+		    ((ixs->iph->ihl << 2) + sizeof(struct tcphdr)))) {
+			t =((struct tcphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
+		}
+
+		ixs->sport=0; ixs->dport=0;
+
+		if(ixs->skb->sk) {
+#ifdef NET_26
+#ifdef HAVE_INET_SK_SPORT
+                       ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);
+                       ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport);
+#else
+                        struct tcp_tw_bucket *tw;
+
+                        tw = (struct tcp_tw_bucket *)ixs->skb->sk;
+
+                        ixs->sport = ntohs(tw->tw_sport);
+                        ixs->dport = ntohs(tw->tw_dport);
+#endif
+#else
+                        ixs->sport = ntohs(ixs->skb->sk->sport);
+                        ixs->dport = ntohs(ixs->skb->sk->dport);
+#endif
+		} 
+
+		if(t != NULL) {
+			if(ixs->sport == 0) {
+				ixs->sport = ntohs(t->source);
+			}
+			if(ixs->dport == 0) {
+				ixs->dport = ntohs(t->dest);
+			}
+		}
+	}
+	
+	/* default to a %drop eroute */
+	ixs->outgoing_said.proto = IPPROTO_INT;
+	ixs->outgoing_said.spi = htonl(SPI_DROP);
+	ixs->outgoing_said.dst.u.v4.sin_addr.s_addr = INADDR_ANY;
+	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+		    "klips_debug:ipsec_xmit_SAlookup: "
+		    "checking for local udp/500 IKE packet "
+		    "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
+		    ntohl((unsigned int)ixs->iph->saddr),
+		    ixs->eroute,
+		    ntohl((unsigned int)ixs->iph->daddr),
+		    ixs->eroute ? ntohl((unsigned int)ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr) : 0,
+		    ixs->iph->protocol,
+		    ixs->sport,
+		    ixs->dport); 
+
+	/*
+	 * cheat for now...are we udp/500? If so, let it through
+	 * without interference since it is most likely an IKE packet.
+	 */
+
+	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
+	    && (ixs->eroute==NULL
+		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
+		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
+	    && (ixs->iph->protocol == IPPROTO_UDP &&
+		(ixs->sport == 500 || ixs->sport == 4500))) {
+		/* Whatever the eroute, this is an IKE message 
+		 * from us (i.e. not being forwarded).
+		 * Furthermore, if there is a tunnel eroute,
+		 * the destination is the peer for this eroute.
+		 * So %pass the packet: modify the default %drop.
+		 */
+
+		ixs->outgoing_said.spi = htonl(SPI_PASS);
+		if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_SAlookup: "
+				    "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
+		}
+		bypass = TRUE;
+	}
+
+#ifdef KLIPS_EXCEPT_DNS53
+	/*
+	 *
+	 * if we are udp/53 or tcp/53, also let it through a %trap or %hold,
+	 * since it is DNS, but *also* follow the %trap.
+	 * 
+	 * we do not do this for tunnels, only %trap's and %hold's.
+	 *
+	 */
+
+	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
+	    && (ixs->eroute==NULL
+		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
+		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
+	    && ((ixs->iph->protocol == IPPROTO_UDP
+		 || ixs->iph->protocol == IPPROTO_TCP)
+		&& ixs->dport == 53)) {
+		
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_SAlookup: "
+			    "possible DNS packet\n");
+
+		if(ixs->eroute)
+		{
+			if(ixs->eroute->er_said.spi == htonl(SPI_TRAP)
+			   || ixs->eroute->er_said.spi == htonl(SPI_HOLD))
+			{
+				ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
+				bypass = TRUE;
+			}
+		}
+		else
+		{
+			ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
+			bypass = TRUE;
+		}
+				
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_SAlookup: "
+			    "bypass = %d\n", bypass);
+
+		if(bypass
+		   && !(ixs->skb->sk)
+		   && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0))
+		{
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_SAlookup: "
+				    "local port 53 (probably DNS) passthrough:"
+				    "base fragment, rest of fragments will "
+				    "probably get filtered.\n");
+		}
+	}
+#endif
+
+	if (bypass==FALSE && ixs->eroute) {
+		ixs->eroute->er_count++;
+		ixs->eroute->er_lasttime = jiffies/HZ;
+		if(ixs->eroute->er_said.proto==IPPROTO_INT
+		   && ixs->eroute->er_said.spi==htonl(SPI_HOLD))
+		{
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_SAlookup: "
+				    "shunt SA of HOLD: skb stored in HOLD.\n");
+			if(ixs->eroute->er_last != NULL) {
+				kfree_skb(ixs->eroute->er_last);
+			}
+			ixs->eroute->er_last = ixs->skb;
+			ixs->skb = NULL;
+			ixs->stats->tx_dropped++;
+			spin_unlock(&eroute_lock);
+			return IPSEC_XMIT_STOLEN;
+		}
+		ixs->outgoing_said = ixs->eroute->er_said;
+		ixs->eroute_pid = ixs->eroute->er_pid;
+
+		/* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
+		if(ixs->outgoing_said.proto==IPPROTO_INT
+		   && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
+		       || (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
+			int len;
+			
+			ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
+			ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
+			ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
+			if (ixs->ips.ips_ident_s.len)
+			{
+				len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+					    "klips_debug:ipsec_xmit_SAlookup: "
+					    "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
+					    len);
+				if ((ixs->ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
+					printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
+					       "Failed, tried to allocate %d bytes for source ident.\n", 
+					       len);
+					ixs->stats->tx_dropped++;
+					spin_unlock(&eroute_lock);
+					return IPSEC_XMIT_ERRMEMALLOC;
+				}
+				memcpy(ixs->ips.ips_ident_s.data, ixs->eroute->er_ident_s.data, len);
+			}
+			ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
+			ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
+			ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
+			if (ixs->ips.ips_ident_d.len)
+			{
+				len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+					    "klips_debug:ipsec_xmit_SAlookup: "
+					    "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
+					    len);
+				if ((ixs->ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
+					printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
+					       "Failed, tried to allocate %d bytes for dest ident.\n", 
+					       len);
+					ixs->stats->tx_dropped++;
+					spin_unlock(&eroute_lock);
+					return IPSEC_XMIT_ERRMEMALLOC;
+				}
+				memcpy(ixs->ips.ips_ident_d.data, ixs->eroute->er_ident_d.data, len);
+			}
+		}
+	}
+
+	spin_unlock(&eroute_lock);
+	return IPSEC_XMIT_OK;
+}
+
+
+enum ipsec_xmit_value
+ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state*ixs)
+{
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_restore_hard_header: "
+		    "After recursive xforms -- head,tailroom: %d,%d\n",
+		    skb_headroom(ixs->skb),
+		    skb_tailroom(ixs->skb));
+
+	if(ixs->saved_header) {
+		if(skb_headroom(ixs->skb) < ixs->hard_header_len) {
+			printk(KERN_WARNING
+			       "klips_error:ipsec_xmit_restore_hard_header: "
+			       "tried to skb_push hhlen=%d, %d available.  This should never happen, please report.\n",
+			       ixs->hard_header_len,
+			       skb_headroom(ixs->skb));
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_PUSHPULLERR;
+
+		}
+		skb_push(ixs->skb, ixs->hard_header_len);
+		{
+			int i;
+			for (i = 0; i < ixs->hard_header_len; i++) {
+				ixs->skb->data[i] = ixs->saved_header[i];
+			}
+		}
+	}
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if (ixs->natt_type && ixs->natt_head) {
+		struct iphdr *ipp = ixs->skb->nh.iph;
+		struct udphdr *udp;
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "encapsuling packet into UDP (NAT-Traversal) (%d %d)\n",
+			    ixs->natt_type, ixs->natt_head);
+
+		ixs->iphlen = ipp->ihl << 2;
+		ipp->tot_len =
+			htons(ntohs(ipp->tot_len) + ixs->natt_head);
+		if(skb_tailroom(ixs->skb) < ixs->natt_head) {
+			printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
+				"tried to skb_put %d, %d available. "
+				"This should never happen, please report.\n",
+				ixs->natt_head,
+				skb_tailroom(ixs->skb));
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_ESPUDP;
+		}
+		skb_put(ixs->skb, ixs->natt_head);
+
+		udp = (struct udphdr *)((char *)ipp + ixs->iphlen);
+
+		/* move ESP hdr after UDP hdr */
+		memmove((void *)((char *)udp + ixs->natt_head),
+			(void *)(udp),
+			ntohs(ipp->tot_len) - ixs->iphlen - ixs->natt_head);
+
+		/* clear UDP & Non-IKE Markers (if any) */
+		memset(udp, 0, ixs->natt_head);
+
+		/* fill UDP with usefull informations ;-) */
+		udp->source = htons(ixs->natt_sport);
+		udp->dest = htons(ixs->natt_dport);
+		udp->len = htons(ntohs(ipp->tot_len) - ixs->iphlen);
+
+		/* set protocol */
+		ipp->protocol = IPPROTO_UDP;
+
+		/* fix IP checksum */
+		ipp->check = 0;
+		ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
+	}
+#endif	
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_restore_hard_header: "
+		    "With hard_header, final head,tailroom: %d,%d\n",
+		    skb_headroom(ixs->skb),
+		    skb_tailroom(ixs->skb));
+
+	return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_tunnel_send(struct ipsec_xmit_state*ixs)
+{
+#ifdef NETDEV_25
+	struct flowi fl;
+#endif
+  
+#ifdef NET_21	/* 2.2 and 2.4 kernels */
+	/* new route/dst cache code from James Morris */
+	ixs->skb->dev = ixs->physdev;
+#ifdef NETDEV_25
+	memset (&fl, 0x0, sizeof (struct flowi));
+ 	fl.oif = ixs->physdev->iflink;
+ 	fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr;
+ 	fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr;
+ 	fl.nl_u.ip4_u.tos = RT_TOS(ixs->skb->nh.iph->tos);
+ 	fl.proto = ixs->skb->nh.iph->protocol;
+ 	if ((ixs->error = ip_route_output_key(&ixs->route, &fl))) {
+#else
+	/*skb_orphan(ixs->skb);*/
+	if((ixs->error = ip_route_output(&ixs->route,
+				    ixs->skb->nh.iph->daddr,
+				    ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
+				    RT_TOS(ixs->skb->nh.iph->tos),
+                                    /* mcr->rgb: should this be 0 instead? */
+				    ixs->physdev->iflink))) {
+#endif
+		ixs->stats->tx_errors++;
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_send: "
+			    "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
+			    ixs->error,
+			    ixs->route->u.dst.dev->name);
+		return IPSEC_XMIT_ROUTEERR;
+	}
+	if(ixs->dev == ixs->route->u.dst.dev) {
+		ip_rt_put(ixs->route);
+		/* This is recursion, drop it. */
+		ixs->stats->tx_errors++;
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_send: "
+			    "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
+			    ixs->dev->name);
+		return IPSEC_XMIT_RECURSDETECT;
+	}
+	dst_release(ixs->skb->dst);
+	ixs->skb->dst = &ixs->route->u.dst;
+	ixs->stats->tx_bytes += ixs->skb->len;
+	if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
+		ixs->stats->tx_errors++;
+		printk(KERN_WARNING
+		       "klips_error:ipsec_xmit_send: "
+		       "tried to __skb_pull nh-data=%ld, %d available.  This should never happen, please report.\n",
+		       (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
+		       ixs->skb->len);
+		return IPSEC_XMIT_PUSHPULLERR;
+	}
+	__skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
+#ifdef SKB_RESET_NFCT
+	if(!ixs->pass) {
+	  nf_conntrack_put(ixs->skb->nfct);
+	  ixs->skb->nfct = NULL;
+	}
+#if defined(CONFIG_NETFILTER_DEBUG) && defined(HAVE_SKB_NF_DEBUG)
+	ixs->skb->nf_debug = 0;
+#endif /* CONFIG_NETFILTER_DEBUG */
+#endif /* SKB_RESET_NFCT */
+	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+		    "klips_debug:ipsec_xmit_send: "
+		    "...done, calling ip_send() on device:%s\n",
+		    ixs->skb->dev ? ixs->skb->dev->name : "NULL");
+	KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph);
+#ifdef NETDEV_23	/* 2.4 kernels */
+	{
+		int err;
+
+		err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
+			      ipsec_tunnel_xmit2);
+		if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
+			if(net_ratelimit())
+				printk(KERN_ERR
+				       "klips_error:ipsec_xmit_send: "
+				       "ip_send() failed, err=%d\n", 
+				       -err);
+			ixs->stats->tx_errors++;
+			ixs->stats->tx_aborted_errors++;
+			ixs->skb = NULL;
+			return IPSEC_XMIT_IPSENDFAILURE;
+		}
+	}
+#else /* NETDEV_23 */	/* 2.2 kernels */
+	ip_send(ixs->skb);
+#endif /* NETDEV_23 */
+#else /* NET_21 */	/* 2.0 kernels */
+	ixs->skb->arp = 1;
+	/* ISDN/ASYNC PPP from Matjaz Godec. */
+	/*	skb->protocol = htons(ETH_P_IP); */
+	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+		    "klips_debug:ipsec_xmit_send: "
+		    "...done, calling dev_queue_xmit() or ip_fragment().\n");
+	IP_SEND(ixs->skb, ixs->physdev);
+#endif /* NET_21 */
+	ixs->stats->tx_packets++;
+
+	ixs->skb = NULL;
+	
+	return IPSEC_XMIT_OK;
+}
+
+void
+ipsec_tunnel_cleanup(struct ipsec_xmit_state*ixs)
+{
+#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
+	netif_wake_queue(ixs->dev);
+#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+	ixs->dev->tbusy = 0;
+#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+	if(ixs->saved_header) {
+		kfree(ixs->saved_header);
+	}
+	if(ixs->skb) {
+		dev_kfree_skb(ixs->skb, FREE_WRITE);
+	}
+	if(ixs->oskb) {
+		dev_kfree_skb(ixs->oskb, FREE_WRITE);
+	}
+	if (ixs->ips.ips_ident_s.data) {
+		kfree(ixs->ips.ips_ident_s.data);
+	}
+	if (ixs->ips.ips_ident_d.data) {
+		kfree(ixs->ips.ips_ident_d.data);
+	}
+}
+
+/*
+ *	This function assumes it is being called from dev_queue_xmit()
+ *	and that skb is filled properly by that function.
+ */
+int
+ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+	struct ipsec_xmit_state ixs_mem;
+	struct ipsec_xmit_state *ixs = &ixs_mem;
+	enum ipsec_xmit_value stat;
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	ixs->natt_type = 0, ixs->natt_head = 0;
+	ixs->natt_sport = 0, ixs->natt_dport = 0;
+#endif
+
+	memset((caddr_t)ixs, 0, sizeof(*ixs));
+	ixs->oskb = NULL;
+	ixs->saved_header = NULL;	/* saved copy of the hard header */
+	ixs->route = NULL;
+	memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips));
+	ixs->dev = dev;
+	ixs->skb = skb;
+
+	stat = ipsec_xmit_sanity_check_dev(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		goto cleanup;
+	}
+
+	stat = ipsec_xmit_sanity_check_skb(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		goto cleanup;
+	}
+
+	stat = ipsec_tunnel_strip_hard_header(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		goto cleanup;
+	}
+
+	stat = ipsec_tunnel_SAlookup(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
+			    stat);
+		goto cleanup;
+	}
+	
+	ixs->innersrc = ixs->iph->saddr;
+	/* start encapsulation loop here XXX */
+	do {
+ 		stat = ipsec_xmit_encap_bundle(ixs);
+	 	if(stat != IPSEC_XMIT_OK) {
+			if(stat == IPSEC_XMIT_PASS) {
+				goto bypass;
+			}
+			
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
+				    stat);
+ 			goto cleanup;
+	 	}
+
+		ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
+		ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
+		ixs->matcher.sen_proto = ixs->iph->protocol;
+		ipsec_extract_ports(ixs->iph, &ixs->matcher);
+
+		spin_lock(&eroute_lock);
+		ixs->eroute = ipsec_findroute(&ixs->matcher);
+		if(ixs->eroute) {
+			ixs->outgoing_said = ixs->eroute->er_said;
+			ixs->eroute_pid = ixs->eroute->er_pid;
+			ixs->eroute->er_count++;
+			ixs->eroute->er_lasttime = jiffies/HZ;
+		}
+		spin_unlock(&eroute_lock);
+
+		KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
+			    /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
+			    (ixs->orgedst != ixs->outgoing_said.dst.u.v4.sin_addr.s_addr) &&
+			    ixs->outgoing_said.dst.u.v4.sin_addr.s_addr &&
+			    ixs->eroute,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "We are recursing here.\n");
+
+	} while(/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
+		(ixs->orgedst != ixs->outgoing_said.dst.u.v4.sin_addr.s_addr) &&
+		ixs->outgoing_said.dst.u.v4.sin_addr.s_addr &&
+		ixs->eroute);
+	
+	stat = ipsec_tunnel_restore_hard_header(ixs);
+	if(stat != IPSEC_XMIT_OK) {
+		goto cleanup;
+	}
+
+ bypass:
+	stat = ipsec_tunnel_send(ixs);
+
+ cleanup:
+	ipsec_tunnel_cleanup(ixs);
+
+	return 0;
+}
+
+DEBUG_NO_STATIC struct net_device_stats *
+ipsec_tunnel_get_stats(struct net_device *dev)
+{
+	return &(((struct ipsecpriv *)(dev->priv))->mystats);
+}
+
+/*
+ * Revectored calls.
+ * For each of these calls, a field exists in our private structure.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_hard_header(struct sk_buff *skb, struct net_device *dev,
+	unsigned short type, void *daddr, void *saddr, unsigned len)
+{
+	struct ipsecpriv *prv = dev->priv;
+	struct net_device *tmp;
+	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no skb...\n");
+		return -ENODATA;
+	}
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no device...\n");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_hard_header: "
+		    "skb->dev=%s dev=%s.\n",
+		    skb->dev ? skb->dev->name : "NULL",
+		    dev->name);
+	
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no private space associated with dev=%s\n",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "no physical device associated with dev=%s\n",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	/* check if we have to send a IPv6 packet. It might be a Router
+	   Solicitation, where the building of the packet happens in
+	   reverse order:
+	   1. ll hdr,
+	   2. IPv6 hdr,
+	   3. ICMPv6 hdr
+	   -> skb->nh.raw is still uninitialized when this function is
+	   called!!  If this is no IPv6 packet, we can print debugging
+	   messages, otherwise we skip all debugging messages and just
+	   build the ll header */
+	if(type != ETH_P_IPV6) {
+		/* execute this only, if we don't have to build the
+		   header for a IPv6 packet */
+		if(!prv->hard_header) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+				    "klips_debug:ipsec_tunnel_hard_header: "
+				    "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
+				    saddr,
+				    daddr,
+				    len,
+				    type,
+				    dev->name);
+#ifdef NET_21
+			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+					"ip=%08x->%08x\n",
+					(__u32)ntohl(skb->nh.iph->saddr),
+					(__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+					"ip=%08x->%08x\n",
+					(__u32)ntohl(skb->ip_hdr->saddr),
+					(__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+			stats->tx_dropped++;
+			return -ENODEV;
+		}
+		
+#define da ((struct net_device *)(prv->dev))->dev_addr
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
+			    saddr,
+			    daddr,
+			    len,
+			    type,
+			    dev->name,
+			    prv->dev->name,
+			    da[0], da[1], da[2], da[3], da[4], da[5]);
+#ifdef NET_21
+		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->nh.iph->saddr),
+			    (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->ip_hdr->saddr),
+			    (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+	} else {
+		KLIPS_PRINT(debug_tunnel,
+			    "klips_debug:ipsec_tunnel_hard_header: "
+			    "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
+	}                                                                       
+	tmp = skb->dev;
+	skb->dev = prv->dev;
+	ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
+	skb->dev = tmp;
+	return ret;
+}
+
+DEBUG_NO_STATIC int
+#ifdef NET_21
+ipsec_tunnel_rebuild_header(struct sk_buff *skb)
+#else /* NET_21 */
+ipsec_tunnel_rebuild_header(void *buff, struct net_device *dev,
+			unsigned long raddr, struct sk_buff *skb)
+#endif /* NET_21 */
+{
+	struct ipsecpriv *prv = skb->dev->priv;
+	struct net_device *tmp;
+	int ret;
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(skb->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no private space associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "no physical device associated with dev=%s",
+			    skb->dev->name ? skb->dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	if(!prv->rebuild_header) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_rebuild_header: "
+			    "physical device has been detached, packet dropped skb->dev=%s->NULL ",
+			    skb->dev->name);
+#ifdef NET_21
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->nh.iph->saddr),
+			    (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "ip=%08x->%08x\n",
+			    (__u32)ntohl(skb->ip_hdr->saddr),
+			    (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel: "
+		    "Revectored rebuild_header dev=%s->%s ",
+		    skb->dev->name, prv->dev->name);
+#ifdef NET_21
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "ip=%08x->%08x\n",
+		    (__u32)ntohl(skb->nh.iph->saddr),
+		    (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "ip=%08x->%08x\n",
+		    (__u32)ntohl(skb->ip_hdr->saddr),
+		    (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+	tmp = skb->dev;
+	skb->dev = prv->dev;
+	
+#ifdef NET_21
+	ret = prv->rebuild_header(skb);
+#else /* NET_21 */
+	ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
+#endif /* NET_21 */
+	skb->dev = tmp;
+	return ret;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_set_mac_address(struct net_device *dev, void *addr)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODEV;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return -ENODEV;
+	}
+
+	if(!prv->set_mac_address) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_set_mac_address: "
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+			    dev->name);
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_set_mac_address: "
+		    "Revectored dev=%s->%s addr=0p%p\n",
+		    dev->name, prv->dev->name, addr);
+	return prv->set_mac_address(prv->dev, addr);
+
+}
+
+#ifndef NET_21
+DEBUG_NO_STATIC void
+ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct net_device *dev,
+				 unsigned short htype, __u32 daddr)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no device...");
+		return;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return;
+	}
+
+	if(!prv->header_cache_bind) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_bind: "
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+			    dev->name);
+		stats->tx_dropped++;
+		return;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_cache_bind: "
+		    "Revectored \n");
+	prv->header_cache_bind(hhp, prv->dev, htype, daddr);
+	return;
+}
+#endif /* !NET_21 */
+
+
+DEBUG_NO_STATIC void
+ipsec_tunnel_cache_update(struct hh_cache *hh, struct net_device *dev, unsigned char *  haddr)
+{
+	struct ipsecpriv *prv = dev->priv;
+	
+	struct net_device_stats *stats;	/* This device's statistics */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no device...");
+		return;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return;
+	}
+
+	stats = (struct net_device_stats *) &(prv->mystats);
+
+	if(prv->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "no physical device associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		stats->tx_dropped++;
+		return;
+	}
+
+	if(!prv->header_cache_update) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_cache_update: "
+			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+			    dev->name);
+		return;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel: "
+		    "Revectored cache_update\n");
+	prv->header_cache_update(hh, prv->dev, haddr);
+	return;
+}
+
+#ifdef NET_21
+DEBUG_NO_STATIC int
+ipsec_tunnel_neigh_setup(struct neighbour *n)
+{
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_neigh_setup:\n");
+
+        if (n->nud_state == NUD_NONE) {
+                n->ops = &arp_broken_ops;
+                n->output = n->ops->output;
+        }
+        return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_neigh_setup_dev(struct net_device *dev, struct neigh_parms *p)
+{
+	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+		    "klips_debug:ipsec_tunnel_neigh_setup_dev: "
+		    "setting up %s\n",
+		    dev ? dev->name : "NULL");
+
+        if (p->tbl->family == AF_INET) {
+                p->neigh_setup = ipsec_tunnel_neigh_setup;
+                p->ucast_probes = 0;
+                p->mcast_probes = 0;
+        }
+        return 0;
+}
+#endif /* NET_21 */
+
+/*
+ * We call the attach routine to attach another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_attach(struct net_device *dev, struct net_device *physdev)
+{
+        int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_attach: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_attach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
+
+	prv->dev = physdev;
+	prv->hard_start_xmit = physdev->hard_start_xmit;
+	prv->get_stats = physdev->get_stats;
+
+	if (physdev->hard_header) {
+		prv->hard_header = physdev->hard_header;
+		dev->hard_header = ipsec_tunnel_hard_header;
+	} else
+		dev->hard_header = NULL;
+	
+	if (physdev->rebuild_header) {
+		prv->rebuild_header = physdev->rebuild_header;
+		dev->rebuild_header = ipsec_tunnel_rebuild_header;
+	} else
+		dev->rebuild_header = NULL;
+	
+	if (physdev->set_mac_address) {
+		prv->set_mac_address = physdev->set_mac_address;
+		dev->set_mac_address = ipsec_tunnel_set_mac_address;
+	} else
+		dev->set_mac_address = NULL;
+	
+#ifndef NET_21
+	if (physdev->header_cache_bind) {
+		prv->header_cache_bind = physdev->header_cache_bind;
+		dev->header_cache_bind = ipsec_tunnel_cache_bind;
+	} else
+		dev->header_cache_bind = NULL;
+#endif /* !NET_21 */
+
+	if (physdev->header_cache_update) {
+		prv->header_cache_update = physdev->header_cache_update;
+		dev->header_cache_update = ipsec_tunnel_cache_update;
+	} else
+		dev->header_cache_update = NULL;
+
+	dev->hard_header_len = physdev->hard_header_len;
+
+#ifdef NET_21
+/*	prv->neigh_setup        = physdev->neigh_setup; */
+	dev->neigh_setup        = ipsec_tunnel_neigh_setup_dev;
+#endif /* NET_21 */
+	dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
+	prv->mtu = physdev->mtu;
+
+#ifdef PHYSDEV_TYPE
+	dev->type = physdev->type; /* ARPHRD_TUNNEL; */
+#endif /*  PHYSDEV_TYPE */
+
+	dev->addr_len = physdev->addr_len;
+	for (i=0; i<dev->addr_len; i++) {
+		dev->dev_addr[i] = physdev->dev_addr[i];
+	}
+#ifdef CONFIG_KLIPS_DEBUG
+	if(debug_tunnel & DB_TN_INIT) {
+		printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
+		       "physical device %s being attached has HW address: %2x",
+		       physdev->name, physdev->dev_addr[0]);
+		for (i=1; i < physdev->addr_len; i++) {
+			printk(":%02x", physdev->dev_addr[i]);
+		}
+		printk("\n");
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	return 0;
+}
+
+/*
+ * We call the detach routine to detach the ipsec tunnel from another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_detach(struct net_device *dev)
+{
+        int i;
+	struct ipsecpriv *prv = dev->priv;
+
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_detach: "
+			    "no device...");
+		return -ENODEV;
+	}
+
+	if(prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+			    "klips_debug:ipsec_tunnel_detach: "
+			    "no private space associated with dev=%s",
+			    dev->name ? dev->name : "NULL");
+		return -ENODATA;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_detach: "
+		    "physical device %s being detached from virtual device %s\n",
+		    prv->dev ? prv->dev->name : "NULL",
+		    dev->name);
+
+	ipsec_dev_put(prv->dev);
+	prv->dev = NULL;
+	prv->hard_start_xmit = NULL;
+	prv->get_stats = NULL;
+
+	prv->hard_header = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->hard_header = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+	prv->rebuild_header = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->rebuild_header = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+	prv->set_mac_address = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->set_mac_address = NULL;
+#endif /* DETACH_AND_DOWN */
+	
+#ifndef NET_21
+	prv->header_cache_bind = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->header_cache_bind = NULL;
+#endif /* DETACH_AND_DOWN */
+#endif /* !NET_21 */
+
+	prv->header_cache_update = NULL;
+#ifdef DETACH_AND_DOWN
+	dev->header_cache_update = NULL;
+#endif /* DETACH_AND_DOWN */
+
+#ifdef NET_21
+/*	prv->neigh_setup        = NULL; */
+#ifdef DETACH_AND_DOWN
+	dev->neigh_setup        = NULL;
+#endif /* DETACH_AND_DOWN */
+#endif /* NET_21 */
+	dev->hard_header_len = 0;
+#ifdef DETACH_AND_DOWN
+	dev->mtu = 0;
+#endif /* DETACH_AND_DOWN */
+	prv->mtu = 0;
+	for (i=0; i<MAX_ADDR_LEN; i++) {
+		dev->dev_addr[i] = 0;
+	}
+	dev->addr_len = 0;
+#ifdef PHYSDEV_TYPE
+	dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
+#endif /*  PHYSDEV_TYPE */
+	
+	return 0;
+}
+
+/*
+ * We call the clear routine to detach all ipsec tunnels from other devices.
+ */
+DEBUG_NO_STATIC int
+ipsec_tunnel_clear(void)
+{
+	int i;
+	struct net_device *ipsecdev = NULL, *prvdev;
+	struct ipsecpriv *prv;
+	int ret;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_clear: .\n");
+
+	for(i = 0; i < IPSEC_NUM_IF; i++) {
+   	        ipsecdev = ipsecdevices[i];
+		if(ipsecdev != NULL) {
+			if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
+				prvdev = (struct net_device *)(prv->dev);
+				if(prvdev) {
+					KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+						    "klips_debug:ipsec_tunnel_clear: "
+						    "physical device for device %s is %s\n",
+						    ipsecdev->name, prvdev->name);
+					if((ret = ipsec_tunnel_detach(ipsecdev))) {
+						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+							    "klips_debug:ipsec_tunnel_clear: "
+							    "error %d detatching device %s from device %s.\n",
+							    ret, ipsecdev->name, prvdev->name);
+						return ret;
+					}
+				}
+			}
+		}
+	}
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+{
+	struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
+	struct ipsecpriv *prv = dev->priv;
+	struct net_device *them; /* physical device */
+#ifdef CONFIG_IP_ALIAS
+	char *colon;
+	char realphysname[IFNAMSIZ];
+#endif /* CONFIG_IP_ALIAS */
+	
+	if(dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "device not supplied.\n");
+		return -ENODEV;
+	}
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_ioctl: "
+		    "tncfg service call #%d for dev=%s\n",
+		    cmd,
+		    dev->name ? dev->name : "NULL");
+	switch (cmd) {
+	/* attach a virtual ipsec? device to a physical device */
+	case IPSEC_SET_DEV:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "calling ipsec_tunnel_attatch...\n");
+#ifdef CONFIG_IP_ALIAS
+		/* If this is an IP alias interface, get its real physical name */
+		strncpy(realphysname, cf->cf_name, IFNAMSIZ);
+		realphysname[IFNAMSIZ-1] = 0;
+		colon = strchr(realphysname, ':');
+		if (colon) *colon = 0;
+		them = ipsec_dev_get(realphysname);
+#else /* CONFIG_IP_ALIAS */
+		them = ipsec_dev_get(cf->cf_name);
+#endif /* CONFIG_IP_ALIAS */
+
+		if (them == NULL) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "physical device %s requested is null\n",
+				    cf->cf_name);
+			return -ENXIO;
+		}
+		
+#if 0
+		if (them->flags & IFF_UP) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "physical device %s requested is not up.\n",
+				    cf->cf_name);
+			ipsec_dev_put(them);
+			return -ENXIO;
+		}
+#endif
+		
+		if (prv && prv->dev) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "virtual device is already connected to %s.\n",
+				    prv->dev->name ? prv->dev->name : "NULL");
+			ipsec_dev_put(them);
+			return -EBUSY;
+		}
+		return ipsec_tunnel_attach(dev, them);
+
+	case IPSEC_DEL_DEV:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "calling ipsec_tunnel_detatch.\n");
+		if (! prv->dev) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_ioctl: "
+				    "physical device not connected.\n");
+			return -ENODEV;
+		}
+		return ipsec_tunnel_detach(dev);
+	       
+	case IPSEC_CLR_DEV:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "calling ipsec_tunnel_clear.\n");
+		return ipsec_tunnel_clear();
+
+	default:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_ioctl: "
+			    "unknown command %d.\n",
+			    cmd);
+		return -EOPNOTSUPP;
+	}
+}
+
+struct net_device *ipsec_get_device(int inst)
+{
+  struct net_device *ipsec_dev;
+
+  ipsec_dev = NULL;
+
+  if(inst < IPSEC_NUM_IF) {
+    ipsec_dev = ipsecdevices[inst];
+  }
+
+  return ipsec_dev;
+}
+
+int
+ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
+{
+	struct net_device *dev = ptr;
+	struct net_device *ipsec_dev;
+	struct ipsecpriv *priv;
+	int i;
+
+	if (dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "dev=NULL for event type %ld.\n",
+			    event);
+		return(NOTIFY_DONE);
+	}
+
+	/* check for loopback devices */
+	if (dev && (dev->flags & IFF_LOOPBACK)) {
+		return(NOTIFY_DONE);
+	}
+
+	switch (event) {
+	case NETDEV_DOWN:
+		/* look very carefully at the scope of these compiler
+		   directives before changing anything... -- RGB */
+#ifdef NET_21
+	case NETDEV_UNREGISTER:
+		switch (event) {
+		case NETDEV_DOWN:
+#endif /* NET_21 */
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_device_event: "
+				    "NETDEV_DOWN dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+			if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
+				printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
+				       dev->name);
+			}
+#ifdef NET_21
+			break;
+		case NETDEV_UNREGISTER:
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_device_event: "
+				    "NETDEV_UNREGISTER dev=%s flags=%x\n",
+				    dev->name,
+				    dev->flags);
+			break;
+		}
+#endif /* NET_21 */
+		
+		/* find the attached physical device and detach it. */
+		for(i = 0; i < IPSEC_NUM_IF; i++) {
+			ipsec_dev = ipsecdevices[i];
+
+			if(ipsec_dev) {
+				priv = (struct ipsecpriv *)(ipsec_dev->priv);
+				if(priv) {
+					;
+					if(((struct net_device *)(priv->dev)) == dev) {
+						/* dev_close(ipsec_dev); */
+						/* return */ ipsec_tunnel_detach(ipsec_dev);
+						KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+							    "klips_debug:ipsec_device_event: "
+							    "device '%s' has been detached.\n",
+							    ipsec_dev->name);
+						break;
+					}
+				} else {
+					KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+						    "klips_debug:ipsec_device_event: "
+						    "device '%s' has no private data space!\n",
+						    ipsec_dev->name);
+				}
+			}
+		}
+		break;
+	case NETDEV_UP:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_UP dev=%s\n",
+			    dev->name);
+		break;
+#ifdef NET_21
+	case NETDEV_REBOOT:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_REBOOT dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGE:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGE dev=%s flags=%x\n",
+			    dev->name,
+			    dev->flags);
+		break;
+	case NETDEV_REGISTER:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_REGISTER dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGEMTU:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
+			    dev->name,
+			    dev->mtu);
+		break;
+	case NETDEV_CHANGEADDR:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGEADDR dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_GOING_DOWN:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_GOING_DOWN dev=%s\n",
+			    dev->name);
+		break;
+	case NETDEV_CHANGENAME:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "NETDEV_CHANGENAME dev=%s\n",
+			    dev->name);
+		break;
+#endif /* NET_21 */
+	default:
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_device_event: "
+			    "event type %ld unrecognised for dev=%s\n",
+			    event,
+			    dev->name);
+		break;
+	}
+	return NOTIFY_DONE;
+}
+
+/*
+ *	Called when an ipsec tunnel device is initialized.
+ *	The ipsec tunnel device structure is passed to us.
+ */
+ 
+int
+ipsec_tunnel_init(struct net_device *dev)
+{
+	int i;
+
+	KLIPS_PRINT(debug_tunnel,
+		    "klips_debug:ipsec_tunnel_init: "
+		    "allocating %lu bytes initialising device: %s\n",
+		    (unsigned long) sizeof(struct ipsecpriv),
+		    dev->name ? dev->name : "NULL");
+
+	/* Add our tunnel functions to the device */
+	dev->open		= ipsec_tunnel_open;
+	dev->stop		= ipsec_tunnel_close;
+	dev->hard_start_xmit	= ipsec_tunnel_start_xmit;
+	dev->get_stats		= ipsec_tunnel_get_stats;
+
+	dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
+	if (dev->priv == NULL)
+		return -ENOMEM;
+	memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
+
+	for(i = 0; i < sizeof(zeroes); i++) {
+		((__u8*)(zeroes))[i] = 0;
+	}
+	
+#ifndef NET_21
+	/* Initialize the tunnel device structure */
+	for (i = 0; i < DEV_NUMBUFFS; i++)
+		skb_queue_head_init(&dev->buffs[i]);
+#endif /* !NET_21 */
+
+	dev->set_multicast_list = NULL;
+	dev->do_ioctl		= ipsec_tunnel_ioctl;
+	dev->hard_header	= NULL;
+	dev->rebuild_header 	= NULL;
+	dev->set_mac_address 	= NULL;
+#ifndef NET_21
+	dev->header_cache_bind 	= NULL;
+#endif /* !NET_21 */
+	dev->header_cache_update= NULL;
+
+#ifdef NET_21
+/*	prv->neigh_setup        = NULL; */
+	dev->neigh_setup        = ipsec_tunnel_neigh_setup_dev;
+#endif /* NET_21 */
+	dev->hard_header_len 	= 0;
+	dev->mtu		= 0;
+	dev->addr_len		= 0;
+	dev->type		= ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
+	dev->tx_queue_len	= 10;		/* Small queue */
+	memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN);	/* what if this is not attached to ethernet? */
+
+	/* New-style flags. */
+	dev->flags		= IFF_NOARP /* 0 */ /* Petr Novak */;
+
+#if 0
+#ifdef NET_21
+	dev_init_buffers(dev);
+#else /* NET_21 */
+	dev->family		= AF_INET;
+	dev->pa_addr		= 0;
+	dev->pa_brdaddr 	= 0;
+	dev->pa_mask		= 0;
+	dev->pa_alen		= 4;
+#endif /* NET_21 */
+#endif
+
+	/* We're done.  Have I forgotten anything? */
+	return 0;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/*  Module specific interface (but it links with the rest of IPSEC)  */
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+int
+ipsec_tunnel_probe(struct net_device *dev)
+{
+	ipsec_tunnel_init(dev); 
+	return 0;
+}
+
+struct net_device *ipsecdevices[IPSEC_NUM_IF];
+
+int 
+ipsec_tunnel_init_devices(void)
+{
+	int i;
+	char name[IFNAMSIZ];
+	struct net_device *dev_ipsec;
+	
+	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+		    "klips_debug:ipsec_tunnel_init_devices: "
+		    "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
+		    IPSEC_NUM_IF,
+		    (unsigned long) (sizeof(struct net_device) + IFNAMSIZ),
+		    IFNAMSIZ);
+
+	for(i = 0; i < IPSEC_NUM_IF; i++) {
+		sprintf(name, IPSEC_DEV_FORMAT, i);
+		dev_ipsec = (struct net_device*)kmalloc(sizeof(struct net_device), GFP_KERNEL);
+		if (dev_ipsec == NULL) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_init_devices: "
+				    "failed to allocate memory for device %s, quitting device init.\n",
+				    name);
+			return -ENOMEM;
+		}
+		memset((caddr_t)dev_ipsec, 0, sizeof(struct net_device));
+#ifdef NETDEV_23
+		strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
+#else /* NETDEV_23 */
+		dev_ipsec->name = (char*)kmalloc(IFNAMSIZ, GFP_KERNEL);
+		if (dev_ipsec->name == NULL) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_init_devices: "
+				    "failed to allocate memory for device %s name, quitting device init.\n",
+				    name);
+			return -ENOMEM;
+		}
+		memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
+		strncpy(dev_ipsec->name, name, IFNAMSIZ);
+#endif /* NETDEV_23 */
+		dev_ipsec->next = NULL;
+		dev_ipsec->init = &ipsec_tunnel_probe;
+		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+			    "klips_debug:ipsec_tunnel_init_devices: "
+			    "registering device %s\n",
+			    dev_ipsec->name);
+
+		/* reference and hold the device reference */
+		dev_hold(dev_ipsec);
+		ipsecdevices[i]=dev_ipsec;
+
+		if (register_netdev(dev_ipsec) != 0) {
+			KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_init_devices: "
+				    "registering device %s failed, quitting device init.\n",
+				    dev_ipsec->name);
+			return -EIO;
+		} else {
+			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+				    "klips_debug:ipsec_tunnel_init_devices: "
+				    "registering device %s succeeded, continuing...\n",
+				    dev_ipsec->name);
+		}
+	}
+	return 0;
+}
+
+/* void */
+int
+ipsec_tunnel_cleanup_devices(void)
+{
+	int error = 0;
+	int i;
+	struct net_device *dev_ipsec;
+	
+	for(i = 0; i < IPSEC_NUM_IF; i++) {
+   	        dev_ipsec = ipsecdevices[i];
+		if(dev_ipsec == NULL) {
+		  continue;
+		}
+
+		/* release reference */
+		ipsecdevices[i]=NULL;
+		ipsec_dev_put(dev_ipsec);
+
+		KLIPS_PRINT(debug_tunnel, "Unregistering %s (refcnt=%d)\n",
+			    dev_ipsec->name,
+			    atomic_read(&dev_ipsec->refcnt));
+		unregister_netdev(dev_ipsec);
+		KLIPS_PRINT(debug_tunnel, "Unregisted %s\n", dev_ipsec->name);
+#ifndef NETDEV_23
+		kfree(dev_ipsec->name);
+		dev_ipsec->name=NULL;
+#endif /* !NETDEV_23 */
+		kfree(dev_ipsec->priv);
+		dev_ipsec->priv=NULL;
+	}
+	return error;
+}
+
+/*
+ * $Log: ipsec_tunnel.c,v $
+ * Revision 1.232.2.5  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.232.2.4  2006/03/28 20:58:19  ken
+ * Fix for KLIPS on 2.6.16 - need to include <net/arp.h> now
+ *
+ * Revision 1.232.2.3  2006/02/15 05:14:12  paul
+ * 568: uninitialized struct in ipsec_tunnel.c coud break routing under 2.6 kernels
+ * ipsec_tunnel_send() calls the entry point function of routing subsystem
+ * (ip_route_output_key()) using a not fully initialized struct of type
+ * struct flowi.
+ * This will cause a failure in routing packets through an ipsec interface
+ * when patches for multipath routing from http://www.ssi.bg/~ja/
+ * are applied.
+ *
+ * Revision 1.232.2.2  2005/11/22 04:11:52  ken
+ * Backport fixes for 2.6.14 kernels from HEAD
+ *
+ * Revision 1.232.2.1  2005/09/21 22:57:43  paul
+ * pulled up compile fix for 2.6.13
+ *
+ * Revision 1.232  2005/06/04 16:06:06  mcr
+ * 	better patch for nat-t rcv-device code.
+ *
+ * Revision 1.231  2005/05/21 03:28:51  mcr
+ * 	make sure that port-500 hole is used for port-4500 as well.
+ *
+ * Revision 1.230  2005/05/11 01:42:04  mcr
+ * 	removal of debugging showed useless/wrong variables used.
+ *
+ * Revision 1.229  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.228  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.227  2004/12/10 21:16:08  ken
+ * 64bit fixes from Opteron port of KLIPS 2.6
+ *
+ * Revision 1.226  2004/12/04 07:11:23  mcr
+ * 	fix for snmp SIOCPRIVATE use of snmpd.
+ * 	http://bugs.xelerance.com/view.php?id=144
+ *
+ * Revision 1.225  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.224  2004/08/14 03:28:24  mcr
+ * 	fixed log comment to remove warning about embedded comment.
+ *
+ * Revision 1.223  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.222  2004/08/03 18:19:08  mcr
+ * 	in 2.6, use "net_device" instead of #define device->net_device.
+ * 	this probably breaks 2.0 compiles.
+ *
+ * Revision 1.221  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.220  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.219  2004/02/03 03:13:17  mcr
+ * 	minor edits for readability, and error reporting.
+ *
+ * Revision 1.218  2004/01/27 20:29:20  mcr
+ * 	fix for unregister_netdev() problem for underlying eth0.
+ *
+ * Revision 1.217  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.216  2003/12/04 23:01:17  mcr
+ * 	removed ipsec_netlink.h
+ *
+ * Revision 1.215  2003/12/04 16:35:16  ken
+ * Fix for ATM devices where physdev->hard_header_len *is* correct
+ *
+ * Revision 1.214  2003/11/25 23:52:37  mcr
+ * 	fix typo in patch - ixs-> needed.
+ *
+ * Revision 1.213  2003/11/24 18:25:49  mcr
+ * 	patch from willy@w.ods.org to fix problems with ATM interfaces.
+ *
+ * Revision 1.212  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.211.2.2  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.211.2.1  2003/09/21 13:59:56  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.211  2003/09/10 16:46:30  mcr
+ * 	patches for 2.4 backport/2.6 existence.
+ *
+ * Revision 1.210  2003/07/31 22:47:16  mcr
+ * 	preliminary (untested by FS-team) 2.5 patches.
+ *
+ * Revision 1.209  2003/06/22 21:28:43  mcr
+ * 	inability to unload module was caused by calls to dev_get
+ * 	(ipsec_dev_get), to gather a device from a name. There is
+ * 	simply no reason to look the devices up - they should be kept
+ * 	in a nice array, ready for use.
+ *
+ * Revision 1.208  2003/06/22 21:25:07  mcr
+ * 	all staticly counted ipsecXXX device support removed.
+ *
+ * Revision 1.207  2003/04/02 20:15:37  mcr
+ * 	fix for PR#204 - do not clear connection tracking info if we
+ * 	the packet is being sent in the clear.
+ *
+ * Revision 1.206  2003/02/12 19:32:51  rgb
+ * Refactored file to:
+ * ipsec_xmit.c
+ * ipsec_xmit.h
+ * ipsec_mast.c
+ *
+ * Revision 1.205  2003/02/06 17:47:00  rgb
+ *
+ * Remove unused ipsec_tunnel_lock() and ipsec_tunnel_unlock() code.
+ * Refactor ipsec_tunnel_start_xmit() further into:
+ *         ipsec_xmit_sanity_check_dev()
+ *         ipsec_xmit_sanity_check_skb()
+ *         ipsec_xmit_strip_hard_header()
+ *         ipsec_xmit_restore_hard_header()
+ *         ipsec_xmit_send()
+ *         ipsec_xmit_cleanup()
+ * and start a skeletal ipsec_mast_start_xmit() .
+ *
+ * Revision 1.204  2003/02/06 06:43:46  rgb
+ *
+ * Refactor ipsec_tunnel_start_xmit, bringing out:
+ *     ipsec_xmit_SAlookup
+ *     ipsec_xmit_encap_once
+ *     ipsec_xmit_encap_bundle
+ *
+ * Revision 1.203  2003/02/06 02:21:34  rgb
+ *
+ * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
+ * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
+ * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
+ *
+ * Revision 1.202  2003/01/03 07:38:01  rgb
+ *
+ * Start to refactor ipsec_tunnel_start_xmit() by putting local variables
+ * into struct ipsec_xmit_state and renaming a few variables to give more
+ * unique or searchable names.
+ *
+ * Revision 1.201  2003/01/03 00:31:28  rgb
+ *
+ * Clean up memset usage, including fixing 2 places where keys were not
+ * properly wiped.
+ *
+ * Revision 1.200  2002/12/06 02:24:02  mcr
+ * 	patches for compiling against SUSE 8.1 kernels. Requires
+ * 	an additional -DSUSE_LINUX_2_4_19_IS_STUPID.
+ *
+ * Revision 1.199  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.198  2002/10/05 05:02:58  dhr
+ *
+ * C labels go on statements
+ *
+ * Revision 1.197  2002/09/20 05:01:50  rgb
+ * Added compiler directive to switch on IP options and fix IP options bug.
+ * Make ip->ihl treatment consistent using shifts rather than multiplications.
+ * Check for large enough packet before accessing udp header for IKE bypass.
+ * Added memory allocation debugging.
+ * Fixed potential memory allocation failure-induced oops.
+ *
+ * Revision 1.196  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.195  2002/07/23 03:36:07  rgb
+ * Fixed 2.2 device initialisation hang.
+ *
+ * Revision 1.194  2002/05/27 21:40:34  rgb
+ * Set unused ipsec devices to ARPHRD_VOID to avoid confusing iproute2.
+ * Cleaned up intermediate step to dynamic device allocation.
+ *
+ * Revision 1.193  2002/05/27 19:31:36  rgb
+ * Convert to dynamic ipsec device allocation.
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.192  2002/05/23 07:14:28  rgb
+ * Added refcount code.
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.191  2002/05/14 02:34:37  rgb
+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
+ * ipsec_sa or ipsec_sa.
+ *
+ * Revision 1.190  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.189  2002/04/24 07:36:32  mcr
+ * Moved from ./klips/net/ipsec/ipsec_tunnel.c,v
+ *
+ * Revision 1.188  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.187  2002/03/23 19:55:17  rgb
+ * Fix for 2.2 local IKE fragmentation blackhole.  Still won't work if
+ * iptraf or another pcap app is running.
+ *
+ * Revision 1.186  2002/03/19 03:26:22  rgb
+ * Applied DHR's tunnel patch to streamline IKE/specialSA processing.
+ *
+ * Revision 1.185  2002/02/20 04:13:05  rgb
+ * Send back ICMP_PKT_FILTERED upon %reject.
+ *
+ * Revision 1.184  2002/01/29 17:17:56  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.183  2002/01/29 04:00:53  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.182  2002/01/29 02:13:18  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.181  2002/01/07 20:00:33  rgb
+ * Added IKE destination port debugging.
+ *
+ * Revision 1.180  2001/12/21 21:49:54  rgb
+ * Fixed bug as a result of moving IKE bypass above %trap/%hold code.
+ *
+ * Revision 1.179  2001/12/19 21:08:14  rgb
+ * Added transport protocol ports to ipsec_print_ip().
+ * Update eroute info for non-SA targets.
+ * Added obey DF code disabled.
+ * Fixed formatting bugs in ipsec_tunnel_hard_header().
+ *
+ * Revision 1.178  2001/12/05 09:36:10  rgb
+ * Moved the UDP/500 IKE check just above the %hold/%trap checks to avoid
+ * IKE packets being stolen by the %hold (and returned to the sending KMd
+ * in an ACQUIRE, ironically  ;-).
+ *
+ * Revision 1.177  2001/11/26 09:23:50  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.170.2.1  2001/09/25 02:28:27  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	lifetime checks moved to common routines.
+ * 	cleaned up includes.
+ *
+ * Revision 1.170.2.2  2001/10/22 21:08:01  mcr
+ * 	include des.h, removed phony prototypes and fixed calling
+ * 	conventions to match real prototypes.
+ *
+ * Revision 1.176  2001/11/09 18:32:31  rgb
+ * Added Hans Schultz' fragmented UDP/500 IKE socket port selector.
+ *
+ * Revision 1.175  2001/11/06 20:47:00  rgb
+ * Added Eric Espie's TRAPSUBNET fix, minus spin-lock-bh dabbling.
+ *
+ * Revision 1.174  2001/11/06 19:50:43  rgb
+ * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for
+ * use also by pfkey_v2_parser.c
+ *
+ * Revision 1.173  2001/10/29 21:53:44  henry
+ * tone down the device-down message slightly, until we can make it smarter
+ *
+ * Revision 1.172  2001/10/26 04:59:37  rgb
+ * Added a critical level syslog message if an ipsec device goes down.
+ *
+ * Revision 1.171  2001/10/18 04:45:21  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.170  2001/09/25 00:09:50  rgb
+ * Added NetCelo's TRAPSUBNET code to convert a new type TRAPSUBNET into a
+ * HOLD.
+ *
+ * Revision 1.169  2001/09/15 16:24:05  rgb
+ * Re-inject first and last HOLD packet when an eroute REPLACE is done.
+ *
+ * Revision 1.168  2001/09/14 16:58:37  rgb
+ * Added support for storing the first and last packets through a HOLD.
+ *
+ * Revision 1.167  2001/09/08 21:13:33  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.166  2001/08/27 19:47:59  rgb
+ * Clear tdb  before usage.
+ * Added comment: clear IF before calling routing?
+ *
+ * Revision 1.165  2001/07/03 01:23:53  rgb
+ * Send back ICMP iff DF set, !ICMP, offset==0, sysctl_icmp, iph->tot_len >
+ * emtu, and don't drop.
+ *
+ * Revision 1.164  2001/06/14 19:35:10  rgb
+ * Update copyright date.
+ *
+ * Revision 1.163  2001/06/06 20:28:51  rgb
+ * Added sanity checks for NULL skbs and devices.
+ * Added more debugging output to various functions.
+ * Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach().
+ * Renamed ipsec_tunnel_attach() virtual and physical device arguments.
+ * Corrected neigh_setup() device function assignment.
+ * Keep valid pointers to ipsec_tunnel_*() on detach.
+ * Set dev->type to the originally-initiallised value.
+ *
+ * Revision 1.162  2001/06/01 07:28:04  rgb
+ * Added sanity checks for detached devices.  Don't down virtual devices
+ * to prevent packets going out in the clear if the detached device comes
+ * back up.
+ *
+ * Revision 1.161  2001/05/30 08:14:52  rgb
+ * Removed vestiges of esp-null transforms.
+ * NetDev Notifier instrumentation to track down disappearing devices.
+ *
+ * Revision 1.160  2001/05/29 05:15:12  rgb
+ * Added SS' PMTU patch which notifies sender if packet doesn't fit
+ * physical MTU (if it wasn't ICMP) and then drops it.
+ *
+ * Revision 1.159  2001/05/27 06:12:12  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.158  2001/05/24 05:39:33  rgb
+ * Applied source zeroing to 2.2 ip_route_output() call as well to enable
+ * PASS eroutes for opportunism.
+ *
+ * Revision 1.157  2001/05/23 22:35:28  rgb
+ * 2.4 source override simplification.
+ *
+ * Revision 1.156  2001/05/23 21:41:31  rgb
+ * Added error return code printing on ip_route_output().
+ *
+ * Revision 1.155  2001/05/23 05:09:13  rgb
+ * Fixed incorrect ip_route_output() failure message.
+ *
+ * Revision 1.154  2001/05/21 14:53:31  rgb
+ * Added debug statement for case when ip_route_output() fails, causing
+ * packet to be dropped, but log looked ok.
+ *
+ * Revision 1.153  2001/05/19 02:37:54  rgb
+ * Fixed missing comment termination.
+ *
+ * Revision 1.152  2001/05/19 02:35:50  rgb
+ * Debug code optimisation for non-debug speed.
+ * Kernel version compiler define comments.
+ * 2.2 and 2.4 kernel ip_send device and ip debug output added.
+ *
+ * Revision 1.151  2001/05/18 16:17:35  rgb
+ * Changed reference from "magic" to "shunt" SAs.
+ *
+ * Revision 1.150  2001/05/18 16:12:19  rgb
+ * Changed UDP/500 bypass test from 3 nested ifs to one anded if.
+ *
+ * Revision 1.149  2001/05/16 04:39:33  rgb
+ * Add default == eroute.dest to IKE bypass conditions for magic eroutes.
+ *
+ * Revision 1.148  2001/05/05 03:31:41  rgb
+ * IP frag debugging updates and enhancements.
+ *
+ * Revision 1.147  2001/05/03 19:41:40  rgb
+ * Added SS' skb_cow fix for 2.4.4.
+ *
+ * Revision 1.146  2001/04/30 19:28:16  rgb
+ * Update for 2.4.4.  ip_select_ident() now has 3 args.
+ *
+ * Revision 1.145  2001/04/23 14:56:10  rgb
+ * Added spin_lock() check to prevent double-locking for multiple
+ * transforms and hence kernel lock-ups with SMP kernels.
+ *
+ * Revision 1.144  2001/04/21 23:04:45  rgb
+ * Define out skb->used for 2.4 kernels.
+ * Check if soft expire has already been sent before sending another to
+ * prevent ACQUIRE flooding.
+ *
+ * Revision 1.143  2001/03/16 07:37:21  rgb
+ * Added comments to all #endifs.
+ *
+ * Revision 1.142  2001/02/28 05:03:27  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.141  2001/02/27 22:24:54  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.140  2001/02/27 06:40:12  rgb
+ * Fixed TRAP->HOLD eroute byte order.
+ *
+ * Revision 1.139  2001/02/26 20:38:59  rgb
+ * Added compiler defines for 2.4.x-specific code.
+ *
+ * Revision 1.138  2001/02/26 19:57:27  rgb
+ * Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
+ * of the new SPD and to support opportunistic.
+ * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
+ *
+ * Revision 1.137  2001/02/19 22:29:49  rgb
+ * Fixes for presence of active ipv6 segments which share ipsec physical
+ * device (gg).
+ *
+ * Revision 1.136  2001/01/29 22:30:38  rgb
+ * Fixed minor acquire debug printing bug.
+ *
+ * Revision 1.135  2001/01/29 22:19:45  rgb
+ * Zero source address for 2.4 bypass route lookup.
+ *
+ * Revision 1.134  2001/01/23 20:19:49  rgb
+ * 2.4 fix to remove removed is_clone member.
+ *
+ * Revision 1.133  2000/12/09 22:08:35  rgb
+ * Fix NET_23 bug, should be NETDEV_23.
+ *
+ * Revision 1.132  2000/12/01 06:54:50  rgb
+ * Fix for new 2.4 IP TTL default variable name.
+ *
+ * Revision 1.131  2000/11/09 20:52:15  rgb
+ * More spinlock shuffling, locking earlier and unlocking later in rcv to
+ * include ipcomp and prevent races, renaming some tdb variables that got
+ * forgotten, moving some unlocks to include tdbs and adding a missing
+ * unlock.  Thanks to Svenning for some of these.
+ *
+ * Revision 1.130  2000/11/09 20:11:22  rgb
+ * Minor shuffles to fix non-standard kernel config option selection.
+ *
+ * Revision 1.129  2000/11/06 04:32:49  rgb
+ * Clean up debug printing.
+ * Copy skb->protocol for all kernel versions.
+ * Ditched spin_lock_irqsave in favour of spin_lock.
+ * Disabled TTL decrement, done in ip_forward.
+ * Added debug printing before pfkey_acquire().
+ * Fixed printk-deltdbchain-spin_lock races (Svenning).
+ * Use defaultTTL for 2.1+ kernels.
+ * Add Svenning's adaptive content compression.
+ * Fix up debug display arguments.
+ *
+ * Revision 1.128  2000/09/28 00:58:57  rgb
+ * Moved the IKE passthrough check after the eroute lookup so we can pass
+ * IKE through intermediate tunnels.
+ *
+ * Revision 1.127  2000/09/22 17:52:11  rgb
+ * Fixed misleading ipcomp debug output.
+ *
+ * Revision 1.126  2000/09/22 04:22:56  rgb
+ * Fixed dumb spi->cpi conversion error.
+ *
+ * Revision 1.125  2000/09/21 04:34:48  rgb
+ * A few debug-specific things should be hidden under
+ * CONFIG_IPSEC_DEBUG.(MB)
+ * Improved ip_send() error handling.(MB)
+ *
+ * Revision 1.124  2000/09/21 03:40:58  rgb
+ * Added more debugging to try and track down the cpi outward copy problem.
+ *
+ * Revision 1.123  2000/09/19 07:08:49  rgb
+ * Added debugging to outgoing compression report.
+ *
+ * Revision 1.122  2000/09/18 19:21:26  henry
+ * RGB-supplied fix for RH5.2 problem
+ *
+ * Revision 1.121  2000/09/17 21:05:09  rgb
+ * Added tdb to skb_compress call to write in cpi.
+ *
+ * Revision 1.120  2000/09/17 16:57:16  rgb
+ * Added Svenning's patch to remove restriction of ipcomp to innermost
+ * transform.
+ *
+ * Revision 1.119  2000/09/15 11:37:01  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.118  2000/09/15 04:57:16  rgb
+ * Moved debug output after sanity check.
+ * Added tos copy sysctl.
+ *
+ * Revision 1.117  2000/09/12 03:22:51  rgb
+ * Converted ipsec_icmp, no_eroute_pass, opportunistic and #if0 debugs to
+ * sysctl.
+ *
+ * Revision 1.116  2000/09/08 19:18:19  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Added outgoing opportunistic hook, ifdef'ed out.
+ *
+ * Revision 1.115  2000/08/30 05:27:29  rgb
+ * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
+ * Kill remainder of tdb_xform, tdb_xdata, xformsw.
+ *
+ * Revision 1.114  2000/08/28 18:15:46  rgb
+ * Added MB's nf-debug reset patch.
+ *
+ * Revision 1.113  2000/08/27 02:26:40  rgb
+ * Send all no-eroute-bypass, pluto-bypass and passthrough packets through
+ * fragmentation machinery for 2.0, 2.2 and 2.4 kernels.
+ *
+ * Revision 1.112  2000/08/20 21:37:33  rgb
+ * Activated pfkey_expire() calls.
+ * Added a hard/soft expiry parameter to pfkey_expire(). (Momchil)
+ * Re-arranged the order of soft and hard expiry to conform to RFC2367.
+ * Clean up references to CONFIG_IPSEC_PFKEYv2.
+ *
+ * Revision 1.111  2000/08/01 14:51:51  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.110  2000/07/28 14:58:31  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.109  2000/07/28 13:50:54  rgb
+ * Changed enet_statistics to net_device_stats and added back compatibility
+ * for pre-2.1.19.
+ *
+ * Revision 1.108  2000/05/16 03:03:11  rgb
+ * Updates for 2.3.99pre8 from MB.
+ *
+ * Revision 1.107  2000/05/10 23:08:21  rgb
+ * Print a debug warning about bogus packets received by the outgoing
+ * processing machinery only when klipsdebug is not set to none.
+ * Comment out the device initialisation informational messages.
+ *
+ * Revision 1.106  2000/05/10 19:17:14  rgb
+ * Define an IP_SEND macro, intending to have all packet passthroughs
+ * use fragmentation.  This didn't quite work, but is a step in the
+ * right direction.
+ * Added buffer allocation debugging statements.
+ * Added configure option to shut off no eroute passthrough.
+ * Only check usetime against soft and hard limits if the tdb has been
+ * used.
+ * Cast output of ntohl so that the broken prototype doesn't make our
+ * compile noisy.
+ *
+ * Revision 1.105  2000/03/22 16:15:37  rgb
+ * Fixed renaming of dev_get (MB).
+ *
+ * Revision 1.104  2000/03/16 14:04:15  rgb
+ * Indented headers for readability.
+ * Fixed debug scope to enable compilation with debug off.
+ * Added macros for ip_chk_addr and IS_MYADDR for identifying self.
+ *
+ * Revision 1.103  2000/03/16 07:11:07  rgb
+ * Hardcode PF_KEYv2 support.
+ * Fixed bug which allowed UDP/500 packet from another machine
+ * through in the clear.
+ * Added disabled skb->protocol fix for ISDN/ASYNC PPP from Matjaz Godec.
+ *
+ * Revision 1.102  2000/03/14 12:26:59  rgb
+ * Added skb->nfct support for clearing netfilter conntrack bits (MB).
+ *
+ * Revision 1.101  2000/02/14 21:05:22  rgb
+ * Added MB's netif_queue fix for kernels 2.3.43+.
+ *
+ * Revision 1.100  2000/01/26 10:04:57  rgb
+ * Fixed noisy 2.0 printk arguments.
+ *
+ * Revision 1.99  2000/01/21 06:16:25  rgb
+ * Added sanity checks on skb_push(), skb_pull() to prevent panics.
+ * Switched to AF_ENCAP macro.
+ * Shortened debug output per packet and re-arranging debug_tunnel
+ * bitmap flags, while retaining necessary information to avoid
+ * trampling the kernel print ring buffer.
+ * Reformatted recursion switch code.
+ * Changed all references to tdb_proto to tdb_said.proto for clarity.
+ *
+ * Revision 1.98  2000/01/13 08:09:31  rgb
+ * Shuffled debug_tunnel switches to focus output.
+ * Fixed outgoing recursion bug, limiting to recursing only if the remote
+ * SG changes and if it is valid, ie. not passthrough.
+ * Clarified a number of debug messages.
+ *
+ * Revision 1.97  2000/01/10 16:37:16  rgb
+ * MB support for new ip_select_ident() upon disappearance of
+ * ip_id_count in 2.3.36+.
+ *
+ * Revision 1.96  1999/12/31 14:59:08  rgb
+ * MB fix to use new skb_copy_expand in kernel 2.3.35.
+ *
+ * Revision 1.95  1999/12/29 21:15:44  rgb
+ * Fix tncfg to aliased device bug.
+ *
+ * Revision 1.94  1999/12/22 04:26:06  rgb
+ * Converted all 'static' functions to 'DEBUG_NO_STATIC' to enable
+ * debugging by providing external labels to all functions with debugging
+ * turned on.
+ *
+ * Revision 1.93  1999/12/13 13:30:14  rgb
+ * Changed MTU reports and HW address reporting back to debug only.
+ *
+ * Revision 1.92  1999/12/07 18:57:56  rgb
+ * Fix PFKEY symbol compile error (SADB_*) without pfkey enabled.
+ *
+ * Revision 1.91  1999/12/01 22:15:36  rgb
+ * Add checks for LARVAL and DEAD SAs.
+ * Change state of SA from MATURE to DYING when a soft lifetime is
+ * reached and print debug warning.
+ *
+ * Revision 1.90  1999/11/23 23:04:04  rgb
+ * Use provided macro ADDRTOA_BUF instead of hardcoded value.
+ * Sort out pfkey and freeswan headers, putting them in a library path.
+ *
+ * Revision 1.89  1999/11/18 18:50:59  rgb
+ * Changed all device registrations for static linking to
+ * dynamic to reduce the number and size of patches.
+ *
+ * Revision 1.88  1999/11/18 04:09:19  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.87  1999/11/17 15:53:40  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.86  1999/10/16 18:25:37  rgb
+ * Moved SA lifetime expiry checks before packet processing.
+ * Expire SA on replay counter rollover.
+ *
+ * Revision 1.85  1999/10/16 04:24:31  rgb
+ * Add stats for time since last packet.
+ *
+ * Revision 1.84  1999/10/16 00:30:47  rgb
+ * Added SA lifetime counting.
+ *
+ * Revision 1.83  1999/10/15 22:15:57  rgb
+ * Clean out cruft.
+ * Add debugging.
+ *
+ * Revision 1.82  1999/10/08 18:26:19  rgb
+ * Fix 2.0.3x outgoing fragmented packet memory leak.
+ *
+ * Revision 1.81  1999/10/05 02:38:54  rgb
+ * Lower the default mtu of virtual devices to 16260.
+ *
+ * Revision 1.80  1999/10/03 18:56:41  rgb
+ * Spinlock support for 2.3.xx.
+ * Don't forget to undo spinlocks on error!
+ * Check for valid eroute before copying the structure.
+ *
+ * Revision 1.79  1999/10/01 15:44:53  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.78  1999/10/01 00:02:43  rgb
+ * Added tdb structure locking.
+ * Added eroute structure locking.
+ *
+ * Revision 1.77  1999/09/30 02:52:29  rgb
+ * Add Marc Boucher's Copy-On-Write code (same as ipsec_rcv.c).
+ *
+ * Revision 1.76  1999/09/25 19:31:27  rgb
+ * Refine MSS hack to affect SYN, but not SYN+ACK packets.
+ *
+ * Revision 1.75  1999/09/24 22:52:38  rgb
+ * Fix two things broken in 2.0.38 by trying to fix network notifiers.
+ *
+ * Revision 1.74  1999/09/24 00:30:37  rgb
+ * Add test for changed source as well as destination to check for
+ * recursion.
+ *
+ * Revision 1.73  1999/09/23 20:52:24  rgb
+ * Add James Morris' MSS hack patch, disabled.
+ *
+ * Revision 1.72  1999/09/23 20:22:40  rgb
+ * Enable, tidy and fix network notifier code.
+ *
+ * Revision 1.71  1999/09/23 18:09:05  rgb
+ * Clean up 2.2.x fragmenting traces.
+ * Disable dev->type switching, forcing ARPHRD_TUNNEL.
+ *
+ * Revision 1.70  1999/09/22 14:14:24  rgb
+ * Add sanity checks for revectored calls to prevent calling a downed I/F.
+ *
+ * Revision 1.69  1999/09/21 15:00:57  rgb
+ * Add Marc Boucher's packet size check.
+ * Flesh out network device notifier code.
+ *
+ * Revision 1.68  1999/09/18 11:39:57  rgb
+ * Start to add (disabled) netdevice notifier code.
+ *
+ * Revision 1.67  1999/09/17 23:44:40  rgb
+ * Add a comment warning potential code hackers to stay away from mac.raw.
+ *
+ * Revision 1.66  1999/09/17 18:04:02  rgb
+ * Add fix for unpredictable hard_header_len for ISDN folks (thanks MB).
+ * Ditch TTL decrement in 2.2 (MB).
+ *
+ * Revision 1.65  1999/09/15 23:15:35  henry
+ * Marc Boucher's PPP fixes
+ *
+ * Revision 1.64  1999/09/07 13:40:53  rgb
+ * Ditch unreliable references to skb->mac.raw.
+ *
+ * Revision 1.63  1999/08/28 11:33:09  rgb
+ * Check for null skb->mac pointer.
+ *
+ * Revision 1.62  1999/08/28 02:02:30  rgb
+ * Add Marc Boucher's fix for properly dealing with skb->sk.
+ *
+ * Revision 1.61  1999/08/27 05:23:05  rgb
+ * Clean up skb->data/raw/nh/h manipulation.
+ * Add Marc Boucher's mods to aid tcpdump.
+ * Add sanity checks to skb->raw/nh/h pointer copies in skb_copy_expand.
+ * Re-order hard_header stripping -- might be able to remove it...
+ *
+ * Revision 1.60  1999/08/26 20:01:02  rgb
+ * Tidy up compiler directives and macros.
+ * Re-enable ICMP for tunnels where inner_dst !=  outer_dst.
+ * Remove unnecessary skb->dev = physdev assignment affecting 2.2.x.
+ *
+ * Revision 1.59  1999/08/25 15:44:41  rgb
+ * Clean up from 2.2.x instrumenting for compilation under 2.0.36.
+ *
+ * Revision 1.58  1999/08/25 15:00:54  rgb
+ * Add dst cache code for 2.2.xx.
+ * Add sanity check for skb packet header pointers.
+ * Add/modify debugging instrumentation to *_start_xmit, *_hard_header and
+ * *_rebuild_header.
+ * Add neigh_* cache code.
+ * Change dev->type back to ARPHRD_TUNNEL.
+ *
+ * Revision 1.57  1999/08/17 21:50:23  rgb
+ * Fixed minor debug output bugs.
+ * Regrouped error recovery exit code.
+ * Added compiler directives to remove unwanted code and symbols.
+ * Shut off ICMP messages: to be refined to only send ICMP to remote systems.
+ * Add debugging code for output function addresses.
+ * Fix minor bug in (possibly unused) header_cache_bind function.
+ * Add device neighbour caching code.
+ * Change dev->type from ARPHRD_TUNNEL to physdev->type.
+ *
+ * Revision 1.56  1999/08/03 17:22:56  rgb
+ * Debug output clarification using KERN_* macros.  Other inactive changes
+ * added.
+ *
+ * Revision 1.55  1999/08/03 16:58:46  rgb
+ * Fix skb_copy_expand size bug.  Was getting incorrect size.
+ *
+ * Revision 1.54  1999/07/14 19:32:38  rgb
+ * Fix oversize packet crash and ssh stalling in 2.2.x kernels.
+ *
+ * Revision 1.53  1999/06/10 15:44:02  rgb
+ * Minor reformatting and clean-up.
+ *
+ * Revision 1.52  1999/05/09 03:25:36  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.51  1999/05/08 21:24:59  rgb
+ * Add casting to silence the 2.2.x compile.
+ *
+ * Revision 1.50  1999/05/05 22:02:32  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.49  1999/04/29 15:18:52  rgb
+ * Change gettdb parameter to a pointer to reduce stack loading and
+ * facilitate parameter sanity checking.
+ * Fix undetected bug that might have tried to access a null pointer.
+ * Eliminate unnessessary usage of tdb_xform member to further switch
+ * away from the transform switch to the algorithm switch.
+ * Add return values to init and cleanup functions.
+ *
+ * Revision 1.48  1999/04/16 15:38:00  rgb
+ * Minor rearrangement of freeing code to avoid memory leaks with impossible or
+ * rare situations.
+ *
+ * Revision 1.47  1999/04/15 15:37:25  rgb
+ * Forward check changes from POST1_00 branch.
+ *
+ * Revision 1.32.2.4  1999/04/13 21:00:18  rgb
+ * Ditch 'things I wish I had known before...'.
+ *
+ * Revision 1.32.2.3  1999/04/13 20:34:38  rgb
+ * Free skb after fragmentation.
+ * Use stats more effectively.
+ * Add I/F to mtu notch-down reporting.
+ *
+ * Revision 1.32.2.2  1999/04/02 04:26:14  rgb
+ * Backcheck from HEAD, pre1.0.
+ *
+ * Revision 1.46  1999/04/11 00:29:00  henry
+ * GPL boilerplate
+ *
+ * Revision 1.45  1999/04/07 15:42:01  rgb
+ * Fix mtu/ping bug AGAIN!
+ *
+ * Revision 1.44  1999/04/06 04:54:27  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.43  1999/04/04 03:57:07  rgb
+ * ip_fragment() doesn't free the supplied skb.  Freed.
+ *
+ * Revision 1.42  1999/04/01 23:27:15  rgb
+ * Preload size of virtual mtu.
+ *
+ * Revision 1.41  1999/04/01 09:31:23  rgb
+ * Invert meaning of ICMP PMTUD config option and clarify.
+ * Code clean-up.
+ *
+ * Revision 1.40  1999/04/01 04:37:17  rgb
+ * SSH stalling bug fix.
+ *
+ * Revision 1.39  1999/03/31 23:44:28  rgb
+ * Don't send ICMP on DF and frag_off.
+ *
+ * Revision 1.38  1999/03/31 15:20:10  rgb
+ * Quiet down debugging.
+ *
+ * Revision 1.37  1999/03/31 08:30:31  rgb
+ * Add switch to shut off ICMP PMTUD packets.
+ *
+ * Revision 1.36  1999/03/31 05:44:47  rgb
+ * Keep PMTU reduction private.
+ *
+ * Revision 1.35  1999/03/27 15:13:02  rgb
+ * PMTU/fragmentation bug fix.
+ *
+ * Revision 1.34  1999/03/17 21:19:26  rgb
+ * Fix kmalloc nonatomic bug.
+ *
+ * Revision 1.33  1999/03/17 15:38:42  rgb
+ * Code clean-up.
+ * ESP_NULL IV bug fix.
+ *
+ * Revision 1.32  1999/03/01 20:44:25  rgb
+ * Code clean-up.
+ * Memory leak bug fix.
+ *
+ * Revision 1.31  1999/02/27 00:02:09  rgb
+ * Tune to report the MTU reduction once, rather than after every recursion
+ * through the encapsulating code, preventing tcp stream stalling.
+ *
+ * Revision 1.30  1999/02/24 20:21:01  rgb
+ * Reformat debug printk's.
+ * Fix recursive encapsulation, dynamic MTU bugs and add debugging code.
+ * Clean-up.
+ *
+ * Revision 1.29  1999/02/22 17:08:14  rgb
+ * Fix recursive encapsulation code.
+ *
+ * Revision 1.28  1999/02/19 18:27:02  rgb
+ * Improve DF, fragmentation and PMTU behaviour and add dynamic MTU discovery.
+ *
+ * Revision 1.27  1999/02/17 16:51:37  rgb
+ * Clean out unused cruft.
+ * Temporarily tone down volume of debug output.
+ * Temporarily shut off fragment rejection.
+ * Disabled temporary failed recursive encapsulation loop.
+ *
+ * Revision 1.26  1999/02/12 21:21:26  rgb
+ * Move KLIPS_PRINT to ipsec_netlink.h for accessibility.
+ *
+ * Revision 1.25  1999/02/11 19:38:27  rgb
+ * More clean-up.
+ * Add sanity checking for skb_copy_expand() to prevent kernel panics on
+ * skb_put() values out of range.
+ * Fix head/tailroom calculation causing skb_put() out-of-range values.
+ * Fix return values to prevent 'nonatomic alloc_skb' warnings.
+ * Allocate new skb iff needed.
+ * Added more debug statements.
+ * Make headroom depend on structure, not hard-coded values.
+ *
+ * Revision 1.24  1999/02/10 23:20:33  rgb
+ * Shut up annoying 'statement has no effect' compiler warnings with
+ * debugging compiled out.
+ *
+ * Revision 1.23  1999/02/10 22:36:30  rgb
+ * Clean-up obsolete, unused and messy code.
+ * Converted most IPSEC_DEBUG statements to KLIPS_PRINT macros.
+ * Rename ipsec_tunnel_do_xmit to ipsec_tunnel_start_xmit and eliminated
+ * original ipsec_tunnel_start_xmit.
+ * Send all packet with different inner and outer destinations directly to
+ * the attached physical device, rather than back through ip_forward,
+ * preventing disappearing routes problems.
+ * Do sanity checking before investing too much CPU in allocating new
+ * structures.
+ * Fail on IP header options: We cannot process them yet.
+ * Add some helpful comments.
+ * Use virtual device for parameters instead of physical device.
+ *
+ * Revision 1.22  1999/02/10 03:03:02  rgb
+ * Duh.  Fixed the TTL bug: forgot to update the checksum.
+ *
+ * Revision 1.21  1999/02/09 23:17:53  rgb
+ * Add structure members to ipsec_print_ip debug function.
+ * Temporarily fix TTL bug preventing tunnel mode from functioning.
+ *
+ * Revision 1.20  1999/02/09 00:14:25  rgb
+ * Add KLIPSPRINT macro.  (Not used yet, though.)
+ * Delete old ip_tunnel code (BADCODE).
+ * Decrement TTL in outgoing packet.
+ * Set TTL on new IPIP_TUNNEL to default, not existing packet TTL.
+ * Delete ethernet only feature and fix hard-coded hard_header_len.
+ *
+ * Revision 1.19  1999/01/29 17:56:22  rgb
+ * 64-bit re-fix submitted by Peter Onion.
+ *
+ * Revision 1.18  1999/01/28 22:43:24  rgb
+ * Fixed bug in ipsec_print_ip that caused an OOPS, found by P.Onion.
+ *
+ * Revision 1.17  1999/01/26 02:08:16  rgb
+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
+ * Removed dead code.
+ *
+ * Revision 1.16  1999/01/22 06:25:26  rgb
+ * Cruft clean-out.
+ * Added algorithm switch code.
+ * 64-bit clean-up.
+ * Passthrough on IPIP protocol, spi 0x0 fix.
+ * Enhanced debugging.
+ *
+ * Revision 1.15  1998/12/01 13:22:04  rgb
+ * Added support for debug printing of version info.
+ *
+ * Revision 1.14  1998/11/30 13:22:55  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.13  1998/11/17 21:13:52  rgb
+ * Put IKE port bypass debug output in user-switched debug statements.
+ *
+ * Revision 1.12  1998/11/13 13:20:25  rgb
+ * Fixed ntohs bug in udp/500 hole for IKE.
+ *
+ * Revision 1.11  1998/11/10 08:01:19  rgb
+ * Kill tcp/500 hole,  keep udp/500 hole.
+ *
+ * Revision 1.10  1998/11/09 21:29:26  rgb
+ * If no eroute is found, discard packet and incr. tx_error.
+ *
+ * Revision 1.9  1998/10/31 06:50:00  rgb
+ * Add tcp/udp/500 bypass.
+ * Fixed up comments in #endif directives.
+ *
+ * Revision 1.8  1998/10/27 00:34:31  rgb
+ * Reformat debug output of IP headers.
+ * Newlines added before calls to ipsec_print_ip.
+ *
+ * Revision 1.7  1998/10/19 14:44:28  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.6  1998/10/09 04:31:35  rgb
+ * Added 'klips_debug' prefix to all klips printk debug statements.
+ *
+ * Revision 1.5  1998/08/28 03:09:51  rgb
+ * Prevent kernel log spam with default route through ipsec.
+ *
+ * Revision 1.4  1998/08/05 22:23:09  rgb
+ * Change setdev return code to ENXIO for a non-existant physical device.
+ *
+ * Revision 1.3  1998/07/29 20:41:11  rgb
+ * Add ipsec_tunnel_clear to clear all tunnel attachments.
+ *
+ * Revision 1.2  1998/06/25 20:00:33  rgb
+ * Clean up #endif comments.
+ * Rename dev_ipsec to dev_ipsec0 for consistency.
+ * Document ipsec device fields.
+ * Make ipsec_tunnel_probe visible from rest of kernel for static linking.
+ * Get debugging report for *every* ipsec device initialisation.
+ * Comment out redundant code.
+ *
+ * Revision 1.1  1998/06/18 21:27:50  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.8  1998/06/14 23:49:40  rgb
+ * Clarify version reporting on module loading.
+ *
+ * Revision 1.7  1998/05/27 23:19:20  rgb
+ * Added version reporting.
+ *
+ * Revision 1.6  1998/05/18 21:56:23  rgb
+ * Clean up for numerical consistency of output and cleaning up debug code.
+ *
+ * Revision 1.5  1998/05/12 02:44:23  rgb
+ * Clarifying 'no e-route to host' message.
+ *
+ * Revision 1.4  1998/04/30 15:34:35  rgb
+ * Enclosed most remaining debugging statements in #ifdef's to make it quieter.
+ *
+ * Revision 1.3  1998/04/21 21:28:54  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.2  1998/04/12 22:03:24  rgb
+ * Updated ESP-3DES-HMAC-MD5-96,
+ * 	ESP-DES-HMAC-MD5-96,
+ * 	AH-HMAC-MD5-96,
+ * 	AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
+ * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
+ *
+ * Fixed eroute references in /proc/net/ipsec*.
+ *
+ * Started to patch module unloading memory leaks in ipsec_netlink and
+ * radij tree unloading.
+ *
+ * Revision 1.1  1998/04/09 03:06:12  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:04  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.5  1997/06/03 04:24:48  ji
+ * Added transport mode.
+ * Changed the way routing is done.
+ * Lots of bug fixes.
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ * Local Variables:
+ * c-style: linux
+ * End:
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_xform.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,360 @@
+/*
+ * Common routines for IPSEC transformations.
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_xform.c,v 1.65.2.1 2006/10/06 21:39:26 paul Exp $
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "freeswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#include <linux/random.h>	/* get_random_bytes() */
+#include <freeswan.h>
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <net/ip.h>
+
+#include "freeswan/radij.h"
+#include "freeswan/ipsec_encap.h"
+#include "freeswan/ipsec_radij.h"
+#include "freeswan/ipsec_xform.h"
+#include "freeswan/ipsec_ipe4.h"
+#include "freeswan/ipsec_ah.h"
+#include "freeswan/ipsec_esp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_xform = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#ifdef SPINLOCK
+spinlock_t tdb_lock = SPIN_LOCK_UNLOCKED;
+#else /* SPINLOCK */
+spinlock_t tdb_lock;
+#endif /* SPINLOCK */
+
+/*
+ * $Log: ipsec_xform.c,v $
+ * Revision 1.65.2.1  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.65  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.64  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.63  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.62.30.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.62  2002/05/14 02:34:21  rgb
+ * Delete stale code.
+ *
+ * Revision 1.61  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.60  2002/04/24 07:36:33  mcr
+ * Moved from ./klips/net/ipsec/ipsec_xform.c,v
+ *
+ * Revision 1.59  2002/03/29 15:01:36  rgb
+ * Delete decommissioned code.
+ *
+ * Revision 1.58  2002/01/29 17:17:57  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.57  2002/01/29 04:00:53  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.56  2001/11/27 05:17:22  mcr
+ * 	turn off the worst of the per-packet debugging.
+ *
+ * Revision 1.55  2001/11/26 09:23:50  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.54  2001/10/18 04:45:21  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.53  2001/09/08 21:13:34  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.52  2001/06/14 19:35:11  rgb
+ * Update copyright date.
+ *
+ * Revision 1.51  2001/05/30 08:14:03  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.50  2001/05/03 19:43:18  rgb
+ * Initialise error return variable.
+ * Update SENDERR macro.
+ * Fix sign of error return code for ipsec_tdbcleanup().
+ * Use more appropriate return code for ipsec_tdbwipe().
+ *
+ * Revision 1.49  2001/04/19 18:56:17  rgb
+ * Fixed tdb table locking comments.
+ *
+ * Revision 1.48  2001/02/27 22:24:55  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.47  2000/11/06 04:32:08  rgb
+ * Ditched spin_lock_irqsave in favour of spin_lock_bh.
+ *
+ * Revision 1.46  2000/09/20 16:21:57  rgb
+ * Cleaned up ident string alloc/free.
+ *
+ * Revision 1.45  2000/09/08 19:16:51  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Removed all references to CONFIG_IPSEC_PFKEYv2.
+ *
+ * Revision 1.44  2000/08/30 05:29:04  rgb
+ * Compiler-define out no longer used tdb_init() in ipsec_xform.c.
+ *
+ * Revision 1.43  2000/08/18 21:30:41  rgb
+ * Purged all tdb_spi, tdb_proto and tdb_dst macros.  They are unclear.
+ *
+ * Revision 1.42  2000/08/01 14:51:51  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.41  2000/07/28 14:58:31  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.40  2000/06/28 05:50:11  rgb
+ * Actually set iv_bits.
+ *
+ * Revision 1.39  2000/05/10 23:11:09  rgb
+ * Added netlink debugging output.
+ * Added a cast to quiet down the ntohl bug.
+ *
+ * Revision 1.38  2000/05/10 19:18:42  rgb
+ * Cast output of ntohl so that the broken prototype doesn't make our
+ * compile noisy.
+ *
+ * Revision 1.37  2000/03/16 14:04:59  rgb
+ * Hardwired CONFIG_IPSEC_PFKEYv2 on.
+ *
+ * Revision 1.36  2000/01/26 10:11:28  rgb
+ * Fixed spacing in error text causing run-in words.
+ *
+ * Revision 1.35  2000/01/21 06:17:16  rgb
+ * Tidied up compiler directive indentation for readability.
+ * Added ictx,octx vars for simplification.(kravietz)
+ * Added macros for HMAC padding magic numbers.(kravietz)
+ * Fixed missing key length reporting bug.
+ * Fixed bug in tdbwipe to return immediately on NULL tdbp passed in.
+ *
+ * Revision 1.34  1999/12/08 00:04:19  rgb
+ * Fixed SA direction overwriting bug for netlink users.
+ *
+ * Revision 1.33  1999/12/01 22:16:44  rgb
+ * Minor formatting changes in ESP MD5 initialisation.
+ *
+ * Revision 1.32  1999/11/25 09:06:36  rgb
+ * Fixed error return messages, should be returning negative numbers.
+ * Implemented SENDERR macro for propagating error codes.
+ * Added debug message and separate error code for algorithms not compiled
+ * in.
+ *
+ * Revision 1.31  1999/11/23 23:06:26  rgb
+ * Sort out pfkey and freeswan headers, putting them in a library path.
+ *
+ * Revision 1.30  1999/11/18 04:09:20  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.29  1999/11/17 15:53:40  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.28  1999/10/18 20:04:01  rgb
+ * Clean-out unused cruft.
+ *
+ * Revision 1.27  1999/10/03 19:01:03  rgb
+ * Spinlock support for 2.3.xx and 2.0.xx kernels.
+ *
+ * Revision 1.26  1999/10/01 16:22:24  rgb
+ * Switch from assignment init. to functional init. of spinlocks.
+ *
+ * Revision 1.25  1999/10/01 15:44:54  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.24  1999/10/01 00:03:46  rgb
+ * Added tdb structure locking.
+ * Minor formatting changes.
+ * Add function to initialize tdb hash table.
+ *
+ * Revision 1.23  1999/05/25 22:42:12  rgb
+ * Add deltdbchain() debugging.
+ *
+ * Revision 1.22  1999/05/25 21:24:31  rgb
+ * Add debugging statements to deltdbchain().
+ *
+ * Revision 1.21  1999/05/25 03:51:48  rgb
+ * Refix error return code.
+ *
+ * Revision 1.20  1999/05/25 03:34:07  rgb
+ * Fix error return for flush.
+ *
+ * Revision 1.19  1999/05/09 03:25:37  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.18  1999/05/05 22:02:32  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.17  1999/04/29 15:20:16  rgb
+ * Change gettdb parameter to a pointer to reduce stack loading and
+ * facilitate parameter sanity checking.
+ * Add sanity checking for null pointer arguments.
+ * Add debugging instrumentation.
+ * Add function deltdbchain() which will take care of unlinking,
+ * zeroing and deleting a chain of tdbs.
+ * Add a parameter to tdbcleanup to be able to delete a class of SAs.
+ * tdbwipe now actually zeroes the tdb as well as any of its pointed
+ * structures.
+ *
+ * Revision 1.16  1999/04/16 15:36:29  rgb
+ * Fix cut-and-paste error causing a memory leak in IPIP TDB freeing.
+ *
+ * Revision 1.15  1999/04/11 00:29:01  henry
+ * GPL boilerplate
+ *
+ * Revision 1.14  1999/04/06 04:54:28  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.13  1999/02/19 18:23:01  rgb
+ * Nix debug off compile warning.
+ *
+ * Revision 1.12  1999/02/17 16:52:16  rgb
+ * Consolidate satoa()s for space and speed efficiency.
+ * Convert DEBUG_IPSEC to KLIPS_PRINT
+ * Clean out unused cruft.
+ * Ditch NET_IPIP dependancy.
+ * Loop for 3des key setting.
+ *
+ * Revision 1.11  1999/01/26 02:09:05  rgb
+ * Remove ah/esp/IPIP switching on include files.
+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
+ * Removed dead code.
+ * Clean up debug code when switched off.
+ * Remove references to INET_GET_PROTOCOL.
+ * Added code exclusion macros to reduce code from unused algorithms.
+ *
+ * Revision 1.10  1999/01/22 06:28:55  rgb
+ * Cruft clean-out.
+ * Put random IV generation in kernel.
+ * Added algorithm switch code.
+ * Enhanced debugging.
+ * 64-bit clean-up.
+ *
+ * Revision 1.9  1998/11/30 13:22:55  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.8  1998/11/25 04:59:06  rgb
+ * Add conditionals for no IPIP tunnel code.
+ * Delete commented out code.
+ *
+ * Revision 1.7  1998/10/31 06:50:41  rgb
+ * Convert xform ASCII names to no spaces.
+ * Fixed up comments in #endif directives.
+ *
+ * Revision 1.6  1998/10/19 14:44:28  rgb
+ * Added inclusion of freeswan.h.
+ * sa_id structure implemented and used: now includes protocol.
+ *
+ * Revision 1.5  1998/10/09 04:32:19  rgb
+ * Added 'klips_debug' prefix to all klips printk debug statements.
+ *
+ * Revision 1.4  1998/08/12 00:11:31  rgb
+ * Added new xform functions to the xform table.
+ * Fixed minor debug output spelling error.
+ *
+ * Revision 1.3  1998/07/09 17:45:31  rgb
+ * Clarify algorithm not available message.
+ *
+ * Revision 1.2  1998/06/23 03:00:51  rgb
+ * Check for presence of IPIP protocol if it is setup one way (we don't
+ * know what has been set up the other way and can only assume it will be
+ * symmetrical with the exception of keys).
+ *
+ * Revision 1.1  1998/06/18 21:27:51  henry
+ * move sources from klips/src to klips/net/ipsec, to keep stupid
+ * kernel-build scripts happier in the presence of symlinks
+ *
+ * Revision 1.3  1998/06/11 05:54:59  rgb
+ * Added transform version string pointer to xformsw initialisations.
+ *
+ * Revision 1.2  1998/04/21 21:28:57  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.1  1998/04/09 03:06:13  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:02  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.5  1997/06/03 04:24:48  ji
+ * Added ESP-3DES-MD5-96
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * Added new transforms.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_xmit.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1855 @@
+/*
+ * IPSEC Transmit code.
+ * Copyright (C) 1996, 1997  John Ioannidis.
+ * Copyright (C) 1998-2003   Richard Guy Briggs.
+ * Copyright (C) 2004-2005   Michael Richardson <mcr@xelerance.com>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.20.2.9 2007/07/06 17:18:43 paul Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif	/* for CONFIG_IP_FORWARD */
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/tcp.h>         /* struct tcphdr */
+#include <linux/udp.h>         /* struct udphdr */
+#include <linux/skbuff.h>
+#include <asm/uaccess.h>
+#include <asm/checksum.h>
+#include <openswan.h>
+#ifdef NET_21
+# define MSS_HACK_		/* experimental */
+# include <linux/in6.h>
+# include <net/dst.h>
+# define proto_priv cb
+#endif /* NET_21 */
+
+#include <net/icmp.h>		/* icmp_send() */
+#include <net/ip.h>
+#ifdef NETDEV_23
+# include <linux/netfilter_ipv4.h>
+#endif /* NETDEV_23 */
+
+#include <linux/if_arp.h>
+#ifdef MSS_HACK
+# include <net/tcp.h>		/* TCP options */
+#endif	/* MSS_HACK */
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_eroute.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xmit.h"
+#include "openswan/ipsec_sa.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_ipe4.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+
+#ifdef CONFIG_KLIPS_IPCOMP
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+
+/* 
+ * Stupid kernel API differences in APIs. Not only do some
+ * kernels not have ip_select_ident, but some have differing APIs,
+ * and SuSE has one with one parameter, but no way of checking to
+ * see what is really what.
+ */
+
+#ifdef SUSE_LINUX_2_4_19_IS_STUPID
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
+#else
+
+/* simplest case, nothing */
+#if !defined(IP_SELECT_IDENT)
+#define KLIPS_IP_SELECT_IDENT(iph, skb)  do { iph->id = htons(ip_id_count++); } while(0)
+#endif
+
+/* kernels > 2.3.37-ish */
+#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
+#endif
+
+/* kernels > 2.4.2 */
+#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
+#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
+#endif
+
+#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
+
+
+
+#if defined(CONFIG_KLIPS_AH)
+static __u32 zeroes[64];
+#endif
+
+#ifdef CONFIG_KLIPS_DEBUG
+int sysctl_ipsec_debug_verbose = 0;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+int ipsec_xmit_trap_count = 0;
+int ipsec_xmit_trap_sendcount = 0;
+
+int sysctl_ipsec_icmp = 0;
+int sysctl_ipsec_tos = 0;
+
+#ifdef CONFIG_KLIPS_DEBUG
+#define dmp(_x,_y,_z) if(debug_tunnel) ipsec_dmp_block(_x,_y,_z)
+#else /* CONFIG_KLIPS_DEBUG */
+#define dmp(_x, _y, _z) 
+#endif /* CONFIG_KLIPS_DEBUG */
+
+
+#if !defined(SKB_COPY_EXPAND) || defined(KLIPS_UNIT_TESTS)
+/*
+ *	This is mostly skbuff.c:skb_copy().
+ */
+struct sk_buff *
+skb_copy_expand(const struct sk_buff *skb, int headroom,
+		int tailroom, int priority)
+{
+	struct sk_buff *n;
+	unsigned long offset;
+
+	/*
+	 *	Do sanity checking
+	 */
+	if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
+		printk(KERN_WARNING
+		       "klips_error:skb_copy_expand: "
+		       "Illegal negative head,tailroom %d,%d\n",
+		       headroom,
+		       tailroom);
+		return NULL;
+	}
+	/*
+	 *	Allocate the copy buffer
+	 */
+	 
+#ifndef NET_21
+	IS_SKB(skb);
+#endif /* !NET_21 */
+
+
+	n=alloc_skb(skb->end - skb->head + headroom + tailroom, priority);
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:skb_copy_expand: "
+		    "allocating %d bytes, head=0p%p data=0p%p tail=0p%p end=0p%p end-head=%d tail-data=%d\n",
+		    skb->end - skb->head + headroom + tailroom,
+		    skb->head,
+		    skb->data,
+		    skb->tail,
+		    skb->end,
+		    skb->end - skb->head,
+		    skb->tail - skb->data);
+
+	if(n==NULL)
+		return NULL;
+
+	/*
+	 *	Shift between the two data areas in bytes
+	 */
+	 
+	/* Set the data pointer */
+	skb_reserve(n,skb->data-skb->head+headroom);
+	/* Set the tail pointer and length */
+	if(skb_tailroom(n) < skb->len) {
+		printk(KERN_WARNING "klips_error:skb_copy_expand: "
+		       "tried to skb_put %ld, %d available.  This should never happen, please report.\n",
+		       (unsigned long int)skb->len,
+		       skb_tailroom(n));
+		ipsec_kfree_skb(n);
+		return NULL;
+	}
+	skb_put(n,skb->len);
+
+	offset=n->head + headroom - skb->head;
+
+	/* Copy the bytes */
+	memcpy(n->head + headroom, skb->head,skb->end-skb->head);
+#ifdef NET_21
+	n->csum=skb->csum;
+	n->priority=skb->priority;
+	n->dst=dst_clone(skb->dst);
+	if(skb->nh.raw)
+		n->nh.raw=skb->nh.raw+offset;
+#ifndef NETDEV_23
+	n->is_clone=0;
+#endif /* NETDEV_23 */
+	atomic_set(&n->users, 1);
+	n->destructor = NULL;
+#ifdef HAVE_SOCK_SECURITY
+	n->security=skb->security;
+#endif
+#else /* NET_21 */
+	n->link3=NULL;
+	n->when=skb->when;
+	if(skb->ip_hdr)
+	        n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
+	n->saddr=skb->saddr;
+	n->daddr=skb->daddr;
+	n->raddr=skb->raddr;
+	n->seq=skb->seq;
+	n->end_seq=skb->end_seq;
+	n->ack_seq=skb->ack_seq;
+	n->acked=skb->acked;
+	n->free=1;
+	n->arp=skb->arp;
+	n->tries=0;
+	n->lock=0;
+	n->users=0;
+#endif /* NET_21 */
+	n->protocol=skb->protocol;
+	n->list=NULL;
+	n->sk=NULL;
+	n->dev=skb->dev;
+	if(skb->h.raw)
+		n->h.raw=skb->h.raw+offset;
+	if(skb->mac.raw) 
+		n->mac.raw=skb->mac.raw+offset;
+	memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
+#ifndef NETDEV_23
+	n->used=skb->used;
+#endif /* !NETDEV_23 */
+	n->pkt_type=skb->pkt_type;
+	n->stamp=skb->stamp;
+	
+#ifndef NET_21
+	IS_SKB(n);
+#endif /* !NET_21 */
+	return n;
+}
+#endif /* !SKB_COPY_EXPAND */
+
+#ifdef CONFIG_KLIPS_DEBUG
+void
+ipsec_print_ip(struct iphdr *ip)
+{
+	char buf[ADDRTOA_BUF];
+
+	printk(KERN_INFO "klips_debug:   IP:");
+	printk(" ihl:%d", ip->ihl << 2);
+	printk(" ver:%d", ip->version);
+	printk(" tos:%d", ip->tos);
+	printk(" tlen:%d", ntohs(ip->tot_len));
+	printk(" id:%d", ntohs(ip->id));
+	printk(" %s%s%sfrag_off:%d",
+               ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
+               ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
+               ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
+               (ntohs(ip->frag_off) & IP_OFFSET) << 3);
+	printk(" ttl:%d", ip->ttl);
+	printk(" proto:%d", ip->protocol);
+	if(ip->protocol == IPPROTO_UDP)
+		printk(" (UDP)");
+	if(ip->protocol == IPPROTO_TCP)
+		printk(" (TCP)");
+	if(ip->protocol == IPPROTO_ICMP)
+		printk(" (ICMP)");
+	if(ip->protocol == IPPROTO_ESP)
+		printk(" (ESP)");
+	if(ip->protocol == IPPROTO_AH)
+		printk(" (AH)");
+	if(ip->protocol == IPPROTO_COMP)
+		printk(" (COMP)");
+	printk(" chk:%d", ntohs(ip->check));
+	addrtoa(*((struct in_addr*)(&ip->saddr)), 0, buf, sizeof(buf));
+	printk(" saddr:%s", buf);
+	if(ip->protocol == IPPROTO_UDP)
+		printk(":%d",
+		       ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
+	if(ip->protocol == IPPROTO_TCP)
+		printk(":%d",
+		       ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
+	addrtoa(*((struct in_addr*)(&ip->daddr)), 0, buf, sizeof(buf));
+	printk(" daddr:%s", buf);
+	if(ip->protocol == IPPROTO_UDP)
+		printk(":%d",
+		       ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
+	if(ip->protocol == IPPROTO_TCP)
+		printk(":%d",
+		       ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
+	if(ip->protocol == IPPROTO_ICMP)
+		printk(" type:code=%d:%d",
+		       ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->type,
+		       ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->code);
+	printk("\n");
+
+	if(sysctl_ipsec_debug_verbose) {
+		__u8 *c;
+		int len = ntohs(ip->tot_len) - ip->ihl*4;
+		
+		c = ((__u8*)ip) + ip->ihl*4;
+		ipsec_dmp_block("ip_print", c, len);
+	}
+}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#ifdef MSS_HACK
+/*
+ * Issues:
+ *  1) Fragments arriving in the tunnel should probably be rejected.
+ *  2) How does this affect syncookies, mss_cache, dst cache ?
+ *  3) Path MTU discovery handling needs to be reviewed.  For example,
+ *     if we receive an ICMP 'packet too big' message from an intermediate 
+ *     router specifying it's next hop MTU, our stack may process this and
+ *     adjust the MSS without taking our AH/ESP overheads into account.
+ */
+
+ 
+/*
+ * Recaclulate checksum using differences between changed datum, 
+ * borrowed from netfilter.
+ */
+DEBUG_NO_STATIC u_int16_t 
+ipsec_fast_csum(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
+{
+	u_int32_t diffs[] = { oldvalinv, newval };
+	return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
+	oldcheck^0xFFFF));
+}
+
+/*
+ * Determine effective MSS.
+ *
+ * Note that we assume that there is always an MSS option for our own
+ * SYN segments, which is mentioned in tcp_syn_build_options(), kernel 2.2.x.
+ * This could change, and we should probably parse TCP options instead.
+ *
+ */
+DEBUG_NO_STATIC u_int8_t
+ipsec_adjust_mss(struct sk_buff *skb, struct tcphdr *tcph, u_int16_t mtu)
+{
+	u_int16_t oldmss, newmss;
+	u_int32_t *mssp;
+	struct sock *sk = skb->sk;
+	
+	newmss = tcp_sync_mss(sk, mtu);
+	printk(KERN_INFO "klips: setting mss to %u\n", newmss);
+	mssp = (u_int32_t *)tcph + sizeof(struct tcphdr) / sizeof(u_int32_t);
+	oldmss = ntohl(*mssp) & 0x0000FFFF;
+	*mssp = htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | newmss);
+	tcph->check = ipsec_fast_csum(htons(~oldmss), 
+	                              htons(newmss), tcph->check);
+	return 1;
+}
+#endif	/* MSS_HACK */
+                                                        
+/*
+ * Sanity checks
+ */
+enum ipsec_xmit_value
+ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs)
+{
+
+	if (ixs->dev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_error:ipsec_xmit_sanity_check_dev: "
+			    "No device associated with skb!\n" );
+		return IPSEC_XMIT_NODEV;
+	}
+
+	ixs->prv = ixs->dev->priv;
+	if (ixs->prv == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_error:ipsec_xmit_sanity_check_dev: "
+			    "Device has no private structure!\n" );
+		return 	IPSEC_XMIT_NOPRIVDEV;
+	}
+
+	ixs->physdev = ixs->prv->dev;
+	if (ixs->physdev == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_error:ipsec_xmit_sanity_check_dev: "
+			    "Device is not attached to physical device!\n" );
+		return IPSEC_XMIT_NOPHYSDEV;
+	}
+
+	ixs->physmtu = ixs->physdev->mtu;
+        ixs->cur_mtu = ixs->physdev->mtu;
+	ixs->stats = (struct net_device_stats *) &(ixs->prv->mystats);
+
+	return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs)
+{
+	/*
+	 *	Return if there is nothing to do.  (Does this ever happen?) XXX
+	 */
+	if (ixs->skb == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_error:ipsec_xmit_sanity_check_skb: "
+			    "Nothing to do!\n" );
+		return IPSEC_XMIT_NOSKB;
+	}
+
+	/* if skb was cloned (most likely due to a packet sniffer such as
+	   tcpdump being momentarily attached to the interface), make
+	   a copy of our own to modify */
+	if(skb_cloned(ixs->skb)) {
+		if
+#ifdef SKB_COW_NEW
+	       (skb_cow(ixs->skb, skb_headroom(ixs->skb)) != 0)
+#else /* SKB_COW_NEW */
+	       ((ixs->skb = skb_cow(ixs->skb, skb_headroom(ixs->skb))) == NULL)
+#endif /* SKB_COW_NEW */
+		{
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_error:ipsec_xmit_sanity_check_skb: "
+				    "skb_cow failed to allocate buffer, dropping.\n" );
+			ixs->stats->tx_dropped++;
+			return IPSEC_XMIT_ERRSKBALLOC;
+		}
+	}
+
+	ixs->iph = ixs->skb->nh.iph;
+
+	/* sanity check for IP version as we can't handle IPv6 right now */
+	if (ixs->iph->version != 4) {
+		KLIPS_PRINT(debug_tunnel,
+			    "klips_debug:ipsec_xmit_sanity_check_skb: "
+			    "found IP Version %d but cannot process other IP versions than v4.\n",
+			    ixs->iph->version); /* XXX */
+		ixs->stats->tx_dropped++;
+		return IPSEC_XMIT_NOIPV6;
+	}
+	
+#if IPSEC_DISALLOW_IPOPTIONS
+	if ((ixs->iph->ihl << 2) != sizeof (struct iphdr)) {
+		KLIPS_PRINT(debug_tunnel,
+			    "klips_debug:ipsec_xmit_sanity_check_skb: "
+			    "cannot process IP header options yet.  May be mal-formed packet.\n"); /* XXX */
+		ixs->stats->tx_dropped++;
+		return IPSEC_XMIT_NOIPOPTIONS;
+	}
+#endif /* IPSEC_DISALLOW_IPOPTIONS */
+	
+#ifndef NET_21
+	if (ixs->iph->ttl <= 0) {
+		/* Tell the sender its packet died... */
+		ICMP_SEND(ixs->skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, ixs->physdev);
+
+		KLIPS_PRINT(debug_tunnel, "klips_debug:ipsec_xmit_sanity_check_skb: "
+			    "TTL=0, too many hops!\n");
+		ixs->stats->tx_dropped++;
+		return IPSEC_XMIT_TTLEXPIRED;
+	}
+#endif /* !NET_21 */
+	
+	return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_xmit_encap_once(struct ipsec_xmit_state *ixs)
+{
+#ifdef CONFIG_KLIPS_ESP
+	struct esphdr *espp;
+	unsigned char *idat, *pad;
+	int authlen = 0, padlen = 0, i;
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_AH
+	struct iphdr ipo;
+	struct ahhdr *ahp;
+#endif /* CONFIG_KLIPS_AH */
+#if defined(CONFIG_KLIPS_AUTH_HMAC_MD5) || defined(CONFIG_KLIPS_AUTH_HMAC_SHA1)
+	union {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		MD5_CTX md5;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		SHA1_CTX sha1;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+	} tctx;
+	__u8 hash[AH_AMAX];
+#endif /* defined(CONFIG_KLIPS_AUTH_HMAC_MD5) || defined(CONFIG_KLIPS_AUTH_HMACn_SHA1) */
+	int headroom = 0, tailroom = 0, ilen = 0, len = 0;
+	unsigned char *dat;
+	int blocksize = 8; /* XXX: should be inside ixs --jjo */
+	struct ipsec_alg_enc *ixt_e = NULL;
+	struct ipsec_alg_auth *ixt_a = NULL;
+	
+	ixs->iphlen = ixs->iph->ihl << 2;
+	ixs->pyldsz = ntohs(ixs->iph->tot_len) - ixs->iphlen;
+	ixs->sa_len = satot(&ixs->ipsp->ips_said, 0, ixs->sa_txt, SATOT_BUF);
+	KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "calling output for <%s%s%s>, SA:%s\n", 
+		    IPS_XFORM_NAME(ixs->ipsp),
+		    ixs->sa_len ? ixs->sa_txt : " (error)");
+	
+	switch(ixs->ipsp->ips_said.proto) {
+#ifdef CONFIG_KLIPS_AH
+	case IPPROTO_AH:
+		headroom += sizeof(struct ahhdr);
+		break;
+#endif /* CONFIG_KLIPS_AH */
+
+#ifdef CONFIG_KLIPS_ESP
+	case IPPROTO_ESP:
+		ixt_e=ixs->ipsp->ips_alg_enc;
+		if (ixt_e) {
+			blocksize = ixt_e->ixt_common.ixt_blocksize;
+			headroom += ESP_HEADER_LEN + ixt_e->ixt_common.ixt_support.ias_ivlen/8;
+		} else {
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_ESP_BADALG;
+		}
+
+		ixt_a=ixs->ipsp->ips_alg_auth;
+		if (ixt_a) {
+			tailroom += AHHMAC_HASHLEN;
+			authlen = AHHMAC_HASHLEN;
+		} else 
+		switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		case AH_MD5:
+			authlen = AHHMAC_HASHLEN;
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		case AH_SHA:
+			authlen = AHHMAC_HASHLEN;
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+		case AH_NONE:
+			break;
+		default:
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_ESP_BADALG;
+		}		
+		tailroom += blocksize != 1 ?
+			((blocksize - ((ixs->pyldsz + 2) % blocksize)) % blocksize) + 2 :
+			((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
+		tailroom += authlen;
+		break;
+#endif /* CONFIG_KLIPS_ESP */
+
+#ifdef CONFIG_KLIPS_IPIP
+	case IPPROTO_IPIP:
+		headroom += sizeof(struct iphdr);
+		ixs->iphlen = sizeof(struct iphdr);
+		break;
+#endif /* !CONFIG_KLIPS_IPIP */
+
+#ifdef CONFIG_KLIPS_IPCOMP
+	case IPPROTO_COMP:
+		break;
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+	default:
+		ixs->stats->tx_errors++;
+		return IPSEC_XMIT_BADPROTO;
+	}
+	
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "pushing %d bytes, putting %d, proto %d.\n", 
+		    headroom, tailroom, ixs->ipsp->ips_said.proto);
+	if(skb_headroom(ixs->skb) < headroom) {
+		printk(KERN_WARNING
+		       "klips_error:ipsec_xmit_encap_once: "
+		       "tried to skb_push headroom=%d, %d available.  This should never happen, please report.\n",
+		       headroom, skb_headroom(ixs->skb));
+		ixs->stats->tx_errors++;
+		return IPSEC_XMIT_ESP_PUSHPULLERR;
+	}
+
+	dat = skb_push(ixs->skb, headroom);
+	ilen = ixs->skb->len - tailroom;
+	if(skb_tailroom(ixs->skb) < tailroom) {
+		printk(KERN_WARNING
+		       "klips_error:ipsec_xmit_encap_once: "
+		       "tried to skb_put %d, %d available.  This should never happen, please report.\n",
+		       tailroom, skb_tailroom(ixs->skb));
+		ixs->stats->tx_errors++;
+		return IPSEC_XMIT_ESP_PUSHPULLERR;
+	}
+	skb_put(ixs->skb, tailroom);
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "head,tailroom: %d,%d before xform.\n",
+		    skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+	len = ixs->skb->len;
+	if(len > 0xfff0) {
+		printk(KERN_WARNING "klips_error:ipsec_xmit_encap_once: "
+		       "tot_len (%d) > 65520.  This should never happen, please report.\n",
+		       len);
+		ixs->stats->tx_errors++;
+		return IPSEC_XMIT_BADLEN;
+	}
+	memmove((void *)dat, (void *)(dat + headroom), ixs->iphlen);
+	ixs->iph = (struct iphdr *)dat;
+	ixs->iph->tot_len = htons(ixs->skb->len);
+
+	switch(ixs->ipsp->ips_said.proto) {
+#ifdef CONFIG_KLIPS_ESP
+	case IPPROTO_ESP:
+		espp = (struct esphdr *)(dat + ixs->iphlen);
+		espp->esp_spi = ixs->ipsp->ips_said.spi;
+		espp->esp_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
+		
+		if (!ixt_e) {
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_ESP_BADALG;
+		}
+		
+		idat = dat + ixs->iphlen + headroom;
+		ilen = len - (ixs->iphlen + headroom + authlen);
+		
+		/* Self-describing padding */
+		pad = &dat[len - tailroom];
+		padlen = tailroom - 2 - authlen;
+		for (i = 0; i < padlen; i++) {
+			pad[i] = i + 1; 
+		}
+		dat[len - authlen - 2] = padlen;
+		
+		dat[len - authlen - 1] = ixs->iph->protocol;
+		ixs->iph->protocol = IPPROTO_ESP;
+#ifdef CONFIG_KLIPS_DEBUG
+		if(debug_tunnel & DB_TN_ENCAP) {
+		        dmp("pre-encrypt", dat, len);
+		}
+#endif
+
+		/*
+		 * Do all operations here:
+		 * copy IV->ESP, encrypt, update ips IV
+		 *
+		 */
+		{
+			int ret;
+			memcpy(espp->esp_iv, 
+			       ixs->ipsp->ips_iv, 
+			       ixs->ipsp->ips_iv_size);
+			ret=ipsec_alg_esp_encrypt(ixs->ipsp, 
+						  idat, ilen, espp->esp_iv,
+						  IPSEC_ALG_ENCRYPT);
+
+			prng_bytes(&ipsec_prng,
+				   (char *)ixs->ipsp->ips_iv,
+				   ixs->ipsp->ips_iv_size);
+		} 
+		
+		if (ixt_a) {
+			ipsec_alg_sa_esp_hash(ixs->ipsp,
+					(caddr_t)espp, len - ixs->iphlen - authlen,
+					&(dat[len - authlen]), authlen);
+
+		} else
+		switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		case AH_MD5:
+			dmp("espp", (char*)espp, len - ixs->iphlen - authlen);
+			tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+			dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, (caddr_t)espp, len - ixs->iphlen - authlen);
+			dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Final(hash, &tctx.md5);
+			dmp("ictx hash", (char*)&hash, sizeof(hash));
+			tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
+			dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, hash, AHMD596_ALEN);
+			dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Final(hash, &tctx.md5);
+			dmp("octx hash", (char*)&hash, sizeof(hash));
+			memcpy(&(dat[len - authlen]), hash, authlen);
+			
+			/* paranoid */
+			memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
+			memset((caddr_t)hash, 0, sizeof(*hash));
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		case AH_SHA:
+			tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+			SHA1Update(&tctx.sha1, (caddr_t)espp, len - ixs->iphlen - authlen);
+			SHA1Final(hash, &tctx.sha1);
+			tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
+			SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
+			SHA1Final(hash, &tctx.sha1);
+			memcpy(&(dat[len - authlen]), hash, authlen);
+			
+			/* paranoid */
+			memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
+			memset((caddr_t)hash, 0, sizeof(*hash));
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+		case AH_NONE:
+			break;
+		default:
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_AH_BADALG;
+		}
+#ifdef NET_21
+		ixs->skb->h.raw = (unsigned char*)espp;
+#endif /* NET_21 */
+		break;
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_AH
+	case IPPROTO_AH:
+		ahp = (struct ahhdr *)(dat + ixs->iphlen);
+		ahp->ah_spi = ixs->ipsp->ips_said.spi;
+		ahp->ah_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
+		ahp->ah_rv = 0;
+		ahp->ah_nh = ixs->iph->protocol;
+		ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
+		ixs->iph->protocol = IPPROTO_AH;
+		dmp("ahp", (char*)ahp, sizeof(*ahp));
+		
+		ipo = *ixs->iph;
+		ipo.tos = 0;
+		ipo.frag_off = 0;
+		ipo.ttl = 0;
+		ipo.check = 0;
+		dmp("ipo", (char*)&ipo, sizeof(ipo));
+		
+		switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		case AH_MD5:
+			tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+			dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, (unsigned char *)&ipo, sizeof (struct iphdr));
+			dmp("ictx+ipo", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
+			dmp("ictx+ahp", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, (unsigned char *)zeroes, AHHMAC_HASHLEN);
+			dmp("ictx+zeroes", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5,  dat + ixs->iphlen + headroom, len - ixs->iphlen - headroom);
+			dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Final(hash, &tctx.md5);
+			dmp("ictx hash", (char*)&hash, sizeof(hash));
+			tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
+			dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Update(&tctx.md5, hash, AHMD596_ALEN);
+			dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
+			osMD5Final(hash, &tctx.md5);
+			dmp("octx hash", (char*)&hash, sizeof(hash));
+					
+			memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
+					
+			/* paranoid */
+			memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
+			memset((caddr_t)hash, 0, sizeof(*hash));
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		case AH_SHA:
+			tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
+			SHA1Update(&tctx.sha1, (unsigned char *)&ipo, sizeof (struct iphdr));
+			SHA1Update(&tctx.sha1, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
+			SHA1Update(&tctx.sha1, (unsigned char *)zeroes, AHHMAC_HASHLEN);
+			SHA1Update(&tctx.sha1,  dat + ixs->iphlen + headroom, len - ixs->iphlen - headroom);
+			SHA1Final(hash, &tctx.sha1);
+			tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
+			SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
+			SHA1Final(hash, &tctx.sha1);
+					
+			memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
+					
+			/* paranoid */
+			memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
+			memset((caddr_t)hash, 0, sizeof(*hash));
+			break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+		default:
+			ixs->stats->tx_errors++;
+			return IPSEC_XMIT_AH_BADALG;
+		}
+#ifdef NET_21
+		ixs->skb->h.raw = (unsigned char*)ahp;
+#endif /* NET_21 */
+		break;
+#endif /* CONFIG_KLIPS_AH */
+#ifdef CONFIG_KLIPS_IPIP
+	case IPPROTO_IPIP:
+		ixs->iph->version  = 4;
+		switch(sysctl_ipsec_tos) {
+		case 0:
+#ifdef NET_21
+			ixs->iph->tos = ixs->skb->nh.iph->tos;
+#else /* NET_21 */
+			ixs->iph->tos = ixs->skb->ip_hdr->tos;
+#endif /* NET_21 */
+			break;
+		case 1:
+			ixs->iph->tos = 0;
+			break;
+		default:
+			break;
+		}
+		ixs->iph->ttl      = SYSCTL_IPSEC_DEFAULT_TTL;
+		ixs->iph->frag_off = 0;
+		ixs->iph->saddr    = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_s))->sin_addr.s_addr;
+		ixs->iph->daddr    = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_d))->sin_addr.s_addr;
+		ixs->iph->protocol = IPPROTO_IPIP;
+		ixs->iph->ihl      = sizeof(struct iphdr) >> 2;
+
+		KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
+
+		ixs->newdst = (__u32)ixs->iph->daddr;
+		ixs->newsrc = (__u32)ixs->iph->saddr;
+		
+#ifdef NET_21
+		ixs->skb->h.ipiph = ixs->skb->nh.iph;
+#endif /* NET_21 */
+		break;
+#endif /* !CONFIG_KLIPS_IPIP */
+#ifdef CONFIG_KLIPS_IPCOMP
+	case IPPROTO_COMP:
+	{
+		unsigned int flags = 0;
+#ifdef CONFIG_KLIPS_DEBUG
+		unsigned int old_tot_len = ntohs(ixs->iph->tot_len);
+#endif /* CONFIG_KLIPS_DEBUG */
+		ixs->ipsp->ips_comp_ratio_dbytes += ntohs(ixs->iph->tot_len);
+
+		ixs->skb = skb_compress(ixs->skb, ixs->ipsp, &flags);
+
+#ifdef NET_21
+		ixs->iph = ixs->skb->nh.iph;
+#else /* NET_21 */
+		ixs->iph = ixs->skb->ip_hdr;
+#endif /* NET_21 */
+
+		ixs->ipsp->ips_comp_ratio_cbytes += ntohs(ixs->iph->tot_len);
+
+#ifdef CONFIG_KLIPS_DEBUG
+		if (debug_tunnel & DB_TN_CROUT)
+		{
+			if (old_tot_len > ntohs(ixs->iph->tot_len))
+				KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+					    "klips_debug:ipsec_xmit_encap_once: "
+					    "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
+					    old_tot_len, ntohs(ixs->iph->tot_len),
+					    ntohs(((struct ipcomphdr*)(((char*)ixs->iph) + ((ixs->iph->ihl) << 2)))->ipcomp_cpi),
+					    ntohl(ixs->ipsp->ips_said.spi),
+					    (__u16)(ntohl(ixs->ipsp->ips_said.spi) & 0x0000ffff));
+			else
+				KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+					    "klips_debug:ipsec_xmit_encap_once: "
+					    "packet did not compress (flags = %d).\n",
+					    flags);
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+	}
+	break;
+#endif /* CONFIG_KLIPS_IPCOMP */
+	default:
+		ixs->stats->tx_errors++;
+		return IPSEC_XMIT_BADPROTO;
+	}
+			
+#ifdef NET_21
+	ixs->skb->nh.raw = ixs->skb->data;
+#else /* NET_21 */
+	ixs->skb->ip_hdr = ixs->skb->h.iph = (struct iphdr *) ixs->skb->data;
+#endif /* NET_21 */
+	ixs->iph->check = 0;
+	ixs->iph->check = ip_fast_csum((unsigned char *)ixs->iph, ixs->iph->ihl);
+			
+	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+		    "klips_debug:ipsec_xmit_encap_once: "
+		    "after <%s%s%s>, SA:%s:\n",
+		    IPS_XFORM_NAME(ixs->ipsp),
+		    ixs->sa_len ? ixs->sa_txt : " (error)");
+	KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
+ 			
+	ixs->ipsp->ips_life.ipl_bytes.ipl_count += len;
+	ixs->ipsp->ips_life.ipl_bytes.ipl_last = len;
+
+	if(!ixs->ipsp->ips_life.ipl_usetime.ipl_count) {
+		ixs->ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
+	}
+	ixs->ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
+	ixs->ipsp->ips_life.ipl_packets.ipl_count++; 
+
+	ixs->ipsp = ixs->ipsp->ips_onext;
+			
+	return IPSEC_XMIT_OK;
+}
+
+/*
+ * If the IP packet (iph) is a carrying TCP/UDP, then set the encaps
+ * source and destination ports to those from the TCP/UDP header.
+ */
+void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er)
+{
+	struct udphdr *udp;
+
+	switch (iph->protocol) {
+	case IPPROTO_UDP:
+	case IPPROTO_TCP:
+		/*
+		 * The ports are at the same offsets in a TCP and UDP
+		 * header so hack it ...
+		 */
+		udp = (struct udphdr*)(((char*)iph)+(iph->ihl<<2));
+		er->sen_sport = udp->source;
+		er->sen_dport = udp->dest;
+		break;
+	default:
+		er->sen_sport = 0;
+		er->sen_dport = 0;
+		break;
+	}
+}
+
+/*
+ * A TRAP eroute is installed and we want to replace it with a HOLD
+ * eroute.
+ */
+static int create_hold_eroute(struct eroute *origtrap,
+			      struct sk_buff * skb, struct iphdr * iph,
+			      uint32_t eroute_pid)
+{
+	struct eroute hold_eroute;
+	ip_said hold_said;
+	struct sk_buff *first, *last;
+	int error;
+
+	first = last = NULL;
+	memset((caddr_t)&hold_eroute, 0, sizeof(hold_eroute));
+	memset((caddr_t)&hold_said, 0, sizeof(hold_said));
+	
+	hold_said.proto = IPPROTO_INT;
+	hold_said.spi = htonl(SPI_HOLD);
+	hold_said.dst.u.v4.sin_addr.s_addr = INADDR_ANY;
+	
+	hold_eroute.er_eaddr.sen_len = sizeof(struct sockaddr_encap);
+	hold_eroute.er_emask.sen_len = sizeof(struct sockaddr_encap);
+	hold_eroute.er_eaddr.sen_family = AF_ENCAP;
+	hold_eroute.er_emask.sen_family = AF_ENCAP;
+	hold_eroute.er_eaddr.sen_type = SENT_IP4;
+	hold_eroute.er_emask.sen_type = 255;
+	
+	hold_eroute.er_eaddr.sen_ip_src.s_addr = iph->saddr;
+	hold_eroute.er_eaddr.sen_ip_dst.s_addr = iph->daddr;
+	hold_eroute.er_emask.sen_ip_src.s_addr = INADDR_BROADCAST;
+	hold_eroute.er_emask.sen_ip_dst.s_addr = INADDR_BROADCAST;
+	hold_eroute.er_emask.sen_sport = 0;
+	hold_eroute.er_emask.sen_dport = 0;
+	hold_eroute.er_pid = eroute_pid;
+	hold_eroute.er_count = 0;
+	hold_eroute.er_lasttime = jiffies/HZ;
+
+	/*
+	 * if it wasn't captured by a wildcard, then don't record it as
+	 * a wildcard.
+	 */
+	if(origtrap->er_eaddr.sen_proto != 0) {
+	  hold_eroute.er_eaddr.sen_proto = iph->protocol;
+
+	  if((iph->protocol == IPPROTO_TCP ||
+	      iph->protocol == IPPROTO_UDP) &&
+	     (origtrap->er_eaddr.sen_sport != 0 ||
+	      origtrap->er_eaddr.sen_dport != 0)) {
+
+	    if(origtrap->er_eaddr.sen_sport != 0)
+	      hold_eroute.er_emask.sen_sport = ~0;
+
+	    if(origtrap->er_eaddr.sen_dport != 0) 
+	      hold_eroute.er_emask.sen_dport = ~0;
+
+	    ipsec_extract_ports(iph, &hold_eroute.er_eaddr);
+	  }
+	}
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (debug_pfkey) {
+		char buf1[64], buf2[64];
+		subnettoa(hold_eroute.er_eaddr.sen_ip_src,
+			  hold_eroute.er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(hold_eroute.er_eaddr.sen_ip_dst,
+			  hold_eroute.er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "calling breakeroute and makeroute for %s:%d->%s:%d %d HOLD eroute.\n",
+			    buf1, ntohs(hold_eroute.er_eaddr.sen_sport),
+			    buf2, ntohs(hold_eroute.er_eaddr.sen_dport),
+			    hold_eroute.er_eaddr.sen_proto);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	if (ipsec_breakroute(&(hold_eroute.er_eaddr), &(hold_eroute.er_emask),
+			     &first, &last)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "HOLD breakeroute found nothing.\n");
+	} else {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "HOLD breakroute deleted %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %u\n",
+			    NIPQUAD(hold_eroute.er_eaddr.sen_ip_src),
+			    ntohs(hold_eroute.er_eaddr.sen_sport),
+			    NIPQUAD(hold_eroute.er_eaddr.sen_ip_dst),
+			    ntohs(hold_eroute.er_eaddr.sen_dport),
+			    hold_eroute.er_eaddr.sen_proto);
+	}
+	if (first != NULL)
+		kfree_skb(first);
+	if (last != NULL)
+		kfree_skb(last);
+
+	error = ipsec_makeroute(&(hold_eroute.er_eaddr),
+				&(hold_eroute.er_emask),
+				hold_said, eroute_pid, skb, NULL, NULL);
+	if (error) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "HOLD makeroute returned %d, failed.\n", error);
+	} else {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:ipsec_tunnel_start_xmit: "
+			    "HOLD makeroute call successful.\n");
+	}
+	return (error == 0);
+}
+
+/*
+ * upon entry to this function, ixs->skb should be setup
+ * as follows:
+ *
+ *   data   = beginning of IP packet   <- differs from ipsec_rcv().
+ *   nh.raw = beginning of IP packet.
+ *   h.raw  = data after the IP packet.
+ *
+ */
+enum ipsec_xmit_value
+ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs)
+{
+	struct ipsec_alg_enc *ixt_e = NULL;
+	struct ipsec_alg_auth *ixt_a = NULL;
+	int blocksize = 8;
+	enum ipsec_xmit_value bundle_stat = IPSEC_XMIT_OK;
+ 
+	ixs->newdst = ixs->orgdst = ixs->iph->daddr;
+	ixs->newsrc = ixs->orgsrc = ixs->iph->saddr;
+	ixs->orgedst = ixs->outgoing_said.dst.u.v4.sin_addr.s_addr;
+	ixs->iphlen = ixs->iph->ihl << 2;
+	ixs->pyldsz = ntohs(ixs->iph->tot_len) - ixs->iphlen;
+	ixs->max_headroom = ixs->max_tailroom = 0;
+		
+	if (ixs->outgoing_said.proto == IPPROTO_INT) {
+		switch (ntohl(ixs->outgoing_said.spi)) {
+		case SPI_DROP:
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "shunt SA of DROP or no eroute: dropping.\n");
+			ixs->stats->tx_dropped++;
+			break;
+				
+		case SPI_REJECT:
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "shunt SA of REJECT: notifying and dropping.\n");
+			ICMP_SEND(ixs->skb,
+				  ICMP_DEST_UNREACH,
+				  ICMP_PKT_FILTERED,
+				  0,
+				  ixs->physdev);
+			ixs->stats->tx_dropped++;
+			break;
+				
+		case SPI_PASS:
+#ifdef NET_21
+			ixs->pass = 1;
+#endif /* NET_21 */
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "PASS: calling dev_queue_xmit\n");
+			return IPSEC_XMIT_PASS;
+			goto cleanup;
+				
+		case SPI_HOLD:
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "shunt SA of HOLD: this does not make sense here, dropping.\n");
+			ixs->stats->tx_dropped++;
+			break;
+
+		case SPI_TRAP:
+		case SPI_TRAPSUBNET:
+		{
+			struct sockaddr_in src, dst;
+#ifdef CONFIG_KLIPS_DEBUG
+			char bufsrc[ADDRTOA_BUF], bufdst[ADDRTOA_BUF];
+#endif /* CONFIG_KLIPS_DEBUG */
+
+			/* Signal all listening KMds with a PF_KEY ACQUIRE */
+
+			memset(&src, 0, sizeof(src));
+			memset(&dst, 0, sizeof(dst));
+			src.sin_family = AF_INET;
+			dst.sin_family = AF_INET;
+			src.sin_addr.s_addr = ixs->iph->saddr;
+			dst.sin_addr.s_addr = ixs->iph->daddr;
+
+			ixs->ips.ips_transport_protocol = 0;
+			src.sin_port = 0;
+			dst.sin_port = 0;
+			
+			if(ixs->eroute->er_eaddr.sen_proto != 0) {
+			  ixs->ips.ips_transport_protocol = ixs->iph->protocol;
+			  
+			  if(ixs->eroute->er_eaddr.sen_sport != 0) {
+			    src.sin_port = 
+			      (ixs->iph->protocol == IPPROTO_UDP
+			       ? ((struct udphdr*) (((caddr_t)ixs->iph) + (ixs->iph->ihl << 2)))->source
+			       : (ixs->iph->protocol == IPPROTO_TCP
+				  ? ((struct tcphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl << 2)))->source
+				  : 0));
+			  }
+			  if(ixs->eroute->er_eaddr.sen_dport != 0) {
+			    dst.sin_port = 
+			      (ixs->iph->protocol == IPPROTO_UDP
+			       ? ((struct udphdr*) (((caddr_t)ixs->iph) + (ixs->iph->ihl << 2)))->dest
+			       : (ixs->iph->protocol == IPPROTO_TCP
+				  ? ((struct tcphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl << 2)))->dest
+				  : 0));
+			  }
+			}
+				
+			ixs->ips.ips_addr_s = (struct sockaddr*)(&src);
+			ixs->ips.ips_addr_d = (struct sockaddr*)(&dst);
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "SADB_ACQUIRE sent with src=%s:%d, dst=%s:%d, proto=%d.\n",
+				    addrtoa(((struct sockaddr_in*)(ixs->ips.ips_addr_s))->sin_addr, 0, bufsrc, sizeof(bufsrc)) <= ADDRTOA_BUF ? bufsrc : "BAD_ADDR",
+				    ntohs(((struct sockaddr_in*)(ixs->ips.ips_addr_s))->sin_port),
+				    addrtoa(((struct sockaddr_in*)(ixs->ips.ips_addr_d))->sin_addr, 0, bufdst, sizeof(bufdst)) <= ADDRTOA_BUF ? bufdst : "BAD_ADDR",
+				    ntohs(((struct sockaddr_in*)(ixs->ips.ips_addr_d))->sin_port),
+				    ixs->ips.ips_said.proto);
+				
+			/* increment count of total traps needed */
+			ipsec_xmit_trap_count++;
+
+			if (pfkey_acquire(&ixs->ips) == 0) {
+
+				/* note that we succeeded */
+			        ipsec_xmit_trap_sendcount++;
+					
+				if (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)) {
+					/*
+					 * The spinlock is to prevent any other
+					 * process from accessing or deleting
+					 * the eroute while we are using and
+					 * updating it.
+					 */
+					spin_lock(&eroute_lock);
+					ixs->eroute = ipsec_findroute(&ixs->matcher);
+					if(ixs->eroute) {
+						ixs->eroute->er_said.spi = htonl(SPI_HOLD);
+						ixs->eroute->er_first = ixs->skb;
+						ixs->skb = NULL;
+					}
+					spin_unlock(&eroute_lock);
+				} else if (create_hold_eroute(ixs->eroute,
+							      ixs->skb,
+							      ixs->iph,
+							      ixs->eroute_pid)) {
+					ixs->skb = NULL;
+				} 
+				/* whether or not the above succeeded, we continue */
+				
+			}
+			ixs->stats->tx_dropped++;
+		}
+		default:
+			/* XXX what do we do with an unknown shunt spi? */
+			break;
+		} /* switch (ntohl(ixs->outgoing_said.spi)) */
+		return IPSEC_XMIT_STOLEN;
+	} /* if (ixs->outgoing_said.proto == IPPROTO_INT) */
+	
+	/*
+	  The spinlock is to prevent any other process from
+	  accessing or deleting the ipsec_sa hash table or any of the
+	  ipsec_sa s while we are using and updating them.
+		  
+	  This is not optimal, but was relatively straightforward
+	  at the time.  A better way to do it has been planned for
+	  more than a year, to lock the hash table and put reference
+	  counts on each ipsec_sa instead.  This is not likely to happen
+	  in KLIPS1 unless a volunteer contributes it, but will be
+	  designed into KLIPS2.
+	*/
+	spin_lock(&tdb_lock);
+
+	ixs->ipsp = ipsec_sa_getbyid(&ixs->outgoing_said);
+	ixs->sa_len = satot(&ixs->outgoing_said, 0, ixs->sa_txt, sizeof(ixs->sa_txt));
+
+	if (ixs->ipsp == NULL) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "no ipsec_sa for SA%s: outgoing packet with no SA, dropped.\n",
+			    ixs->sa_len ? ixs->sa_txt : " (error)");
+		if(ixs->stats) {
+			ixs->stats->tx_dropped++;
+		}
+		bundle_stat = IPSEC_XMIT_SAIDNOTFOUND;
+		goto cleanup;
+	}
+		
+	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+		    "klips_debug:ipsec_xmit_encap_bundle: "
+		    "found ipsec_sa -- SA:<%s%s%s> %s\n",
+		    IPS_XFORM_NAME(ixs->ipsp),
+		    ixs->sa_len ? ixs->sa_txt : " (error)");
+		
+	/*
+	 * How much headroom do we need to be able to apply
+	 * all the grouped transforms?
+	 */
+	ixs->ipsq = ixs->ipsp;	/* save the head of the ipsec_sa chain */
+	while (ixs->ipsp) {
+		ixs->sa_len = satot(&ixs->ipsp->ips_said, 0, ixs->sa_txt, sizeof(ixs->sa_txt));
+		if(ixs->sa_len == 0) {
+			strcpy(ixs->sa_txt, "(error)");
+		}
+
+		/* If it is in larval state, drop the packet, we cannot process yet. */
+		if(ixs->ipsp->ips_state == SADB_SASTATE_LARVAL) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "ipsec_sa in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
+				    IPS_XFORM_NAME(ixs->ipsp),
+				    ixs->sa_len ? ixs->sa_txt : " (error)");
+			if(ixs->stats) {
+				ixs->stats->tx_errors++;
+			}
+			bundle_stat = IPSEC_XMIT_SAIDNOTLIVE;
+			goto cleanup;
+		}
+
+		if(ixs->ipsp->ips_state == SADB_SASTATE_DEAD) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "ipsec_sa in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
+				    IPS_XFORM_NAME(ixs->ipsp),
+				    ixs->sa_len ? ixs->sa_txt : " (error)");
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_SAIDNOTLIVE;
+			goto cleanup;
+		}
+
+		/* If the replay window counter == -1, expire SA, it will roll */
+		if(ixs->ipsp->ips_replaywin && ixs->ipsp->ips_replaywin_lastseq == -1) {
+			pfkey_expire(ixs->ipsp, 1);
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: "
+				    "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
+				    IPS_XFORM_NAME(ixs->ipsp),
+				    ixs->sa_len ? ixs->sa_txt : " (error)");
+			ipsec_sa_delchain(ixs->ipsp);
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_REPLAYROLLED;
+			goto cleanup;
+		}
+
+		/*
+		 * if this is the first time we are using this SA, mark start time,
+		 * and offset hard/soft counters by "now" for later checking.
+		 */
+#if 0
+		if(ixs->ipsp->ips_life.ipl_usetime.count == 0) {
+			ixs->ipsp->ips_life.ipl_usetime.count = jiffies;
+			ixs->ipsp->ips_life.ipl_usetime.hard += jiffies;
+			ixs->ipsp->ips_life.ipl_usetime.soft += jiffies;
+		}
+#endif
+			  
+
+		if(ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_bytes, "bytes", ixs->sa_txt, 
+					ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
+		   ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_addtime, "addtime",ixs->sa_txt,
+					ipsec_life_timebased,  ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
+		   ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_usetime, "usetime",ixs->sa_txt,
+					ipsec_life_timebased,  ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
+		   ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_packets, "packets",ixs->sa_txt,
+					ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied) {
+				
+			ipsec_sa_delchain(ixs->ipsp);
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_LIFETIMEFAILED;
+			goto cleanup;
+		}
+			
+
+		ixs->headroom = ixs->tailroom = 0;
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "calling room for <%s%s%s>, SA:%s\n", 
+			    IPS_XFORM_NAME(ixs->ipsp),
+			    ixs->sa_len ? ixs->sa_txt : " (error)");
+		switch(ixs->ipsp->ips_said.proto) {
+#ifdef CONFIG_KLIPS_AH
+		case IPPROTO_AH:
+			ixs->headroom += sizeof(struct ahhdr);
+			break;
+#endif /* CONFIG_KLIPS_AH */
+#ifdef CONFIG_KLIPS_ESP
+		case IPPROTO_ESP:
+			ixt_e=ixs->ipsp->ips_alg_enc;
+			if (ixt_e) {
+				blocksize = ixt_e->ixt_common.ixt_blocksize;
+				ixs->headroom += ESP_HEADER_LEN + ixt_e->ixt_common.ixt_support.ias_ivlen/8;
+			}
+			else {
+				ixs->stats->tx_errors++;
+				bundle_stat = IPSEC_XMIT_ESP_BADALG;
+				goto cleanup;
+			}
+
+			if ((ixt_a=ixs->ipsp->ips_alg_auth)) {
+				ixs->tailroom += AHHMAC_HASHLEN;
+			} else
+			switch(ixs->ipsp->ips_authalg) {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+			case AH_MD5:
+				ixs->tailroom += AHHMAC_HASHLEN;
+				break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+			case AH_SHA:
+				ixs->tailroom += AHHMAC_HASHLEN;
+				break;
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+			case AH_NONE:
+				break;
+			default:
+				ixs->stats->tx_errors++;
+				bundle_stat = IPSEC_XMIT_AH_BADALG;
+				goto cleanup;
+			}			
+			ixs->tailroom += blocksize != 1 ?
+				((blocksize - ((ixs->pyldsz + 2) % blocksize)) % blocksize) + 2 :
+				((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+		if ((ixs->ipsp->ips_natt_type) && (!ixs->natt_type)) {
+			ixs->natt_type = ixs->ipsp->ips_natt_type;
+			ixs->natt_sport = ixs->ipsp->ips_natt_sport;
+			ixs->natt_dport = ixs->ipsp->ips_natt_dport;
+			switch (ixs->natt_type) {
+				case ESPINUDP_WITH_NON_IKE:
+					ixs->natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
+					break;
+					
+				case ESPINUDP_WITH_NON_ESP:
+					ixs->natt_head = sizeof(struct udphdr);
+					break;
+					
+				default:
+				  KLIPS_PRINT(debug_tunnel & DB_TN_CROUT
+					      , "klips_xmit: invalid nat-t type %d"
+					      , ixs->natt_type);
+				  bundle_stat = IPSEC_XMIT_ESPUDP_BADTYPE;
+				  goto cleanup;
+					      
+					break;
+			}
+			ixs->tailroom += ixs->natt_head;
+		}
+#endif
+			break;
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_IPIP
+		case IPPROTO_IPIP:
+			ixs->headroom += sizeof(struct iphdr);
+			break;
+#endif /* !CONFIG_KLIPS_IPIP */
+		case IPPROTO_COMP:
+#ifdef CONFIG_KLIPS_IPCOMP
+			/*
+			  We can't predict how much the packet will
+			  shrink without doing the actual compression.
+			  We could do it here, if we were the first
+			  encapsulation in the chain.  That might save
+			  us a skb_copy_expand, since we might fit
+			  into the existing skb then.  However, this
+			  would be a bit unclean (and this hack has
+			  bit us once), so we better not do it. After
+			  all, the skb_copy_expand is cheap in
+			  comparison to the actual compression.
+			  At least we know the packet will not grow.
+			*/
+			break;
+#endif /* CONFIG_KLIPS_IPCOMP */
+		default:
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_BADPROTO;
+			goto cleanup;
+		}
+		ixs->ipsp = ixs->ipsp->ips_onext;
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "Required head,tailroom: %d,%d\n", 
+			    ixs->headroom, ixs->tailroom);
+		ixs->max_headroom += ixs->headroom;
+		ixs->max_tailroom += ixs->tailroom;
+		ixs->pyldsz += (ixs->headroom + ixs->tailroom);
+	}
+	ixs->ipsp = ixs->ipsq;	/* restore the head of the ipsec_sa chain */
+		
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_bundle: "
+		    "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
+		    skb_headroom(ixs->skb), skb_tailroom(ixs->skb),
+		    ixs->max_headroom, ixs->max_tailroom);
+		
+	ixs->tot_headroom += ixs->max_headroom;
+	ixs->tot_tailroom += ixs->max_tailroom;
+
+	ixs->mtudiff = ixs->cur_mtu + ixs->tot_headroom + ixs->tot_tailroom - ixs->physmtu;
+
+	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+		    "klips_debug:ipsec_xmit_encap_bundle: "
+		    "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
+		    ixs->cur_mtu, ixs->physmtu,
+		    ixs->tot_headroom, ixs->tot_tailroom, ixs->mtudiff, ntohs(ixs->iph->tot_len));
+	if(ixs->mtudiff > 0) {
+		int newmtu = ixs->physmtu - (ixs->tot_headroom + ((ixs->tot_tailroom + 2) & ~7) + 5);
+
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_info:ipsec_xmit_encap_bundle: "
+			    "dev %s mtu of %d decreased by %d to %d\n",
+			    ixs->dev ? ixs->dev->name : "ifX",
+			    ixs->cur_mtu,
+			    ixs->cur_mtu - newmtu,
+			    newmtu);
+		ixs->cur_mtu = newmtu;
+
+		/* this would seem to adjust the MTU of the route as well */
+#if 0
+		ixs->skb->dst->pmtu = ixs->prv->mtu; /* RGB */
+#endif /* 0 */
+	}
+
+	/* 
+	   If the sender is doing PMTU discovery, and the
+	   packet doesn't fit within ixs->prv->mtu, notify him
+	   (unless it was an ICMP packet, or it was not the
+	   zero-offset packet) and send it anyways.
+
+	   Note: buggy firewall configuration may prevent the
+	   ICMP packet from getting back.
+	*/
+	if(sysctl_ipsec_icmp
+	   && ixs->cur_mtu < ntohs(ixs->iph->tot_len)
+	   && (ixs->iph->frag_off & __constant_htons(IP_DF)) ) {
+		int notify = ixs->iph->protocol != IPPROTO_ICMP
+			&& (ixs->iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
+			
+#ifdef IPSEC_obey_DF
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "fragmentation needed and DF set; %sdropping packet\n",
+			    notify ? "sending ICMP and " : "");
+		if (notify)
+			ICMP_SEND(ixs->skb,
+				  ICMP_DEST_UNREACH,
+				  ICMP_FRAG_NEEDED,
+				  ixs->cur_mtu,
+				  ixs->physdev);
+		ixs->stats->tx_errors++;
+		bundle_stat = IPSEC_XMIT_CANNOTFRAG;
+		goto cleanup;
+#else /* IPSEC_obey_DF */
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "fragmentation needed and DF set; %spassing packet\n",
+			    notify ? "sending ICMP and " : "");
+		if (notify)
+			ICMP_SEND(ixs->skb,
+				  ICMP_DEST_UNREACH,
+				  ICMP_FRAG_NEEDED,
+				  ixs->cur_mtu,
+				  ixs->physdev);
+#endif /* IPSEC_obey_DF */
+	}
+		
+#ifdef MSS_HACK
+	/*
+	 * If this is a transport mode TCP packet with
+	 * SYN set, determine an effective MSS based on 
+	 * AH/ESP overheads determined above.
+	 */
+	if (ixs->iph->protocol == IPPROTO_TCP 
+	    && ixs->outgoing_said.proto != IPPROTO_IPIP) {
+		struct tcphdr *tcph = ixs->skb->h.th;
+		if (tcph->syn && !tcph->ack) {
+			if(!ipsec_adjust_mss(ixs->skb, tcph, ixs->cur_mtu)) {
+				printk(KERN_WARNING
+				       "klips_warning:ipsec_xmit_encap_bundle: "
+				       "ipsec_adjust_mss() failed\n");
+				ixs->stats->tx_errors++;
+				bundle_stat = IPSEC_XMIT_MSSERR;
+				goto cleanup;
+			}
+		}
+	}
+#endif /* MSS_HACK */
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+      if ((ixs->natt_type) && (ixs->outgoing_said.proto != IPPROTO_IPIP)) {
+	      /**
+	       * NAT-Traversal and Transport Mode:
+	       *   we need to correct TCP/UDP checksum
+	       *
+	       * If we've got NAT-OA, we can fix checksum without recalculation.
+	       * If we don't we can zero udp checksum.
+	       */
+	      __u32 natt_oa = ixs->ipsp->ips_natt_oa ?
+		      ((struct sockaddr_in*)(ixs->ipsp->ips_natt_oa))->sin_addr.s_addr : 0;
+	      __u16 pkt_len = ixs->skb->tail - (unsigned char *)ixs->iph;
+	      __u16 data_len = pkt_len - (ixs->iph->ihl << 2);
+	      switch (ixs->iph->protocol) {
+		      case IPPROTO_TCP:
+			      if (data_len >= sizeof(struct tcphdr)) {
+				      struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ixs->iph+ixs->iph->ihl);
+				      if (natt_oa) {
+					      __u32 buff[2] = { ~ixs->iph->daddr, natt_oa };
+					      KLIPS_PRINT(debug_tunnel,
+						      "klips_debug:ipsec_tunnel_start_xmit: "
+						      "NAT-T & TRANSPORT: "
+						      "fix TCP checksum using NAT-OA\n");
+					      tcp->check = csum_fold(
+						      csum_partial((unsigned char *)buff, sizeof(buff),
+						      tcp->check^0xffff));
+				      }
+				      else {
+					      KLIPS_PRINT(debug_tunnel,
+						      "klips_debug:ipsec_tunnel_start_xmit: "
+						      "NAT-T & TRANSPORT: do not recalc TCP checksum\n");
+				      }
+			      }
+			      else {
+				      KLIPS_PRINT(debug_tunnel,
+					      "klips_debug:ipsec_tunnel_start_xmit: "
+					      "NAT-T & TRANSPORT: can't fix TCP checksum\n");
+			      }
+			      break;
+		      case IPPROTO_UDP:
+			      if (data_len >= sizeof(struct udphdr)) {
+				      struct udphdr *udp = (struct udphdr *)((__u32 *)ixs->iph+ixs->iph->ihl);
+				      if (udp->check == 0) {
+					      KLIPS_PRINT(debug_tunnel,
+						      "klips_debug:ipsec_tunnel_start_xmit: "
+						      "NAT-T & TRANSPORT: UDP checksum already 0\n");
+				      }
+				      else if (natt_oa) {
+					      __u32 buff[2] = { ~ixs->iph->daddr, natt_oa };
+					      KLIPS_PRINT(debug_tunnel,
+						      "klips_debug:ipsec_tunnel_start_xmit: "
+						      "NAT-T & TRANSPORT: "
+						      "fix UDP checksum using NAT-OA\n");
+					      udp->check = csum_fold(
+						      csum_partial((unsigned char *)buff, sizeof(buff),
+						      udp->check^0xffff));
+				      }
+				      else {
+					      KLIPS_PRINT(debug_tunnel,
+						      "klips_debug:ipsec_tunnel_start_xmit: "
+						      "NAT-T & TRANSPORT: zero UDP checksum\n");
+					      udp->check = 0;
+				      }
+			      }
+			      else {
+				      KLIPS_PRINT(debug_tunnel,
+					      "klips_debug:ipsec_tunnel_start_xmit: "
+					      "NAT-T & TRANSPORT: can't fix UDP checksum\n");
+			      }
+			      break;
+		      default:
+			      KLIPS_PRINT(debug_tunnel,
+				      "klips_debug:ipsec_tunnel_start_xmit: "
+				      "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
+			      break;
+	      }
+      }
+#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
+
+	if(!ixs->hard_header_stripped && ixs->hard_header_len>0) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "allocating %d bytes for hardheader.\n",
+			    ixs->hard_header_len);
+		if((ixs->saved_header = kmalloc(ixs->hard_header_len, GFP_ATOMIC)) == NULL) {
+			printk(KERN_WARNING "klips_debug:ipsec_xmit_encap_bundle: "
+			       "Failed, tried to allocate %d bytes for temp hard_header.\n", 
+			       ixs->hard_header_len);
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_ERRMEMALLOC;
+			goto cleanup;
+		}
+		{
+			int i;
+			for (i = 0; i < ixs->hard_header_len; i++) {
+				ixs->saved_header[i] = ixs->skb->data[i];
+			}
+		}
+		if(ixs->skb->len < ixs->hard_header_len) {
+			printk(KERN_WARNING "klips_error:ipsec_xmit_encap_bundle: "
+			       "tried to skb_pull hhlen=%d, %d available.  This should never happen, please report.\n",
+			       ixs->hard_header_len, (int)(ixs->skb->len));
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_ESP_PUSHPULLERR;
+			goto cleanup;
+		}
+		skb_pull(ixs->skb, ixs->hard_header_len);
+		ixs->hard_header_stripped = 1;
+			
+/*			ixs->iph = (struct iphdr *) (ixs->skb->data); */
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "head,tailroom: %d,%d after hard_header stripped.\n",
+			    skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+		KLIPS_IP_PRINT(debug_tunnel & DB_TN_CROUT, ixs->iph);
+	} else {
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "hard header already stripped.\n");
+	}
+		
+	ixs->ll_headroom = (ixs->hard_header_len + 15) & ~15;
+
+	if ((skb_headroom(ixs->skb) >= ixs->max_headroom + 2 * ixs->ll_headroom) && 
+	    (skb_tailroom(ixs->skb) >= ixs->max_tailroom)
+#ifndef NET_21
+	    && ixs->skb->free
+#endif /* !NET_21 */
+		) {
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "data fits in existing skb\n");
+	} else {
+		struct sk_buff* tskb;
+
+		if(!ixs->oskb) {
+			ixs->oskb = ixs->skb;
+		}
+
+		tskb = skb_copy_expand(ixs->skb,
+				       /* The need for 2 * link layer length here remains unexplained...RGB */
+				       ixs->max_headroom + 2 * ixs->ll_headroom,
+				       ixs->max_tailroom,
+				       GFP_ATOMIC);
+
+		if(tskb && ixs->skb->sk) {
+			skb_set_owner_w(tskb, ixs->skb->sk);
+		}
+
+		if(ixs->skb != ixs->oskb) {
+			ipsec_kfree_skb(ixs->skb);
+		}
+		ixs->skb = tskb;
+		if (!ixs->skb) {
+			printk(KERN_WARNING
+			       "klips_debug:ipsec_xmit_encap_bundle: "
+			       "Failed, tried to allocate %d head and %d tailroom\n", 
+			       ixs->max_headroom, ixs->max_tailroom);
+			ixs->stats->tx_errors++;
+			bundle_stat = IPSEC_XMIT_ERRSKBALLOC;
+			goto cleanup;
+		}
+		KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+			    "klips_debug:ipsec_xmit_encap_bundle: "
+			    "head,tailroom: %d,%d after allocation\n",
+			    skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+	}
+#ifdef CONFIG_KLIPS_DEBUG		
+	if(debug_tunnel & DB_TN_ENCAP) {
+		ipsec_print_ip(ixs->iph);
+	}
+#endif
+
+	/*
+	 * Apply grouped transforms to packet
+	 */
+	while (ixs->ipsp) {
+		enum ipsec_xmit_value encap_stat = IPSEC_XMIT_OK;
+
+		encap_stat = ipsec_xmit_encap_once(ixs);
+#ifdef CONFIG_KLIPS_DEBUG
+		if(debug_tunnel & DB_TN_ENCAP) {
+			ipsec_print_ip(ixs->iph);
+		}
+#endif
+
+		if(encap_stat != IPSEC_XMIT_OK) {
+			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+				    "klips_debug:ipsec_xmit_encap_bundle: encap_once failed: %d\n",
+				    encap_stat);
+				
+			bundle_stat = IPSEC_XMIT_ENCAPFAIL;
+			goto cleanup;
+		}
+	}
+
+	/* we are done with this SA */
+	ipsec_sa_put(ixs->ipsp); 
+
+	/* end encapsulation loop here XXX */
+ cleanup:
+	spin_unlock(&tdb_lock);
+	return bundle_stat;
+}
+
+/*
+ * $Log: ipsec_xmit.c,v $
+ * Revision 1.20.2.9  2007/07/06 17:18:43  paul
+ * Fix for authentication field on sent packets has size equals to zero when
+ * using custom auth algorithms. This is bug #811. Patch by "iamscared".
+ *
+ * Revision 1.20.2.8  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.20.2.7  2006/08/24 03:02:01  paul
+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642)
+ *
+ * Revision 1.20.2.6  2006/07/07 22:09:49  paul
+ * From: Bart Trojanowski <bart@xelerance.com>
+ * Removing a left over '#else' that split another '#if/#endif' block in two.
+ *
+ * Revision 1.20.2.5  2006/07/07 15:43:17  paul
+ * From: Bart Trojanowski <bart@xelerance.com>
+ * improved protocol detection in ipsec_print_ip() -- a debug aid.
+ *
+ * Revision 1.20.2.4  2006/04/20 16:33:07  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.20.2.3  2005/11/29 21:52:57  ken
+ * Fix for #518 MTU issues
+ *
+ * Revision 1.20.2.2  2005/11/27 21:41:03  paul
+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl"in for klips as module.
+ *
+ * Revision 1.20.2.1  2005/08/27 23:40:00  paul
+ * recommited HAVE_SOCK_SECURITY fixes for linux 2.6.13
+ *
+ * Revision 1.20  2005/07/12 15:39:27  paul
+ * include asm/uaccess.h for VERIFY_WRITE
+ *
+ * Revision 1.19  2005/05/24 01:02:35  mcr
+ * 	some refactoring/simplification of situation where alg
+ * 	is not found.
+ *
+ * Revision 1.18  2005/05/23 23:52:33  mcr
+ * 	adjust comments, add additional debugging.
+ *
+ * Revision 1.17  2005/05/23 22:57:23  mcr
+ * 	removed explicit 3DES support.
+ *
+ * Revision 1.16  2005/05/21 03:29:15  mcr
+ * 	fixed warning about unused zeroes if AH is off.
+ *
+ * Revision 1.15  2005/05/20 16:47:59  mcr
+ * 	include asm/checksum.h to get ip_fast_csum macro.
+ *
+ * Revision 1.14  2005/05/11 01:43:03  mcr
+ * 	removed "poor-man"s OOP in favour of proper C structures.
+ *
+ * Revision 1.13  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.12  2005/04/15 01:28:34  mcr
+ * 	use ipsec_dmp_block.
+ *
+ * Revision 1.11  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.10  2004/09/13 17:55:21  ken
+ * MD5* -> osMD5*
+ *
+ * Revision 1.9  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.8  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.7  2004/02/03 03:13:41  mcr
+ * 	mark invalid encapsulation states.
+ *
+ * Revision 1.6.2.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.6  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.5  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.4.4.2  2003/10/29 01:37:39  mcr
+ * 	when creating %hold from %trap, only make the %hold as
+ * 	specific as the %trap was - so if the protocol and ports
+ * 	were wildcards, then the %hold will be too.
+ *
+ * Revision 1.4.4.1  2003/09/21 13:59:56  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.4  2003/06/20 02:28:10  mcr
+ * 	misstype of variable name, not detected by module build.
+ *
+ * Revision 1.3  2003/06/20 01:42:21  mcr
+ * 	added counters to measure how many ACQUIREs we send to pluto,
+ * 	and how many are successfully sent.
+ *
+ * Revision 1.2  2003/04/03 17:38:35  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ * Normalised coding style.
+ * Simplified logic and reduced duplication of code.
+ *
+ * Revision 1.1  2003/02/12 19:31:23  rgb
+ * Refactored from ipsec_tunnel.c
+ *
+ * Local Variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/match586.S     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,357 @@
+/* match.s -- Pentium-optimized version of longest_match()
+ * Written for zlib 1.1.2
+ * Copyright (C) 1998 Brian Raiter <breadbox@muppetlabs.com>
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License.
+ */
+
+#ifndef NO_UNDERLINE
+#define	match_init	_ipcomp_match_init
+#define	longest_match	_ipcomp_longest_match
+#else
+#define match_init	ipcomp_match_init
+#define longest_match	ipcomp_longest_match
+#endif
+
+#define	MAX_MATCH	(258)
+#define	MIN_MATCH	(3)
+#define	MIN_LOOKAHEAD	(MAX_MATCH + MIN_MATCH + 1)
+#define	MAX_MATCH_8	((MAX_MATCH + 7) & ~7)
+
+/* stack frame offsets */
+
+#define	wmask			0	/* local copy of s->wmask	*/
+#define	window			4	/* local copy of s->window	*/
+#define	windowbestlen		8	/* s->window + bestlen		*/
+#define	chainlenscanend		12	/* high word: current chain len	*/
+					/* low word: last bytes sought	*/
+#define	scanstart		16	/* first two bytes of string	*/
+#define	scanalign		20	/* dword-misalignment of string	*/
+#define	nicematch		24	/* a good enough match size	*/
+#define	bestlen			28	/* size of best match so far	*/
+#define	scan			32	/* ptr to string wanting match	*/
+
+#define	LocalVarsSize		(36)
+/*	saved ebx		36 */
+/*	saved edi		40 */
+/*	saved esi		44 */
+/*	saved ebp		48 */
+/*	return address		52 */
+#define	deflatestate		56	/* the function arguments	*/
+#define	curmatch		60
+
+/* Offsets for fields in the deflate_state structure. These numbers
+ * are calculated from the definition of deflate_state, with the
+ * assumption that the compiler will dword-align the fields. (Thus,
+ * changing the definition of deflate_state could easily cause this
+ * program to crash horribly, without so much as a warning at
+ * compile time. Sigh.)
+ */
+#define	dsWSize			36
+#define	dsWMask			44
+#define	dsWindow		48
+#define	dsPrev			56
+#define	dsMatchLen		88
+#define	dsPrevMatch		92
+#define	dsStrStart		100
+#define	dsMatchStart		104
+#define	dsLookahead		108
+#define	dsPrevLen		112
+#define	dsMaxChainLen		116
+#define	dsGoodMatch		132
+#define	dsNiceMatch		136
+
+
+.file "match.S"
+
+.globl	match_init, longest_match
+
+.text
+
+/* uInt longest_match(deflate_state *deflatestate, IPos curmatch) */
+
+longest_match:
+
+/* Save registers that the compiler may be using, and adjust %esp to	*/
+/* make room for our stack frame.					*/
+
+		pushl	%ebp
+		pushl	%edi
+		pushl	%esi
+		pushl	%ebx
+		subl	$LocalVarsSize, %esp
+
+/* Retrieve the function arguments. %ecx will hold cur_match		*/
+/* throughout the entire function. %edx will hold the pointer to the	*/
+/* deflate_state structure during the function's setup (before		*/
+/* entering the main loop).						*/
+
+		movl	deflatestate(%esp), %edx
+		movl	curmatch(%esp), %ecx
+
+/* if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;	*/
+
+		movl	dsNiceMatch(%edx), %eax
+		movl	dsLookahead(%edx), %ebx
+		cmpl	%eax, %ebx
+		jl	LookaheadLess
+		movl	%eax, %ebx
+LookaheadLess:	movl	%ebx, nicematch(%esp)
+
+/* register Bytef *scan = s->window + s->strstart;			*/
+
+		movl	dsWindow(%edx), %esi
+		movl	%esi, window(%esp)
+		movl	dsStrStart(%edx), %ebp
+		lea	(%esi,%ebp), %edi
+		movl	%edi, scan(%esp)
+
+/* Determine how many bytes the scan ptr is off from being		*/
+/* dword-aligned.							*/
+
+		movl	%edi, %eax
+		negl	%eax
+		andl	$3, %eax
+		movl	%eax, scanalign(%esp)
+
+/* IPos limit = s->strstart > (IPos)MAX_DIST(s) ?			*/
+/*     s->strstart - (IPos)MAX_DIST(s) : NIL;				*/
+
+		movl	dsWSize(%edx), %eax
+		subl	$MIN_LOOKAHEAD, %eax
+		subl	%eax, %ebp
+		jg	LimitPositive
+		xorl	%ebp, %ebp
+LimitPositive:
+
+/* unsigned chain_length = s->max_chain_length;				*/
+/* if (s->prev_length >= s->good_match) {				*/
+/*     chain_length >>= 2;						*/
+/* }									*/
+
+		movl	dsPrevLen(%edx), %eax
+		movl	dsGoodMatch(%edx), %ebx
+		cmpl	%ebx, %eax
+		movl	dsMaxChainLen(%edx), %ebx
+		jl	LastMatchGood
+		shrl	$2, %ebx
+LastMatchGood:
+
+/* chainlen is decremented once beforehand so that the function can	*/
+/* use the sign flag instead of the zero flag for the exit test.	*/
+/* It is then shifted into the high word, to make room for the scanend	*/
+/* scanend value, which it will always accompany.			*/
+
+		decl	%ebx
+		shll	$16, %ebx
+
+/* int best_len = s->prev_length;					*/
+
+		movl	dsPrevLen(%edx), %eax
+		movl	%eax, bestlen(%esp)
+
+/* Store the sum of s->window + best_len in %esi locally, and in %esi.	*/
+
+		addl	%eax, %esi
+		movl	%esi, windowbestlen(%esp)
+
+/* register ush scan_start = *(ushf*)scan;				*/
+/* register ush scan_end   = *(ushf*)(scan+best_len-1);			*/
+
+		movw	(%edi), %bx
+		movw	%bx, scanstart(%esp)
+		movw	-1(%edi,%eax), %bx
+		movl	%ebx, chainlenscanend(%esp)
+
+/* Posf *prev = s->prev;						*/
+/* uInt wmask = s->w_mask;						*/
+
+		movl	dsPrev(%edx), %edi
+		movl	dsWMask(%edx), %edx
+		mov	%edx, wmask(%esp)
+
+/* Jump into the main loop.						*/
+
+		jmp	LoopEntry
+
+.balign 16
+
+/* do {
+ *     match = s->window + cur_match;
+ *     if (*(ushf*)(match+best_len-1) != scan_end ||
+ *         *(ushf*)match != scan_start) continue;
+ *     [...]
+ * } while ((cur_match = prev[cur_match & wmask]) > limit
+ *          && --chain_length != 0);
+ *
+ * Here is the inner loop of the function. The function will spend the
+ * majority of its time in this loop, and majority of that time will
+ * be spent in the first ten instructions.
+ *
+ * Within this loop:
+ * %ebx = chainlenscanend - i.e., ((chainlen << 16) | scanend)
+ * %ecx = curmatch
+ * %edx = curmatch & wmask
+ * %esi = windowbestlen - i.e., (window + bestlen)
+ * %edi = prev
+ * %ebp = limit
+ *
+ * Two optimization notes on the choice of instructions:
+ *
+ * The first instruction uses a 16-bit address, which costs an extra,
+ * unpairable cycle. This is cheaper than doing a 32-bit access and
+ * zeroing the high word, due to the 3-cycle misalignment penalty which
+ * would occur half the time. This also turns out to be cheaper than
+ * doing two separate 8-bit accesses, as the memory is so rarely in the
+ * L1 cache.
+ *
+ * The window buffer, however, apparently spends a lot of time in the
+ * cache, and so it is faster to retrieve the word at the end of the
+ * match string with two 8-bit loads. The instructions that test the
+ * word at the beginning of the match string, however, are executed
+ * much less frequently, and there it was cheaper to use 16-bit
+ * instructions, which avoided the necessity of saving off and
+ * subsequently reloading one of the other registers.
+ */
+LookupLoop:
+							/* 1 U & V  */
+		movw	(%edi,%edx,2), %cx		/* 2 U pipe */
+		movl	wmask(%esp), %edx		/* 2 V pipe */
+		cmpl	%ebp, %ecx			/* 3 U pipe */
+		jbe	LeaveNow			/* 3 V pipe */
+		subl	$0x00010000, %ebx		/* 4 U pipe */
+		js	LeaveNow			/* 4 V pipe */
+LoopEntry:	movb	-1(%esi,%ecx), %al		/* 5 U pipe */
+		andl	%ecx, %edx			/* 5 V pipe */
+		cmpb	%bl, %al			/* 6 U pipe */
+		jnz	LookupLoop			/* 6 V pipe */
+		movb	(%esi,%ecx), %ah
+		cmpb	%bh, %ah
+		jnz	LookupLoop
+		movl	window(%esp), %eax
+		movw	(%eax,%ecx), %ax
+		cmpw	scanstart(%esp), %ax
+		jnz	LookupLoop
+
+/* Store the current value of chainlen.					*/
+
+		movl	%ebx, chainlenscanend(%esp)
+
+/* Point %edi to the string under scrutiny, and %esi to the string we	*/
+/* are hoping to match it up with. In actuality, %esi and %edi are	*/
+/* both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and %edx is	*/
+/* initialized to -(MAX_MATCH_8 - scanalign).				*/
+
+		movl	window(%esp), %esi
+		movl	scan(%esp), %edi
+		addl	%ecx, %esi
+		movl	scanalign(%esp), %eax
+		movl	$(-MAX_MATCH_8), %edx
+		lea	MAX_MATCH_8(%edi,%eax), %edi
+		lea	MAX_MATCH_8(%esi,%eax), %esi
+
+/* Test the strings for equality, 8 bytes at a time. At the end,
+ * adjust %edx so that it is offset to the exact byte that mismatched.
+ *
+ * We already know at this point that the first three bytes of the
+ * strings match each other, and they can be safely passed over before
+ * starting the compare loop. So what this code does is skip over 0-3
+ * bytes, as much as necessary in order to dword-align the %edi
+ * pointer. (%esi will still be misaligned three times out of four.)
+ *
+ * It should be confessed that this loop usually does not represent
+ * much of the total running time. Replacing it with a more
+ * straightforward "rep cmpsb" would not drastically degrade
+ * performance.
+ */
+LoopCmps:
+		movl	(%esi,%edx), %eax
+		movl	(%edi,%edx), %ebx
+		xorl	%ebx, %eax
+		jnz	LeaveLoopCmps
+		movl	4(%esi,%edx), %eax
+		movl	4(%edi,%edx), %ebx
+		xorl	%ebx, %eax
+		jnz	LeaveLoopCmps4
+		addl	$8, %edx
+		jnz	LoopCmps
+		jmp	LenMaximum
+LeaveLoopCmps4:	addl	$4, %edx
+LeaveLoopCmps:	testl	$0x0000FFFF, %eax
+		jnz	LenLower
+		addl	$2, %edx
+		shrl	$16, %eax
+LenLower:	subb	$1, %al
+		adcl	$0, %edx
+
+/* Calculate the length of the match. If it is longer than MAX_MATCH,	*/
+/* then automatically accept it as the best possible match and leave.	*/
+
+		lea	(%edi,%edx), %eax
+		movl	scan(%esp), %edi
+		subl	%edi, %eax
+		cmpl	$MAX_MATCH, %eax
+		jge	LenMaximum
+
+/* If the length of the match is not longer than the best match we	*/
+/* have so far, then forget it and return to the lookup loop.		*/
+
+		movl	deflatestate(%esp), %edx
+		movl	bestlen(%esp), %ebx
+		cmpl	%ebx, %eax
+		jg	LongerMatch
+		movl	chainlenscanend(%esp), %ebx
+		movl	windowbestlen(%esp), %esi
+		movl	dsPrev(%edx), %edi
+		movl	wmask(%esp), %edx
+		andl	%ecx, %edx
+		jmp	LookupLoop
+
+/*         s->match_start = cur_match;					*/
+/*         best_len = len;						*/
+/*         if (len >= nice_match) break;				*/
+/*         scan_end = *(ushf*)(scan+best_len-1);			*/
+
+LongerMatch:	movl	nicematch(%esp), %ebx
+		movl	%eax, bestlen(%esp)
+		movl	%ecx, dsMatchStart(%edx)
+		cmpl	%ebx, %eax
+		jge	LeaveNow
+		movl	window(%esp), %esi
+		addl	%eax, %esi
+		movl	%esi, windowbestlen(%esp)
+		movl	chainlenscanend(%esp), %ebx
+		movw	-1(%edi,%eax), %bx
+		movl	dsPrev(%edx), %edi
+		movl	%ebx, chainlenscanend(%esp)
+		movl	wmask(%esp), %edx
+		andl	%ecx, %edx
+		jmp	LookupLoop
+
+/* Accept the current string, with the maximum possible length.		*/
+
+LenMaximum:	movl	deflatestate(%esp), %edx
+		movl	$MAX_MATCH, bestlen(%esp)
+		movl	%ecx, dsMatchStart(%edx)
+
+/* if ((uInt)best_len <= s->lookahead) return (uInt)best_len;		*/
+/* return s->lookahead;							*/
+
+LeaveNow:
+		movl	deflatestate(%esp), %edx
+		movl	bestlen(%esp), %ebx
+		movl	dsLookahead(%edx), %eax
+		cmpl	%eax, %ebx
+		jg	LookaheadRet
+		movl	%ebx, %eax
+LookaheadRet:
+
+/* Restore the stack and return from whence we came.			*/
+
+		addl	$LocalVarsSize, %esp
+		popl	%ebx
+		popl	%esi
+		popl	%edi
+		popl	%ebp
+match_init:	ret
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/match686.S     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,330 @@
+/* match.s -- Pentium-Pro-optimized version of longest_match()
+ * Written for zlib 1.1.2
+ * Copyright (C) 1998 Brian Raiter <breadbox@muppetlabs.com>
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License.
+ */
+
+#ifndef NO_UNDERLINE
+#define	match_init	_ipcomp_match_init
+#define	longest_match	_ipcomp_longest_match
+#else
+#define match_init	ipcomp_match_init
+#define longest_match	ipcomp_longest_match
+#endif
+
+#define	MAX_MATCH	(258)
+#define	MIN_MATCH	(3)
+#define	MIN_LOOKAHEAD	(MAX_MATCH + MIN_MATCH + 1)
+#define	MAX_MATCH_8	((MAX_MATCH + 7) & ~7)
+
+/* stack frame offsets */
+
+#define	chainlenwmask		0	/* high word: current chain len	*/
+					/* low word: s->wmask		*/
+#define	window			4	/* local copy of s->window	*/
+#define	windowbestlen		8	/* s->window + bestlen		*/
+#define	scanstart		16	/* first two bytes of string	*/
+#define	scanend			12	/* last two bytes of string	*/
+#define	scanalign		20	/* dword-misalignment of string	*/
+#define	nicematch		24	/* a good enough match size	*/
+#define	bestlen			28	/* size of best match so far	*/
+#define	scan			32	/* ptr to string wanting match	*/
+
+#define	LocalVarsSize		(36)
+/*	saved ebx		36 */
+/*	saved edi		40 */
+/*	saved esi		44 */
+/*	saved ebp		48 */
+/*	return address		52 */
+#define	deflatestate		56	/* the function arguments	*/
+#define	curmatch		60
+
+/* Offsets for fields in the deflate_state structure. These numbers
+ * are calculated from the definition of deflate_state, with the
+ * assumption that the compiler will dword-align the fields. (Thus,
+ * changing the definition of deflate_state could easily cause this
+ * program to crash horribly, without so much as a warning at
+ * compile time. Sigh.)
+ */
+#define	dsWSize			36
+#define	dsWMask			44
+#define	dsWindow		48
+#define	dsPrev			56
+#define	dsMatchLen		88
+#define	dsPrevMatch		92
+#define	dsStrStart		100
+#define	dsMatchStart		104
+#define	dsLookahead		108
+#define	dsPrevLen		112
+#define	dsMaxChainLen		116
+#define	dsGoodMatch		132
+#define	dsNiceMatch		136
+
+
+.file "match.S"
+
+.globl	match_init, longest_match
+
+.text
+
+/* uInt longest_match(deflate_state *deflatestate, IPos curmatch) */
+
+longest_match:
+
+/* Save registers that the compiler may be using, and adjust %esp to	*/
+/* make room for our stack frame.					*/
+
+		pushl	%ebp
+		pushl	%edi
+		pushl	%esi
+		pushl	%ebx
+		subl	$LocalVarsSize, %esp
+
+/* Retrieve the function arguments. %ecx will hold cur_match		*/
+/* throughout the entire function. %edx will hold the pointer to the	*/
+/* deflate_state structure during the function's setup (before		*/
+/* entering the main loop).						*/
+
+		movl	deflatestate(%esp), %edx
+		movl	curmatch(%esp), %ecx
+
+/* uInt wmask = s->w_mask;						*/
+/* unsigned chain_length = s->max_chain_length;				*/
+/* if (s->prev_length >= s->good_match) {				*/
+/*     chain_length >>= 2;						*/
+/* }									*/
+
+		movl	dsPrevLen(%edx), %eax
+		movl	dsGoodMatch(%edx), %ebx
+		cmpl	%ebx, %eax
+		movl	dsWMask(%edx), %eax
+		movl	dsMaxChainLen(%edx), %ebx
+		jl	LastMatchGood
+		shrl	$2, %ebx
+LastMatchGood:
+
+/* chainlen is decremented once beforehand so that the function can	*/
+/* use the sign flag instead of the zero flag for the exit test.	*/
+/* It is then shifted into the high word, to make room for the wmask	*/
+/* value, which it will always accompany.				*/
+
+		decl	%ebx
+		shll	$16, %ebx
+		orl	%eax, %ebx
+		movl	%ebx, chainlenwmask(%esp)
+
+/* if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;	*/
+
+		movl	dsNiceMatch(%edx), %eax
+		movl	dsLookahead(%edx), %ebx
+		cmpl	%eax, %ebx
+		jl	LookaheadLess
+		movl	%eax, %ebx
+LookaheadLess:	movl	%ebx, nicematch(%esp)
+
+/* register Bytef *scan = s->window + s->strstart;			*/
+
+		movl	dsWindow(%edx), %esi
+		movl	%esi, window(%esp)
+		movl	dsStrStart(%edx), %ebp
+		lea	(%esi,%ebp), %edi
+		movl	%edi, scan(%esp)
+
+/* Determine how many bytes the scan ptr is off from being		*/
+/* dword-aligned.							*/
+
+		movl	%edi, %eax
+		negl	%eax
+		andl	$3, %eax
+		movl	%eax, scanalign(%esp)
+
+/* IPos limit = s->strstart > (IPos)MAX_DIST(s) ?			*/
+/*     s->strstart - (IPos)MAX_DIST(s) : NIL;				*/
+
+		movl	dsWSize(%edx), %eax
+		subl	$MIN_LOOKAHEAD, %eax
+		subl	%eax, %ebp
+		jg	LimitPositive
+		xorl	%ebp, %ebp
+LimitPositive:
+
+/* int best_len = s->prev_length;					*/
+
+		movl	dsPrevLen(%edx), %eax
+		movl	%eax, bestlen(%esp)
+
+/* Store the sum of s->window + best_len in %esi locally, and in %esi.	*/
+
+		addl	%eax, %esi
+		movl	%esi, windowbestlen(%esp)
+
+/* register ush scan_start = *(ushf*)scan;				*/
+/* register ush scan_end   = *(ushf*)(scan+best_len-1);			*/
+/* Posf *prev = s->prev;						*/
+
+		movzwl	(%edi), %ebx
+		movl	%ebx, scanstart(%esp)
+		movzwl	-1(%edi,%eax), %ebx
+		movl	%ebx, scanend(%esp)
+		movl	dsPrev(%edx), %edi
+
+/* Jump into the main loop.						*/
+
+		movl	chainlenwmask(%esp), %edx
+		jmp	LoopEntry
+
+.balign 16
+
+/* do {
+ *     match = s->window + cur_match;
+ *     if (*(ushf*)(match+best_len-1) != scan_end ||
+ *         *(ushf*)match != scan_start) continue;
+ *     [...]
+ * } while ((cur_match = prev[cur_match & wmask]) > limit
+ *          && --chain_length != 0);
+ *
+ * Here is the inner loop of the function. The function will spend the
+ * majority of its time in this loop, and majority of that time will
+ * be spent in the first ten instructions.
+ *
+ * Within this loop:
+ * %ebx = scanend
+ * %ecx = curmatch
+ * %edx = chainlenwmask - i.e., ((chainlen << 16) | wmask)
+ * %esi = windowbestlen - i.e., (window + bestlen)
+ * %edi = prev
+ * %ebp = limit
+ */
+LookupLoop:
+		andl	%edx, %ecx
+		movzwl	(%edi,%ecx,2), %ecx
+		cmpl	%ebp, %ecx
+		jbe	LeaveNow
+		subl	$0x00010000, %edx
+		js	LeaveNow
+LoopEntry:	movzwl	-1(%esi,%ecx), %eax
+		cmpl	%ebx, %eax
+		jnz	LookupLoop
+		movl	window(%esp), %eax
+		movzwl	(%eax,%ecx), %eax
+		cmpl	scanstart(%esp), %eax
+		jnz	LookupLoop
+
+/* Store the current value of chainlen.					*/
+
+		movl	%edx, chainlenwmask(%esp)
+
+/* Point %edi to the string under scrutiny, and %esi to the string we	*/
+/* are hoping to match it up with. In actuality, %esi and %edi are	*/
+/* both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and %edx is	*/
+/* initialized to -(MAX_MATCH_8 - scanalign).				*/
+
+		movl	window(%esp), %esi
+		movl	scan(%esp), %edi
+		addl	%ecx, %esi
+		movl	scanalign(%esp), %eax
+		movl	$(-MAX_MATCH_8), %edx
+		lea	MAX_MATCH_8(%edi,%eax), %edi
+		lea	MAX_MATCH_8(%esi,%eax), %esi
+
+/* Test the strings for equality, 8 bytes at a time. At the end,
+ * adjust %edx so that it is offset to the exact byte that mismatched.
+ *
+ * We already know at this point that the first three bytes of the
+ * strings match each other, and they can be safely passed over before
+ * starting the compare loop. So what this code does is skip over 0-3
+ * bytes, as much as necessary in order to dword-align the %edi
+ * pointer. (%esi will still be misaligned three times out of four.)
+ *
+ * It should be confessed that this loop usually does not represent
+ * much of the total running time. Replacing it with a more
+ * straightforward "rep cmpsb" would not drastically degrade
+ * performance.
+ */
+LoopCmps:
+		movl	(%esi,%edx), %eax
+		xorl	(%edi,%edx), %eax
+		jnz	LeaveLoopCmps
+		movl	4(%esi,%edx), %eax
+		xorl	4(%edi,%edx), %eax
+		jnz	LeaveLoopCmps4
+		addl	$8, %edx
+		jnz	LoopCmps
+		jmp	LenMaximum
+LeaveLoopCmps4:	addl	$4, %edx
+LeaveLoopCmps:	testl	$0x0000FFFF, %eax
+		jnz	LenLower
+		addl	$2, %edx
+		shrl	$16, %eax
+LenLower:	subb	$1, %al
+		adcl	$0, %edx
+
+/* Calculate the length of the match. If it is longer than MAX_MATCH,	*/
+/* then automatically accept it as the best possible match and leave.	*/
+
+		lea	(%edi,%edx), %eax
+		movl	scan(%esp), %edi
+		subl	%edi, %eax
+		cmpl	$MAX_MATCH, %eax
+		jge	LenMaximum
+
+/* If the length of the match is not longer than the best match we	*/
+/* have so far, then forget it and return to the lookup loop.		*/
+
+		movl	deflatestate(%esp), %edx
+		movl	bestlen(%esp), %ebx
+		cmpl	%ebx, %eax
+		jg	LongerMatch
+		movl	windowbestlen(%esp), %esi
+		movl	dsPrev(%edx), %edi
+		movl	scanend(%esp), %ebx
+		movl	chainlenwmask(%esp), %edx
+		jmp	LookupLoop
+
+/*         s->match_start = cur_match;					*/
+/*         best_len = len;						*/
+/*         if (len >= nice_match) break;				*/
+/*         scan_end = *(ushf*)(scan+best_len-1);			*/
+
+LongerMatch:	movl	nicematch(%esp), %ebx
+		movl	%eax, bestlen(%esp)
+		movl	%ecx, dsMatchStart(%edx)
+		cmpl	%ebx, %eax
+		jge	LeaveNow
+		movl	window(%esp), %esi
+		addl	%eax, %esi
+		movl	%esi, windowbestlen(%esp)
+		movzwl	-1(%edi,%eax), %ebx
+		movl	dsPrev(%edx), %edi
+		movl	%ebx, scanend(%esp)
+		movl	chainlenwmask(%esp), %edx
+		jmp	LookupLoop
+
+/* Accept the current string, with the maximum possible length.		*/
+
+LenMaximum:	movl	deflatestate(%esp), %edx
+		movl	$MAX_MATCH, bestlen(%esp)
+		movl	%ecx, dsMatchStart(%edx)
+
+/* if ((uInt)best_len <= s->lookahead) return (uInt)best_len;		*/
+/* return s->lookahead;							*/
+
+LeaveNow:
+		movl	deflatestate(%esp), %edx
+		movl	bestlen(%esp), %ebx
+		movl	dsLookahead(%edx), %eax
+		cmpl	%eax, %ebx
+		jg	LookaheadRet
+		movl	%ebx, %eax
+LookaheadRet:
+
+/* Restore the stack and return from whence we came.			*/
+
+		addl	$LocalVarsSize, %esp
+		popl	%ebx
+		popl	%esi
+		popl	%edi
+		popl	%ebp
+match_init:	ret
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/null/ipsec_alg_null.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,145 @@
+/*
+ * ipsec_alg NULL cipher stubs
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ * 
+ * $Id: ipsec_alg_null.c,v 1.1.2.1 2006/10/11 18:14:33 paul Exp $
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ */
+#include <linux/config.h>
+#include <linux/version.h>
+
+/*	
+ *	special case: ipsec core modular with this static algo inside:
+ *	must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_NULL)
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/string.h>
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/*	Low freeswan header coupling	*/
+#include "openswan/ipsec_alg.h"
+
+#define ESP_NULL		11	/* from ipsec drafts */
+#define ESP_NULL_BLK_LEN	1
+
+MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
+static int debug_null=0;
+static int test_null=0;
+#ifdef module_param
+module_param(debug_null, int, 0600);
+module_param(test_null, int, 0600);
+#else
+MODULE_PARM(debug_null, "i");
+MODULE_PARM(test_null, "i");
+#endif
+
+typedef int null_context;
+
+struct null_eks{
+	null_context null_ctx;
+};
+static int _null_set_key(struct ipsec_alg_enc *alg, 
+			__u8 * key_e, const __u8 * key, 
+			size_t keysize) {
+	null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+	if (debug_null > 0)
+		printk(KERN_DEBUG "klips_debug:_null_set_key:"
+				"key_e=%p key=%p keysize=%d\n",
+				key_e, key, keysize);
+	*ctx = 1;
+	return 0;
+}
+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg, 
+		__u8 * key_e, __u8 * in, int ilen, const __u8 * iv, 
+		int encrypt) {
+	null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+	if (debug_null > 0)
+		printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:"
+				"key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+				key_e, in, ilen, iv, encrypt);
+	(*ctx)++;
+	return ilen;
+}
+static struct ipsec_alg_enc ipsec_alg_NULL = {
+	ixt_common: { ixt_version:	IPSEC_ALG_VERSION,
+		      ixt_refcnt:	ATOMIC_INIT(0),
+		      ixt_name: 	"null",
+		      ixt_blocksize:	ESP_NULL_BLK_LEN,
+		      ixt_support: {
+			ias_exttype:	IPSEC_ALG_TYPE_ENCRYPT,
+			ias_id: 	ESP_NULL,
+			ias_ivlen:	0,
+			ias_keyminbits:	0,
+			ias_keymaxbits:	0,
+		},
+	},
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+	ixt_module:	THIS_MODULE,
+#endif
+	ixt_e_keylen:	0,
+	ixt_e_ctx_size:	sizeof(null_context),
+	ixt_e_set_key:	_null_set_key,
+	ixt_e_cbc_encrypt:_null_cbc_encrypt,
+};
+
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_INIT_MOD( ipsec_null_init )
+#else
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_null_init )
+#endif
+{
+	int ret, test_ret;
+	ret=register_ipsec_alg_enc(&ipsec_alg_NULL);
+	printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", 
+			ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+			ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+			ipsec_alg_NULL.ixt_common.ixt_name, 
+			ret);
+	if (ret==0 && test_null) {
+		test_ret=ipsec_alg_test(
+				ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+				ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+				test_null);
+		printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n", 
+				ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+				ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+				test_ret);
+	}
+	return ret;
+}
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_null_fini )
+#else
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_null_fini )
+#endif
+{
+	unregister_ipsec_alg_enc(&ipsec_alg_NULL);
+	return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,2022 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API domain socket I/F
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2.c,v 1.97.2.12 2006/11/24 05:43:29 paul Exp $
+ */
+
+/*
+ *		Template from /usr/src/linux-2.0.36/net/unix/af_unix.c.
+ *		Hints from /usr/src/linux-2.0.36/net/ipv4/udp.c.
+ */
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/version.h>
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/kernel.h>
+
+#include "openswan/ipsec_param.h"
+
+#include <linux/major.h>
+#include <linux/signal.h>
+#include <linux/sched.h>
+#include <linux/errno.h>
+#include <linux/string.h>
+#include <linux/stat.h>
+#include <linux/socket.h>
+#include <linux/un.h>
+#include <linux/fcntl.h>
+#include <linux/termios.h>
+#include <linux/socket.h>
+#include <linux/sockios.h>
+#include <linux/net.h> /* struct socket */
+#include <linux/in.h>
+#include <linux/fs.h>
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <asm/segment.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <net/sock.h> /* struct sock */
+#include <net/protocol.h>
+/* #include <net/tcp.h> */
+#include <net/af_unix.h>
+#ifdef CONFIG_PROC_FS
+# include <linux/proc_fs.h>
+#endif /* CONFIG_PROC_FS */
+
+#include <linux/types.h>
+ 
+#include <openswan.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_kern24.h"
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_pfkey = 0;
+extern int sysctl_ipsec_debug_verbose;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+#ifndef SOCKOPS_WRAPPED
+#define SOCKOPS_WRAPPED(name) name
+#endif /* SOCKOPS_WRAPPED */
+
+#ifdef NET_26
+static rwlock_t pfkey_sock_lock = RW_LOCK_UNLOCKED;
+HLIST_HEAD(pfkey_sock_list);
+static DECLARE_WAIT_QUEUE_HEAD(pfkey_sock_wait);
+static atomic_t pfkey_sock_users = ATOMIC_INIT(0);
+#else
+struct sock *pfkey_sock_list = NULL;
+#endif
+
+struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
+
+struct socket_list *pfkey_open_sockets = NULL;
+struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1];
+
+int pfkey_msg_interp(struct sock *, struct sadb_msg *, struct sadb_msg **);
+
+DEBUG_NO_STATIC int pfkey_create(struct socket *sock, int protocol);
+DEBUG_NO_STATIC int pfkey_shutdown(struct socket *sock, int mode);
+DEBUG_NO_STATIC int pfkey_release(struct socket *sock);
+
+#ifdef NET_26
+DEBUG_NO_STATIC int pfkey_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len);
+DEBUG_NO_STATIC int pfkey_recvmsg(struct kiocb *kiocb, struct socket *sock, struct msghdr *msg
+				  , size_t size, int flags);
+#else
+DEBUG_NO_STATIC int pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, struct scm_cookie *scm);
+DEBUG_NO_STATIC int pfkey_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags, struct scm_cookie *scm);
+#endif
+
+struct net_proto_family pfkey_family_ops = {
+#ifdef NETDEV_23
+	.family	= PF_KEY,
+	.create = pfkey_create,
+#ifdef NET_26
+	.owner  = THIS_MODULE,
+#endif
+#else
+	PF_KEY,
+	pfkey_create
+#endif
+};
+
+struct proto_ops SOCKOPS_WRAPPED(pfkey_ops) = {
+#ifdef NETDEV_23
+	family:		PF_KEY,
+#ifdef NET_26
+	owner:		THIS_MODULE,
+#endif
+	release:	pfkey_release,
+	bind:		sock_no_bind,
+	connect:	sock_no_connect,
+	socketpair:	sock_no_socketpair,
+	accept:		sock_no_accept,
+	getname:	sock_no_getname,
+	poll:		datagram_poll,
+	ioctl:		sock_no_ioctl,
+	listen:		sock_no_listen,
+	shutdown:	pfkey_shutdown,
+	setsockopt:	sock_no_setsockopt,
+	getsockopt:	sock_no_getsockopt,
+	sendmsg:	pfkey_sendmsg,
+	recvmsg:	pfkey_recvmsg,
+	mmap:		sock_no_mmap,
+#else /* NETDEV_23 */
+	PF_KEY,
+	sock_no_dup,
+	pfkey_release,
+	sock_no_bind,
+	sock_no_connect,
+	sock_no_socketpair,
+	sock_no_accept,
+	sock_no_getname,
+	datagram_poll,
+	sock_no_ioctl,
+	sock_no_listen,
+	pfkey_shutdown,
+	sock_no_setsockopt,
+	sock_no_getsockopt,
+	sock_no_fcntl,
+	pfkey_sendmsg,
+	pfkey_recvmsg
+#endif /* NETDEV_23 */
+};
+
+#ifdef NETDEV_23
+#include <linux/smp_lock.h>
+SOCKOPS_WRAP(pfkey, PF_KEY);
+#endif  /* NETDEV_23 */
+
+#ifdef NET_26
+static void pfkey_sock_list_grab(void)
+{
+	write_lock_bh(&pfkey_sock_lock);
+
+	if (atomic_read(&pfkey_sock_users)) {
+		DECLARE_WAITQUEUE(wait, current);
+
+		add_wait_queue_exclusive(&pfkey_sock_wait, &wait);
+		for(;;) {
+			set_current_state(TASK_UNINTERRUPTIBLE);
+			if (atomic_read(&pfkey_sock_users) == 0)
+				break;
+			write_unlock_bh(&pfkey_sock_lock);
+			schedule();
+			write_lock_bh(&pfkey_sock_lock);
+		}
+
+		__set_current_state(TASK_RUNNING);
+		remove_wait_queue(&pfkey_sock_wait, &wait);
+	}
+}
+
+static __inline__ void pfkey_sock_list_ungrab(void)
+{
+	write_unlock_bh(&pfkey_sock_lock);
+	wake_up(&pfkey_sock_wait);
+}
+
+static __inline__ void pfkey_lock_sock_list(void)
+{
+	/* read_lock() synchronizes us to pfkey_table_grab */
+
+	read_lock(&pfkey_sock_lock);
+	atomic_inc(&pfkey_sock_users);
+	read_unlock(&pfkey_sock_lock);
+}
+
+static __inline__ void pfkey_unlock_sock_list(void)
+{
+	if (atomic_dec_and_test(&pfkey_sock_users))
+		wake_up(&pfkey_sock_wait);
+}
+#endif
+
+int
+pfkey_list_remove_socket(struct socket *socketp, struct socket_list **sockets)
+{
+	struct socket_list *socket_listp,*prev;
+
+	if(!socketp) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_remove_socket: "
+			    "NULL socketp handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	if(!sockets) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_remove_socket: "
+			    "NULL sockets list handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	socket_listp = *sockets;
+	prev = NULL;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_list_remove_socket: "
+		    "removing sock=0p%p\n",
+		    socketp);
+	
+	while(socket_listp != NULL) {
+		if(socket_listp->socketp == socketp) {
+			if(prev != NULL) {
+				prev->next = socket_listp->next;
+			} else {
+				*sockets = socket_listp->next;
+			}
+			
+			kfree((void*)socket_listp);
+			
+			break;
+		}
+		prev = socket_listp;
+		socket_listp = socket_listp->next;
+	}
+
+	return 0;
+}
+
+int
+pfkey_list_insert_socket(struct socket *socketp, struct socket_list **sockets)
+{
+	struct socket_list *socket_listp;
+
+	if(!socketp) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_socket: "
+			    "NULL socketp handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	if(!sockets) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_socket: "
+			    "NULL sockets list handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_list_insert_socket: "
+		    "allocating %lu bytes for socketp=0p%p\n",
+		    (unsigned long) sizeof(struct socket_list),
+		    socketp);
+	
+	if((socket_listp = (struct socket_list *)kmalloc(sizeof(struct socket_list), GFP_KERNEL)) == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_socket: "
+			    "memory allocation error.\n");
+		return -ENOMEM;
+	}
+	
+	socket_listp->socketp = socketp;
+	socket_listp->next = *sockets;
+	*sockets = socket_listp;
+
+	return 0;
+}
+  
+int
+pfkey_list_remove_supported(struct ipsec_alg_supported *supported, struct supported_list **supported_list)
+{
+	struct supported_list *supported_listp = *supported_list, *prev = NULL;
+	
+	if(!supported) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_remove_supported: "
+			    "NULL supported handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	if(!supported_list) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_remove_supported: "
+			    "NULL supported_list handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_list_remove_supported: "
+		    "removing supported=0p%p\n",
+		    supported);
+	
+	while(supported_listp != NULL) {
+		if(supported_listp->supportedp == supported) {
+			if(prev != NULL) {
+				prev->next = supported_listp->next;
+			} else {
+				*supported_list = supported_listp->next;
+			}
+			
+			kfree((void*)supported_listp);
+			
+			break;
+		}
+		prev = supported_listp;
+		supported_listp = supported_listp->next;
+	}
+
+	return 0;
+}
+
+int
+pfkey_list_insert_supported(struct ipsec_alg_supported *supported
+			    , struct supported_list **supported_list)
+{
+	struct supported_list *supported_listp;
+
+	if(!supported) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_supported: "
+			    "NULL supported handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	if(!supported_list) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_supported: "
+			    "NULL supported_list handed in, failed.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_list_insert_supported: "
+		    "allocating %lu bytes for incoming, supported=0p%p, supported_list=0p%p\n",
+		    (unsigned long) sizeof(struct supported_list),
+		    supported,
+		    supported_list);
+	
+	supported_listp = (struct supported_list *)kmalloc(sizeof(struct supported_list), GFP_KERNEL);
+
+	if(supported_listp == NULL)
+	{
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_list_insert_supported: "
+			    "memory allocation error.\n");
+		return -ENOMEM;
+	}
+	
+	supported_listp->supportedp = supported;
+	supported_listp->next = *supported_list;
+	*supported_list = supported_listp;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_list_insert_supported: "
+		    "outgoing, supported=0p%p, supported_list=0p%p\n",
+		    supported,
+		    supported_list);
+
+	return 0;
+}
+  
+#ifdef NET_26
+DEBUG_NO_STATIC void
+pfkey_insert_socket(struct sock *sk)
+{
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_insert_socket: "
+		    "sk=0p%p\n",
+		    sk);
+	pfkey_sock_list_grab();
+	sk_add_node(sk, &pfkey_sock_list);
+	pfkey_sock_list_ungrab();
+}
+
+DEBUG_NO_STATIC void
+pfkey_remove_socket(struct sock *sk)
+{
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_remove_socket: 0p%p\n", sk);
+	pfkey_sock_list_grab();
+	sk_del_node_init(sk);
+	pfkey_sock_list_ungrab();
+	return;
+}
+#else
+
+DEBUG_NO_STATIC void
+pfkey_insert_socket(struct sock *sk)
+{
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_insert_socket: "
+		    "sk=0p%p\n",
+		    sk);
+	cli();
+	sk->next=pfkey_sock_list;
+	pfkey_sock_list=sk;
+	sti();
+}
+DEBUG_NO_STATIC void
+pfkey_remove_socket(struct sock *sk)
+{
+	struct sock **s;
+
+	s = NULL;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_remove_socket: .\n");
+
+	cli();
+	s=&pfkey_sock_list;
+
+	while(*s!=NULL) {
+		if(*s==sk) {
+			*s=sk->next;
+			sk->next=NULL;
+			sti();
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_remove_socket: "
+				    "succeeded.\n");
+			return;
+		}
+		s=&((*s)->next);
+	}
+	sti();
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_remove_socket: "
+		    "not found.\n");
+	return;
+}
+#endif
+
+DEBUG_NO_STATIC void
+pfkey_destroy_socket(struct sock *sk)
+{
+	struct sk_buff *skb;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_destroy_socket: 0p%p\n",sk);
+	pfkey_remove_socket(sk);
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_destroy_socket: "
+		    "pfkey_remove_socket called, sk=0p%p\n",sk);
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_destroy_socket: "
+		    "sk(0p%p)->(&0p%p)receive_queue.{next=0p%p,prev=0p%p}.\n",
+		    sk,
+		    &(sk->sk_receive_queue),
+		    sk->sk_receive_queue.next,
+		    sk->sk_receive_queue.prev);
+
+	while(sk && ((skb=skb_dequeue(&(sk->sk_receive_queue)))!=NULL)) {
+#ifdef CONFIG_KLIPS_DEBUG
+		if(debug_pfkey && sysctl_ipsec_debug_verbose) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_destroy_socket: "
+				    "skb=0p%p dequeued.\n", skb);
+			printk(KERN_INFO "klips_debug:pfkey_destroy_socket: "
+			       "pfkey_skb contents:");
+			printk(" next:0p%p", skb->next);
+			printk(" prev:0p%p", skb->prev);
+			printk(" sk:0p%p", skb->sk);
+			printk(" dev:0p%p", skb->dev);
+			if(skb->dev) {
+				if(skb->dev->name) {
+					printk(" dev->name:%s", skb->dev->name);
+				} else {
+					printk(" dev->name:NULL?");
+				}
+			} else {
+				printk(" dev:NULL");
+			}
+			printk(" h:0p%p", skb->h.raw);
+			printk(" nh:0p%p", skb->nh.raw);
+			printk(" mac:0p%p", skb->mac.raw);
+			printk(" dst:0p%p", skb->dst);
+			if(sysctl_ipsec_debug_verbose) {
+				int i;
+				
+				printk(" cb");
+				for(i=0; i<48; i++) {
+					printk(":%2x", skb->cb[i]);
+				}
+			}
+			printk(" len:%d", skb->len);
+			printk(" csum:%d", skb->csum);
+#ifndef NETDEV_23
+			printk(" used:%d", skb->used);
+			printk(" is_clone:%d", skb->is_clone);
+#endif /* NETDEV_23 */
+			printk(" cloned:%d", skb->cloned);
+			printk(" pkt_type:%d", skb->pkt_type);
+			printk(" ip_summed:%d", skb->ip_summed);
+			printk(" priority:%d", skb->priority);
+			printk(" protocol:%d", skb->protocol);
+#ifdef HAVE_SOCK_SECURITY
+			printk(" security:%d", skb->security);
+#endif
+			printk(" truesize:%d", skb->truesize);
+			printk(" head:0p%p", skb->head);
+			printk(" data:0p%p", skb->data);
+			printk(" tail:0p%p", skb->tail);
+			printk(" end:0p%p", skb->end);
+			if(sysctl_ipsec_debug_verbose) {
+				unsigned char* i;
+				printk(" data");
+				for(i = skb->head; i < skb->end; i++) {
+					printk(":%2x", (unsigned char)(*(i)));
+				}
+			}
+			printk(" destructor:0p%p", skb->destructor);
+			printk("\n");
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_destroy_socket: "
+			    "skb=0p%p freed.\n",
+			    skb);
+		ipsec_kfree_skb(skb);
+	}
+
+#ifdef NET_26
+	sock_set_flag(sk, SOCK_DEAD);
+#else
+	sk->dead = 1;
+#endif
+	sk_free(sk);
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_destroy_socket: destroyed.\n");
+}
+
+int
+pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
+{
+	int error = 0;
+	struct sk_buff * skb = NULL;
+	struct sock *sk;
+
+	if(sock == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL socket passed in.\n");
+		return -EINVAL;
+	}
+
+	if(pfkey_msg == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL pfkey_msg passed in.\n");
+		return -EINVAL;
+	}
+
+	sk = sock->sk;
+
+	if(sk == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_upmsg: "
+			    "NULL sock passed in.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_upmsg: "
+		    "allocating %d bytes...\n",
+		    (int)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN));
+	if(!(skb = alloc_skb(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN, GFP_ATOMIC) )) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_upmsg: "
+			    "no buffers left to send up a message.\n");
+		return -ENOBUFS;
+	}
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_upmsg: "
+		    "...allocated at 0p%p.\n",
+		    skb);
+	
+	skb->dev = NULL;
+	
+	if(skb_tailroom(skb) < pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
+		printk(KERN_WARNING "klips_error:pfkey_upmsg: "
+		       "tried to skb_put %ld, %d available.  This should never happen, please report.\n",
+		       (unsigned long int)pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN,
+		       skb_tailroom(skb));
+		ipsec_kfree_skb(skb);
+		return -ENOBUFS;
+	}
+	skb->h.raw = skb_put(skb, pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
+	memcpy(skb->h.raw, pfkey_msg, pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
+
+	if((error = sock_queue_rcv_skb(sk, skb)) < 0) {
+		skb->sk=NULL;
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_upmsg: "
+			    "error=%d calling sock_queue_rcv_skb with skb=0p%p.\n",
+			    error,
+			    skb);
+		ipsec_kfree_skb(skb);
+		return error;
+	}
+	return error;
+}
+
+#ifdef NET_26_12_SKALLOC
+static struct proto key_proto = {
+	.name	  = "KEY",
+	.owner	  = THIS_MODULE,
+	.obj_size = sizeof(struct sock),
+	
+};
+#endif
+
+DEBUG_NO_STATIC int
+pfkey_create(struct socket *sock, int protocol)
+{
+	struct sock *sk;
+
+	if(sock == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_create: "
+			    "socket NULL.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_create: "
+		    "sock=0p%p type:%d state:%d flags:%ld protocol:%d\n",
+		    sock,
+		    sock->type,
+		    (unsigned int)(sock->state),
+		    sock->flags, protocol);
+
+	if(sock->type != SOCK_RAW) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_create: "
+			    "only SOCK_RAW supported.\n");
+		return -ESOCKTNOSUPPORT;
+	}
+
+	if(protocol != PF_KEY_V2) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_create: "
+			    "protocol not PF_KEY_V2.\n");
+		return -EPROTONOSUPPORT;
+	}
+
+	if((current->uid != 0)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_create: "
+			    "must be root to open pfkey sockets.\n");
+		return -EACCES;
+	}
+
+	sock->state = SS_UNCONNECTED;
+
+	KLIPS_INC_USE;
+
+#ifdef NET_26
+#ifdef NET_26_12_SKALLOC
+	sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, &key_proto, 1);
+#else
+	sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1, NULL);
+#endif
+#else
+	/* 2.4 interface */
+	sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1);
+#endif
+
+	if(sk == NULL)
+	{
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_create: "
+			    "Out of memory trying to allocate.\n");
+		KLIPS_DEC_USE;
+		return -ENOMEM;
+	}
+
+	sock_init_data(sock, sk);
+
+	sk->sk_destruct = NULL;
+	sk->sk_reuse = 1;
+	sock->ops = &pfkey_ops;
+
+	sk->sk_family = PF_KEY;
+/*	sk->num = protocol; */
+	sk->sk_protocol = protocol;
+	key_pid(sk) = current->pid;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_create: "
+		    "sock->fasync_list=0p%p sk->sleep=0p%p.\n",
+		    sock->fasync_list,
+		    sk->sk_sleep);
+
+	pfkey_insert_socket(sk);
+	pfkey_list_insert_socket(sock, &pfkey_open_sockets);
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_create: "
+		    "Socket sock=0p%p sk=0p%p initialised.\n", sock, sk);
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+#ifdef NETDEV_23
+pfkey_release(struct socket *sock)
+#else /* NETDEV_23 */
+pfkey_release(struct socket *sock, struct socket *peersock)
+#endif /* NETDEV_23 */
+{
+	struct sock *sk;
+	int i;
+
+	if(sock==NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_release: "
+			    "No socket attached.\n");
+		return 0; /* -EINVAL; */
+	}
+		
+	sk=sock->sk;
+	
+	/* May not have data attached */
+	if(sk==NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_release: "
+			    "No sk attached to sock=0p%p.\n", sock);
+		return 0; /* -EINVAL; */
+	}
+		
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_release: "
+		    "sock=0p%p sk=0p%p\n", sock, sk);
+
+	if(sock_flag(sk, SOCK_DEAD))
+		if(sk->sk_state_change) {
+			sk->sk_state_change(sk);
+		}
+
+	sock->sk = NULL;
+
+	/* Try to flush out this socket. Throw out buffers at least */
+	pfkey_destroy_socket(sk);
+	pfkey_list_remove_socket(sock, &pfkey_open_sockets);
+	for(i = SADB_SATYPE_UNSPEC; i <= SADB_SATYPE_MAX; i++) {
+		pfkey_list_remove_socket(sock, &(pfkey_registered_sockets[i]));
+	}
+
+	KLIPS_DEC_USE;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_release: "
+		    "succeeded.\n");
+
+	return 0;
+}
+
+DEBUG_NO_STATIC int
+pfkey_shutdown(struct socket *sock, int mode)
+{
+	struct sock *sk;
+
+	if(sock == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_shutdown: "
+			    "NULL socket passed in.\n");
+		return -EINVAL;
+	}
+
+	sk=sock->sk;
+	
+	if(sk == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_shutdown: "
+			    "No sock attached to socket.\n");
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_shutdown: "
+		    "mode=%x.\n", mode);
+	mode++;
+	
+	if(mode&SEND_SHUTDOWN) {
+		sk->sk_shutdown|=SEND_SHUTDOWN;
+		sk->sk_state_change(sk);
+	}
+
+	if(mode&RCV_SHUTDOWN) {
+		sk->sk_shutdown|=RCV_SHUTDOWN;
+		sk->sk_state_change(sk);
+	}
+	return 0;
+}
+
+/*
+ *	Send PF_KEY data down.
+ */
+		
+DEBUG_NO_STATIC int
+#ifdef NET_26
+pfkey_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
+#else
+pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, struct scm_cookie *scm)
+#endif
+{
+	struct sock *sk;
+	int error = 0;
+	struct sadb_msg *pfkey_msg = NULL, *pfkey_reply = NULL;
+	
+	if(sock == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "Null socket passed in.\n");
+		SENDERR(EINVAL);
+	}
+	
+	sk = sock->sk;
+
+	if(sk == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "Null sock passed in.\n");
+		SENDERR(EINVAL);
+	}
+	
+	if(msg == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "Null msghdr passed in.\n");
+		SENDERR(EINVAL);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_sendmsg: .\n");
+	if(sk->sk_err) {
+		error = sock_error(sk);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "sk->err is non-zero, returns %d.\n",
+			    error);
+		SENDERR(-error);
+	}
+
+	if((current->uid != 0)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "must be root to send messages to pfkey sockets.\n");
+		SENDERR(EACCES);
+	}
+
+	if(msg->msg_control)
+	{
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "can't set flags or set msg_control.\n");
+		SENDERR(EINVAL);
+	}
+		
+	if(sk->sk_shutdown & SEND_SHUTDOWN) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "shutdown.\n");
+		send_sig(SIGPIPE, current, 0);
+		SENDERR(EPIPE);
+	}
+	
+	if(len < sizeof(struct sadb_msg)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "bogus msg len of %d, too small.\n", (int)len);
+		SENDERR(EMSGSIZE);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_sendmsg: "
+		    "allocating %d bytes for downward message.\n",
+		    (int)len);
+	if((pfkey_msg = (struct sadb_msg*)kmalloc(len, GFP_KERNEL)) == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "memory allocation error.\n");
+		SENDERR(ENOBUFS);
+	}
+
+	memcpy_fromiovec((void *)pfkey_msg, msg->msg_iov, len);
+
+	if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
+		KLIPS_PRINT(1 || debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "not PF_KEY_V2 msg, found %d, should be %d.\n",
+			    pfkey_msg->sadb_msg_version,
+			    PF_KEY_V2);
+		kfree((void*)pfkey_msg);
+		return -EINVAL;
+	}
+
+	if(len != pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "bogus msg len of %d, not %d byte aligned.\n",
+			    (int)len, (int)IPSEC_PFKEYv2_ALIGN);
+		SENDERR(EMSGSIZE);
+	}
+
+#if 0
+	/* This check is questionable, since a downward message could be
+	   the result of an ACQUIRE either from kernel (PID==0) or
+	   userspace (some other PID). */
+	/* check PID */
+	if(pfkey_msg->sadb_msg_pid != current->pid) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "pid (%d) does not equal sending process pid (%d).\n",
+			    pfkey_msg->sadb_msg_pid, current->pid);
+		SENDERR(EINVAL);
+	}
+#endif
+
+	if(pfkey_msg->sadb_msg_reserved) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "reserved field must be zero, set to %d.\n",
+			    pfkey_msg->sadb_msg_reserved);
+		SENDERR(EINVAL);
+	}
+	
+	if((pfkey_msg->sadb_msg_type > SADB_MAX) || (!pfkey_msg->sadb_msg_type)){
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "msg type too large or small:%d.\n",
+			    pfkey_msg->sadb_msg_type);
+		SENDERR(EINVAL);
+	}
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_sendmsg: "
+		    "msg sent for parsing.\n");
+	
+	if((error = pfkey_msg_interp(sk, pfkey_msg, &pfkey_reply))) {
+		struct socket_list *pfkey_socketsp;
+
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
+			    "pfkey_msg_parse returns %d.\n",
+			    error);
+
+		if((pfkey_reply = (struct sadb_msg*)kmalloc(sizeof(struct sadb_msg), GFP_KERNEL)) == NULL) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_sendmsg: "
+				    "memory allocation error.\n");
+			SENDERR(ENOBUFS);
+		}
+		memcpy((void*)pfkey_reply, (void*)pfkey_msg, sizeof(struct sadb_msg));
+		pfkey_reply->sadb_msg_errno = -error;
+		pfkey_reply->sadb_msg_len = sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
+
+		for(pfkey_socketsp = pfkey_open_sockets;
+		    pfkey_socketsp;
+		    pfkey_socketsp = pfkey_socketsp->next) {
+			int error_upmsg = 0;
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
+				    "sending up error=%d message=0p%p to socket=0p%p.\n",
+				    error,
+				    pfkey_reply,
+				    pfkey_socketsp->socketp);
+			if((error_upmsg = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
+					    "sending up error message to socket=0p%p failed with error=%d.\n",
+					    pfkey_socketsp->socketp,
+					    error_upmsg);
+				/* pfkey_msg_free(&pfkey_reply); */
+				/* SENDERR(-error); */
+			}
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
+				    "sending up error message to socket=0p%p succeeded.\n",
+				    pfkey_socketsp->socketp);
+		}
+		
+		pfkey_msg_free(&pfkey_reply);
+		
+		SENDERR(-error);
+	}
+
+ errlab:
+	if (pfkey_msg) {
+		kfree((void*)pfkey_msg);
+	}
+	
+	if(error) {
+		return error;
+	} else {
+		return len;
+	}
+}
+
+/*
+ *	Receive PF_KEY data up.
+ */
+		
+DEBUG_NO_STATIC int
+#ifdef NET_26
+pfkey_recvmsg(struct kiocb *kiocb
+	      , struct socket *sock
+	      , struct msghdr *msg
+	      , size_t size
+	      , int flags)
+#else
+pfkey_recvmsg(struct socket *sock
+	      , struct msghdr *msg
+	      , int size, int flags
+	      , struct scm_cookie *scm)
+#endif
+{
+	struct sock *sk;
+	int noblock = flags & MSG_DONTWAIT;
+	struct sk_buff *skb;
+	int error;
+
+	if(sock == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null socket passed in.\n");
+		return -EINVAL;
+	}
+
+	sk = sock->sk;
+
+	if(sk == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null sock passed in for sock=0p%p.\n", sock);
+		return -EINVAL;
+	}
+
+	if(msg == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_recvmsg: "
+			    "Null msghdr passed in for sock=0p%p, sk=0p%p.\n",
+			    sock, sk);
+		return -EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+		    "klips_debug:pfkey_recvmsg: sock=0p%p sk=0p%p msg=0p%p size=%d.\n",
+		    sock, sk, msg, (int)size);
+	if(flags & ~MSG_PEEK) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "flags (%d) other than MSG_PEEK not supported.\n",
+			    flags);
+		return -EOPNOTSUPP;
+	}
+		
+	msg->msg_namelen = 0; /* sizeof(*ska); */
+		
+	if(sk->sk_err) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sendmsg: "
+			    "sk->sk_err=%d.\n", sk->sk_err);
+		return sock_error(sk);
+	}
+
+	if((skb = skb_recv_datagram(sk, flags, noblock, &error) ) == NULL) {
+                return error;
+	}
+
+	if(size > skb->len) {
+		size = skb->len;
+	}
+	else if(size <skb->len) {
+		msg->msg_flags |= MSG_TRUNC;
+	}
+
+	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, size);
+#ifdef HAVE_TSTAMP
+	sk->sk_stamp.tv_sec  = skb->tstamp.off_sec;
+	sk->sk_stamp.tv_usec = skb->tstamp.off_usec;
+#else
+        sk->sk_stamp=skb->stamp;
+#endif
+
+	skb_free_datagram(sk, skb);
+	return size;
+}
+
+#ifdef CONFIG_PROC_FS
+#ifndef PROC_FS_2325
+DEBUG_NO_STATIC
+#endif /* PROC_FS_2325 */
+int
+pfkey_get_info(char *buffer, char **start, off_t offset, int length
+#ifndef  PROC_NO_DUMMY
+, int dummy
+#endif /* !PROC_NO_DUMMY */
+)
+{
+	const int max_content = length > 0? length-1 : 0;	/* limit of useful snprintf output */
+#ifdef NET_26
+	struct hlist_node *node;
+#endif
+	off_t begin=0;
+	int len=0;
+	struct sock *sk;
+	
+#ifdef CONFIG_KLIPS_DEBUG
+	if(!sysctl_ipsec_debug_verbose) {
+#endif /* CONFIG_KLIPS_DEBUG */
+	len += ipsec_snprintf(buffer, length,
+		      "    sock   pid   socket     next     prev e n p sndbf    Flags     Type St\n");
+#ifdef CONFIG_KLIPS_DEBUG
+	} else {
+	len += ipsec_snprintf(buffer, length,
+		      "    sock   pid d    sleep   socket     next     prev e r z n p sndbf    stamp    Flags     Type St\n");
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	sk_for_each(sk, node, &pfkey_sock_list) {
+
+#ifdef CONFIG_KLIPS_DEBUG
+		if(!sysctl_ipsec_debug_verbose) {
+#endif /* CONFIG_KLIPS_DEBUG */
+		  len += ipsec_snprintf(buffer+len, length-len,
+					"%8p %5d %8p %d %d %5d %08lX %8X %2X\n",
+					sk,
+					key_pid(sk),
+					sk->sk_socket,
+					sk->sk_err,
+					sk->sk_protocol,
+					sk->sk_sndbuf,
+					sk->sk_socket->flags,
+					sk->sk_socket->type,
+					sk->sk_socket->state);
+#ifdef CONFIG_KLIPS_DEBUG
+		} else {
+		  len += ipsec_snprintf(buffer+len, length-len,
+					"%8p %5d %d %8p %8p %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
+					sk,
+					key_pid(sk),
+					sock_flag(sk, SOCK_DEAD),
+					sk->sk_sleep,
+					sk->sk_socket,
+					sk->sk_err,
+					sk->sk_reuse,
+#ifdef HAVE_SOCK_ZAPPED
+					sock_flag(sk, SOCK_ZAPPED),
+#else
+					sk->sk_zapped,
+#endif					
+					sk->sk_protocol,
+					sk->sk_sndbuf,
+					(unsigned int)sk->sk_stamp.tv_sec,
+					(unsigned int)sk->sk_stamp.tv_usec,
+					sk->sk_socket->flags,
+					sk->sk_socket->type,
+					sk->sk_socket->state);
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+		
+		if (len >= max_content) {
+			/* we've done all that can fit -- stop loop */
+			len = max_content;	/* truncate crap */
+			break;
+		} else {
+			const off_t pos = begin + len;	/* file position of end of what we've generated */
+
+			if (pos <= offset) {
+				/* all is before first interesting character:
+				 * discard, but note where we are.
+				 */
+				len = 0;
+				begin = pos;
+			}
+		}
+	}
+
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	return len - (offset - begin);
+}
+
+#ifndef PROC_FS_2325
+DEBUG_NO_STATIC
+#endif /* PROC_FS_2325 */
+int
+pfkey_supported_get_info(char *buffer, char **start, off_t offset, int length
+#ifndef  PROC_NO_DUMMY
+, int dummy
+#endif /* !PROC_NO_DUMMY */
+)
+{
+	/* limit of useful snprintf output */
+	const int max_content = length > 0? length-1 : 0;	
+	off_t begin=0;
+	int len=0;
+	int satype;
+	struct supported_list *ps;
+	
+	len += ipsec_snprintf(buffer, length,
+		      "satype exttype alg_id ivlen minbits maxbits name\n");
+	
+	for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
+		ps = pfkey_supported_list[satype];
+		while(ps) {
+			struct ipsec_alg_supported *alg = ps->supportedp;
+			unsigned char *n = alg->ias_name;
+			if(n == NULL) n = "unknown";
+
+			len += ipsec_snprintf(buffer+len, length-len,
+					      "    %2d      %2d     %2d   %3d     %3d     %3d %20s\n",
+					      satype,
+					      alg->ias_exttype,
+					      alg->ias_id,
+					      alg->ias_ivlen,
+					      alg->ias_keyminbits,
+					      alg->ias_keymaxbits,
+					      n);
+			
+			if (len >= max_content) {
+				/* we've done all that can fit -- stop loop */
+				len = max_content;	/* truncate crap */
+				break;
+			} else {
+				const off_t pos = begin + len;	/* file position of end of what we've generated */
+
+				if (pos <= offset) {
+					/* all is before first interesting character:
+					 * discard, but note where we are.
+					 */
+					len = 0;
+					begin = pos;
+				}
+			}
+
+			ps = ps->next;
+		}
+	}
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	return len - (offset - begin);
+}
+
+#ifndef PROC_FS_2325
+DEBUG_NO_STATIC
+#endif /* PROC_FS_2325 */
+int
+pfkey_registered_get_info(char *buffer, char **start, off_t offset, int length
+#ifndef  PROC_NO_DUMMY
+, int dummy
+#endif /* !PROC_NO_DUMMY */
+)
+{
+	const int max_content = length > 0? length-1 : 0;	/* limit of useful snprintf output */
+	off_t begin=0;
+	int len=0;
+	int satype;
+	struct socket_list *pfkey_sockets;
+	
+	len += ipsec_snprintf(buffer, length,
+		      "satype   socket   pid       sk\n");
+	
+	for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
+		pfkey_sockets = pfkey_registered_sockets[satype];
+		while(pfkey_sockets) {
+			len += ipsec_snprintf(buffer+len, length-len,
+				     "    %2d %8p %5d %8p\n",
+				     satype,
+				     pfkey_sockets->socketp,
+				     key_pid(pfkey_sockets->socketp->sk),
+				     pfkey_sockets->socketp->sk);
+			
+			if (len >= max_content) {
+				/* we've done all that can fit -- stop loop (could stop two) */
+				len = max_content;	/* truncate crap */
+				break;
+			} else {
+				const off_t pos = begin + len;	/* file position of end of what we've generated */
+
+				if (pos <= offset) {
+					/* all is before first interesting character:
+					 * discard, but note where we are.
+					 */
+					len = 0;
+					begin = pos;
+				}
+			}
+
+			pfkey_sockets = pfkey_sockets->next;
+		}
+	}
+	*start = buffer + (offset - begin);	/* Start of wanted data */
+	return len - (offset - begin);
+}
+
+#ifndef PROC_FS_2325
+struct proc_dir_entry proc_net_pfkey =
+{
+	0,
+	6, "pf_key",
+	S_IFREG | S_IRUGO, 1, 0, 0,
+	0, &proc_net_inode_operations,
+	pfkey_get_info
+};
+struct proc_dir_entry proc_net_pfkey_supported =
+{
+	0,
+	16, "pf_key_supported",
+	S_IFREG | S_IRUGO, 1, 0, 0,
+	0, &proc_net_inode_operations,
+	pfkey_supported_get_info
+};
+struct proc_dir_entry proc_net_pfkey_registered =
+{
+	0,
+	17, "pf_key_registered",
+	S_IFREG | S_IRUGO, 1, 0, 0,
+	0, &proc_net_inode_operations,
+	pfkey_registered_get_info
+};
+#endif /* !PROC_FS_2325 */
+#endif /* CONFIG_PROC_FS */
+
+DEBUG_NO_STATIC int
+supported_add_all(int satype, struct ipsec_alg_supported supported[], int size)
+{
+	int i;
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:init_pfkey: "
+		    "sizeof(supported_init_<satype=%d>)[%d]/sizeof(struct ipsec_alg_supported)[%d]=%d.\n",
+		    satype,
+		    size,
+		    (int)sizeof(struct ipsec_alg_supported),
+		    (int)(size/sizeof(struct ipsec_alg_supported)));
+
+	for(i = 0; i < size / sizeof(struct ipsec_alg_supported); i++) {
+
+		unsigned char *n = supported[i].ias_name;
+		if(n == NULL) n="unknown";
+
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:init_pfkey: "
+			    "i=%d inserting satype=%d exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d name=%s.\n",
+			    i,
+			    satype,
+			    supported[i].ias_exttype,
+			    supported[i].ias_id,
+			    supported[i].ias_ivlen,
+			    supported[i].ias_keyminbits,
+			    supported[i].ias_keymaxbits,
+			    n);			    
+			    
+		error |= pfkey_list_insert_supported(&(supported[i]),
+					    &(pfkey_supported_list[satype]));
+	}
+	return error;
+}
+
+DEBUG_NO_STATIC int
+supported_remove_all(int satype)
+{
+	int error = 0;
+	struct ipsec_alg_supported*supportedp;
+
+	while(pfkey_supported_list[satype]) {
+		unsigned char *n;
+		supportedp = pfkey_supported_list[satype]->supportedp;
+
+		n = supportedp->ias_name;
+		if(n == NULL) n="unknown";
+
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:init_pfkey: "
+			    "removing satype=%d exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d name=%s.\n",
+			    satype,
+			    supportedp->ias_exttype,
+			    supportedp->ias_id,
+			    supportedp->ias_ivlen,
+			    supportedp->ias_keyminbits,
+			    supportedp->ias_keymaxbits, n);
+			    
+		error |= pfkey_list_remove_supported(supportedp,
+					    &(pfkey_supported_list[satype]));
+	}
+	return error;
+}
+
+int
+pfkey_init(void)
+{
+	int error = 0;
+	int i;
+	
+	static struct ipsec_alg_supported supported_init_ah[] = {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		{SADB_EXT_SUPPORTED_AUTH, SADB_AALG_MD5HMAC, 0, 128, 128},
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		{SADB_EXT_SUPPORTED_AUTH, SADB_AALG_SHA1HMAC, 0, 160, 160}
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+	};
+	static struct ipsec_alg_supported supported_init_esp[] = {
+#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+		{SADB_EXT_SUPPORTED_AUTH, SADB_AALG_MD5HMAC, 0, 128, 128},
+#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
+#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
+		{SADB_EXT_SUPPORTED_AUTH, SADB_AALG_SHA1HMAC, 0, 160, 160},
+#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
+#ifdef CONFIG_KLIPS_ENC_3DES
+		{SADB_EXT_SUPPORTED_ENCRYPT, SADB_EALG_3DESCBC, 64, 168, 168},
+#endif /* CONFIG_KLIPS_ENC_3DES */
+	};
+	static struct ipsec_alg_supported supported_init_ipip[] = {
+		{SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+		, {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32}
+		, {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128}
+		, {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128}
+#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+	};
+#ifdef CONFIG_KLIPS_IPCOMP
+	static struct ipsec_alg_supported supported_init_ipcomp[] = {
+		{SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_CALG_DEFLATE, 0, 1, 1}
+	};
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#if 0
+        printk(KERN_INFO
+	       "klips_info:pfkey_init: "
+	       "FreeS/WAN: initialising PF_KEYv2 domain sockets.\n");
+#endif
+
+	for(i = SADB_SATYPE_UNSPEC; i <= SADB_SATYPE_MAX; i++) {
+		pfkey_registered_sockets[i] = NULL;
+		pfkey_supported_list[i] = NULL;
+	}
+
+	error |= supported_add_all(SADB_SATYPE_AH, supported_init_ah, sizeof(supported_init_ah));
+	error |= supported_add_all(SADB_SATYPE_ESP, supported_init_esp, sizeof(supported_init_esp));
+#ifdef CONFIG_KLIPS_IPCOMP
+	error |= supported_add_all(SADB_X_SATYPE_COMP, supported_init_ipcomp, sizeof(supported_init_ipcomp));
+#endif /* CONFIG_KLIPS_IPCOMP */
+	error |= supported_add_all(SADB_X_SATYPE_IPIP, supported_init_ipip, sizeof(supported_init_ipip));
+
+        error |= sock_register(&pfkey_family_ops);
+
+#ifdef CONFIG_PROC_FS
+#  ifndef PROC_FS_2325
+#    ifdef PROC_FS_21
+	error |= proc_register(proc_net, &proc_net_pfkey);
+	error |= proc_register(proc_net, &proc_net_pfkey_supported);
+	error |= proc_register(proc_net, &proc_net_pfkey_registered);
+#    else /* PROC_FS_21 */
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey);
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_supported);
+	error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_registered);
+#    endif /* PROC_FS_21 */
+#  else /* !PROC_FS_2325 */
+	proc_net_create ("pf_key", 0, pfkey_get_info);
+	proc_net_create ("pf_key_supported", 0, pfkey_supported_get_info);
+	proc_net_create ("pf_key_registered", 0, pfkey_registered_get_info);
+#  endif /* !PROC_FS_2325 */
+#endif /* CONFIG_PROC_FS */
+
+	return error;
+}
+
+int
+pfkey_cleanup(void)
+{
+	int error = 0;
+	
+        printk(KERN_INFO "klips_info:pfkey_cleanup: "
+	       "shutting down PF_KEY domain sockets.\n");
+        sock_unregister(PF_KEY);
+
+	error |= supported_remove_all(SADB_SATYPE_AH);
+	error |= supported_remove_all(SADB_SATYPE_ESP);
+#ifdef CONFIG_KLIPS_IPCOMP
+	error |= supported_remove_all(SADB_X_SATYPE_COMP);
+#endif /* CONFIG_KLIPS_IPCOMP */
+	error |= supported_remove_all(SADB_X_SATYPE_IPIP);
+
+#ifdef CONFIG_PROC_FS
+#  ifndef PROC_FS_2325
+	if (proc_net_unregister(proc_net_pfkey.low_ino) != 0)
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key\n");
+	if (proc_net_unregister(proc_net_pfkey_supported.low_ino) != 0)
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key_supported\n");
+	if (proc_net_unregister(proc_net_pfkey_registered.low_ino) != 0)
+		printk("klips_debug:pfkey_cleanup: "
+		       "cannot unregister /proc/net/pf_key_registered\n");
+#  else /* !PROC_FS_2325 */
+	proc_net_remove ("pf_key");
+	proc_net_remove ("pf_key_supported");
+	proc_net_remove ("pf_key_registered");
+#  endif /* !PROC_FS_2325 */
+#endif /* CONFIG_PROC_FS */
+
+	/* other module unloading cleanup happens here */
+	return error;
+}
+
+#ifdef MODULE
+#if 0
+int
+init_module(void)
+{
+	pfkey_init();
+	return 0;
+}
+
+void
+cleanup_module(void)
+{
+	pfkey_cleanup();
+}
+#endif /* 0 */
+#else /* MODULE */
+struct net_protocol;
+void pfkey_proto_init(struct net_protocol *pro)
+{
+	pfkey_init();
+}
+#endif /* MODULE */
+
+/*
+ * $Log: pfkey_v2.c,v $
+ * Revision 1.97.2.12  2006/11/24 05:43:29  paul
+ * kernels after 2.6.18 do not return a code from unregister_socket()
+ * backport from git 41e54a2684dc809d7952e816860ea646a3194a72
+ *
+ * Revision 1.97.2.11  2006/11/15 16:05:57  paul
+ * fix for compiling on 2.4. kernels by Matthias Haas.
+ *
+ * Revision 1.97.2.10  2006/10/10 20:43:28  paul
+ * Add family/create/owner for pfkey_family_ops. This fixes bug #671
+ *
+ * Revision 1.97.2.9  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.97.2.8  2006/07/10 15:56:11  paul
+ * Fix for bug #642 by Bart.
+ *
+ * Revision 1.97.2.7  2006/04/04 11:34:19  ken
+ * Backport SMP fixes + #ifdef cleanup from #public
+ *
+ * Revision 1.97.2.6  2006/02/15 05:00:20  paul
+ * Fix for crasher on 2.6.12+ with klips (mostly seen on redhat kernels)
+ *
+ * Revision 1.97.2.5  2005/11/22 04:11:52  ken
+ * Backport fixes for 2.6.14 kernels from HEAD
+ *
+ * Revision 1.97.2.4  2005/09/14 16:40:45  mcr
+ *    pull up of compilation on 2.4
+ *
+ * Revision 1.97.2.3  2005/09/06 02:10:03  mcr
+ *    pulled up possible SMP-related compilation fix
+ *
+ * Revision 1.97.2.2  2005/08/28 01:21:12  paul
+ * Undid Ken's gcc4 fix in version 1.94 since it breaks linking KLIPS on
+ * SMP kernels.
+ *
+ * Revision 1.97.2.1  2005/08/27 23:40:00  paul
+ * recommited HAVE_SOCK_SECURITY fixes for linux 2.6.13
+ *
+ * Revision 1.102  2005/09/14 16:37:23  mcr
+ * 	fix to compile on 2.4.
+ *
+ * Revision 1.101  2005/09/06 01:42:25  mcr
+ *    removed additional SOCKOPS_WRAPPED code
+ *
+ * Revision 1.100  2005/08/30 18:10:15  mcr
+ * 	remove SOCKOPS_WRAPPED() code, add proper locking to the
+ * 	pfkey code. (cross fingers)
+ *
+ * Revision 1.99  2005/08/28 01:53:37  paul
+ * Undid Ken's gcc4 fix in version 1.94 since it breaks linking KLIPS on SMP kernels.
+ *
+ * Revision 1.98  2005/08/27 23:07:21  paul
+ * Somewhere between 2.6.12 and 2.6.13rc7 the unused security memnber in sk_buff
+ * has been removed. This patch should fix compilation for both cases.
+ *
+ * Revision 1.97  2005/07/20 00:33:36  mcr
+ * 	fixed typo in #ifdef for SKALLOC.
+ *
+ * Revision 1.96  2005/07/19 20:02:15  mcr
+ * 	sk_alloc() interface change.
+ *
+ * Revision 1.95  2005/07/09 00:40:06  ken
+ * Fix for GCC4 - it doesn't like the potential for duplicate declaration
+ *
+ * Revision 1.94  2005/07/09 00:14:04  ken
+ * Casts for 64bit cleanliness
+ *
+ * Revision 1.93  2005/07/08 16:20:05  mcr
+ * 	fix for 2.6.12 disapperance of sk_zapped field -> sock_flags.
+ *
+ * Revision 1.92  2005/05/21 03:29:39  mcr
+ * 	fixed missing prototype definition.
+ *
+ * Revision 1.91  2005/05/11 01:43:45  mcr
+ * 	removed "poor-man"s OOP in favour of proper C structures.
+ *
+ * Revision 1.90  2005/05/02 18:42:47  mcr
+ * 	fix for cut&paste error with pfkey_v2.c "supported_name"
+ *
+ * Revision 1.89  2005/05/01 03:12:31  mcr
+ * 	print name if it is available.
+ *
+ * Revision 1.88  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.87  2005/04/15 19:57:10  mcr
+ * 	make sure that address has 0p so that it will
+ * 	sanitized.
+ *
+ * Revision 1.86  2005/04/08 18:28:36  mcr
+ * 	some minor #ifdef simplification in pursuit of a possible bug.
+ *
+ * Revision 1.85  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.84  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.83  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.82  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.81  2004/04/25 21:23:11  ken
+ * Pull in dhr's changes from FreeS/WAN 2.06
+ *
+ * Revision 1.80  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.79.4.1  2003/12/22 15:25:52  jjo
+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.79  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.78.4.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.78  2003/04/03 17:38:09  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ *
+ * Revision 1.77  2002/10/17 16:49:36  mcr
+ * 	sock->ops should reference the unwrapped options so that
+ * 	we get hacked in locking on SMP systems.
+ *
+ * Revision 1.76  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.75  2002/09/20 05:01:57  rgb
+ * Added memory allocation debugging.
+ *
+ * Revision 1.74  2002/09/19 02:42:50  mcr
+ * 	do not define the pfkey_ops function for now.
+ *
+ * Revision 1.73  2002/09/17 17:29:23  mcr
+ * 	#if 0 out some dead code - pfkey_ops is never used as written.
+ *
+ * Revision 1.72  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.71  2002/05/23 07:14:11  rgb
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.70  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.69  2002/04/24 07:36:33  mcr
+ * Moved from ./klips/net/ipsec/pfkey_v2.c,v
+ *
+ * Revision 1.68  2002/03/08 01:15:17  mcr
+ * 	put some internal structure only debug messages behind
+ * 	&& sysctl_ipsec_debug_verbose.
+ *
+ * Revision 1.67  2002/01/29 17:17:57  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.66  2002/01/29 04:00:54  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.65  2002/01/29 02:13:18  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.64  2001/11/26 09:23:51  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.61.2.1  2001/09/25 02:28:44  mcr
+ * 	cleaned up includes.
+ *
+ * Revision 1.63  2001/11/12 19:38:00  rgb
+ * Continue trying other sockets even if one fails and return only original
+ * error.
+ *
+ * Revision 1.62  2001/10/18 04:45:22  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.61  2001/09/20 15:32:59  rgb
+ * Min/max cleanup.
+ *
+ * Revision 1.60  2001/06/14 19:35:12  rgb
+ * Update copyright date.
+ *
+ * Revision 1.59  2001/06/13 15:35:48  rgb
+ * Fixed #endif comments.
+ *
+ * Revision 1.58  2001/05/04 16:37:24  rgb
+ * Remove erroneous checking of return codes for proc_net_* in 2.4.
+ *
+ * Revision 1.57  2001/05/03 19:43:36  rgb
+ * Initialise error return variable.
+ * Check error return codes in startup and shutdown.
+ * Standardise on SENDERR() macro.
+ *
+ * Revision 1.56  2001/04/21 23:05:07  rgb
+ * Define out skb->used for 2.4 kernels.
+ *
+ * Revision 1.55  2001/02/28 05:03:28  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.54  2001/02/27 22:24:55  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.53  2001/02/27 06:48:18  rgb
+ * Fixed pfkey socket unregister log message to reflect type and function.
+ *
+ * Revision 1.52  2001/02/26 22:34:38  rgb
+ * Fix error return code that was getting overwritten by the error return
+ * code of an upmsg.
+ *
+ * Revision 1.51  2001/01/30 23:42:47  rgb
+ * Allow pfkey msgs from pid other than user context required for ACQUIRE
+ * and subsequent ADD or UDATE.
+ *
+ * Revision 1.50  2001/01/23 20:22:59  rgb
+ * 2.4 fix to remove removed is_clone member.
+ *
+ * Revision 1.49  2000/11/06 04:33:47  rgb
+ * Changed non-exported functions to DEBUG_NO_STATIC.
+ *
+ * Revision 1.48  2000/09/29 19:47:41  rgb
+ * Update copyright.
+ *
+ * Revision 1.47  2000/09/22 04:23:04  rgb
+ * Added more debugging to pfkey_upmsg() call from pfkey_sendmsg() error.
+ *
+ * Revision 1.46  2000/09/21 04:20:44  rgb
+ * Fixed array size off-by-one error.  (Thanks Svenning!)
+ *
+ * Revision 1.45  2000/09/20 04:01:26  rgb
+ * Changed static functions to DEBUG_NO_STATIC for revealing function names
+ * in oopsen.
+ *
+ * Revision 1.44  2000/09/19 00:33:17  rgb
+ * 2.0 fixes.
+ *
+ * Revision 1.43  2000/09/16 01:28:13  rgb
+ * Fixed use of 0 in p format warning.
+ *
+ * Revision 1.42  2000/09/16 01:09:41  rgb
+ * Fixed debug format warning for pointers that was expecting ints.
+ *
+ * Revision 1.41  2000/09/13 15:54:00  rgb
+ * Rewrote pfkey_get_info(), added pfkey_{supported,registered}_get_info().
+ * Moved supported algos add and remove to functions.
+ *
+ * Revision 1.40  2000/09/12 18:49:28  rgb
+ * Added IPIP tunnel and IPCOMP register support.
+ *
+ * Revision 1.39  2000/09/12 03:23:49  rgb
+ * Converted #if0 debugs to sysctl.
+ * Removed debug_pfkey initialisations that prevented no_debug loading or
+ * linking.
+ *
+ * Revision 1.38  2000/09/09 06:38:02  rgb
+ * Return positive errno in pfkey_reply error message.
+ *
+ * Revision 1.37  2000/09/08 19:19:09  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Clean-up of long-unused crud...
+ * Create pfkey error message on on failure.
+ * Give pfkey_list_{insert,remove}_{socket,supported}() some error
+ * checking.
+ *
+ * Revision 1.36  2000/09/01 18:49:38  rgb
+ * Reap experimental NET_21_ bits.
+ * Turned registered sockets list into an array of one list per satype.
+ * Remove references to deprecated sklist_{insert,remove}_socket.
+ * Removed leaking socket debugging code.
+ * Removed duplicate pfkey_insert_socket in pfkey_create.
+ * Removed all references to pfkey msg->msg_name, since it is not used for
+ * pfkey.
+ * Added a supported algorithms array lists, one per satype and registered
+ * existing algorithms.
+ * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
+ * list.
+ * Only send pfkey_expire() messages to sockets registered for that satype.
+ *
+ * Revision 1.35  2000/08/24 17:03:00  rgb
+ * Corrected message size error return code for PF_KEYv2.
+ * Removed downward error prohibition.
+ *
+ * Revision 1.34  2000/08/21 16:32:26  rgb
+ * Re-formatted for cosmetic consistency and readability.
+ *
+ * Revision 1.33  2000/08/20 21:38:24  rgb
+ * Added a pfkey_reply parameter to pfkey_msg_interp(). (Momchil)
+ * Extended the upward message initiation of pfkey_sendmsg(). (Momchil)
+ *
+ * Revision 1.32  2000/07/28 14:58:31  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.31  2000/05/16 03:04:00  rgb
+ * Updates for 2.3.99pre8 from MB.
+ *
+ * Revision 1.30  2000/05/10 19:22:21  rgb
+ * Use sklist private functions for 2.3.xx compatibility.
+ *
+ * Revision 1.29  2000/03/22 16:17:03  rgb
+ * Fixed SOCKOPS_WRAPPED macro for SMP (MB).
+ *
+ * Revision 1.28  2000/02/21 19:30:45  rgb
+ * Removed references to pkt_bridged for 2.3.47 compatibility.
+ *
+ * Revision 1.27  2000/02/14 21:07:00  rgb
+ * Fixed /proc/net/pf-key legend spacing.
+ *
+ * Revision 1.26  2000/01/22 03:46:59  rgb
+ * Fixed pfkey error return mechanism so that we are able to free the
+ * local copy of the pfkey_msg, plugging a memory leak and silencing
+ * the bad object free complaints.
+ *
+ * Revision 1.25  2000/01/21 06:19:44  rgb
+ * Moved pfkey_list_remove_socket() calls to before MOD_USE_DEC_COUNT.
+ * Added debugging to pfkey_upmsg.
+ *
+ * Revision 1.24  2000/01/10 16:38:23  rgb
+ * MB fixups for 2.3.x.
+ *
+ * Revision 1.23  1999/12/09 23:22:16  rgb
+ * Added more instrumentation for debugging 2.0 socket
+ * selection/reading.
+ * Removed erroneous 2.0 wait==NULL check bug in select.
+ *
+ * Revision 1.22  1999/12/08 20:32:16  rgb
+ * Tidied up 2.0.xx support, after major pfkey work, eliminating
+ * msg->msg_name twiddling in the process, since it is not defined
+ * for PF_KEYv2.
+ *
+ * Revision 1.21  1999/12/01 22:17:19  rgb
+ * Set skb->dev to zero on new skb in case it is a reused skb.
+ * Added check for skb_put overflow and freeing to avoid upmsg on error.
+ * Added check for wrong pfkey version and freeing to avoid upmsg on
+ * error.
+ * Shut off content dumping in pfkey_destroy.
+ * Added debugging message for size of buffer allocated for upmsg.
+ *
+ * Revision 1.20  1999/11/27 12:11:00  rgb
+ * Minor clean-up, enabling quiet operation of pfkey if desired.
+ *
+ * Revision 1.19  1999/11/25 19:04:21  rgb
+ * Update proc_fs code for pfkey to use dynamic registration.
+ *
+ * Revision 1.18  1999/11/25 09:07:17  rgb
+ * Implemented SENDERR macro for propagating error codes.
+ * Fixed error return code bug.
+ *
+ * Revision 1.17  1999/11/23 23:07:20  rgb
+ * Change name of pfkey_msg_parser to pfkey_msg_interp since it no longer
+ * parses. (PJO)
+ * Sort out pfkey and freeswan headers, putting them in a library path.
+ *
+ * Revision 1.16  1999/11/20 22:00:22  rgb
+ * Moved socketlist type declarations and prototypes for shared use.
+ * Renamed reformatted and generically extended for use by other socket
+ * lists pfkey_{del,add}_open_socket to pfkey_list_{remove,insert}_socket.
+ *
+ * Revision 1.15  1999/11/18 04:15:09  rgb
+ * Make pfkey_data_ready temporarily available for 2.2.x testing.
+ * Clean up pfkey_destroy_socket() debugging statements.
+ * Add Peter Onion's code to send messages up to all listening sockets.
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ * Replaced all kernel version macros to shorter, readable form.
+ * Added CONFIG_PROC_FS compiler directives in case it is shut off.
+ *
+ * Revision 1.14  1999/11/17 16:01:00  rgb
+ * Make pfkey_data_ready temporarily available for 2.2.x testing.
+ * Clean up pfkey_destroy_socket() debugging statements.
+ * Add Peter Onion's code to send messages up to all listening sockets.
+ * Changed #include "../../../lib/freeswan.h" to #include <freeswan.h>
+ * which works due to -Ilibfreeswan in the klips/net/ipsec/Makefile.
+ *
+ * Revision 1.13  1999/10/27 19:59:51  rgb
+ * Removed af_unix comments that are no longer relevant.
+ * Added debug prink statements.
+ * Added to the /proc output in pfkey_get_info.
+ * Made most functions non-static to enable oops tracing.
+ * Re-enable skb dequeueing and freeing.
+ * Fix skb_alloc() and skb_put() size bug in pfkey_upmsg().
+ *
+ * Revision 1.12  1999/10/26 17:05:42  rgb
+ * Complete re-ordering based on proto_ops structure order.
+ * Separated out proto_ops structures for 2.0.x and 2.2.x for clarity.
+ * Simplification to use built-in socket ops where possible for 2.2.x.
+ * Add shorter macros for compiler directives to visually clean-up.
+ * Add lots of sk skb dequeueing debugging statements.
+ * Added to the /proc output in pfkey_get_info.
+ *
+ * Revision 1.11  1999/09/30 02:55:10  rgb
+ * Bogus skb detection.
+ * Fix incorrect /proc/net/ipsec-eroute printk message.
+ *
+ * Revision 1.10  1999/09/21 15:22:13  rgb
+ * Temporary fix while I figure out the right way to destroy sockets.
+ *
+ * Revision 1.9  1999/07/08 19:19:44  rgb
+ * Fix pointer format warning.
+ * Fix missing member error under 2.0.xx kernels.
+ *
+ * Revision 1.8  1999/06/13 07:24:04  rgb
+ * Add more debugging.
+ *
+ * Revision 1.7  1999/06/10 05:24:17  rgb
+ * Clarified compiler directives.
+ * Renamed variables to reduce confusion.
+ * Used sklist_*_socket() kernel functions to simplify 2.2.x socket support.
+ * Added lots of sanity checking.
+ *
+ * Revision 1.6  1999/06/03 18:59:50  rgb
+ * More updates to 2.2.x socket support.  Almost works, oops at end of call.
+ *
+ * Revision 1.5  1999/05/25 22:44:05  rgb
+ * Start fixing 2.2 sockets.
+ *
+ * Revision 1.4  1999/04/29 15:21:34  rgb
+ * Move log to the end of the file.
+ * Eliminate min/max redefinition in #include <net/tcp.h>.
+ * Correct path for pfkey #includes
+ * Standardise an error return method.
+ * Add debugging instrumentation.
+ * Move message type checking to pfkey_msg_parse().
+ * Add check for errno incorrectly set.
+ * Add check for valid PID.
+ * Add check for reserved illegally set.
+ * Add check for message out of bounds.
+ *
+ * Revision 1.3  1999/04/15 17:58:07  rgb
+ * Add RCSID labels.
+ *
+ * Revision 1.2  1999/04/15 15:37:26  rgb
+ * Forward check changes from POST1_00 branch.
+ *
+ * Revision 1.1.2.2  1999/04/13 20:37:12  rgb
+ * Header Title correction.
+ *
+ * Revision 1.1.2.1  1999/03/26 20:58:55  rgb
+ * Add pfkeyv2 support to KLIPS.
+ *
+ *
+ * RFC 2367
+ * PF_KEY_v2 Key Management API
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_build.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1581 @@
+/*
+ * RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $
+ */
+
+/*
+ *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
+ */
+
+char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $";
+
+/*
+ * Some ugly stuff to allow consistent debugging code for use in the
+ * kernel and in user space
+*/
+
+#ifdef __KERNEL__
+
+# include <linux/kernel.h>  /* for printk */
+
+# include "openswan/ipsec_kversion.h" /* for malloc switch */
+# ifdef MALLOC_SLAB
+#  include <linux/slab.h> /* kmalloc() */
+# else /* MALLOC_SLAB */
+#  include <linux/malloc.h> /* kmalloc() */
+# endif /* MALLOC_SLAB */
+# include <linux/errno.h>  /* error codes */
+# include <linux/types.h>  /* size_t */
+# include <linux/interrupt.h> /* mark_bh */
+
+# include <linux/netdevice.h>   /* struct device, and other headers */
+# include <linux/etherdevice.h> /* eth_type_trans */
+# include <linux/ip.h>          /* struct iphdr */ 
+# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#  include <linux/ipv6.h>        /* struct ipv6hdr */
+# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+
+# define MALLOC(size) kmalloc(size, GFP_ATOMIC)
+# define FREE(obj) kfree(obj)
+# include <openswan.h>
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
+# include <linux/types.h>
+# include <linux/errno.h>
+# include <malloc.h>
+# include <string.h> /* memset */
+
+# include <openswan.h>
+
+#endif /* __KERNEL__ */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#ifdef __KERNEL__
+#include "openswan/radij.h"  /* rd_nodes */
+#include "openswan/ipsec_encap.h"  /* sockaddr_encap */
+#endif /* __KERNEL__ */
+
+
+#include "openswan/ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
+#include "openswan/pfkey_debug.h"
+
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+void
+pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+	int i;
+	
+	for (i = 0; i != SADB_EXT_MAX + 1; i++) {
+		extensions[i] = NULL;
+	}
+}
+
+void
+pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+	int i;
+	
+	if(!extensions) {
+		return;
+	}
+
+	if(extensions[0]) {
+		memset(extensions[0], 0, sizeof(struct sadb_msg));
+		FREE(extensions[0]);
+		extensions[0] = NULL;
+	}
+	
+	for (i = 1; i != SADB_EXT_MAX + 1; i++) {
+		if(extensions[i]) {
+			memset(extensions[i], 0, extensions[i]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
+			FREE(extensions[i]);
+			extensions[i] = NULL;
+		}
+	}
+}
+
+void
+pfkey_msg_free(struct sadb_msg **pfkey_msg)
+{
+	if(*pfkey_msg) {
+		memset(*pfkey_msg, 0, (*pfkey_msg)->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
+		FREE(*pfkey_msg);
+		*pfkey_msg = NULL;
+	}
+}
+
+/* Default extension builders taken from the KLIPS code */
+
+int
+pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
+		    uint8_t		msg_type,
+		    uint8_t		satype,
+		    uint8_t		msg_errno,
+		    uint32_t		seq,
+		    uint32_t		pid)
+{
+	int error = 0;
+	struct sadb_msg *pfkey_msg = (struct sadb_msg *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_msg_hdr_build:\n");
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_msg_hdr_build: "
+		"on_entry &pfkey_ext=0p%p pfkey_ext=0p%p *pfkey_ext=0p%p.\n",
+		&pfkey_ext,
+		pfkey_ext,
+		*pfkey_ext);
+	/* sanity checks... */
+	if(pfkey_msg) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_hdr_build: "
+			"why is pfkey_msg already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if(!msg_type) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_hdr_build: "
+			"msg type not set, must be non-zero..\n");
+		SENDERR(EINVAL);
+	}
+
+	if(msg_type > SADB_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_hdr_build: "
+			"msg type too large:%d.\n",
+			msg_type);
+		SENDERR(EINVAL);
+	}
+
+	if(satype > SADB_SATYPE_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_hdr_build: "
+			"satype %d > max %d\n", 
+			satype, SADB_SATYPE_MAX);
+		SENDERR(EINVAL);
+	}
+
+	pfkey_msg = (struct sadb_msg*)MALLOC(sizeof(struct sadb_msg));
+	*pfkey_ext = (struct sadb_ext*)pfkey_msg;
+	
+	if(pfkey_msg == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_hdr_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_msg, 0, sizeof(struct sadb_msg));
+
+	pfkey_msg->sadb_msg_len = sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
+
+	pfkey_msg->sadb_msg_type = msg_type;
+	pfkey_msg->sadb_msg_satype = satype;
+
+	pfkey_msg->sadb_msg_version = PF_KEY_V2;
+	pfkey_msg->sadb_msg_errno = msg_errno;
+	pfkey_msg->sadb_msg_reserved = 0;
+	pfkey_msg->sadb_msg_seq = seq;
+	pfkey_msg->sadb_msg_pid = pid;
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_msg_hdr_build: "
+		"on_exit &pfkey_ext=0p%p pfkey_ext=0p%p *pfkey_ext=0p%p.\n",
+		&pfkey_ext,
+		pfkey_ext,
+		*pfkey_ext);
+errlab:
+	return error;
+}	
+
+int
+pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
+		   uint16_t			exttype,
+		   uint32_t			spi,
+		   uint8_t			replay_window,
+		   uint8_t			sa_state,
+		   uint8_t			auth,
+		   uint8_t			encrypt,
+		   uint32_t			flags,
+		   uint32_t/*IPsecSAref_t*/	ref)
+{
+	int error = 0;
+	struct sadb_sa *pfkey_sa = (struct sadb_sa *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		    "pfkey_sa_build: "
+		    "spi=%08x replay=%d sa_state=%d auth=%d encrypt=%d flags=%d\n",
+		    ntohl(spi), /* in network order */
+		    replay_window,
+		    sa_state,
+		    auth,
+		    encrypt,
+		    flags);
+	/* sanity checks... */
+	if(pfkey_sa) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"why is pfkey_sa already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if(exttype != SADB_EXT_SA &&
+	   exttype != SADB_X_EXT_SA2) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"invalid exttype=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
+	}
+
+	if(replay_window > 64) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"replay window size: %d -- must be 0 <= size <= 64\n",
+			replay_window);
+		SENDERR(EINVAL);
+	}
+
+	if(auth > SADB_AALG_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"auth=%d > SADB_AALG_MAX=%d.\n",
+			auth,
+			SADB_AALG_MAX);
+		SENDERR(EINVAL);
+	}
+
+#if SADB_EALG_MAX < 255	
+	if(encrypt > SADB_EALG_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"encrypt=%d > SADB_EALG_MAX=%d.\n",
+			encrypt,
+			SADB_EALG_MAX);
+		SENDERR(EINVAL);
+	}
+#endif
+
+	if(sa_state > SADB_SASTATE_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"sa_state=%d exceeds MAX=%d.\n",
+			sa_state,
+			SADB_SASTATE_MAX);
+		SENDERR(EINVAL);
+	}
+
+	if(sa_state == SADB_SASTATE_DEAD) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"sa_state=%d is DEAD=%d is not allowed.\n",
+			sa_state,
+			SADB_SASTATE_DEAD);
+		SENDERR(EINVAL);
+	}
+	
+	if((IPSEC_SAREF_NULL != ref) && (ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			  "pfkey_sa_build: "
+			  "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
+			  ref,
+			  IPSEC_SAREF_NULL,
+			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
+		SENDERR(EINVAL);
+	}
+	
+	pfkey_sa = (struct sadb_sa*)MALLOC(sizeof(struct sadb_sa));
+	*pfkey_ext = (struct sadb_ext*)pfkey_sa;
+
+	if(pfkey_sa == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_sa_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_sa, 0, sizeof(struct sadb_sa));
+	
+	pfkey_sa->sadb_sa_len = sizeof(*pfkey_sa) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_sa->sadb_sa_exttype = exttype;
+	pfkey_sa->sadb_sa_spi = spi;
+	pfkey_sa->sadb_sa_replay = replay_window;
+	pfkey_sa->sadb_sa_state = sa_state;
+	pfkey_sa->sadb_sa_auth = auth;
+	pfkey_sa->sadb_sa_encrypt = encrypt;
+	pfkey_sa->sadb_sa_flags = flags;
+	pfkey_sa->sadb_x_sa_ref = ref;  
+
+errlab:
+	return error;
+}	
+
+int
+pfkey_sa_build(struct sadb_ext **	pfkey_ext,
+	       uint16_t			exttype,
+	       uint32_t			spi,
+	       uint8_t			replay_window,
+	       uint8_t			sa_state,
+	       uint8_t			auth,
+	       uint8_t			encrypt,
+	       uint32_t			flags)
+{
+	return pfkey_sa_ref_build(pfkey_ext,
+			   exttype,
+			   spi,
+			   replay_window,
+			   sa_state,
+			   auth,
+			   encrypt,
+			   flags,
+			   IPSEC_SAREF_NULL);
+}
+
+int
+pfkey_lifetime_build(struct sadb_ext **	pfkey_ext,
+		     uint16_t		exttype,
+		     uint32_t		allocations,
+		     uint64_t		bytes,
+		     uint64_t		addtime,
+		     uint64_t		usetime,
+		     uint32_t		packets)
+{
+	int error = 0;
+	struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_lifetime_build:\n");
+	/* sanity checks... */
+	if(pfkey_lifetime) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_lifetime_build: "
+			"why is pfkey_lifetime already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if(exttype != SADB_EXT_LIFETIME_CURRENT &&
+	   exttype != SADB_EXT_LIFETIME_HARD &&
+	   exttype != SADB_EXT_LIFETIME_SOFT) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_lifetime_build: "
+			"invalid exttype=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
+	}
+
+	pfkey_lifetime = (struct sadb_lifetime*)MALLOC(sizeof(struct sadb_lifetime));
+	*pfkey_ext = (struct sadb_ext*) pfkey_lifetime;
+
+	if(pfkey_lifetime == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_lifetime_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_lifetime, 0, sizeof(struct sadb_lifetime));
+
+	pfkey_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_lifetime->sadb_lifetime_exttype = exttype;
+	pfkey_lifetime->sadb_lifetime_allocations = allocations;
+	pfkey_lifetime->sadb_lifetime_bytes = bytes;
+	pfkey_lifetime->sadb_lifetime_addtime = addtime;
+	pfkey_lifetime->sadb_lifetime_usetime = usetime;
+	pfkey_lifetime->sadb_x_lifetime_packets = packets;
+
+errlab:
+	return error;
+}
+
+int
+pfkey_address_build(struct sadb_ext**	pfkey_ext,
+		    uint16_t		exttype,
+		    uint8_t		proto,
+		    uint8_t		prefixlen,
+		    struct sockaddr*	address)
+{
+	int error = 0;
+	int saddr_len = 0;
+	char ipaddr_txt[ADDRTOT_BUF + 6/*extra for port number*/];
+	struct sadb_address *pfkey_address = (struct sadb_address *)*pfkey_ext;
+	
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_address_build: "
+		"exttype=%d proto=%d prefixlen=%d\n",
+		exttype,
+		proto,
+		prefixlen);
+	/* sanity checks... */
+	if(pfkey_address) {
+		ERROR("pfkey_address_build: "
+		      "why is pfkey_address already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if (!address)  {
+			ERROR("pfkey_address_build: " "address is NULL\n");
+			SENDERR(EINVAL);
+	}
+	
+	switch(exttype) {	
+	case SADB_EXT_ADDRESS_SRC:
+	case SADB_EXT_ADDRESS_DST:
+	case SADB_EXT_ADDRESS_PROXY:
+	case SADB_X_EXT_ADDRESS_DST2:
+	case SADB_X_EXT_ADDRESS_SRC_FLOW:
+	case SADB_X_EXT_ADDRESS_DST_FLOW:
+	case SADB_X_EXT_ADDRESS_SRC_MASK:
+	case SADB_X_EXT_ADDRESS_DST_MASK:
+#ifdef NAT_TRAVERSAL
+	case SADB_X_EXT_NAT_T_OA:
+#endif	
+		break;
+	default:
+		ERROR("pfkey_address_build: "
+			"unrecognised ext_type=%d.\n", 
+			exttype); 
+		SENDERR(EINVAL); 
+	}
+
+	switch(address->sa_family) {
+	case AF_INET:
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_address_build: "
+			"found address family AF_INET.\n");
+		saddr_len = sizeof(struct sockaddr_in);
+		sprintf(ipaddr_txt, "%d.%d.%d.%d:%d"
+			, (((struct sockaddr_in*)address)->sin_addr.s_addr >>  0) & 0xFF
+			, (((struct sockaddr_in*)address)->sin_addr.s_addr >>  8) & 0xFF
+			, (((struct sockaddr_in*)address)->sin_addr.s_addr >> 16) & 0xFF
+			, (((struct sockaddr_in*)address)->sin_addr.s_addr >> 24) & 0xFF
+			, ntohs(((struct sockaddr_in*)address)->sin_port));
+		break;
+	case AF_INET6:
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_address_build: "
+			"found address family AF_INET6.\n");
+		saddr_len = sizeof(struct sockaddr_in6);
+		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[0])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[1])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[2])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[3])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[4])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[5])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[6])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[7])
+			, ntohs(((struct sockaddr_in6*)address)->sin6_port));
+		break;
+	default:
+		ERROR("pfkey_address_build: "
+		      "address->sa_family=%d not supported.\n",
+		      address->sa_family);
+		SENDERR(EPFNOSUPPORT);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_address_build: "
+		"found address=%s.\n",
+		ipaddr_txt);
+	if(prefixlen != 0) {
+		ERROR("pfkey_address_build: "
+			"address prefixes not supported yet.\n");
+		SENDERR(EAFNOSUPPORT); /* not supported yet */
+	}
+
+	/* allocate some memory for the extension */
+	pfkey_address = (struct sadb_address*)
+		MALLOC(ALIGN_N(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN));
+	*pfkey_ext = (struct sadb_ext*)pfkey_address;
+
+	if(pfkey_address == NULL ) {
+		ERROR("pfkey_lifetime_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_address,
+	       0,
+	       ALIGN_N(sizeof(struct sadb_address) + saddr_len,
+		     IPSEC_PFKEYv2_ALIGN));
+	       
+	pfkey_address->sadb_address_len = DIVUP(sizeof(struct sadb_address) + saddr_len,
+						IPSEC_PFKEYv2_ALIGN);
+	
+	pfkey_address->sadb_address_exttype = exttype;
+	pfkey_address->sadb_address_proto = proto;
+	pfkey_address->sadb_address_prefixlen = prefixlen;
+	pfkey_address->sadb_address_reserved = 0;
+
+	memcpy((char*)pfkey_address + sizeof(struct sadb_address),
+	       address,
+	       saddr_len);
+
+#if 0
+	for(i = 0; i < sizeof(struct sockaddr_in) - offsetof(struct sockaddr_in, sin_zero); i++) {
+		pfkey_address_s_ska.sin_zero[i] = 0;
+	}
+#endif
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		  "pfkey_address_build: "
+		  "successful created len: %d.\n", pfkey_address->sadb_address_len);
+
+ errlab:
+	return error;
+}
+
+int
+pfkey_key_build(struct sadb_ext**	pfkey_ext,
+		uint16_t		exttype,
+		uint16_t		key_bits,
+		char*			key)
+{
+	int error = 0;
+	struct sadb_key *pfkey_key = (struct sadb_key *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_key_build:\n");
+	/* sanity checks... */
+	if(pfkey_key) {
+		ERROR("pfkey_key_build: "
+			"why is pfkey_key already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if(!key_bits) {
+		ERROR("pfkey_key_build: "
+			"key_bits is zero, it must be non-zero.\n");
+		SENDERR(EINVAL);
+	}
+
+	if( !((exttype == SADB_EXT_KEY_AUTH) || (exttype == SADB_EXT_KEY_ENCRYPT))) {
+		ERROR("pfkey_key_build: "
+			"unsupported extension type=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
+	}
+
+	pfkey_key = (struct sadb_key*)
+	  MALLOC(sizeof(struct sadb_key) +
+		 DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_key;
+
+	if(pfkey_key == NULL) {
+		ERROR("pfkey_key_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_key,
+	       0,
+	       sizeof(struct sadb_key) +
+	       DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
+	
+	pfkey_key->sadb_key_len = DIVUP(sizeof(struct sadb_key) * IPSEC_PFKEYv2_ALIGN +	key_bits,
+					64);
+	pfkey_key->sadb_key_exttype = exttype;
+	pfkey_key->sadb_key_bits = key_bits;
+	pfkey_key->sadb_key_reserved = 0;
+	memcpy((char*)pfkey_key + sizeof(struct sadb_key),
+	       key,
+	       DIVUP(key_bits, 8));
+
+errlab:
+	return error;
+}
+
+int
+pfkey_ident_build(struct sadb_ext**	pfkey_ext,
+		  uint16_t		exttype,
+		  uint16_t		ident_type,
+		  uint64_t		ident_id,
+		  uint8_t               ident_len,
+		  char*			ident_string)
+{
+	int error = 0;
+	struct sadb_ident *pfkey_ident = (struct sadb_ident *)*pfkey_ext;
+	int data_len = ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_ident_build:\n");
+	/* sanity checks... */
+	if(pfkey_ident) {
+		ERROR("pfkey_ident_build: "
+			"why is pfkey_ident already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if( ! ((exttype == SADB_EXT_IDENTITY_SRC) ||
+	       (exttype == SADB_EXT_IDENTITY_DST))) {
+		ERROR("pfkey_ident_build: "
+			"unsupported extension type=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
+	}
+
+	if((ident_type == SADB_IDENTTYPE_RESERVED)) {
+		ERROR("pfkey_ident_build: "
+			"ident_type must be non-zero.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(ident_type > SADB_IDENTTYPE_MAX) {
+		ERROR("pfkey_ident_build: "
+			"identtype=%d out of range.\n",
+			ident_type);
+		SENDERR(EINVAL);
+	}
+
+	if(((ident_type == SADB_IDENTTYPE_PREFIX) ||
+	    (ident_type == SADB_IDENTTYPE_FQDN)) &&
+	   !ident_string) {
+		ERROR("pfkey_ident_build: "
+			"string required to allocate size of extension.\n");
+		SENDERR(EINVAL);
+	}
+	
+#if 0
+	if((ident_type == SADB_IDENTTYPE_USERFQDN) ) {
+	}
+#endif
+	    
+	pfkey_ident = (struct sadb_ident*)
+	  MALLOC(ident_len * IPSEC_PFKEYv2_ALIGN);
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_ident;
+
+	if(pfkey_ident == NULL) {
+		ERROR("pfkey_ident_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_ident, 0, ident_len * IPSEC_PFKEYv2_ALIGN);
+	
+	pfkey_ident->sadb_ident_len = ident_len;
+	pfkey_ident->sadb_ident_exttype = exttype;
+	pfkey_ident->sadb_ident_type = ident_type;
+	pfkey_ident->sadb_ident_reserved = 0;
+	pfkey_ident->sadb_ident_id = ident_id;
+	memcpy((char*)pfkey_ident + sizeof(struct sadb_ident),
+	       ident_string,
+	       data_len);
+
+errlab:
+	return error;
+}
+
+int
+pfkey_sens_build(struct sadb_ext**	pfkey_ext,
+		 uint32_t		dpd,
+		 uint8_t		sens_level,
+		 uint8_t		sens_len,
+		 uint64_t*		sens_bitmap,
+		 uint8_t		integ_level,
+		 uint8_t		integ_len,
+		 uint64_t*		integ_bitmap)
+{
+	int error = 0;
+	struct sadb_sens *pfkey_sens = (struct sadb_sens *)*pfkey_ext;
+	int i;
+	uint64_t* bitmap;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_sens_build:\n");
+	/* sanity checks... */
+	if(pfkey_sens) {
+		ERROR("pfkey_sens_build: "
+			"why is pfkey_sens already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_sens_build: "
+		"Sorry, I can't build exttype=%d yet.\n",
+		(*pfkey_ext)->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+	pfkey_sens = (struct sadb_sens*)
+	  MALLOC(sizeof(struct sadb_sens) +
+		 (sens_len + integ_len) * sizeof(uint64_t));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_sens;
+
+	if(pfkey_sens == NULL) {
+		ERROR("pfkey_sens_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_sens,
+	       0,
+	       sizeof(struct sadb_sens) +
+	       (sens_len + integ_len) * sizeof(uint64_t));
+	
+	pfkey_sens->sadb_sens_len = (sizeof(struct sadb_sens) +
+		    (sens_len + integ_len) * sizeof(uint64_t)) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
+	pfkey_sens->sadb_sens_dpd = dpd;
+	pfkey_sens->sadb_sens_sens_level = sens_level;
+	pfkey_sens->sadb_sens_sens_len = sens_len;
+	pfkey_sens->sadb_sens_integ_level = integ_level;
+	pfkey_sens->sadb_sens_integ_len = integ_len;
+	pfkey_sens->sadb_sens_reserved = 0;
+
+	bitmap = (uint64_t*)((char*)pfkey_ext + sizeof(struct sadb_sens));
+	for(i = 0; i < sens_len; i++) {
+		*bitmap = sens_bitmap[i];
+		bitmap++;
+	}
+	for(i = 0; i < integ_len; i++) {
+		*bitmap = integ_bitmap[i];
+		bitmap++;
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_prop_build(struct sadb_ext**	pfkey_ext,
+		 uint8_t		replay,
+		 unsigned int		comb_num,
+		 struct sadb_comb*	comb)
+{
+	int error = 0;
+	int i;
+	struct sadb_prop *pfkey_prop = (struct sadb_prop *)*pfkey_ext;
+	struct sadb_comb *combp;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_prop_build:\n");
+	/* sanity checks... */
+	if(pfkey_prop) {
+		ERROR("pfkey_prop_build: "
+			"why is pfkey_prop already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	pfkey_prop = (struct sadb_prop*)
+	  MALLOC(sizeof(struct sadb_prop) +
+		 comb_num * sizeof(struct sadb_comb));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_prop;
+
+	if(pfkey_prop == NULL) {
+		ERROR("pfkey_prop_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_prop,
+	       0,
+	       sizeof(struct sadb_prop) +
+		    comb_num * sizeof(struct sadb_comb));
+	
+	pfkey_prop->sadb_prop_len = (sizeof(struct sadb_prop) +
+		    comb_num * sizeof(struct sadb_comb)) / IPSEC_PFKEYv2_ALIGN;
+
+	pfkey_prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
+	pfkey_prop->sadb_prop_replay = replay;
+
+	for(i=0; i<3; i++) {
+		pfkey_prop->sadb_prop_reserved[i] = 0;
+	}
+
+	combp = (struct sadb_comb*)((char*)*pfkey_ext + sizeof(struct sadb_prop));
+	for(i = 0; i < comb_num; i++) {
+		memcpy (combp, &(comb[i]), sizeof(struct sadb_comb));
+		combp++;
+	}
+
+#if 0
+  uint8_t sadb_comb_auth;
+  uint8_t sadb_comb_encrypt;
+  uint16_t sadb_comb_flags;
+  uint16_t sadb_comb_auth_minbits;
+  uint16_t sadb_comb_auth_maxbits;
+  uint16_t sadb_comb_encrypt_minbits;
+  uint16_t sadb_comb_encrypt_maxbits;
+  uint32_t sadb_comb_reserved;
+  uint32_t sadb_comb_soft_allocations;
+  uint32_t sadb_comb_hard_allocations;
+  uint64_t sadb_comb_soft_bytes;
+  uint64_t sadb_comb_hard_bytes;
+  uint64_t sadb_comb_soft_addtime;
+  uint64_t sadb_comb_hard_addtime;
+  uint64_t sadb_comb_soft_usetime;
+  uint64_t sadb_comb_hard_usetime;
+  uint32_t sadb_comb_soft_packets;
+  uint32_t sadb_comb_hard_packets;
+#endif
+errlab:
+	return error;
+}
+
+int
+pfkey_supported_build(struct sadb_ext**	pfkey_ext,
+		      uint16_t		exttype,
+		      unsigned int	alg_num,
+		      struct sadb_alg*	alg)
+{
+	int error = 0;
+	unsigned int i;
+	struct sadb_supported *pfkey_supported = (struct sadb_supported *)*pfkey_ext;
+	struct sadb_alg *pfkey_alg;
+
+	/* sanity checks... */
+	if(pfkey_supported) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_supported_build: "
+			"why is pfkey_supported already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+
+	if( !((exttype == SADB_EXT_SUPPORTED_AUTH) || (exttype == SADB_EXT_SUPPORTED_ENCRYPT))) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_supported_build: "
+			"unsupported extension type=%d.\n",
+			exttype);
+		SENDERR(EINVAL);
+	}
+
+	pfkey_supported = (struct sadb_supported*)
+	  MALLOC(sizeof(struct sadb_supported) +
+		    alg_num *
+		    sizeof(struct sadb_alg));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_supported;
+
+	if(pfkey_supported == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_supported_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_supported,
+	       0,
+	       sizeof(struct sadb_supported) +
+					       alg_num *
+					       sizeof(struct sadb_alg));
+	
+	pfkey_supported->sadb_supported_len = (sizeof(struct sadb_supported) +
+					       alg_num *
+					       sizeof(struct sadb_alg)) /
+						IPSEC_PFKEYv2_ALIGN;
+	pfkey_supported->sadb_supported_exttype = exttype;
+	pfkey_supported->sadb_supported_reserved = 0;
+
+	pfkey_alg = (struct sadb_alg*)((char*)pfkey_supported + sizeof(struct sadb_supported));
+	for(i = 0; i < alg_num; i++) {
+		memcpy (pfkey_alg, &(alg[i]), sizeof(struct sadb_alg));
+		pfkey_alg->sadb_alg_reserved = 0;
+		pfkey_alg++;
+	}
+	
+#if 0
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_supported_build: "
+		"Sorry, I can't build exttype=%d yet.\n",
+		(*pfkey_ext)->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+  uint8_t sadb_alg_id;
+  uint8_t sadb_alg_ivlen;
+  uint16_t sadb_alg_minbits;
+  uint16_t sadb_alg_maxbits;
+  uint16_t sadb_alg_reserved;
+#endif
+errlab:
+	return error;
+}
+
+int
+pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
+		     uint16_t		exttype,
+		     uint32_t		min, /* in network order */
+		     uint32_t		max) /* in network order */
+{
+	int error = 0;
+	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)*pfkey_ext;
+	
+	/* sanity checks... */
+	if(pfkey_spirange) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_spirange_build: "
+			"why is pfkey_spirange already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+        if(ntohl(max) < ntohl(min)) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_spirange_build: "
+			"minspi=%08x must be < maxspi=%08x.\n",
+			ntohl(min),
+			ntohl(max));
+                SENDERR(EINVAL);
+        }
+	
+	if(ntohl(min) <= 255) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_spirange_build: "
+			"minspi=%08x must be > 255.\n",
+			ntohl(min));
+		SENDERR(EEXIST);
+	}
+	
+	pfkey_spirange = (struct sadb_spirange*)
+	  MALLOC(sizeof(struct sadb_spirange));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_spirange;
+
+	if(pfkey_spirange == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_spirange_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_spirange,
+	       0,
+	       sizeof(struct sadb_spirange));
+	
+        pfkey_spirange->sadb_spirange_len = sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN;
+
+	pfkey_spirange->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+	pfkey_spirange->sadb_spirange_min = min;
+	pfkey_spirange->sadb_spirange_max = max;
+	pfkey_spirange->sadb_spirange_reserved = 0;
+ errlab:
+	return error;
+}
+
+int
+pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext)
+{
+	int error = 0;
+	struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)*pfkey_ext;
+
+	/* sanity checks... */
+	if(pfkey_x_kmprivate) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_kmprivate_build: "
+			"why is pfkey_x_kmprivate already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+	pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_kmprivate_build: "
+		"Sorry, I can't build exttype=%d yet.\n",
+		(*pfkey_ext)->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+	pfkey_x_kmprivate = (struct sadb_x_kmprivate*)
+	  MALLOC(sizeof(struct sadb_x_kmprivate));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_x_kmprivate;
+
+	if(pfkey_x_kmprivate == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_kmprivate_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_x_kmprivate,
+	       0,
+	       sizeof(struct sadb_x_kmprivate));
+	
+        pfkey_x_kmprivate->sadb_x_kmprivate_len =
+		sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN;
+
+        pfkey_x_kmprivate->sadb_x_kmprivate_exttype = SADB_X_EXT_KMPRIVATE;
+        pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
+errlab:
+	return error;
+}
+
+int
+pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
+		     uint8_t		satype)
+{
+	int error = 0;
+	int i;
+	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_satype_build:\n");
+	/* sanity checks... */
+	if(pfkey_x_satype) {
+		ERROR("pfkey_x_satype_build: "
+			"why is pfkey_x_satype already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+	if(!satype) {
+		ERROR("pfkey_x_satype_build: "
+			"SA type not set, must be non-zero.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(satype > SADB_SATYPE_MAX) {
+		ERROR("pfkey_x_satype_build: "
+			"satype %d > max %d\n", 
+			satype, SADB_SATYPE_MAX);
+		SENDERR(EINVAL);
+	}
+
+	pfkey_x_satype = (struct sadb_x_satype*)
+	  MALLOC(sizeof(struct sadb_x_satype));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_x_satype;
+	if(pfkey_x_satype == NULL) {
+		ERROR("pfkey_x_satype_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	memset(pfkey_x_satype,
+	       0,
+	       sizeof(struct sadb_x_satype));
+	
+        pfkey_x_satype->sadb_x_satype_len = sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN;
+
+	pfkey_x_satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
+	pfkey_x_satype->sadb_x_satype_satype = satype;
+	for(i=0; i<3; i++) {
+		pfkey_x_satype->sadb_x_satype_reserved[i] = 0;
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
+		    uint32_t            tunnel,
+		    uint32_t		netlink,
+		    uint32_t		xform,
+		    uint32_t		eroute,
+		    uint32_t		spi,
+		    uint32_t		radij,
+		    uint32_t		esp,
+		    uint32_t		ah,
+		    uint32_t		rcv,
+		    uint32_t            pfkey,
+		    uint32_t            ipcomp,
+		    uint32_t            verbose)
+{
+	int error = 0;
+	int i;
+	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_debug_build:\n");
+	/* sanity checks... */
+	if(pfkey_x_debug) {
+		ERROR("pfkey_x_debug_build: "
+			"why is pfkey_x_debug already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_debug_build: "
+		"tunnel=%x netlink=%x xform=%x eroute=%x spi=%x radij=%x esp=%x ah=%x rcv=%x pfkey=%x ipcomp=%x verbose=%x?\n",
+		tunnel, netlink, xform, eroute, spi, radij, esp, ah, rcv, pfkey, ipcomp, verbose);
+
+	pfkey_x_debug = (struct sadb_x_debug*)
+	  MALLOC(sizeof(struct sadb_x_debug));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_x_debug;
+
+	if(pfkey_x_debug == NULL) {
+		ERROR("pfkey_x_debug_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+#if 0
+	memset(pfkey_x_debug,
+	       0,
+	       sizeof(struct sadb_x_debug));
+#endif
+	
+        pfkey_x_debug->sadb_x_debug_len = sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_x_debug->sadb_x_debug_exttype = SADB_X_EXT_DEBUG;
+
+	pfkey_x_debug->sadb_x_debug_tunnel = tunnel;
+	pfkey_x_debug->sadb_x_debug_netlink = netlink;
+	pfkey_x_debug->sadb_x_debug_xform = xform;
+	pfkey_x_debug->sadb_x_debug_eroute = eroute;
+	pfkey_x_debug->sadb_x_debug_spi = spi;
+	pfkey_x_debug->sadb_x_debug_radij = radij;
+	pfkey_x_debug->sadb_x_debug_esp = esp;
+	pfkey_x_debug->sadb_x_debug_ah = ah;
+	pfkey_x_debug->sadb_x_debug_rcv = rcv;
+	pfkey_x_debug->sadb_x_debug_pfkey = pfkey;
+	pfkey_x_debug->sadb_x_debug_ipcomp = ipcomp;
+	pfkey_x_debug->sadb_x_debug_verbose = verbose;
+
+	for(i=0; i<4; i++) {
+		pfkey_x_debug->sadb_x_debug_reserved[i] = 0;
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_x_nat_t_type_build(struct sadb_ext**	pfkey_ext,
+			 uint8_t         type)
+{
+	int error = 0;
+	int i;
+	struct sadb_x_nat_t_type *pfkey_x_nat_t_type = (struct sadb_x_nat_t_type *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_nat_t_type_build:\n");
+	/* sanity checks... */
+	if(pfkey_x_nat_t_type) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_nat_t_type_build: "
+			"why is pfkey_x_nat_t_type already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_nat_t_type_build: "
+		"type=%d\n", type);
+
+	pfkey_x_nat_t_type = (struct sadb_x_nat_t_type*)
+	  MALLOC(sizeof(struct sadb_x_nat_t_type));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_x_nat_t_type;
+
+	if(pfkey_x_nat_t_type == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_nat_t_type_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	
+	pfkey_x_nat_t_type->sadb_x_nat_t_type_len = sizeof(struct sadb_x_nat_t_type) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_x_nat_t_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+	pfkey_x_nat_t_type->sadb_x_nat_t_type_type = type;
+	for(i=0; i<3; i++) {
+		pfkey_x_nat_t_type->sadb_x_nat_t_type_reserved[i] = 0;
+	}
+
+errlab:
+	return error;
+}
+int
+pfkey_x_nat_t_port_build(struct sadb_ext**	pfkey_ext,
+		    uint16_t         exttype,
+		    uint16_t         port)
+{
+	int error = 0;
+	struct sadb_x_nat_t_port *pfkey_x_nat_t_port = (struct sadb_x_nat_t_port *)*pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_nat_t_port_build:\n");
+	/* sanity checks... */
+	if(pfkey_x_nat_t_port) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_nat_t_port_build: "
+			"why is pfkey_x_nat_t_port already pointing to something?\n");
+		SENDERR(EINVAL);
+	}
+	
+	switch(exttype) {	
+	case SADB_X_EXT_NAT_T_SPORT:
+	case SADB_X_EXT_NAT_T_DPORT:
+		break;
+	default:
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_nat_t_port_build: "
+			"unrecognised ext_type=%d.\n", 
+			exttype); 
+		SENDERR(EINVAL); 
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_x_nat_t_port_build: "
+		"ext=%d, port=%d\n", exttype, port);
+
+	pfkey_x_nat_t_port = (struct sadb_x_nat_t_port*)
+	  MALLOC(sizeof(struct sadb_x_nat_t_port));
+
+	*pfkey_ext = (struct sadb_ext*)pfkey_x_nat_t_port;
+
+	if(pfkey_x_nat_t_port == NULL) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_x_nat_t_port_build: "
+			"memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	
+	pfkey_x_nat_t_port->sadb_x_nat_t_port_len = sizeof(struct sadb_x_nat_t_port) / IPSEC_PFKEYv2_ALIGN;
+	pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype = exttype;
+	pfkey_x_nat_t_port->sadb_x_nat_t_port_port = port;
+	pfkey_x_nat_t_port->sadb_x_nat_t_port_reserved = 0;
+
+errlab:
+	return error;
+}
+
+int pfkey_x_protocol_build(struct sadb_ext **pfkey_ext,
+			   uint8_t protocol)
+{
+	int error = 0;
+	struct sadb_protocol * p = (struct sadb_protocol *)*pfkey_ext;
+	DEBUGGING(PF_KEY_DEBUG_BUILD,"pfkey_x_protocol_build: protocol=%u\n", protocol);
+	/* sanity checks... */
+	if  (p != 0) {
+		ERROR("pfkey_x_protocol_build: bogus protocol pointer\n");
+		SENDERR(EINVAL);
+	}
+	if ((p = (struct sadb_protocol*)MALLOC(sizeof(*p))) == 0) {
+		ERROR("pfkey_build: memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	*pfkey_ext = (struct sadb_ext *)p;
+	p->sadb_protocol_len = sizeof(*p) / sizeof(uint64_t);
+	p->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+	p->sadb_protocol_proto = protocol;
+	p->sadb_protocol_flags = 0;
+	p->sadb_protocol_reserved2 = 0;
+ errlab:
+	return error;
+}
+
+int
+pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int dir)
+{
+	int error = 0;
+	unsigned ext;
+	unsigned total_size;
+	struct sadb_ext *pfkey_ext;
+	int extensions_seen = 0;
+#ifndef __KERNEL__	
+	struct sadb_ext *extensions_check[SADB_EXT_MAX + 1];
+#endif
+	
+	if(!extensions[0]) {
+		ERROR("pfkey_msg_build: "
+			"extensions[0] must be specified (struct sadb_msg).\n");
+		SENDERR(EINVAL);
+	}
+
+	/* figure out the total size for all the requested extensions */
+	total_size = IPSEC_PFKEYv2_WORDS(sizeof(struct sadb_msg));
+	for(ext = 1; ext <= SADB_EXT_MAX; ext++) {
+		if(extensions[ext]) {
+			total_size += (extensions[ext])->sadb_ext_len;
+		}
+        }                
+
+	/* allocate that much space */
+	*pfkey_msg = (struct sadb_msg*)MALLOC(total_size * IPSEC_PFKEYv2_ALIGN);
+	if(*pfkey_msg == NULL) {
+		ERROR("pfkey_msg_build: "
+		      "memory allocation failed\n");
+		SENDERR(ENOMEM);
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		  "pfkey_msg_build: "
+		  "pfkey_msg=0p%p allocated %lu bytes, &(extensions[0])=0p%p\n",
+		  *pfkey_msg,
+		  (unsigned long)(total_size * IPSEC_PFKEYv2_ALIGN),
+		  &(extensions[0]));
+
+	memcpy(*pfkey_msg,
+	       extensions[0],
+	       sizeof(struct sadb_msg));
+	(*pfkey_msg)->sadb_msg_len = total_size;
+	(*pfkey_msg)->sadb_msg_reserved = 0;
+	extensions_seen =  1 ;
+	
+	/*
+	 * point pfkey_ext to immediately after the space for the header,
+	 * i.e. at the first extension location.
+	 */
+	pfkey_ext = (struct sadb_ext*)(((char*)(*pfkey_msg)) + sizeof(struct sadb_msg));
+
+	for(ext = 1; ext <= SADB_EXT_MAX; ext++) {
+		/* copy from extension[ext] to buffer */
+		if(extensions[ext]) {    
+			/* Is this type of extension permitted for this type of message? */
+			if(!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] &
+			     1<<ext)) {
+				ERROR("pfkey_msg_build: "
+					"ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n", 
+					ext, 
+					extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
+					1<<ext);
+				SENDERR(EINVAL);
+			}
+
+			DEBUGGING(PF_KEY_DEBUG_BUILD,
+				  "pfkey_msg_build: "
+				  "copying %lu bytes from extensions[%u] (type=%d)\n",
+				  (unsigned long)(extensions[ext]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN),
+				  ext,
+				  extensions[ext]->sadb_ext_type);
+
+			memcpy(pfkey_ext,
+			       extensions[ext],
+			       (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
+			{
+			  char *pfkey_ext_c = (char *)pfkey_ext;
+
+			  pfkey_ext_c += (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN;
+			  pfkey_ext = (struct sadb_ext *)pfkey_ext_c;
+			}
+
+			/* Mark that we have seen this extension and remember the header location */
+			extensions_seen |= ( 1 << ext );
+		}
+	}
+
+	/* check required extensions */
+	DEBUGGING(PF_KEY_DEBUG_BUILD,
+		"pfkey_msg_build: "
+		"extensions permitted=%08x, seen=%08x, required=%08x.\n",
+		extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
+		extensions_seen,
+		extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]);
+	
+	if((extensions_seen &
+	    extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) !=
+	   extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) {
+		DEBUGGING(PF_KEY_DEBUG_BUILD,
+			"pfkey_msg_build: "
+			"required extensions missing:%08x.\n",
+			extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type] -
+			(extensions_seen &
+			 extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) );
+		SENDERR(EINVAL);
+	}
+
+#ifndef __KERNEL__	
+/*
+ * this is silly, there is no need to reparse the message that we just built.
+ *
+ */
+	if((error = pfkey_msg_parse(*pfkey_msg, NULL, extensions_check, dir))) {
+		ERROR(
+			"pfkey_msg_build: "
+			"Trouble parsing newly built pfkey message, error=%d.\n",
+			error);
+		SENDERR(-error);
+	}
+#endif
+
+errlab:
+
+	return error;
+}
+
+/*
+ * $Log: pfkey_v2_build.c,v $
+ * Revision 1.51.8.1  2006/05/01 14:36:39  mcr
+ * get rid of dead code.
+ *
+ * Revision 1.51  2004/10/03 01:26:36  mcr
+ * 	fixes for gcc 3.4 compilation.
+ *
+ * Revision 1.50  2004/07/10 07:48:35  mcr
+ * Moved from linux/lib/libfreeswan/pfkey_v2_build.c,v
+ *
+ * Revision 1.49  2004/04/12 02:59:06  mcr
+ *     erroneously moved pfkey_v2_build.c
+ *
+ * Revision 1.48  2004/04/09 18:00:40  mcr
+ * Moved from linux/lib/libfreeswan/pfkey_v2_build.c,v
+ *
+ * Revision 1.47  2004/03/08 01:59:08  ken
+ * freeswan.h -> openswan.h
+ *
+ * Revision 1.46  2003/12/10 01:20:19  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.45  2003/12/04 23:01:12  mcr
+ * 	removed ipsec_netlink.h
+ *
+ * Revision 1.44  2003/10/31 02:27:12  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.43.4.2  2003/10/29 01:11:32  mcr
+ * 	added debugging for pfkey library.
+ *
+ * Revision 1.43.4.1  2003/09/21 13:59:44  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.43  2003/05/07 17:29:17  mcr
+ * 	new function pfkey_debug_func added for us in debugging from
+ * 	pfkey library.
+ *
+ * Revision 1.42  2003/01/30 02:32:09  rgb
+ *
+ * Rename SAref table macro names for clarity.
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ *
+ * Revision 1.41  2002/12/13 18:16:02  mcr
+ * 	restored sa_ref code
+ *
+ * Revision 1.40  2002/12/13 18:06:52  mcr
+ * 	temporarily removed sadb_x_sa_ref reference for 2.xx
+ *
+ * Revision 1.39  2002/12/13 17:43:28  mcr
+ * 	commented out access to sadb_x_sa_ref for 2.xx branch
+ *
+ * Revision 1.38  2002/10/09 03:12:05  dhr
+ *
+ * [kenb+dhr] 64-bit fixes
+ *
+ * Revision 1.37  2002/09/20 15:40:39  rgb
+ * Added new function pfkey_sa_ref_build() to accomodate saref parameter.
+ *
+ * Revision 1.36  2002/09/20 05:01:22  rgb
+ * Generalise for platform independance: fix (ia64) using unsigned for sizes.
+ *
+ * Revision 1.35  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.34  2002/05/23 07:14:11  rgb
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.33  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.32  2002/04/24 07:36:40  mcr
+ * Moved from ./lib/pfkey_v2_build.c,v
+ *
+ * Revision 1.31  2002/01/29 22:25:35  rgb
+ * Re-add ipsec_kversion.h to keep MALLOC happy.
+ *
+ * Revision 1.30  2002/01/29 01:59:09  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from openswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ * Revision 1.29  2001/12/19 21:06:09  rgb
+ * Added port numbers to pfkey_address_build() debugging.
+ *
+ * Revision 1.28  2001/11/06 19:47:47  rgb
+ * Added packet parameter to lifetime and comb structures.
+ *
+ * Revision 1.27  2001/10/18 04:45:24  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/openswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.26  2001/09/08 21:13:34  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.25  2001/06/14 19:35:16  rgb
+ * Update copyright date.
+ *
+ * Revision 1.24  2001/03/20 03:49:45  rgb
+ * Ditch superfluous debug_pfkey declaration.
+ * Move misplaced openswan.h inclusion for kernel case.
+ *
+ * Revision 1.23  2001/03/16 07:41:50  rgb
+ * Put openswan.h include before pluto includes.
+ *
+ * Revision 1.22  2001/02/27 22:24:56  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.21  2000/11/17 18:10:30  rgb
+ * Fixed bugs mostly relating to spirange, to treat all spi variables as
+ * network byte order since this is the way PF_KEYv2 stored spis.
+ *
+ * Revision 1.20  2000/10/12 00:02:39  rgb
+ * Removed 'format, ##' nonsense from debug macros for RH7.0.
+ *
+ * Revision 1.19  2000/10/10 20:10:20  rgb
+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
+ *
+ * Revision 1.18  2000/09/12 18:59:54  rgb
+ * Added Gerhard's IPv6 support to pfkey parts of libopenswan.
+ *
+ * Revision 1.17  2000/09/12 03:27:00  rgb
+ * Moved DEBUGGING definition to compile kernel with debug off.
+ *
+ * Revision 1.16  2000/09/08 19:22:12  rgb
+ * Fixed pfkey_prop_build() parameter to be only single indirection.
+ * Fixed struct alg copy.
+ *
+ * Revision 1.15  2000/08/20 21:40:01  rgb
+ * Added an address parameter sanity check to pfkey_address_build().
+ *
+ * Revision 1.14  2000/08/15 17:29:23  rgb
+ * Fixes from SZI to untested pfkey_prop_build().
+ *
+ * Revision 1.13  2000/06/02 22:54:14  rgb
+ * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
+ *
+ * Revision 1.12  2000/05/10 19:24:01  rgb
+ * Fleshed out sensitivity, proposal and supported extensions.
+ *
+ * Revision 1.11  2000/03/16 14:07:23  rgb
+ * Renamed ALIGN macro to avoid fighting with others in kernel.
+ *
+ * Revision 1.10  2000/01/24 21:14:35  rgb
+ * Added disabled pluto pfkey lib debug flag.
+ *
+ * Revision 1.9  2000/01/21 06:27:32  rgb
+ * Added address cases for eroute flows.
+ * Removed unused code.
+ * Dropped unused argument to pfkey_x_satype_build().
+ * Indented compiler directives for readability.
+ * Added klipsdebug switching capability.
+ * Fixed SADB_EXT_MAX bug not permitting last extension access.
+ *
+ * Revision 1.8  1999/12/29 21:17:41  rgb
+ * Changed pfkey_msg_build() I/F to include a struct sadb_msg**
+ * parameter for cleaner manipulation of extensions[] and to guard
+ * against potential memory leaks.
+ * Changed the I/F to pfkey_msg_free() for the same reason.
+ *
+ * Revision 1.7  1999/12/09 23:12:20  rgb
+ * Removed unused cruft.
+ * Added argument to pfkey_sa_build() to do eroutes.
+ * Fixed exttype check in as yet unused pfkey_lifetime_build().
+ *
+ * Revision 1.6  1999/12/07 19:54:29  rgb
+ * Removed static pluto debug flag.
+ * Added functions for pfkey message and extensions initialisation
+ * and cleanup.
+ *
+ * Revision 1.5  1999/12/01 22:20:06  rgb
+ * Changed pfkey_sa_build to accept an SPI in network byte order.
+ * Added <string.h> to quiet userspace compiler.
+ * Moved pfkey_lib_debug variable into the library.
+ * Removed SATYPE check from pfkey_msg_hdr_build so FLUSH will work.
+ * Added extension assembly debugging.
+ * Isolated assignment with brackets to be sure of scope.
+ *
+ * Revision 1.4  1999/11/27 11:57:35  rgb
+ * Added ipv6 headers.
+ * Remove over-zealous algorithm sanity checkers from pfkey_sa_build.
+ * Debugging error messages added.
+ * Fixed missing auth and encrypt assignment bug.
+ * Add argument to pfkey_msg_parse() for direction.
+ * Move parse-after-build check inside pfkey_msg_build().
+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
+ * Add CVS log entry to bottom of file.
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_debug.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,181 @@
+/*
+ * @(#) pfkey version 2 debugging messages
+ *
+ * Copyright (C) 2001  Richard Guy Briggs  <rgb@openswan.org>
+ *                 and Michael Richardson  <mcr@openswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_debug.c,v 1.11 2005/04/06 17:45:16 mcr Exp $
+ *
+ */
+
+#ifdef __KERNEL__
+
+# include <linux/kernel.h>  /* for printk */
+
+# include "openswan/ipsec_kversion.h" /* for malloc switch */
+# ifdef MALLOC_SLAB
+#  include <linux/slab.h> /* kmalloc() */
+# else /* MALLOC_SLAB */
+#  include <linux/malloc.h> /* kmalloc() */
+# endif /* MALLOC_SLAB */
+# include <linux/errno.h>  /* error codes */
+# include <linux/types.h>  /* size_t */
+# include <linux/interrupt.h> /* mark_bh */
+
+# include <linux/netdevice.h>   /* struct device, and other headers */
+# include <linux/etherdevice.h> /* eth_type_trans */
+extern int debug_pfkey;
+
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
+# include <linux/types.h>
+# include <linux/errno.h>
+
+#endif /* __KERNEL__ */
+
+#include "openswan.h"
+#include "pfkeyv2.h"
+#include "pfkey.h"
+
+/* 
+ * This file provides ASCII translations of PF_KEY magic numbers.
+ *
+ */
+
+static char *pfkey_sadb_ext_strings[]={
+  "reserved",                     /* SADB_EXT_RESERVED             0 */
+  "security-association",         /* SADB_EXT_SA                   1 */
+  "lifetime-current",             /* SADB_EXT_LIFETIME_CURRENT     2 */
+  "lifetime-hard",                /* SADB_EXT_LIFETIME_HARD        3 */
+  "lifetime-soft",                /* SADB_EXT_LIFETIME_SOFT        4 */
+  "source-address",               /* SADB_EXT_ADDRESS_SRC          5 */
+  "destination-address",          /* SADB_EXT_ADDRESS_DST          6 */
+  "proxy-address",                /* SADB_EXT_ADDRESS_PROXY        7 */
+  "authentication-key",           /* SADB_EXT_KEY_AUTH             8 */
+  "cipher-key",                   /* SADB_EXT_KEY_ENCRYPT          9 */
+  "source-identity",              /* SADB_EXT_IDENTITY_SRC         10 */
+  "destination-identity",         /* SADB_EXT_IDENTITY_DST         11 */
+  "sensitivity-label",            /* SADB_EXT_SENSITIVITY          12 */
+  "proposal",                     /* SADB_EXT_PROPOSAL             13 */
+  "supported-auth",               /* SADB_EXT_SUPPORTED_AUTH       14 */
+  "supported-cipher",             /* SADB_EXT_SUPPORTED_ENCRYPT    15 */
+  "spi-range",                    /* SADB_EXT_SPIRANGE             16 */
+  "X-kmpprivate",                 /* SADB_X_EXT_KMPRIVATE          17 */
+  "X-satype2",                    /* SADB_X_EXT_SATYPE2            18 */
+  "X-security-association",       /* SADB_X_EXT_SA2                19 */
+  "X-destination-address2",       /* SADB_X_EXT_ADDRESS_DST2       20 */
+  "X-source-flow-address",        /* SADB_X_EXT_ADDRESS_SRC_FLOW   21 */
+  "X-dest-flow-address",          /* SADB_X_EXT_ADDRESS_DST_FLOW   22 */
+  "X-source-mask",                /* SADB_X_EXT_ADDRESS_SRC_MASK   23 */
+  "X-dest-mask",                  /* SADB_X_EXT_ADDRESS_DST_MASK   24 */
+  "X-set-debug",                  /* SADB_X_EXT_DEBUG              25 */
+  /* NAT_TRAVERSAL */
+  "X-NAT-T-type",                 /* SADB_X_EXT_NAT_T_TYPE         26 */
+  "X-NAT-T-sport",                /* SADB_X_EXT_NAT_T_SPORT        27 */
+  "X-NAT-T-dport",                /* SADB_X_EXT_NAT_T_DPORT        28 */
+  "X-NAT-T-OA",                   /* SADB_X_EXT_NAT_T_OA           29 */
+};
+
+const char *
+pfkey_v2_sadb_ext_string(int ext)
+{
+  if(ext <= SADB_EXT_MAX) {
+    return pfkey_sadb_ext_strings[ext];
+  } else {
+    return "unknown-ext";
+  }
+}
+
+
+static char *pfkey_sadb_type_strings[]={
+	"reserved",                     /* SADB_RESERVED      */
+	"getspi",                       /* SADB_GETSPI        */
+	"update",                       /* SADB_UPDATE        */
+	"add",                          /* SADB_ADD           */
+	"delete",                       /* SADB_DELETE        */
+	"get",                          /* SADB_GET           */
+	"acquire",                      /* SADB_ACQUIRE       */
+	"register",                     /* SADB_REGISTER      */
+	"expire",                       /* SADB_EXPIRE        */
+	"flush",                        /* SADB_FLUSH         */
+	"dump",                         /* SADB_DUMP          */
+	"x-promisc",                    /* SADB_X_PROMISC     */
+	"x-pchange",                    /* SADB_X_PCHANGE     */
+	"x-groupsa",                    /* SADB_X_GRPSA       */
+	"x-addflow(eroute)",            /* SADB_X_ADDFLOW     */
+	"x-delflow(eroute)",            /* SADB_X_DELFLOW     */
+	"x-debug",                      /* SADB_X_DEBUG       */
+};
+
+const char *
+pfkey_v2_sadb_type_string(int sadb_type)
+{
+  if(sadb_type <= SADB_MAX) {
+    return pfkey_sadb_type_strings[sadb_type];
+  } else {
+    return "unknown-sadb-type";
+  }
+}
+
+
+
+
+/*
+ * $Log: pfkey_v2_debug.c,v $
+ * Revision 1.11  2005/04/06 17:45:16  mcr
+ * 	always include NAT-T names.
+ *
+ * Revision 1.10  2004/07/10 07:48:35  mcr
+ * Moved from linux/lib/libfreeswan/pfkey_v2_debug.c,v
+ *
+ * Revision 1.9  2004/03/08 01:59:08  ken
+ * freeswan.h -> openswan.h
+ *
+ * Revision 1.8  2003/12/10 01:20:19  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.7  2002/09/20 05:01:26  rgb
+ * Fixed limit inclusion error in both type and ext string conversion.
+ *
+ * Revision 1.6  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.5  2002/04/24 07:36:40  mcr
+ * Moved from ./lib/pfkey_v2_debug.c,v
+ *
+ * Revision 1.4  2002/01/29 22:25:36  rgb
+ * Re-add ipsec_kversion.h to keep MALLOC happy.
+ *
+ * Revision 1.3  2002/01/29 01:59:09  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from openswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ * Revision 1.2  2002/01/20 20:34:50  mcr
+ * 	added pfkey_v2_sadb_type_string to decode sadb_type to string.
+ *
+ * Revision 1.1  2001/11/27 05:30:06  mcr
+ * 	initial set of debug strings for pfkey debugging.
+ * 	this will eventually only be included for debug builds.
+ *
+ * Revision 1.1  2001/09/21 04:12:03  mcr
+ * 	first compilable version.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_ext_bits.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,814 @@
+/*
+ * RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_ext_bits.c,v 1.22 2005/05/11 01:45:31 mcr Exp $
+ */
+
+/*
+ *		Template from klips/net/ipsec/ipsec/ipsec_parse.c.
+ */
+
+char pfkey_v2_ext_bits_c_version[] = "$Id: pfkey_v2_ext_bits.c,v 1.22 2005/05/11 01:45:31 mcr Exp $";
+
+/*
+ * Some ugly stuff to allow consistent debugging code for use in the
+ * kernel and in user space
+*/
+
+#ifdef __KERNEL__
+
+# include <linux/kernel.h>  /* for printk */
+
+# include "openswan/ipsec_kversion.h" /* for malloc switch */
+# ifdef MALLOC_SLAB
+#  include <linux/slab.h> /* kmalloc() */
+# else /* MALLOC_SLAB */
+#  include <linux/malloc.h> /* kmalloc() */
+# endif /* MALLOC_SLAB */
+# include <linux/errno.h>  /* error codes */
+# include <linux/types.h>  /* size_t */
+# include <linux/interrupt.h> /* mark_bh */
+
+# include <linux/netdevice.h>   /* struct device, and other headers */
+# include <linux/etherdevice.h> /* eth_type_trans */
+# include <linux/ip.h>          /* struct iphdr */ 
+# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#  include <linux/ipv6.h>
+# endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
+# include <linux/types.h>
+# include <linux/errno.h>
+#endif
+
+#include <openswan.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_EXTENSIONS_MAX] = {
+
+/* INBOUND EXTENSIONS */
+{
+
+/* PERMITTED IN */
+{
+/* SADB_RESERVED */
+0
+,
+/* SADB_GETSPI */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_SPIRANGE
+,
+/* SADB_UPDATE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+,
+/* SADB_ADD */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_TYPE
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+| 1<<SADB_X_EXT_NAT_T_OA
+,
+/* SADB_DELETE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_GET */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_ACQUIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+,
+/* SADB_REGISTER */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_EXPIRE */
+0
+,
+/* SADB_FLUSH */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_DUMP */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_X_PROMISC */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_PCHANGE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_GRPSA */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_ADDFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_X_EXT_PROTOCOL
+,
+/* SADB_X_DELFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_X_EXT_PROTOCOL
+,
+/* SADB_X_DEBUG */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_X_EXT_DEBUG
+,
+/* SADB_X_NAT_T_NEW_MAPPING */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+},
+
+/* REQUIRED IN */
+{
+/* SADB_RESERVED */
+0
+,
+/* SADB_GETSPI */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_SPIRANGE
+,
+/* SADB_UPDATE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+/*| 1<<SADB_EXT_KEY_AUTH*/
+/*| 1<<SADB_EXT_KEY_ENCRYPT*/
+,
+/* SADB_ADD */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+/*| 1<<SADB_EXT_KEY_AUTH*/
+/*| 1<<SADB_EXT_KEY_ENCRYPT*/
+,
+/* SADB_DELETE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_GET */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_ACQUIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_PROPOSAL
+,
+/* SADB_REGISTER */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_EXPIRE */
+0
+,
+/* SADB_FLUSH */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_DUMP */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_X_PROMISC */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_PCHANGE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_GRPSA */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+/*| 1<<SADB_X_EXT_SATYPE2*/
+/*| 1<<SADB_X_EXT_SA2*/
+/*| 1<<SADB_X_EXT_ADDRESS_DST2*/
+,
+/* SADB_X_ADDFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+,
+/* SADB_X_DELFLOW */
+1<<SADB_EXT_RESERVED
+/*| 1<<SADB_EXT_SA*/
+#if 0 /* SADB_X_CLREROUTE doesn't need all these... */
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+#endif
+,
+/* SADB_X_DEBUG */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_X_EXT_DEBUG
+,
+/* SADB_X_NAT_T_NEW_MAPPING */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+}
+
+},
+
+/* OUTBOUND EXTENSIONS */
+{
+
+/* PERMITTED OUT */
+{
+/* SADB_RESERVED */
+0
+,
+/* SADB_GETSPI */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_UPDATE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+,
+/* SADB_ADD */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_TYPE
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+| 1<<SADB_X_EXT_NAT_T_OA
+,
+/* SADB_DELETE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_GET */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_TYPE
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+| 1<<SADB_X_EXT_NAT_T_OA
+,
+/* SADB_ACQUIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+,
+/* SADB_REGISTER */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+,
+/* SADB_EXPIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_FLUSH */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_DUMP */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_X_EXT_NAT_T_TYPE
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+| 1<<SADB_X_EXT_NAT_T_OA
+,
+/* SADB_X_PROMISC */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_PCHANGE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_GRPSA */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_ADDFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+| 1<<SADB_X_EXT_PROTOCOL
+,
+/* SADB_X_DELFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+| 1<<SADB_X_EXT_PROTOCOL
+,
+/* SADB_X_DEBUG */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_X_EXT_DEBUG
+,
+/* SADB_X_NAT_T_NEW_MAPPING */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+},
+
+/* REQUIRED OUT */
+{
+/* SADB_RESERVED */
+0
+,
+/* SADB_GETSPI */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_UPDATE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_ADD */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_DELETE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_GET */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+/* | 1<<SADB_EXT_KEY_AUTH */
+/* | 1<<SADB_EXT_KEY_ENCRYPT */
+,
+/* SADB_ACQUIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_PROPOSAL
+,
+/* SADB_REGISTER */
+1<<SADB_EXT_RESERVED
+/* | 1<<SADB_EXT_SUPPORTED_AUTH
+   | 1<<SADB_EXT_SUPPORTED_ENCRYPT */
+,
+/* SADB_EXPIRE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+/* | 1<<SADB_EXT_LIFETIME_HARD
+   | 1<<SADB_EXT_LIFETIME_SOFT */
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_FLUSH */
+1<<SADB_EXT_RESERVED
+,
+/* SADB_DUMP */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+,
+/* SADB_X_PROMISC */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_PCHANGE */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_LIFETIME_CURRENT
+| 1<<SADB_EXT_LIFETIME_HARD
+| 1<<SADB_EXT_LIFETIME_SOFT
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_EXT_ADDRESS_PROXY
+| 1<<SADB_EXT_KEY_AUTH
+| 1<<SADB_EXT_KEY_ENCRYPT
+| 1<<SADB_EXT_IDENTITY_SRC
+| 1<<SADB_EXT_IDENTITY_DST
+| 1<<SADB_EXT_SENSITIVITY
+| 1<<SADB_EXT_PROPOSAL
+| 1<<SADB_EXT_SUPPORTED_AUTH
+| 1<<SADB_EXT_SUPPORTED_ENCRYPT
+| 1<<SADB_EXT_SPIRANGE
+| 1<<SADB_X_EXT_KMPRIVATE
+| 1<<SADB_X_EXT_SATYPE2
+| 1<<SADB_X_EXT_SA2
+| 1<<SADB_X_EXT_ADDRESS_DST2
+,
+/* SADB_X_GRPSA */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+,
+/* SADB_X_ADDFLOW */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+,
+/* SADB_X_DELFLOW */
+1<<SADB_EXT_RESERVED
+/*| 1<<SADB_EXT_SA*/
+| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
+| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
+| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
+| 1<<SADB_X_EXT_ADDRESS_DST_MASK
+,
+/* SADB_X_DEBUG */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_X_EXT_DEBUG
+,
+/* SADB_X_NAT_T_NEW_MAPPING */
+1<<SADB_EXT_RESERVED
+| 1<<SADB_EXT_SA
+| 1<<SADB_EXT_ADDRESS_SRC
+| 1<<SADB_EXT_ADDRESS_DST
+| 1<<SADB_X_EXT_NAT_T_SPORT
+| 1<<SADB_X_EXT_NAT_T_DPORT
+}
+}
+};
+
+/*
+ * $Log: pfkey_v2_ext_bits.c,v $
+ * Revision 1.22  2005/05/11 01:45:31  mcr
+ * 	make pfkey.h standalone.
+ *
+ * Revision 1.21  2004/07/10 07:48:36  mcr
+ * Moved from linux/lib/libfreeswan/pfkey_v2_ext_bits.c,v
+ *
+ * Revision 1.20  2004/03/08 01:59:08  ken
+ * freeswan.h -> openswan.h
+ *
+ * Revision 1.19  2003/12/22 21:38:13  mcr
+ * 	removed extraenous #endif.
+ *
+ * Revision 1.18  2003/12/22 19:34:41  mcr
+ * 	added 0.6c NAT-T patch.
+ *
+ * Revision 1.17  2003/12/10 01:20:19  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.16  2003/10/31 02:27:12  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.15.30.1  2003/09/21 13:59:44  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.15  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.14  2002/04/24 07:36:40  mcr
+ * Moved from ./lib/pfkey_v2_ext_bits.c,v
+ *
+ * Revision 1.13  2002/01/29 22:25:36  rgb
+ * Re-add ipsec_kversion.h to keep MALLOC happy.
+ *
+ * Revision 1.12  2002/01/29 01:59:10  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from openswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ * Revision 1.11  2001/10/18 04:45:24  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/openswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.10  2001/09/08 21:13:35  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ *
+ * Revision 1.9  2001/06/14 19:35:16  rgb
+ * Update copyright date.
+ *
+ * Revision 1.8  2001/03/26 23:07:36  rgb
+ * Remove requirement for auth and enc key from UPDATE.
+ *
+ * Revision 1.7  2000/09/12 22:35:37  rgb
+ * Restructured to remove unused extensions from CLEARFLOW messages.
+ *
+ * Revision 1.6  2000/09/09 06:39:01  rgb
+ * Added comments for clarity.
+ *
+ * Revision 1.5  2000/06/02 22:54:14  rgb
+ * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
+ *
+ * Revision 1.4  2000/01/21 06:27:56  rgb
+ * Added address cases for eroute flows.
+ * Added comments for each message type.
+ * Added klipsdebug switching capability.
+ * Fixed GRPSA bitfields.
+ *
+ * Revision 1.3  1999/12/01 22:20:27  rgb
+ * Remove requirement for a proxy address in an incoming getspi message.
+ *
+ * Revision 1.2  1999/11/27 11:57:06  rgb
+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
+ * Add CVS log entry to bottom of file.
+ * Cleaned out unused bits.
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_ext_process.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,951 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1998-2003   Richard Guy Briggs.
+ * Copyright (C) 2004        Michael Richardson <mcr@xelerance.com>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $
+ */
+
+/*
+ *		Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
+ */
+
+char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+
+#include <openswan.h>
+
+#include <crypto/des.h>
+
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+#ifdef NET_21
+# include <linux/in6.h>
+# define ip_chk_addr inet_addr_type
+# define IS_MYADDR RTN_LOCAL
+#endif
+
+#include <net/ip.h>
+#ifdef NETLINK_SOCK
+# include <linux/netlink.h>
+#else
+# include <net/netlink.h>
+#endif
+
+#include <linux/random.h>	/* get_random_bytes() */
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipcomp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+int
+pfkey_sa_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
+	int error = 0;
+	struct ipsec_sa* ipsp;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_sa_process: .\n");
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sa_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_ext->sadb_ext_type) {
+	case SADB_EXT_SA:
+		ipsp = extr->ips;
+		break;
+	case SADB_X_EXT_SA2:
+		if(extr->ips2 == NULL) {
+			extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
+		}
+		if(extr->ips2 == NULL) {
+			SENDERR(-error);
+		}
+		ipsp = extr->ips2;
+		break;
+	default:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sa_process: "
+			    "invalid exttype=%d.\n",
+			    pfkey_ext->sadb_ext_type);
+		SENDERR(EINVAL);
+	}
+
+	ipsp->ips_said.spi = pfkey_sa->sadb_sa_spi;
+	ipsp->ips_replaywin = pfkey_sa->sadb_sa_replay;
+	ipsp->ips_state = pfkey_sa->sadb_sa_state;
+	ipsp->ips_flags = pfkey_sa->sadb_sa_flags;
+	ipsp->ips_replaywin_lastseq = ipsp->ips_replaywin_bitmap = 0;
+	ipsp->ips_ref_rel = pfkey_sa->sadb_x_sa_ref;
+	
+	switch(ipsp->ips_said.proto) {
+	case IPPROTO_AH:
+		ipsp->ips_authalg = pfkey_sa->sadb_sa_auth;
+		ipsp->ips_encalg = SADB_EALG_NONE;
+		break;
+	case IPPROTO_ESP:
+		ipsp->ips_authalg = pfkey_sa->sadb_sa_auth;
+		ipsp->ips_encalg = pfkey_sa->sadb_sa_encrypt;
+		ipsec_alg_sa_init(ipsp);
+		break;
+	case IPPROTO_IPIP:
+		ipsp->ips_authalg = AH_NONE;
+		ipsp->ips_encalg = ESP_NONE;
+		break;
+#ifdef CONFIG_KLIPS_IPCOMP
+	case IPPROTO_COMP:
+		ipsp->ips_authalg = AH_NONE;
+		ipsp->ips_encalg = pfkey_sa->sadb_sa_encrypt;
+		break;
+#endif /* CONFIG_KLIPS_IPCOMP */
+	case IPPROTO_INT:
+		ipsp->ips_authalg = AH_NONE;
+		ipsp->ips_encalg = ESP_NONE;
+		break;
+	case 0:
+		break;
+	default:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_sa_process: "
+			    "unknown proto=%d.\n",
+			    ipsp->ips_said.proto);
+		SENDERR(EINVAL);
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_lifetime_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_lifetime_process: .\n");
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_lifetime_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_lifetime->sadb_lifetime_exttype) {
+	case SADB_EXT_LIFETIME_CURRENT:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_lifetime_process: "
+			    "lifetime_current not supported yet.\n");
+  		SENDERR(EINVAL);
+  		break;
+	case SADB_EXT_LIFETIME_HARD:
+		ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_allocations,
+					  pfkey_lifetime->sadb_lifetime_allocations);
+
+		ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_bytes,
+					  pfkey_lifetime->sadb_lifetime_bytes);
+
+		ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_addtime,
+					  pfkey_lifetime->sadb_lifetime_addtime);
+
+		ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_usetime,
+					  pfkey_lifetime->sadb_lifetime_usetime);
+
+		break;
+
+	case SADB_EXT_LIFETIME_SOFT:
+		ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_allocations,
+					   pfkey_lifetime->sadb_lifetime_allocations);
+
+		ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_bytes,
+					   pfkey_lifetime->sadb_lifetime_bytes);
+
+		ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_addtime,
+					   pfkey_lifetime->sadb_lifetime_addtime);
+
+		ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_usetime,
+					   pfkey_lifetime->sadb_lifetime_usetime);
+
+		break;
+	default:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_lifetime_process: "
+			    "invalid exttype=%d.\n",
+			    pfkey_ext->sadb_ext_type);
+		SENDERR(EINVAL);
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_address_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	int saddr_len = 0;
+	char ipaddr_txt[ADDRTOA_BUF];
+	unsigned char **sap;
+	unsigned short * portp = 0;
+	struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
+	struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
+	struct ipsec_sa* ipsp;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_address_process:\n");
+	
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(s->sa_family) {
+	case AF_INET:
+		saddr_len = sizeof(struct sockaddr_in);
+		addrtoa(((struct sockaddr_in*)s)->sin_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found address family=%d, AF_INET, %s.\n",
+			    s->sa_family,
+			    ipaddr_txt);
+		break;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	case AF_INET6:
+		saddr_len = sizeof(struct sockaddr_in6);
+		break;
+#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+	default:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "s->sa_family=%d not supported.\n",
+			    s->sa_family);
+		SENDERR(EPFNOSUPPORT);
+	}
+	
+	switch(pfkey_address->sadb_address_exttype) {
+	case SADB_EXT_ADDRESS_SRC:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found src address.\n");
+		sap = (unsigned char **)&(extr->ips->ips_addr_s);
+		extr->ips->ips_addr_s_size = saddr_len;
+		break;
+	case SADB_EXT_ADDRESS_DST:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found dst address.\n");
+		sap = (unsigned char **)&(extr->ips->ips_addr_d);
+		extr->ips->ips_addr_d_size = saddr_len;
+		break;
+	case SADB_EXT_ADDRESS_PROXY:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found proxy address.\n");
+		sap = (unsigned char **)&(extr->ips->ips_addr_p);
+		extr->ips->ips_addr_p_size = saddr_len;
+		break;
+	case SADB_X_EXT_ADDRESS_DST2:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found 2nd dst address.\n");
+		if(extr->ips2 == NULL) {
+			extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
+		}
+		if(extr->ips2 == NULL) {
+			SENDERR(-error);
+		}
+		sap = (unsigned char **)&(extr->ips2->ips_addr_d);
+		extr->ips2->ips_addr_d_size = saddr_len;
+		break;
+	case SADB_X_EXT_ADDRESS_SRC_FLOW:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found src flow address.\n");
+		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
+			SENDERR(ENOMEM);
+		}
+		sap = (unsigned char **)&(extr->eroute->er_eaddr.sen_ip_src);
+		portp = &(extr->eroute->er_eaddr.sen_sport);
+		break;
+	case SADB_X_EXT_ADDRESS_DST_FLOW:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found dst flow address.\n");
+		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
+			SENDERR(ENOMEM);
+		}
+		sap = (unsigned char **)&(extr->eroute->er_eaddr.sen_ip_dst);
+		portp = &(extr->eroute->er_eaddr.sen_dport);
+		break;
+	case SADB_X_EXT_ADDRESS_SRC_MASK:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found src mask address.\n");
+		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
+			SENDERR(ENOMEM);
+		}
+		sap = (unsigned char **)&(extr->eroute->er_emask.sen_ip_src);
+		portp = &(extr->eroute->er_emask.sen_sport);
+		break;
+	case SADB_X_EXT_ADDRESS_DST_MASK:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found dst mask address.\n");
+		if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
+			SENDERR(ENOMEM);
+		}
+		sap = (unsigned char **)&(extr->eroute->er_emask.sen_ip_dst);
+		portp = &(extr->eroute->er_emask.sen_dport);
+		break;
+#ifdef NAT_TRAVERSAL
+	case SADB_X_EXT_NAT_T_OA:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "found NAT-OA address.\n");
+		sap = (unsigned char **)&(extr->ips->ips_natt_oa);
+		extr->ips->ips_natt_oa_size = saddr_len;
+		break;
+#endif
+	default:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "unrecognised ext_type=%d.\n",
+			    pfkey_address->sadb_address_exttype);
+		SENDERR(EINVAL);
+	}
+	
+	switch(pfkey_address->sadb_address_exttype) {
+	case SADB_EXT_ADDRESS_SRC:
+	case SADB_EXT_ADDRESS_DST:
+	case SADB_EXT_ADDRESS_PROXY:
+	case SADB_X_EXT_ADDRESS_DST2:
+#ifdef NAT_TRAVERSAL
+	case SADB_X_EXT_NAT_T_OA:
+#endif
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_address_process: "
+			    "allocating %d bytes for saddr.\n",
+			    saddr_len);
+		if(!(*sap = kmalloc(saddr_len, GFP_KERNEL))) {
+			SENDERR(ENOMEM);
+		}
+		memcpy(*sap, s, saddr_len);
+		break;
+	default:
+		if(s->sa_family	!= AF_INET) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_address_process: "
+				    "s->sa_family=%d not supported.\n",
+				    s->sa_family);
+			SENDERR(EPFNOSUPPORT);
+		}
+		{
+			unsigned long *ulsap = (unsigned long *)sap;
+			*ulsap = ((struct sockaddr_in*)s)->sin_addr.s_addr;
+		}
+
+		if (portp != 0)
+			*portp = ((struct sockaddr_in*)s)->sin_port;
+#ifdef CONFIG_KLIPS_DEBUG
+		if(extr->eroute) {
+			char buf1[64], buf2[64];
+			if (debug_pfkey) {
+				subnettoa(extr->eroute->er_eaddr.sen_ip_src,
+					  extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
+				subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
+					  extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:pfkey_address_parse: "
+					    "extr->eroute set to %s:%d->%s:%d\n",
+					    buf1,
+					    ntohs(extr->eroute->er_eaddr.sen_sport),
+					    buf2,
+					    ntohs(extr->eroute->er_eaddr.sen_dport));
+			}
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+	}
+
+	ipsp = extr->ips;
+	switch(pfkey_address->sadb_address_exttype) {
+	case SADB_X_EXT_ADDRESS_DST2:
+		ipsp = extr->ips2;
+	case SADB_EXT_ADDRESS_DST:
+		if(s->sa_family == AF_INET) {
+			ipsp->ips_said.dst.u.v4.sin_addr.s_addr = ((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr.s_addr;
+			ipsp->ips_said.dst.u.v4.sin_family      = AF_INET;
+			addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr,
+				0,
+				ipaddr_txt,
+				sizeof(ipaddr_txt));
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_address_process: "
+				    "ips_said.dst set to %s.\n",
+				    ipaddr_txt);
+		} else {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_address_process: "
+				    "uh, ips_said.dst doesn't do address family=%d yet, said will be invalid.\n",
+				    s->sa_family);
+		}
+	default:
+		break;
+	}
+	
+	/* XXX check if port!=0 */
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_address_process: successful.\n");
+ errlab:
+	return error;
+}
+
+int
+pfkey_key_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+        struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_key_process: .\n");
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_key_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+        switch(pfkey_key->sadb_key_exttype) {
+        case SADB_EXT_KEY_AUTH:
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_key_process: "
+			    "allocating %d bytes for authkey.\n",
+			    DIVUP(pfkey_key->sadb_key_bits, 8));
+		if(!(extr->ips->ips_key_a = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_key_process: "
+				    "memory allocation error.\n");
+			SENDERR(ENOMEM);
+		}
+                extr->ips->ips_key_bits_a = pfkey_key->sadb_key_bits;
+                extr->ips->ips_key_a_size = DIVUP(pfkey_key->sadb_key_bits, 8);
+		memcpy(extr->ips->ips_key_a,
+		       (char*)pfkey_key + sizeof(struct sadb_key),
+		       extr->ips->ips_key_a_size);
+		break;
+	case SADB_EXT_KEY_ENCRYPT: /* Key(s) */
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_key_process: "
+			    "allocating %d bytes for enckey.\n",
+			    DIVUP(pfkey_key->sadb_key_bits, 8));
+		if(!(extr->ips->ips_key_e = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_key_process: "
+				    "memory allocation error.\n");
+			SENDERR(ENOMEM);
+		}
+		extr->ips->ips_key_bits_e = pfkey_key->sadb_key_bits;
+		extr->ips->ips_key_e_size = DIVUP(pfkey_key->sadb_key_bits, 8);
+		memcpy(extr->ips->ips_key_e,
+		       (char*)pfkey_key + sizeof(struct sadb_key),
+		       extr->ips->ips_key_e_size);
+		break;
+	default:
+		SENDERR(EINVAL);
+ 	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_key_process: "
+		    "success.\n");
+errlab:
+	return error;
+}
+
+int
+pfkey_ident_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+        struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
+	int data_len;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_ident_process: .\n");
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_ident_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_ident->sadb_ident_exttype) {
+	case SADB_EXT_IDENTITY_SRC:
+		data_len = pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+		
+		extr->ips->ips_ident_s.type = pfkey_ident->sadb_ident_type;
+		extr->ips->ips_ident_s.id = pfkey_ident->sadb_ident_id;
+		extr->ips->ips_ident_s.len = pfkey_ident->sadb_ident_len;
+		if(data_len) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_ident_process: "
+				    "allocating %d bytes for ident_s.\n",
+				    data_len);
+			if(!(extr->ips->ips_ident_s.data
+			     = kmalloc(data_len, GFP_KERNEL))) {
+                                SENDERR(ENOMEM);
+                        }
+			memcpy(extr->ips->ips_ident_s.data,
+                               (char*)pfkey_ident + sizeof(struct sadb_ident),
+			       data_len);
+                } else {
+			extr->ips->ips_ident_s.data = NULL;
+                }
+                break;
+	case SADB_EXT_IDENTITY_DST: /* Identity(ies) */
+		data_len = pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+		
+		extr->ips->ips_ident_d.type = pfkey_ident->sadb_ident_type;
+		extr->ips->ips_ident_d.id = pfkey_ident->sadb_ident_id;
+		extr->ips->ips_ident_d.len = pfkey_ident->sadb_ident_len;
+		if(data_len) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_ident_process: "
+				    "allocating %d bytes for ident_d.\n",
+				    data_len);
+			if(!(extr->ips->ips_ident_d.data
+			     = kmalloc(data_len, GFP_KERNEL))) {
+                                SENDERR(ENOMEM);
+                        }
+			memcpy(extr->ips->ips_ident_d.data,
+                               (char*)pfkey_ident + sizeof(struct sadb_ident),
+			       data_len);
+                } else {
+			extr->ips->ips_ident_d.data = NULL;
+                }
+                break;
+	default:
+		SENDERR(EINVAL);
+ 	}
+errlab:
+	return error;
+}
+
+int
+pfkey_sens_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_sens_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
+		    pfkey_ext->sadb_ext_type);
+        SENDERR(EINVAL); /* don't process these yet */
+ errlab:
+        return error;
+}
+
+int
+pfkey_prop_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_prop_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
+		    pfkey_ext->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+	
+ errlab:
+	return error;
+}
+
+int
+pfkey_supported_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_supported_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
+		    pfkey_ext->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+errlab:
+	return error;
+}
+
+int
+pfkey_spirange_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+        int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_spirange_process: .\n");
+/* errlab: */
+	return error;
+}
+
+int
+pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_kmprivate_process: "
+		    "Sorry, I can't process exttype=%d yet.\n",
+		    pfkey_ext->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+errlab:
+	return error;
+}
+
+int
+pfkey_x_satype_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_satype_process: .\n");
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_satype_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	if(extr->ips2 == NULL) {
+		extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
+	}
+	if(extr->ips2 == NULL) {
+		SENDERR(-error);
+	}
+	if(!(extr->ips2->ips_said.proto = satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_satype_process: "
+			    "proto lookup from satype=%d failed.\n",
+			    pfkey_x_satype->sadb_x_satype_satype);
+		SENDERR(EINVAL);
+	}
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_satype_process: "
+		    "protocol==%d decoded from satype==%d(%s).\n",
+		    extr->ips2->ips_said.proto,
+		    pfkey_x_satype->sadb_x_satype_satype,
+		    satype2name(pfkey_x_satype->sadb_x_satype_satype));
+
+errlab:
+	return error;
+}
+
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+int
+pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct sadb_x_nat_t_type *pfkey_x_nat_t_type = (struct sadb_x_nat_t_type *)pfkey_ext;
+
+	if(!pfkey_x_nat_t_type) {
+		printk("klips_debug:pfkey_x_nat_t_type_process: "
+		       "null pointer passed in\n");
+		SENDERR(EINVAL);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_nat_t_type_process: %d.\n",
+			pfkey_x_nat_t_type->sadb_x_nat_t_type_type);
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_nat_t_type_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_x_nat_t_type->sadb_x_nat_t_type_type) {
+		case ESPINUDP_WITH_NON_IKE: /* with Non-IKE (older version) */
+		case ESPINUDP_WITH_NON_ESP: /* with Non-ESP */
+
+			extr->ips->ips_natt_type = pfkey_x_nat_t_type->sadb_x_nat_t_type_type;
+			break;
+		default:
+			KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_nat_t_type_process: "
+			    "unknown type %d.\n",
+			    pfkey_x_nat_t_type->sadb_x_nat_t_type_type);
+			SENDERR(EINVAL);
+			break;
+	}
+
+errlab:
+	return error;
+}
+
+int
+pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct sadb_x_nat_t_port *pfkey_x_nat_t_port = (struct sadb_x_nat_t_port *)pfkey_ext;
+
+	if(!pfkey_x_nat_t_port) {
+		printk("klips_debug:pfkey_x_nat_t_port_process: "
+		       "null pointer passed in\n");
+		SENDERR(EINVAL);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_nat_t_port_process: %d/%d.\n",
+			pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype,
+			pfkey_x_nat_t_port->sadb_x_nat_t_port_port);
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_nat_t_type_process: "
+			    "extr or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype) {
+		case SADB_X_EXT_NAT_T_SPORT:
+			extr->ips->ips_natt_sport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
+			break;
+		case SADB_X_EXT_NAT_T_DPORT:
+			extr->ips->ips_natt_dport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
+			break;
+		default:
+			KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_nat_t_port_process: "
+			    "unknown exttype %d.\n",
+			    pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype);
+			SENDERR(EINVAL);
+			break;
+	}
+
+errlab:
+	return error;
+}
+#endif
+
+int
+pfkey_x_debug_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
+
+	if(!pfkey_x_debug) {
+		printk("klips_debug:pfkey_x_debug_process: "
+		       "null pointer passed in\n");
+		SENDERR(EINVAL);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_debug_process: .\n");
+
+#ifdef CONFIG_KLIPS_DEBUG
+		if(pfkey_x_debug->sadb_x_debug_netlink >>
+		   (sizeof(pfkey_x_debug->sadb_x_debug_netlink) * 8 - 1)) {
+			pfkey_x_debug->sadb_x_debug_netlink &=
+				~(1 << (sizeof(pfkey_x_debug->sadb_x_debug_netlink) * 8 -1));
+			debug_tunnel  |= pfkey_x_debug->sadb_x_debug_tunnel;
+			debug_netlink |= pfkey_x_debug->sadb_x_debug_netlink;
+			debug_xform   |= pfkey_x_debug->sadb_x_debug_xform;
+			debug_eroute  |= pfkey_x_debug->sadb_x_debug_eroute;
+			debug_spi     |= pfkey_x_debug->sadb_x_debug_spi;
+			debug_radij   |= pfkey_x_debug->sadb_x_debug_radij;
+			debug_esp     |= pfkey_x_debug->sadb_x_debug_esp;
+			debug_ah      |= pfkey_x_debug->sadb_x_debug_ah;
+			debug_rcv     |= pfkey_x_debug->sadb_x_debug_rcv;
+			debug_pfkey   |= pfkey_x_debug->sadb_x_debug_pfkey;
+#ifdef CONFIG_KLIPS_IPCOMP
+			sysctl_ipsec_debug_ipcomp  |= pfkey_x_debug->sadb_x_debug_ipcomp;
+#endif /* CONFIG_KLIPS_IPCOMP */
+			sysctl_ipsec_debug_verbose |= pfkey_x_debug->sadb_x_debug_verbose;
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_debug_process: "
+				    "set\n");
+		} else {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_debug_process: "
+				    "unset\n");
+			debug_tunnel  &= pfkey_x_debug->sadb_x_debug_tunnel;
+			debug_netlink &= pfkey_x_debug->sadb_x_debug_netlink;
+			debug_xform   &= pfkey_x_debug->sadb_x_debug_xform;
+			debug_eroute  &= pfkey_x_debug->sadb_x_debug_eroute;
+			debug_spi     &= pfkey_x_debug->sadb_x_debug_spi;
+			debug_radij   &= pfkey_x_debug->sadb_x_debug_radij;
+			debug_esp     &= pfkey_x_debug->sadb_x_debug_esp;
+			debug_ah      &= pfkey_x_debug->sadb_x_debug_ah;
+			debug_rcv     &= pfkey_x_debug->sadb_x_debug_rcv;
+			debug_pfkey   &= pfkey_x_debug->sadb_x_debug_pfkey;
+#ifdef CONFIG_KLIPS_IPCOMP
+			sysctl_ipsec_debug_ipcomp  &= pfkey_x_debug->sadb_x_debug_ipcomp;
+#endif /* CONFIG_KLIPS_IPCOMP */
+			sysctl_ipsec_debug_verbose &= pfkey_x_debug->sadb_x_debug_verbose;
+		}
+#else /* CONFIG_KLIPS_DEBUG */
+		printk("klips_debug:pfkey_x_debug_process: "
+		       "debugging not enabled\n");
+		SENDERR(EINVAL);
+#endif /* CONFIG_KLIPS_DEBUG */
+	
+errlab:
+	return error;
+}
+
+/*
+ * $Log: pfkey_v2_ext_process.c,v $
+ * Revision 1.20.2.2  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.20.2.1  2006/04/20 16:33:07  mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ *
+ * Revision 1.20  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.19  2004/12/04 07:14:18  mcr
+ * 	resolution to gcc3-ism was wrong. fixed to assign correct
+ * 	variable.
+ *
+ * Revision 1.18  2004/12/03 21:25:57  mcr
+ * 	compile time fixes for running on 2.6.
+ * 	still experimental.
+ *
+ * Revision 1.17  2004/08/21 00:45:04  mcr
+ * 	CONFIG_KLIPS_NAT was wrong, also need to include udp.h.
+ *
+ * Revision 1.16  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.15  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.14  2004/02/03 03:13:59  mcr
+ * 	no longer #ifdef out NON_ESP mode. That was a mistake.
+ *
+ * Revision 1.13  2003/12/15 18:13:12  mcr
+ * 	when compiling with NAT traversal, don't assume that the
+ * 	kernel has been patched, unless CONFIG_IPSEC_NAT_NON_ESP
+ * 	is set.
+ *
+ * Revision 1.12.2.1  2003/12/22 15:25:52  jjo
+ *      Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.12  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.11  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.10.4.2  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.10.4.1  2003/09/21 13:59:56  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.10  2003/02/06 01:51:41  rgb
+ * Removed no longer relevant comment
+ *
+ * Revision 1.9  2003/01/30 02:32:44  rgb
+ *
+ * Transmit error code through to caller from callee for better diagnosis of problems.
+ *
+ * Revision 1.8  2002/12/13 22:42:22  mcr
+ * 	restored sa_ref code
+ *
+ * Revision 1.7  2002/12/13 22:40:48  mcr
+ * 	temporarily removed sadb_x_sa_ref reference for 2.xx
+ *
+ * Revision 1.6  2002/10/05 05:02:58  dhr
+ *
+ * C labels go on statements
+ *
+ * Revision 1.5  2002/09/20 15:41:08  rgb
+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
+ * Added sadb_x_sa_ref to struct sadb_sa.
+ *
+ * Revision 1.4  2002/09/20 05:02:02  rgb
+ * Added memory allocation debugging.
+ *
+ * Revision 1.3  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.2  2002/05/27 18:55:03  rgb
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.1  2002/05/14 02:33:51  rgb
+ * Moved all the extension processing functions to pfkey_v2_ext_process.c.
+ *
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_parse.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1846 @@
+/*
+ * RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_parse.c,v 1.65 2005/04/06 17:46:05 mcr Exp $
+ */
+
+/*
+ *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
+ */
+
+char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c,v 1.65 2005/04/06 17:46:05 mcr Exp $";
+
+/*
+ * Some ugly stuff to allow consistent debugging code for use in the
+ * kernel and in user space
+*/
+
+#ifdef __KERNEL__
+
+# include <linux/kernel.h>  /* for printk */
+
+#include "openswan/ipsec_kversion.h" /* for malloc switch */
+
+# ifdef MALLOC_SLAB
+#  include <linux/slab.h> /* kmalloc() */
+# else /* MALLOC_SLAB */
+#  include <linux/malloc.h> /* kmalloc() */
+# endif /* MALLOC_SLAB */
+# include <linux/errno.h>  /* error codes */
+# include <linux/types.h>  /* size_t */
+# include <linux/interrupt.h> /* mark_bh */
+
+# include <linux/netdevice.h>   /* struct device, and other headers */
+# include <linux/etherdevice.h> /* eth_type_trans */
+# include <linux/ip.h>          /* struct iphdr */ 
+# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#  include <linux/ipv6.h>        /* struct ipv6hdr */
+# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+extern int debug_pfkey;
+
+# include <openswan.h>
+
+#include "openswan/ipsec_encap.h"
+
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
+# include <linux/types.h>
+# include <linux/errno.h>
+
+# include <openswan.h>
+# include "constants.h" 
+# include "programs/pluto/defs.h"  /* for PRINTF_LIKE */
+
+#endif /* __KERNEL__ */
+
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
+
+/* 
+ * how to handle debugging for pfkey.
+ */
+#include <openswan/pfkey_debug.h>
+
+unsigned int pfkey_lib_debug = PF_KEY_DEBUG_PARSE_NONE;
+void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
+void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
+
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+struct satype_tbl {
+	uint8_t proto;
+	uint8_t satype;
+	char* name;
+} static satype_tbl[] = {
+#ifdef __KERNEL__
+	{ IPPROTO_ESP,	SADB_SATYPE_ESP,	"ESP"  },
+	{ IPPROTO_AH,	SADB_SATYPE_AH,		"AH"   },
+	{ IPPROTO_IPIP,	SADB_X_SATYPE_IPIP,	"IPIP" },
+#ifdef CONFIG_KLIPS_IPCOMP
+	{ IPPROTO_COMP,	SADB_X_SATYPE_COMP,	"COMP" },
+#endif /* CONFIG_KLIPS_IPCOMP */
+	{ IPPROTO_INT,	SADB_X_SATYPE_INT,	"INT" },
+#else /* __KERNEL__ */
+	{ SA_ESP,	SADB_SATYPE_ESP,	"ESP"  },
+	{ SA_AH,	SADB_SATYPE_AH,		"AH"   },
+	{ SA_IPIP,	SADB_X_SATYPE_IPIP,	"IPIP" },
+	{ SA_COMP,	SADB_X_SATYPE_COMP,	"COMP" },
+	{ SA_INT,	SADB_X_SATYPE_INT,	"INT" },
+#endif /* __KERNEL__ */
+	{ 0,		0,			"UNKNOWN" }
+};
+
+uint8_t
+satype2proto(uint8_t satype)
+{
+	int i =0;
+
+	while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
+		i++;
+	}
+	return satype_tbl[i].proto;
+}
+
+uint8_t
+proto2satype(uint8_t proto)
+{
+	int i = 0;
+
+	while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
+		i++;
+	}
+	return satype_tbl[i].satype;
+}
+
+char*
+satype2name(uint8_t satype)
+{
+	int i = 0;
+
+	while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
+		i++;
+	}
+	return satype_tbl[i].name;
+}
+
+char*
+proto2name(uint8_t proto)
+{
+	int i = 0;
+
+	while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
+		i++;
+	}
+	return satype_tbl[i].name;
+}
+
+/* Default extension parsers taken from the KLIPS code */
+
+DEBUG_NO_STATIC int
+pfkey_sa_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
+#if 0
+	struct sadb_sa sav2;
+#endif
+	
+	/* sanity checks... */
+	if(!pfkey_sa) {
+		ERROR("pfkey_sa_parse: "
+			  "NULL pointer passed in.\n");
+		SENDERR(EINVAL);
+	}
+	
+#if 0
+	/* check if this structure is short, and if so, fix it up.
+	 * XXX this is NOT the way to do things.
+	 */
+	if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) {
+
+		/* yes, so clear out a temporary structure, and copy first */
+		memset(&sav2, 0, sizeof(sav2));
+		memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
+		sav2.sadb_x_sa_ref=-1;
+		sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
+		
+		pfkey_sa = &sav2;
+	}
+#endif
+
+
+	if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "length wrong pfkey_sa->sadb_sa_len=%d sizeof(struct sadb_sa)=%d.\n",
+			  pfkey_sa->sadb_sa_len,
+			  (int)sizeof(struct sadb_sa));
+		SENDERR(EINVAL);
+	}
+
+#if SADB_EALG_MAX < 255	
+	if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "pfkey_sa->sadb_sa_encrypt=%d > SADB_EALG_MAX=%d.\n",
+			  pfkey_sa->sadb_sa_encrypt,
+			  SADB_EALG_MAX);
+		SENDERR(EINVAL);
+	}
+#endif
+	
+#if SADB_AALG_MAX < 255	
+	if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "pfkey_sa->sadb_sa_auth=%d > SADB_AALG_MAX=%d.\n",
+			  pfkey_sa->sadb_sa_auth,
+			  SADB_AALG_MAX);
+		SENDERR(EINVAL);
+	}
+#endif
+	
+#if SADB_SASTATE_MAX < 255	
+	if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "state=%d exceeds MAX=%d.\n",
+			  pfkey_sa->sadb_sa_state,
+			  SADB_SASTATE_MAX);
+		SENDERR(EINVAL);
+	}
+#endif
+	
+	if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "state=%d is DEAD=%d.\n",
+			  pfkey_sa->sadb_sa_state,
+			  SADB_SASTATE_DEAD);
+		SENDERR(EINVAL);
+	}
+	
+	if(pfkey_sa->sadb_sa_replay > 64) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "replay window size: %d -- must be 0 <= size <= 64\n",
+			  pfkey_sa->sadb_sa_replay);
+		SENDERR(EINVAL);
+	}
+	
+	if(! ((pfkey_sa->sadb_sa_exttype ==  SADB_EXT_SA) ||
+	      (pfkey_sa->sadb_sa_exttype ==  SADB_X_EXT_SA2)))
+	{
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "unknown exttype=%d, expecting SADB_EXT_SA=%d or SADB_X_EXT_SA2=%d.\n",
+			  pfkey_sa->sadb_sa_exttype,
+			  SADB_EXT_SA,
+			  SADB_X_EXT_SA2);
+		SENDERR(EINVAL);
+	}
+
+	if((IPSEC_SAREF_NULL != pfkey_sa->sadb_x_sa_ref) && (pfkey_sa->sadb_x_sa_ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
+		ERROR(
+			  "pfkey_sa_parse: "
+			  "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
+			  pfkey_sa->sadb_x_sa_ref,
+			  IPSEC_SAREF_NULL,
+			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
+		SENDERR(EINVAL);
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_sa_parse: "
+		  "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
+		  pfkey_sa->sadb_sa_len,
+		  pfkey_sa->sadb_sa_exttype,
+		  pfkey_v2_sadb_ext_string(pfkey_sa->sadb_sa_exttype),
+		  (long unsigned int)ntohl(pfkey_sa->sadb_sa_spi),
+		  pfkey_sa->sadb_sa_replay,
+		  pfkey_sa->sadb_sa_state,
+		  pfkey_sa->sadb_sa_auth,
+		  pfkey_sa->sadb_sa_encrypt,
+		  pfkey_sa->sadb_sa_flags,
+		  pfkey_sa->sadb_x_sa_ref);
+	
+ errlab:
+	return error;
+}	
+
+DEBUG_NO_STATIC int
+pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		  "pfkey_lifetime_parse:enter\n");
+	/* sanity checks... */
+	if(!pfkey_lifetime) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_lifetime_parse: "
+			  "NULL pointer passed in.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_lifetime->sadb_lifetime_len !=
+	   sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_lifetime_parse: "
+			  "length wrong pfkey_lifetime->sadb_lifetime_len=%d sizeof(struct sadb_lifetime)=%d.\n",
+			  pfkey_lifetime->sadb_lifetime_len,
+			  (int)sizeof(struct sadb_lifetime));
+		SENDERR(EINVAL);
+	}
+
+	if((pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_HARD) &&
+	   (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_SOFT) &&
+	   (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_lifetime_parse: "
+			  "unexpected ext_type=%d.\n", 
+			  pfkey_lifetime->sadb_lifetime_exttype); 
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_lifetime_parse: "
+		  "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n", 
+		  pfkey_lifetime->sadb_lifetime_exttype,
+		  pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
+		  pfkey_lifetime->sadb_lifetime_allocations,
+		  (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
+		  (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
+		  (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
+		  pfkey_lifetime->sadb_x_lifetime_packets); 
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_address_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	int saddr_len = 0;
+	struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
+	struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
+	char ipaddr_txt[ADDRTOT_BUF];
+	
+	/* sanity checks... */
+	if(!pfkey_address) {
+		ERROR(
+			"pfkey_address_parse: "
+			"NULL pointer passed in.\n");
+		SENDERR(EINVAL);
+	}
+	
+	if(pfkey_address->sadb_address_len <
+	   (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
+	   IPSEC_PFKEYv2_ALIGN) {
+		ERROR("pfkey_address_parse: "
+			  "size wrong 1 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
+			  pfkey_address->sadb_address_len,
+			  (int)sizeof(struct sadb_address),
+			  (int)sizeof(struct sockaddr));
+		SENDERR(EINVAL);
+	}
+	
+	if(pfkey_address->sadb_address_reserved) {
+		ERROR("pfkey_address_parse: "
+			  "res=%d, must be zero.\n",
+			  pfkey_address->sadb_address_reserved);
+		SENDERR(EINVAL);
+	}
+	
+	switch(pfkey_address->sadb_address_exttype) {	
+	case SADB_EXT_ADDRESS_SRC:
+	case SADB_EXT_ADDRESS_DST:
+	case SADB_EXT_ADDRESS_PROXY:
+	case SADB_X_EXT_ADDRESS_DST2:
+	case SADB_X_EXT_ADDRESS_SRC_FLOW:
+	case SADB_X_EXT_ADDRESS_DST_FLOW:
+	case SADB_X_EXT_ADDRESS_SRC_MASK:
+	case SADB_X_EXT_ADDRESS_DST_MASK:
+#ifdef NAT_TRAVERSAL
+	case SADB_X_EXT_NAT_T_OA:
+#endif
+		break;
+	default:
+		ERROR(
+			"pfkey_address_parse: "
+			"unexpected ext_type=%d.\n",
+			pfkey_address->sadb_address_exttype);
+		SENDERR(ENOPKG);
+	}
+
+	switch(s->sa_family) {
+	case AF_INET:
+		saddr_len = sizeof(struct sockaddr_in);
+		sprintf(ipaddr_txt, "%d.%d.%d.%d"
+			, (((struct sockaddr_in*)s)->sin_addr.s_addr >>  0) & 0xFF
+			, (((struct sockaddr_in*)s)->sin_addr.s_addr >>  8) & 0xFF
+			, (((struct sockaddr_in*)s)->sin_addr.s_addr >> 16) & 0xFF
+			, (((struct sockaddr_in*)s)->sin_addr.s_addr >> 24) & 0xFF);
+		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+			  "pfkey_address_parse: "
+			  "found exttype=%u(%s) family=%d(AF_INET) address=%s proto=%u port=%u.\n",
+			  pfkey_address->sadb_address_exttype,
+			  pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
+			  s->sa_family,
+			  ipaddr_txt,
+			  pfkey_address->sadb_address_proto,
+			  ntohs(((struct sockaddr_in*)s)->sin_port));
+		break;
+	case AF_INET6:
+		saddr_len = sizeof(struct sockaddr_in6);
+		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
+			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
+		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+			  "pfkey_address_parse: "
+			  "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
+			  pfkey_address->sadb_address_exttype,
+			  pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
+			  s->sa_family,
+			  ipaddr_txt,
+			  pfkey_address->sadb_address_proto,
+			  ((struct sockaddr_in6*)s)->sin6_port);
+		break;
+	default:
+		ERROR(
+			"pfkey_address_parse: "
+			"s->sa_family=%d not supported.\n",
+			s->sa_family);
+		SENDERR(EPFNOSUPPORT);
+	}
+	
+	if(pfkey_address->sadb_address_len !=
+	   DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
+		ERROR(
+			  "pfkey_address_parse: "
+			  "size wrong 2 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
+			  pfkey_address->sadb_address_len,
+			  (int)sizeof(struct sadb_address),
+			  saddr_len);
+		SENDERR(EINVAL);
+	}
+	
+	if(pfkey_address->sadb_address_prefixlen != 0) {
+		ERROR(
+			"pfkey_address_parse: "
+			"address prefixes not supported yet.\n");
+		SENDERR(EAFNOSUPPORT); /* not supported yet */
+	}
+	
+	/* XXX check if port!=0 */
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		"pfkey_address_parse: successful.\n");
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_key_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
+
+	/* sanity checks... */
+
+	if(!pfkey_key) {
+		ERROR(
+			"pfkey_key_parse: "
+			"NULL pointer passed in.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_key->sadb_key_len < sizeof(struct sadb_key) / IPSEC_PFKEYv2_ALIGN) {
+		ERROR(
+			  "pfkey_key_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_key->sadb_key_len,
+			  (int)sizeof(struct sadb_key));
+		SENDERR(EINVAL);
+	}
+
+	if(!pfkey_key->sadb_key_bits) {
+		ERROR(
+			"pfkey_key_parse: "
+			"key length set to zero, must be non-zero.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_key->sadb_key_len !=
+	   DIVUP(sizeof(struct sadb_key) * OCTETBITS + pfkey_key->sadb_key_bits,
+		 PFKEYBITS)) {
+		ERROR(
+			"pfkey_key_parse: "
+			"key length=%d does not agree with extension length=%d.\n",
+			pfkey_key->sadb_key_bits,
+			pfkey_key->sadb_key_len);
+		SENDERR(EINVAL);
+	}
+	
+	if(pfkey_key->sadb_key_reserved) {
+		ERROR(
+			"pfkey_key_parse: "
+			"res=%d, must be zero.\n",
+			pfkey_key->sadb_key_reserved);
+		SENDERR(EINVAL);
+	}
+
+	if(! ( (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ||
+	       (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_ENCRYPT))) {
+		ERROR(
+			"pfkey_key_parse: "
+			"expecting extension type AUTH or ENCRYPT, got %d.\n",
+			pfkey_key->sadb_key_exttype);
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_key_parse: "
+		  "success, found len=%d exttype=%d(%s) bits=%d reserved=%d.\n",
+		  pfkey_key->sadb_key_len,
+		  pfkey_key->sadb_key_exttype,
+		  pfkey_v2_sadb_ext_string(pfkey_key->sadb_key_exttype),
+		  pfkey_key->sadb_key_bits,
+		  pfkey_key->sadb_key_reserved);
+
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_ident_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
+
+	/* sanity checks... */
+	if(pfkey_ident->sadb_ident_len < sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
+		ERROR(
+			  "pfkey_ident_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_ident->sadb_ident_len,
+			  (int)sizeof(struct sadb_ident));
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
+		ERROR(
+			"pfkey_ident_parse: "
+			"ident_type=%d out of range, must be less than %d.\n",
+			pfkey_ident->sadb_ident_type,
+			SADB_IDENTTYPE_MAX);
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_ident->sadb_ident_reserved) {
+		ERROR(
+			"pfkey_ident_parse: "
+			"res=%d, must be zero.\n",
+			pfkey_ident->sadb_ident_reserved);
+		SENDERR(EINVAL);
+	}
+
+	/* string terminator/padding must be zero */
+	if(pfkey_ident->sadb_ident_len > sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
+		if(*((char*)pfkey_ident + pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1)) {
+			ERROR(
+				"pfkey_ident_parse: "
+				"string padding must be zero, last is 0x%02x.\n",
+				*((char*)pfkey_ident +
+				  pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1));
+			SENDERR(EINVAL);
+		}
+	}
+	
+	if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
+	       (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
+		ERROR(
+			"pfkey_key_parse: "
+			"expecting extension type IDENTITY_SRC or IDENTITY_DST, got %d.\n",
+			pfkey_ident->sadb_ident_exttype);
+		SENDERR(EINVAL);
+	}
+
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_sens_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_sens *pfkey_sens = (struct sadb_sens *)pfkey_ext;
+
+	/* sanity checks... */
+	if(pfkey_sens->sadb_sens_len < sizeof(struct sadb_sens) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_sens_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_sens->sadb_sens_len,
+			  (int)sizeof(struct sadb_sens));
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+		"pfkey_sens_parse: "
+		"Sorry, I can't parse exttype=%d yet.\n",
+		pfkey_ext->sadb_ext_type);
+#if 0
+	SENDERR(EINVAL); /* don't process these yet */
+#endif
+
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_prop_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	int i, num_comb;
+	struct sadb_prop *pfkey_prop = (struct sadb_prop *)pfkey_ext;
+	struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
+
+	/* sanity checks... */
+	if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) || 
+	   (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_prop_parse: "
+			  "size wrong ext_len=%d, prop_ext_len=%d comb_ext_len=%d.\n",
+			  pfkey_prop->sadb_prop_len,
+			  (int)sizeof(struct sadb_prop),
+			  (int)sizeof(struct sadb_comb));
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_prop->sadb_prop_replay > 64) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_prop_parse: "
+			"replay window size: %d -- must be 0 <= size <= 64\n",
+			pfkey_prop->sadb_prop_replay);
+		SENDERR(EINVAL);
+	}
+	
+	for(i=0; i<3; i++) {
+		if(pfkey_prop->sadb_prop_reserved[i]) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_prop_parse: "
+				"res[%d]=%d, must be zero.\n",
+				i, pfkey_prop->sadb_prop_reserved[i]);
+			SENDERR(EINVAL);
+		}
+	}
+
+	num_comb = ((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) / sizeof(struct sadb_comb);
+
+	for(i = 0; i < num_comb; i++) {
+		if(pfkey_comb->sadb_comb_auth > SADB_AALG_MAX) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_prop_parse: "
+				"pfkey_comb[%d]->sadb_comb_auth=%d > SADB_AALG_MAX=%d.\n",
+				i,
+				pfkey_comb->sadb_comb_auth,
+				SADB_AALG_MAX);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_comb_auth) {
+			if(!pfkey_comb->sadb_comb_auth_minbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_auth_minbits=0, fatal.\n",
+					i);
+				SENDERR(EINVAL);
+			}
+			if(!pfkey_comb->sadb_comb_auth_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_auth_maxbits=0, fatal.\n",
+					i);
+				SENDERR(EINVAL);
+			}
+			if(pfkey_comb->sadb_comb_auth_minbits > pfkey_comb->sadb_comb_auth_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_auth_minbits=%d > maxbits=%d, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_auth_minbits,
+					pfkey_comb->sadb_comb_auth_maxbits);
+				SENDERR(EINVAL);
+			}
+		} else {
+			if(pfkey_comb->sadb_comb_auth_minbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_auth_minbits=%d != 0, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_auth_minbits);
+				SENDERR(EINVAL);
+			}
+			if(pfkey_comb->sadb_comb_auth_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_auth_maxbits=%d != 0, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_auth_maxbits);
+				SENDERR(EINVAL);
+			}
+		}
+
+#if SADB_EALG_MAX < 255	
+		if(pfkey_comb->sadb_comb_encrypt > SADB_EALG_MAX) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_comb_parse: "
+				"pfkey_comb[%d]->sadb_comb_encrypt=%d > SADB_EALG_MAX=%d.\n",
+				i,
+				pfkey_comb->sadb_comb_encrypt,
+				SADB_EALG_MAX);
+			SENDERR(EINVAL);
+		}
+#endif
+
+		if(pfkey_comb->sadb_comb_encrypt) {
+			if(!pfkey_comb->sadb_comb_encrypt_minbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=0, fatal.\n",
+					i);
+				SENDERR(EINVAL);
+			}
+			if(!pfkey_comb->sadb_comb_encrypt_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_encrypt_maxbits=0, fatal.\n",
+					i);
+				SENDERR(EINVAL);
+			}
+			if(pfkey_comb->sadb_comb_encrypt_minbits > pfkey_comb->sadb_comb_encrypt_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d > maxbits=%d, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_encrypt_minbits,
+					pfkey_comb->sadb_comb_encrypt_maxbits);
+				SENDERR(EINVAL);
+			}
+		} else {
+			if(pfkey_comb->sadb_comb_encrypt_minbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d != 0, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_encrypt_minbits);
+				SENDERR(EINVAL);
+			}
+			if(pfkey_comb->sadb_comb_encrypt_maxbits) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_prop_parse: "
+					"pfkey_comb[%d]->sadb_comb_encrypt_maxbits=%d != 0, fatal.\n",
+					i,
+					pfkey_comb->sadb_comb_encrypt_maxbits);
+				SENDERR(EINVAL);
+			}
+		}
+
+		/* XXX do sanity check on flags */
+
+		if(pfkey_comb->sadb_comb_hard_allocations && pfkey_comb->sadb_comb_soft_allocations > pfkey_comb->sadb_comb_hard_allocations) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_prop_parse: "
+				  "pfkey_comb[%d]->sadb_comb_soft_allocations=%d > hard_allocations=%d, fatal.\n",
+				  i,
+				  pfkey_comb->sadb_comb_soft_allocations,
+				  pfkey_comb->sadb_comb_hard_allocations);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_comb_hard_bytes && pfkey_comb->sadb_comb_soft_bytes > pfkey_comb->sadb_comb_hard_bytes) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_prop_parse: "
+				  "pfkey_comb[%d]->sadb_comb_soft_bytes=%Ld > hard_bytes=%Ld, fatal.\n",
+				  i,
+				  (unsigned long long int)pfkey_comb->sadb_comb_soft_bytes,
+				  (unsigned long long int)pfkey_comb->sadb_comb_hard_bytes);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_comb_hard_addtime && pfkey_comb->sadb_comb_soft_addtime > pfkey_comb->sadb_comb_hard_addtime) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_prop_parse: "
+				  "pfkey_comb[%d]->sadb_comb_soft_addtime=%Ld > hard_addtime=%Ld, fatal.\n",
+				  i,
+				  (unsigned long long int)pfkey_comb->sadb_comb_soft_addtime,
+				  (unsigned long long int)pfkey_comb->sadb_comb_hard_addtime);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_comb_hard_usetime && pfkey_comb->sadb_comb_soft_usetime > pfkey_comb->sadb_comb_hard_usetime) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_prop_parse: "
+				  "pfkey_comb[%d]->sadb_comb_soft_usetime=%Ld > hard_usetime=%Ld, fatal.\n",
+				  i,
+				  (unsigned long long int)pfkey_comb->sadb_comb_soft_usetime,
+				  (unsigned long long int)pfkey_comb->sadb_comb_hard_usetime);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_x_comb_hard_packets && pfkey_comb->sadb_x_comb_soft_packets > pfkey_comb->sadb_x_comb_hard_packets) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_prop_parse: "
+				"pfkey_comb[%d]->sadb_x_comb_soft_packets=%d > hard_packets=%d, fatal.\n",
+				i,
+				pfkey_comb->sadb_x_comb_soft_packets,
+				pfkey_comb->sadb_x_comb_hard_packets);
+			SENDERR(EINVAL);
+		}
+
+		if(pfkey_comb->sadb_comb_reserved) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_prop_parse: "
+				"comb[%d].res=%d, must be zero.\n",
+				i,
+				pfkey_comb->sadb_comb_reserved);
+			SENDERR(EINVAL);
+		}
+		pfkey_comb++;
+	}
+
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_supported_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	unsigned int i, num_alg;
+	struct sadb_supported *pfkey_supported = (struct sadb_supported *)pfkey_ext;
+	struct sadb_alg *pfkey_alg = (struct sadb_alg*)((char*)pfkey_ext + sizeof(struct sadb_supported));
+
+	/* sanity checks... */
+	if((pfkey_supported->sadb_supported_len <
+	   sizeof(struct sadb_supported) / IPSEC_PFKEYv2_ALIGN) ||
+	   (((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) -
+	     sizeof(struct sadb_supported)) % sizeof(struct sadb_alg))) {
+
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_supported_parse: "
+			  "size wrong ext_len=%d, supported_ext_len=%d alg_ext_len=%d.\n",
+			  pfkey_supported->sadb_supported_len,
+			  (int)sizeof(struct sadb_supported),
+			  (int)sizeof(struct sadb_alg));
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_supported->sadb_supported_reserved) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_supported_parse: "
+			"res=%d, must be zero.\n",
+			pfkey_supported->sadb_supported_reserved);
+		SENDERR(EINVAL);
+	}
+
+	num_alg = ((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_supported)) / sizeof(struct sadb_alg);
+
+	for(i = 0; i < num_alg; i++) {
+		/* process algo description */
+		if(pfkey_alg->sadb_alg_reserved) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_supported_parse: "
+				"alg[%d], id=%d, ivlen=%d, minbits=%d, maxbits=%d, res=%d, must be zero.\n",
+				i,
+				pfkey_alg->sadb_alg_id,
+				pfkey_alg->sadb_alg_ivlen,
+				pfkey_alg->sadb_alg_minbits,
+				pfkey_alg->sadb_alg_maxbits,
+				pfkey_alg->sadb_alg_reserved);
+			SENDERR(EINVAL);
+		}
+
+		/* XXX can alg_id auth/enc be determined from info given?
+		   Yes, but OpenBSD's method does not iteroperate with rfc2367.
+		   rgb, 2000-04-06 */
+
+		switch(pfkey_supported->sadb_supported_exttype) {
+		case SADB_EXT_SUPPORTED_AUTH:
+			if(pfkey_alg->sadb_alg_id > SADB_AALG_MAX) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_supported_parse: "
+					"alg[%d], alg_id=%d > SADB_AALG_MAX=%d, fatal.\n",
+					i,
+					pfkey_alg->sadb_alg_id,
+					SADB_AALG_MAX);
+				SENDERR(EINVAL);
+			}
+			break;
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+#if SADB_EALG_MAX < 255	
+			if(pfkey_alg->sadb_alg_id > SADB_EALG_MAX) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_supported_parse: "
+					"alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
+					i,
+					pfkey_alg->sadb_alg_id,
+					SADB_EALG_MAX);
+				SENDERR(EINVAL);
+			}
+#endif
+			break;
+		default:
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_supported_parse: "
+				"alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
+				i,
+				pfkey_alg->sadb_alg_id,
+				SADB_EALG_MAX);
+			SENDERR(EINVAL);
+		}
+		pfkey_alg++;
+	}
+	
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
+	
+	/* sanity checks... */
+        if(pfkey_spirange->sadb_spirange_len !=
+	   sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_spirange_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_spirange->sadb_spirange_len,
+			  (int)sizeof(struct sadb_spirange));
+                SENDERR(EINVAL);
+        }
+	
+        if(pfkey_spirange->sadb_spirange_reserved) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_spirange_parse: "
+			"reserved=%d must be set to zero.\n",
+			pfkey_spirange->sadb_spirange_reserved);
+                SENDERR(EINVAL);
+        }
+	
+        if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_spirange_parse: "
+			"minspi=%08x must be < maxspi=%08x.\n",
+			ntohl(pfkey_spirange->sadb_spirange_min),
+			ntohl(pfkey_spirange->sadb_spirange_max));
+                SENDERR(EINVAL);
+        }
+	
+	if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_spirange_parse: "
+			"minspi=%08x must be > 255.\n",
+			ntohl(pfkey_spirange->sadb_spirange_min));
+		SENDERR(EEXIST);
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_spirange_parse: "
+		  "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
+		  pfkey_spirange->sadb_spirange_len,
+		  pfkey_spirange->sadb_spirange_exttype,
+		  pfkey_v2_sadb_ext_string(pfkey_spirange->sadb_spirange_exttype),
+		  pfkey_spirange->sadb_spirange_min,
+		  pfkey_spirange->sadb_spirange_max,
+		  pfkey_spirange->sadb_spirange_reserved);
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_kmprivate_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)pfkey_ext;
+
+	/* sanity checks... */
+	if(pfkey_x_kmprivate->sadb_x_kmprivate_len <
+	   sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_x_kmprivate_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_x_kmprivate->sadb_x_kmprivate_len,
+			  (int)sizeof(struct sadb_x_kmprivate));
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_x_kmprivate->sadb_x_kmprivate_reserved) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_x_kmprivate_parse: "
+			  "reserved=%d must be set to zero.\n",
+			  pfkey_x_kmprivate->sadb_x_kmprivate_reserved);
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+		  "pfkey_x_kmprivate_parse: "
+		  "Sorry, I can't parse exttype=%d yet.\n",
+		  pfkey_ext->sadb_ext_type);
+	SENDERR(EINVAL); /* don't process these yet */
+
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	int i;
+	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		"pfkey_x_satype_parse: enter\n");
+	/* sanity checks... */
+	if(pfkey_x_satype->sadb_x_satype_len !=
+	   sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_x_satype_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_x_satype->sadb_x_satype_len,
+			  (int)sizeof(struct sadb_x_satype));
+		SENDERR(EINVAL);
+	}
+	
+	if(!pfkey_x_satype->sadb_x_satype_satype) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_x_satype_parse: "
+			"satype is zero, must be non-zero.\n");
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_x_satype_parse: "
+			"satype %d > max %d, invalid.\n", 
+			pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
+		SENDERR(EINVAL);
+	}
+
+	if(!(satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_x_satype_parse: "
+			"proto lookup from satype=%d failed.\n",
+			pfkey_x_satype->sadb_x_satype_satype);
+		SENDERR(EINVAL);
+	}
+
+	for(i = 0; i < 3; i++) {
+		if(pfkey_x_satype->sadb_x_satype_reserved[i]) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_x_satype_parse: "
+				"reserved[%d]=%d must be set to zero.\n",
+				i, pfkey_x_satype->sadb_x_satype_reserved[i]);
+			SENDERR(EINVAL);
+		}
+	}
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_x_satype_parse: "
+		  "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
+		  pfkey_x_satype->sadb_x_satype_len,
+		  pfkey_x_satype->sadb_x_satype_exttype,
+		  pfkey_v2_sadb_ext_string(pfkey_x_satype->sadb_x_satype_exttype),
+		  pfkey_x_satype->sadb_x_satype_satype,
+		  satype2name(pfkey_x_satype->sadb_x_satype_satype),
+		  pfkey_x_satype->sadb_x_satype_reserved[0],
+		  pfkey_x_satype->sadb_x_satype_reserved[1],
+		  pfkey_x_satype->sadb_x_satype_reserved[2]);
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	int i;
+	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		"pfkey_x_debug_parse: enter\n");
+	/* sanity checks... */
+	if(pfkey_x_debug->sadb_x_debug_len !=
+	   sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_x_debug_parse: "
+			  "size wrong ext_len=%d, key_ext_len=%d.\n",
+			  pfkey_x_debug->sadb_x_debug_len,
+			  (int)sizeof(struct sadb_x_debug));
+		SENDERR(EINVAL);
+	}
+	
+	for(i = 0; i < 4; i++) {
+		if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_x_debug_parse: "
+				"reserved[%d]=%d must be set to zero.\n",
+				i, pfkey_x_debug->sadb_x_debug_reserved[i]);
+			SENDERR(EINVAL);
+		}
+	}
+	
+errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
+{
+	int error = 0;
+	struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
+	/* sanity checks... */
+	
+	if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
+			  p->sadb_protocol_len, (int)sizeof(*p));
+		SENDERR(EINVAL);
+	}
+	
+	if (p->sadb_protocol_reserved2 != 0) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			  "pfkey_protocol_parse: res=%d, must be zero.\n",
+			  p->sadb_protocol_reserved2);
+		SENDERR(EINVAL);
+	}
+
+ errlab:
+	return error;
+}
+
+#ifdef NAT_TRAVERSAL
+DEBUG_NO_STATIC int
+pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
+{
+	return 0;
+}
+DEBUG_NO_STATIC int
+pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
+{
+	return 0;
+}
+#endif
+
+#define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
+
+DEFINEPARSER(pfkey_sa_parse);
+DEFINEPARSER(pfkey_lifetime_parse);
+DEFINEPARSER(pfkey_address_parse);
+DEFINEPARSER(pfkey_key_parse);
+DEFINEPARSER(pfkey_ident_parse);
+DEFINEPARSER(pfkey_sens_parse);
+DEFINEPARSER(pfkey_prop_parse);
+DEFINEPARSER(pfkey_supported_parse);
+DEFINEPARSER(pfkey_spirange_parse);
+DEFINEPARSER(pfkey_x_kmprivate_parse);
+DEFINEPARSER(pfkey_x_satype_parse);
+DEFINEPARSER(pfkey_x_ext_debug_parse);
+DEFINEPARSER(pfkey_x_ext_protocol_parse);
+#ifdef NAT_TRAVERSAL
+DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
+DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
+#endif
+
+struct pf_key_ext_parsers_def *ext_default_parsers[]=
+{
+	NULL,                 /* pfkey_msg_parse, */
+	&pfkey_sa_parse_def,
+	&pfkey_lifetime_parse_def,
+	&pfkey_lifetime_parse_def,
+	&pfkey_lifetime_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_key_parse_def,
+	&pfkey_key_parse_def,
+	&pfkey_ident_parse_def,
+	&pfkey_ident_parse_def,
+	&pfkey_sens_parse_def,
+	&pfkey_prop_parse_def,
+	&pfkey_supported_parse_def,
+	&pfkey_supported_parse_def,
+	&pfkey_spirange_parse_def,
+	&pfkey_x_kmprivate_parse_def,
+	&pfkey_x_satype_parse_def,
+	&pfkey_sa_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_address_parse_def,
+	&pfkey_x_ext_debug_parse_def,
+	&pfkey_x_ext_protocol_parse_def
+#ifdef NAT_TRAVERSAL
+	,
+	&pfkey_x_ext_nat_t_type_parse_def,
+	&pfkey_x_ext_nat_t_port_parse_def,
+	&pfkey_x_ext_nat_t_port_parse_def,
+	&pfkey_address_parse_def
+#endif
+};
+
+int
+pfkey_msg_parse(struct sadb_msg *pfkey_msg,
+		struct pf_key_ext_parsers_def *ext_parsers[],
+		struct sadb_ext *extensions[],
+		int dir)
+{
+	int error = 0;
+	int remain;
+	struct sadb_ext *pfkey_ext;
+	int extensions_seen = 0;
+	
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		  "pfkey_msg_parse: "
+		  "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", 
+		  pfkey_msg->sadb_msg_version,
+		  pfkey_msg->sadb_msg_type,
+		  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
+		  pfkey_msg->sadb_msg_errno,
+		  pfkey_msg->sadb_msg_satype,
+		  satype2name(pfkey_msg->sadb_msg_satype),
+		  pfkey_msg->sadb_msg_len,
+		  pfkey_msg->sadb_msg_reserved,
+		  pfkey_msg->sadb_msg_seq,
+		  pfkey_msg->sadb_msg_pid);
+	
+	if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
+	
+	pfkey_extensions_init(extensions);
+	
+	remain = pfkey_msg->sadb_msg_len;
+	remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
+	
+	pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
+				       sizeof(struct sadb_msg));
+	
+	extensions[0] = (struct sadb_ext *) pfkey_msg;
+	
+	
+	if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
+		ERROR("pfkey_msg_parse: "
+			"not PF_KEY_V2 msg, found %d, should be %d.\n",
+			pfkey_msg->sadb_msg_version,
+			PF_KEY_V2);
+		SENDERR(EINVAL);
+	}
+
+	if(!pfkey_msg->sadb_msg_type) {
+		ERROR("pfkey_msg_parse: "
+			"msg type not set, must be non-zero..\n");
+		SENDERR(EINVAL);
+	}
+
+	if(pfkey_msg->sadb_msg_type > SADB_MAX) {
+		ERROR("pfkey_msg_parse: "
+			"msg type=%d > max=%d.\n",
+			pfkey_msg->sadb_msg_type,
+			SADB_MAX);
+		SENDERR(EINVAL);
+	}
+
+	switch(pfkey_msg->sadb_msg_type) {
+	case SADB_GETSPI:
+	case SADB_UPDATE:
+	case SADB_ADD:
+	case SADB_DELETE:
+	case SADB_GET:
+	case SADB_X_GRPSA:
+	case SADB_X_ADDFLOW:
+		if(!satype2proto(pfkey_msg->sadb_msg_satype)) {
+			ERROR("pfkey_msg_parse: "
+				  "satype %d conversion to proto failed for msg_type %d (%s).\n",
+				  pfkey_msg->sadb_msg_satype,
+				  pfkey_msg->sadb_msg_type,
+				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
+			SENDERR(EINVAL);
+		} else {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_msg_parse: "
+				  "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n",
+				  pfkey_msg->sadb_msg_satype,
+				  satype2name(pfkey_msg->sadb_msg_satype),
+				  satype2proto(pfkey_msg->sadb_msg_satype),
+				  pfkey_msg->sadb_msg_type,
+				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
+		}
+	case SADB_ACQUIRE:
+	case SADB_REGISTER:
+	case SADB_EXPIRE:
+		if(!pfkey_msg->sadb_msg_satype) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				  "pfkey_msg_parse: "
+				  "satype is zero, must be non-zero for msg_type %d(%s).\n",
+				  pfkey_msg->sadb_msg_type,
+				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
+			SENDERR(EINVAL);
+		}
+	default:
+		break;
+	}
+	
+	/* errno must not be set in downward messages */
+	/* this is not entirely true... a response to an ACQUIRE could return an error */
+	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			    "pfkey_msg_parse: "
+			    "errno set to %d.\n",
+			    pfkey_msg->sadb_msg_errno);
+		SENDERR(EINVAL);
+	}
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		  "pfkey_msg_parse: "
+		  "remain=%d\n", 
+		  remain
+		  );
+
+	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+		"pfkey_msg_parse: "
+		"extensions permitted=%08x, required=%08x.\n",
+		extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
+		extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
+	
+	extensions_seen = 1;
+	
+	while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
+		/* Is there enough message left to support another extension header? */
+		if(remain < pfkey_ext->sadb_ext_len) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"remain %d less than ext len %d.\n", 
+				remain, pfkey_ext->sadb_ext_len);
+			SENDERR(EINVAL);
+		}
+		
+		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+			"pfkey_msg_parse: "
+			"parsing ext type=%d(%s) remain=%d.\n",
+			pfkey_ext->sadb_ext_type,
+			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+			remain);
+		
+		/* Is the extension header type valid? */
+		if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n", 
+				pfkey_ext->sadb_ext_type,
+				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+				SADB_EXT_MAX);
+			SENDERR(EINVAL);
+		}
+		
+		/* Have we already seen this type of extension? */
+		if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
+		{
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"ext type %d(%s) already seen.\n", 
+				pfkey_ext->sadb_ext_type,
+				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
+			SENDERR(EINVAL);
+		}
+
+		/* Do I even know about this type of extension? */
+		if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
+			ERROR("pfkey_msg_parse: "
+				"ext type %d(%s) unknown, ignoring.\n", 
+				pfkey_ext->sadb_ext_type,
+				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
+			goto next_ext;
+		}
+
+		/* Is this type of extension permitted for this type of message? */
+		if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
+		     1<<pfkey_ext->sadb_ext_type)) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n", 
+				pfkey_ext->sadb_ext_type, 
+				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+				extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
+				1<<pfkey_ext->sadb_ext_type);
+			SENDERR(EINVAL);
+		}
+
+		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+			  "pfkey_msg_parse: "
+			  "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n",
+			  remain,
+			  pfkey_ext->sadb_ext_type,
+			  pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+			  pfkey_ext->sadb_ext_len,
+			  pfkey_ext,
+			  ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
+		
+		/* Parse the extension */
+		if((error =
+		    (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"extension parsing for type %d(%s) failed with error %d.\n",
+				pfkey_ext->sadb_ext_type,
+				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+				error); 
+			SENDERR(-error);
+		}
+		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
+			"pfkey_msg_parse: "
+			"Extension %d(%s) parsed.\n",
+			pfkey_ext->sadb_ext_type,
+			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
+		
+		/* Mark that we have seen this extension and remember the header location */
+		extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
+		extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
+
+	next_ext:		
+		/* Calculate how much message remains */
+		remain -= pfkey_ext->sadb_ext_len;
+
+		if(!remain) {
+			break;
+		}
+		/* Find the next extension header */
+		pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext +
+			pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
+	}
+
+	if(remain) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_msg_parse: "
+			"unexpected remainder of %d.\n", 
+			remain);
+		/* why is there still something remaining? */
+		SENDERR(EINVAL);
+	}
+
+	/* check required extensions */
+	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+		"pfkey_msg_parse: "
+		"extensions permitted=%08x, seen=%08x, required=%08x.\n",
+		extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
+		extensions_seen,
+		extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
+
+	/* don't check further if it is an error return message since it
+	   may not have a body */
+	if(pfkey_msg->sadb_msg_errno) {
+		SENDERR(-error);
+	}
+
+	if((extensions_seen &
+	    extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
+	   extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_msg_parse: "
+			"required extensions missing:%08x.\n",
+			extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
+			(extensions_seen &
+			 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
+		SENDERR(EINVAL);
+	}
+	
+	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
+	   && ((extensions_seen	& SADB_X_EXT_ADDRESS_DELFLOW)
+	       != SADB_X_EXT_ADDRESS_DELFLOW)
+	   && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
+	   || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
+		& SADB_X_SAFLAGS_CLEARFLOW)
+	       != SADB_X_SAFLAGS_CLEARFLOW))) {
+		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+			"pfkey_msg_parse: "
+			"required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
+			SADB_X_EXT_ADDRESS_DELFLOW
+			- (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
+			(1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
+		SENDERR(EINVAL);
+	}
+	
+	switch(pfkey_msg->sadb_msg_type) {
+	case SADB_ADD:
+	case SADB_UPDATE:
+		/* check maturity */
+		if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
+		   SADB_SASTATE_MATURE) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"state=%d for add or update should be MATURE=%d.\n",
+				((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
+				SADB_SASTATE_MATURE);
+			SENDERR(EINVAL);
+		}
+		
+		/* check AH and ESP */
+		switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
+		case SADB_SATYPE_AH:
+			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
+			     SADB_AALG_NONE)) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"auth alg is zero, must be non-zero for AH SAs.\n");
+				SENDERR(EINVAL);
+			}
+			if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
+			   SADB_EALG_NONE) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"AH handed encalg=%d, must be zero.\n",
+					((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
+				SENDERR(EINVAL);
+			}
+			break;
+		case SADB_SATYPE_ESP:
+			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
+			     SADB_EALG_NONE)) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
+					((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
+					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+				SENDERR(EINVAL);
+			}
+			if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt ==
+			    SADB_EALG_NULL) &&
+			   (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
+			    SADB_AALG_NONE) ) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"ESP handed encNULL+authNONE, illegal combination.\n");
+				SENDERR(EINVAL);
+			}
+			break;
+		case SADB_X_SATYPE_COMP:
+			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
+			     SADB_EALG_NONE)) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
+					((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
+					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+				SENDERR(EINVAL);
+			}
+			if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
+			   SADB_AALG_NONE) {
+				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+					"pfkey_msg_parse: "
+					"COMP handed auth=%d, must be zero.\n",
+					((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
+				SENDERR(EINVAL);
+			}
+			break;
+		default:
+			break;
+		}
+		if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
+			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+				"pfkey_msg_parse: "
+				"spi=%08x must be > 255.\n",
+				ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
+			SENDERR(EINVAL);
+		}
+	default:	
+		break;
+	}
+errlab:
+
+	return error;
+}
+
+/*
+ * $Log: pfkey_v2_parse.c,v $
+ * Revision 1.65  2005/04/06 17:46:05  mcr
+ * 	failure to recognize an extension is considered an error.
+ * 	This could be a problem in the future, but we need some kind
+ * 	of logging. This should be rate limited, probably.
+ *
+ * Revision 1.64  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.63  2004/10/28 22:54:10  mcr
+ * 	results from valgrind, thanks to: Harald Hoyer <harald@redhat.com>
+ *
+ * Revision 1.62  2004/10/03 01:26:36  mcr
+ * 	fixes for gcc 3.4 compilation.
+ *
+ * Revision 1.61  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.59  2004/04/18 03:03:49  mcr
+ * 	renamed common include files from pluto directory.
+ *
+ * Revision 1.58  2004/03/08 01:59:08  ken
+ * freeswan.h -> openswan.h
+ *
+ * Revision 1.57  2003/12/10 01:20:19  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.56  2003/12/04 23:01:12  mcr
+ * 	removed ipsec_netlink.h
+ *
+ * Revision 1.55  2003/11/07 01:30:37  ken
+ * Cast sizeof() to int to keep things 64bit clean
+ *
+ * Revision 1.54  2003/10/31 02:27:12  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.53.20.2  2003/10/29 01:11:32  mcr
+ * 	added debugging for pfkey library.
+ *
+ * Revision 1.53.20.1  2003/09/21 13:59:44  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.53  2003/01/30 02:32:09  rgb
+ *
+ * Rename SAref table macro names for clarity.
+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
+ *
+ * Revision 1.52  2002/12/30 06:53:07  mcr
+ * 	deal with short SA structures... #if 0 out for now. Probably
+ * 	not quite the right way.
+ *
+ * Revision 1.51  2002/12/13 18:16:02  mcr
+ * 	restored sa_ref code
+ *
+ * Revision 1.50  2002/12/13 18:06:52  mcr
+ * 	temporarily removed sadb_x_sa_ref reference for 2.xx
+ *
+ * Revision 1.49  2002/10/05 05:02:58  dhr
+ *
+ * C labels go on statements
+ *
+ * Revision 1.48  2002/09/20 15:40:45  rgb
+ * Added sadb_x_sa_ref to struct sadb_sa.
+ *
+ * Revision 1.47  2002/09/20 05:01:31  rgb
+ * Fixed usage of pfkey_lib_debug.
+ * Format for function declaration style consistency.
+ * Added text labels to elucidate numeric values presented.
+ * Re-organised debug output to reduce noise in output.
+ *
+ * Revision 1.46  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.45  2002/05/23 07:14:11  rgb
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.44  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.43  2002/04/24 07:36:40  mcr
+ * Moved from ./lib/pfkey_v2_parse.c,v
+ *
+ * Revision 1.42  2002/01/29 22:25:36  rgb
+ * Re-add ipsec_kversion.h to keep MALLOC happy.
+ *
+ * Revision 1.41  2002/01/29 01:59:10  mcr
+ * 	removal of kversions.h - sources that needed it now use ipsec_param.h.
+ * 	updating of IPv6 structures to match latest in6.h version.
+ * 	removed dead code from openswan.h that also duplicated kversions.h
+ * 	code.
+ *
+ * Revision 1.40  2002/01/20 20:34:50  mcr
+ * 	added pfkey_v2_sadb_type_string to decode sadb_type to string.
+ *
+ * Revision 1.39  2001/11/27 05:29:22  mcr
+ * 	pfkey parses are now maintained by a structure
+ * 	that includes their name for debug purposes.
+ * 	DEBUGGING() macro changed so that it takes a debug
+ * 	level so that pf_key() can use this to decode the
+ * 	structures without innundanting humans.
+ * 	Also uses pfkey_v2_sadb_ext_string() in messages.
+ *
+ * Revision 1.38  2001/11/06 19:47:47  rgb
+ * Added packet parameter to lifetime and comb structures.
+ *
+ * Revision 1.37  2001/10/18 04:45:24  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/openswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.36  2001/06/14 19:35:16  rgb
+ * Update copyright date.
+ *
+ * Revision 1.35  2001/05/03 19:44:51  rgb
+ * Standardise on SENDERR() macro.
+ *
+ * Revision 1.34  2001/03/16 07:41:51  rgb
+ * Put openswan.h include before pluto includes.
+ *
+ * Revision 1.33  2001/02/27 07:13:51  rgb
+ * Added satype2name() function.
+ * Added text to default satype_tbl entry.
+ * Added satype2name() conversions for most satype debug output.
+ *
+ * Revision 1.32  2001/02/26 20:01:09  rgb
+ * Added internal IP protocol 61 for magic SAs.
+ * Ditch unused sadb_satype2proto[], replaced by satype2proto().
+ * Re-formatted debug output (split lines, consistent spacing).
+ * Removed acquire, register and expire requirements for a known satype.
+ * Changed message type checking to a switch structure.
+ * Verify expected NULL auth for IPCOMP.
+ * Enforced spi > 0x100 requirement, now that pass uses a magic SA for
+ * appropriate message types.
+ *
+ * Revision 1.31  2000/12/01 07:09:00  rgb
+ * Added ipcomp sanity check to require encalgo is set.
+ *
+ * Revision 1.30  2000/11/17 18:10:30  rgb
+ * Fixed bugs mostly relating to spirange, to treat all spi variables as
+ * network byte order since this is the way PF_KEYv2 stored spis.
+ *
+ * Revision 1.29  2000/10/12 00:02:39  rgb
+ * Removed 'format, ##' nonsense from debug macros for RH7.0.
+ *
+ * Revision 1.28  2000/09/20 16:23:04  rgb
+ * Remove over-paranoid extension check in the presence of sadb_msg_errno.
+ *
+ * Revision 1.27  2000/09/20 04:04:21  rgb
+ * Changed static functions to DEBUG_NO_STATIC to reveal function names in
+ * oopsen.
+ *
+ * Revision 1.26  2000/09/15 11:37:02  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.25  2000/09/12 22:35:37  rgb
+ * Restructured to remove unused extensions from CLEARFLOW messages.
+ *
+ * Revision 1.24  2000/09/12 18:59:54  rgb
+ * Added Gerhard's IPv6 support to pfkey parts of libopenswan.
+ *
+ * Revision 1.23  2000/09/12 03:27:00  rgb
+ * Moved DEBUGGING definition to compile kernel with debug off.
+ *
+ * Revision 1.22  2000/09/09 06:39:27  rgb
+ * Restrict pfkey errno check to downward messages only.
+ *
+ * Revision 1.21  2000/09/08 19:22:34  rgb
+ * Enabled pfkey_sens_parse().
+ * Added check for errno on downward acquire messages only.
+ *
+ * Revision 1.20  2000/09/01 18:48:23  rgb
+ * Fixed reserved check bug and added debug output in
+ * pfkey_supported_parse().
+ * Fixed debug output label bug in pfkey_ident_parse().
+ *
+ * Revision 1.19  2000/08/27 01:55:26  rgb
+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
+ *
+ * Revision 1.18  2000/08/24 17:00:36  rgb
+ * Ignore unknown extensions instead of failing.
+ *
+ * Revision 1.17  2000/06/02 22:54:14  rgb
+ * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
+ *
+ * Revision 1.16  2000/05/10 19:25:11  rgb
+ * Fleshed out proposal and supported extensions.
+ *
+ * Revision 1.15  2000/01/24 21:15:31  rgb
+ * Added disabled pluto pfkey lib debug flag.
+ * Added algo debugging reporting.
+ *
+ * Revision 1.14  2000/01/22 23:24:29  rgb
+ * Added new functions proto2satype() and satype2proto() and lookup
+ * table satype_tbl.  Also added proto2name() since it was easy.
+ *
+ * Revision 1.13  2000/01/21 09:43:59  rgb
+ * Cast ntohl(spi) as (unsigned long int) to shut up compiler.
+ *
+ * Revision 1.12  2000/01/21 06:28:19  rgb
+ * Added address cases for eroute flows.
+ * Indented compiler directives for readability.
+ * Added klipsdebug switching capability.
+ *
+ * Revision 1.11  1999/12/29 21:14:59  rgb
+ * Fixed debug text cut and paste typo.
+ *
+ * Revision 1.10  1999/12/10 17:45:24  rgb
+ * Added address debugging.
+ *
+ * Revision 1.9  1999/12/09 23:11:42  rgb
+ * Ditched <string.h> include since we no longer use memset().
+ * Use new pfkey_extensions_init() instead of memset().
+ * Added check for SATYPE in pfkey_msg_build().
+ * Tidy up comments and debugging comments.
+ *
+ * Revision 1.8  1999/12/07 19:55:26  rgb
+ * Removed unused first argument from extension parsers.
+ * Removed static pluto debug flag.
+ * Moved message type and state checking to pfkey_msg_parse().
+ * Changed print[fk] type from lx to x to quiet compiler.
+ * Removed redundant remain check.
+ * Changed __u* types to uint* to avoid use of asm/types.h and
+ * sys/types.h in userspace code.
+ *
+ * Revision 1.7  1999/12/01 22:20:51  rgb
+ * Moved pfkey_lib_debug variable into the library.
+ * Added pfkey version check into header parsing.
+ * Added check for SATYPE only for those extensions that require a
+ * non-zero value.
+ *
+ * Revision 1.6  1999/11/27 11:58:05  rgb
+ * Added ipv6 headers.
+ * Moved sadb_satype2proto protocol lookup table from
+ * klips/net/ipsec/pfkey_v2_parser.c.
+ * Enable lifetime_current checking.
+ * Debugging error messages added.
+ * Add argument to pfkey_msg_parse() for direction.
+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
+ * Add CVS log entry to bottom of file.
+ * Moved auth and enc alg check to pfkey_msg_parse().
+ * Enable accidentally disabled spirange parsing.
+ * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_parser.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,3520 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $
+ */
+
+/*
+ *		Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
+ */
+
+char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+
+#include <openswan.h>
+
+#include <crypto/des.h>
+
+#ifdef SPINLOCK
+# ifdef SPINLOCK_23
+#  include <linux/spinlock.h> /* *lock* */
+# else /* SPINLOCK_23 */
+#  include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
+
+#include <linux/in6.h>
+#include <net/route.h>
+
+#include <net/ip.h>
+#ifdef NETLINK_SOCK
+# include <linux/netlink.h>
+#else
+# include <net/netlink.h>
+#endif
+
+#include <linux/random.h>	/* get_random_bytes() */
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
+#include "openswan/ipsec_radij.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_tunnel.h"
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipcomp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+#include "openswan/ipsec_kern24.h"
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
+struct sklist_t {
+	struct socket *sk;
+	struct sklist_t* next;
+} pfkey_sklist_head, *pfkey_sklist, *pfkey_sklist_prev;
+
+__u32 pfkey_msg_seq = 0;
+
+
+#if 0
+#define DUMP_SAID dump_said(&extr->ips->ips_said, __LINE__)
+#define DUMP_SAID2 dump_said(&extr.ips->ips_said, __LINE__)
+static void dump_said(ip_said *s, int line)
+{ 
+	char msa[SATOT_BUF];
+	size_t msa_len;
+	
+	msa_len = satot(s, 0, msa, sizeof(msa));
+	
+	printk("line: %d msa: %s\n", line, msa);
+}
+#endif
+
+
+int
+pfkey_alloc_eroute(struct eroute** eroute)
+{
+	int error = 0;
+	if(*eroute) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_alloc_eroute: "
+			    "eroute struct already allocated\n");
+		SENDERR(EEXIST);
+	}
+
+	if((*eroute = kmalloc(sizeof(**eroute), GFP_ATOMIC) ) == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_alloc_eroute: "
+			    "memory allocation error\n");
+		SENDERR(ENOMEM);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_alloc_eroute: "
+		    "allocating %lu bytes for an eroute at 0p%p\n",
+		    (unsigned long) sizeof(**eroute), *eroute);
+
+	memset((caddr_t)*eroute, 0, sizeof(**eroute));
+	(*eroute)->er_eaddr.sen_len =
+		(*eroute)->er_emask.sen_len = sizeof(struct sockaddr_encap);
+	(*eroute)->er_eaddr.sen_family =
+		(*eroute)->er_emask.sen_family = AF_ENCAP;
+	(*eroute)->er_eaddr.sen_type = SENT_IP4;
+	(*eroute)->er_emask.sen_type = 255;
+	(*eroute)->er_pid = 0;
+	(*eroute)->er_count = 0;
+	(*eroute)->er_lasttime = jiffies/HZ;
+
+ errlab:
+	return(error);
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_protocol_process(struct sadb_ext *pfkey_ext,
+			 struct pfkey_extracted_data *extr)
+{
+	int error = 0;
+	struct sadb_protocol * p = (struct sadb_protocol *)pfkey_ext;
+
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_protocol_process: %p\n", extr);
+
+	if (extr == 0) {
+		KLIPS_PRINT(debug_pfkey,
+                         "klips_debug:pfkey_x_protocol_process:"
+			    "extr is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+	if (extr->eroute == 0) {
+		KLIPS_PRINT(debug_pfkey,
+                        "klips_debug:pfkey_x_protocol_process:"
+			    "extr->eroute is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	extr->eroute->er_eaddr.sen_proto = p->sadb_protocol_proto;
+	extr->eroute->er_emask.sen_proto = p->sadb_protocol_proto ? ~0:0;
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_protocol_process: protocol = %d.\n",
+		    p->sadb_protocol_proto);
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_ipsec_sa_init(struct ipsec_sa *ipsp)
+{
+
+	return ipsec_sa_init(ipsp);
+}
+
+int
+pfkey_safe_build(int error, struct sadb_ext *extensions[SADB_MAX+1])
+{
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build: "
+		    "error=%d\n",
+		    error);
+	if (!error) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
+			    "success.\n");
+		return 1;
+	} else {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
+			    "caught error %d\n",
+			    error);
+		pfkey_extensions_free(extensions);
+		return 0;
+	}
+}
+
+
+DEBUG_NO_STATIC int
+pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	ipsec_spi_t minspi = htonl(256), maxspi = htonl(-1L);
+	int found_avail = 0;
+	struct ipsec_sa *ipsq;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_getspi_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(extr == NULL || extr->ips == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_getspi_parse: "
+			    "error, extr or extr->ipsec_sa pointer NULL\n");
+		SENDERR(EINVAL);
+	}
+
+	if(extensions[SADB_EXT_SPIRANGE]) {
+		minspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_min;
+		maxspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_max;
+	}
+
+	if(maxspi == minspi) {
+		extr->ips->ips_said.spi = maxspi;
+		ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
+		if(ipsq != NULL) {
+			sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+			ipsec_sa_put(ipsq);
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_getspi_parse: "
+				    "EMT_GETSPI found an old ipsec_sa for SA: %s, delete it first.\n",
+				    sa_len ? sa : " (error)");
+			SENDERR(EEXIST);
+		} else {
+			found_avail = 1;
+		}
+	} else {
+		int i = 0;
+		__u32 rand_val;
+		__u32 spi_diff;
+		while( ( i < (spi_diff = (ntohl(maxspi) - ntohl(minspi)))) && !found_avail ) {
+			prng_bytes(&ipsec_prng, (char *) &(rand_val),
+					 ( (spi_diff < (2^8))  ? 1 :
+					   ( (spi_diff < (2^16)) ? 2 :
+					     ( (spi_diff < (2^24)) ? 3 :
+					   4 ) ) ) );
+			extr->ips->ips_said.spi = htonl(ntohl(minspi) +
+					      (rand_val %
+					      (spi_diff + 1)));
+			i++;
+			ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
+			if(ipsq == NULL) {
+				found_avail = 1;
+			} else {
+				ipsec_sa_put(ipsq);
+			}
+		}
+	}
+
+	sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+	if (!found_avail) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_getspi_parse: "
+			    "found an old ipsec_sa for SA: %s, delete it first.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(EEXIST);
+	}
+
+	if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
+		extr->ips->ips_flags |= EMT_INBOUND;
+	}
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_getspi_parse: "
+		    "existing ipsec_sa not found (this is good) for SA: %s, %s-bound, allocating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
+	
+	/* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
+	extr->ips->ips_rcvif = NULL;
+	extr->ips->ips_life.ipl_addtime.ipl_count = jiffies/HZ;
+
+	extr->ips->ips_state = SADB_SASTATE_LARVAL;
+
+	if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
+		extr->ips->ips_life.ipl_allocations.ipl_count += 1;
+	}
+
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_GETSPI,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							0,
+							SADB_SASTATE_LARVAL,
+							0,
+							0,
+							0,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+						     SADB_EXT_ADDRESS_SRC,
+						     0, /*extr->ips->ips_said.proto,*/
+						     0,
+						     extr->ips->ips_addr_s),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+						     SADB_EXT_ADDRESS_DST,
+						     0, /*extr->ips->ips_said.proto,*/
+						     0,
+						     extr->ips->ips_addr_d),
+				 extensions_reply) )) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
+			    "failed to build the getspi reply message extensions\n");
+		goto errlab;
+	}
+	
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
+			    "failed to build the getspi reply message\n");
+		SENDERR(-error);
+	}
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
+				    "sending up getspi reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
+			    "sending up getspi reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+	if((error = ipsec_sa_add(extr->ips))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
+			    "failed to add the larval SA=%s with error=%d.\n",
+			    sa_len ? sa : " (error)",
+			    error);
+		SENDERR(-error);
+	}
+	extr->ips = NULL;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_getspi_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct ipsec_sa* ipsq;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	struct ipsec_sa *nat_t_ips_saved = NULL;
+#endif
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_update_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_update_parse: "
+			    "error, sa_state=%d must be MATURE=%d\n",
+			    ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
+			    SADB_SASTATE_MATURE);
+		SENDERR(EINVAL);
+	}
+
+	if(extr == NULL || extr->ips == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_update_parse: "
+			    "error, extr or extr->ips pointer NULL\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+	spin_lock_bh(&tdb_lock);
+
+	ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
+	if (ipsq == NULL) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_update_parse: "
+			    "reserved ipsec_sa for SA: %s not found.  Call SADB_GETSPI first or call SADB_ADD instead.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(ENOENT);
+	}
+
+	if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
+		extr->ips->ips_flags |= EMT_INBOUND;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_update_parse: "
+		    "existing ipsec_sa found (this is good) for SA: %s, %s-bound, updating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) {
+		KLIPS_PRINT(debug_pfkey,
+			"klips_debug:pfkey_update_parse: only updating NAT-T ports "
+			"(%u:%u -> %u:%u)\n", 
+			ipsq->ips_natt_sport, ipsq->ips_natt_dport,
+			extr->ips->ips_natt_sport, extr->ips->ips_natt_dport);
+
+		if (extr->ips->ips_natt_sport) {
+			ipsq->ips_natt_sport = extr->ips->ips_natt_sport;
+			if (ipsq->ips_addr_s->sa_family == AF_INET) {
+				((struct sockaddr_in *)(ipsq->ips_addr_s))->sin_port = htons(extr->ips->ips_natt_sport);
+			}
+		}
+
+		if (extr->ips->ips_natt_dport) {
+			ipsq->ips_natt_dport = extr->ips->ips_natt_dport;
+			if (ipsq->ips_addr_d->sa_family == AF_INET) {
+				((struct sockaddr_in *)(ipsq->ips_addr_d))->sin_port = htons(extr->ips->ips_natt_dport);
+			}
+		}
+
+		nat_t_ips_saved = extr->ips;
+		extr->ips = ipsq;
+	}
+	else {
+#endif
+	
+	/* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
+	extr->ips->ips_rcvif = NULL;
+	if ((error = pfkey_ipsec_sa_init(extr->ips))) {
+		ipsec_sa_put(ipsq);
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_update_parse: "
+			    "not successful for SA: %s, deleting.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(-error);
+	}
+
+	extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count;
+	ipsec_sa_put(ipsq);
+	if((error = ipsec_sa_delchain(ipsq))) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_update_parse: "
+			    "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n",
+			    error,
+			    sa_len ? sa : " (error)");
+		SENDERR(-error);
+	}
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	}
+#endif
+
+	spin_unlock_bh(&tdb_lock);
+	
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_UPDATE,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     /* The 3 lifetime extentions should only be sent if non-zero. */
+	     && (extensions[SADB_EXT_LIFETIME_HARD]
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
+								 SADB_EXT_LIFETIME_HARD,
+								 extr->ips->ips_life.ipl_allocations.ipl_hard,
+								 extr->ips->ips_life.ipl_bytes.ipl_hard,
+								 extr->ips->ips_life.ipl_addtime.ipl_hard,
+								 extr->ips->ips_life.ipl_usetime.ipl_hard,
+								 extr->ips->ips_life.ipl_packets.ipl_hard),
+				    extensions_reply) : 1)
+	     && (extensions[SADB_EXT_LIFETIME_SOFT]
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
+								 SADB_EXT_LIFETIME_SOFT,
+								 extr->ips->ips_life.ipl_allocations.ipl_count,
+								 extr->ips->ips_life.ipl_bytes.ipl_count,
+								 extr->ips->ips_life.ipl_addtime.ipl_count,
+								 extr->ips->ips_life.ipl_usetime.ipl_count,
+								 extr->ips->ips_life.ipl_packets.ipl_count),
+				    extensions_reply) : 1)
+	     && (extr->ips->ips_life.ipl_allocations.ipl_count
+		 || extr->ips->ips_life.ipl_bytes.ipl_count
+		 || extr->ips->ips_life.ipl_addtime.ipl_count
+		 || extr->ips->ips_life.ipl_usetime.ipl_count
+		 || extr->ips->ips_life.ipl_packets.ipl_count
+
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
+								 SADB_EXT_LIFETIME_CURRENT,
+								 extr->ips->ips_life.ipl_allocations.ipl_count,
+								 extr->ips->ips_life.ipl_bytes.ipl_count,
+								 extr->ips->ips_life.ipl_addtime.ipl_count,
+								 extr->ips->ips_life.ipl_usetime.ipl_count,
+								 extr->ips->ips_life.ipl_packets.ipl_count),
+				    extensions_reply) : 1)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+							     SADB_EXT_ADDRESS_SRC,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_s),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+							     SADB_EXT_ADDRESS_DST,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_d),
+				 extensions_reply)
+	     && (extr->ips->ips_ident_s.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
+                                                              SADB_EXT_IDENTITY_SRC,
+							      extr->ips->ips_ident_s.type,
+							      extr->ips->ips_ident_s.id,
+                                                              extr->ips->ips_ident_s.len,
+							      extr->ips->ips_ident_s.data),
+                                    extensions_reply) : 1)
+	     && (extr->ips->ips_ident_d.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
+                                                              SADB_EXT_IDENTITY_DST,
+							      extr->ips->ips_ident_d.type,
+							      extr->ips->ips_ident_d.id,
+                                                              extr->ips->ips_ident_d.len,
+							      extr->ips->ips_ident_d.data),
+                                    extensions_reply) : 1)
+#if 0
+	     /* FIXME: This won't work yet because I have not finished
+		it. */
+	     && (extr->ips->ips_sens_
+		 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
+							     extr->ips->ips_sens_dpd,
+							     extr->ips->ips_sens_sens_level,
+							     extr->ips->ips_sens_sens_len,
+							     extr->ips->ips_sens_sens_bitmap,
+							     extr->ips->ips_sens_integ_level,
+							     extr->ips->ips_sens_integ_len,
+							     extr->ips->ips_sens_integ_bitmap),
+				    extensions_reply) : 1)
+#endif
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
+			    "failed to build the update reply message extensions\n");
+		SENDERR(-error);
+	}
+		
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
+			    "failed to build the update reply message\n");
+		SENDERR(-error);
+	}
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
+				    "sending up update reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
+			    "sending up update reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	if (nat_t_ips_saved) {
+		/**
+		 * As we _really_ update existing SA, we keep tdbq and need to delete
+		 * parsed ips (nat_t_ips_saved, was extr->ips).
+		 *
+		 * goto errlab with extr->ips = nat_t_ips_saved will free it.
+		 */
+
+		extr->ips = nat_t_ips_saved;
+
+		error = 0;
+		KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_update_parse (NAT-T ports): "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
+
+		goto errlab;
+	}
+#endif
+
+	if((error = ipsec_sa_add(extr->ips))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
+			    "failed to update the mature SA=%s with error=%d.\n",
+			    sa_len ? sa : " (error)",
+			    error);
+		SENDERR(-error);
+	}
+	extr->ips = NULL;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_update_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_add_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct ipsec_sa* ipsq;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_add_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_add_parse: "
+			    "error, sa_state=%d must be MATURE=%d\n",
+			    ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
+			    SADB_SASTATE_MATURE);
+		SENDERR(EINVAL);
+	}
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_add_parse: "
+			    "extr or extr->ips pointer NULL\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+	ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
+	if(ipsq != NULL) {
+		ipsec_sa_put(ipsq);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_add_parse: "
+			    "found an old ipsec_sa for SA%s, delete it first.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(EEXIST);
+	}
+
+	if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
+		extr->ips->ips_flags |= EMT_INBOUND;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_add_parse: "
+		    "existing ipsec_sa not found (this is good) for SA%s, %s-bound, allocating.\n",
+		    sa_len ? sa : " (error)",
+		    extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
+	
+	/* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
+	extr->ips->ips_rcvif = NULL;
+	
+	if ((error = pfkey_ipsec_sa_init(extr->ips))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_add_parse: "
+			    "not successful for SA: %s, deleting.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(-error);
+	}
+
+	extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ;
+	if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
+		extr->ips->ips_life.ipl_allocations.ipl_count += 1;
+	}
+
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_ADD,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     /* The 3 lifetime extentions should only be sent if non-zero. */
+	     && (extensions[SADB_EXT_LIFETIME_HARD]
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
+								 SADB_EXT_LIFETIME_HARD,
+								 extr->ips->ips_life.ipl_allocations.ipl_hard,
+								 extr->ips->ips_life.ipl_bytes.ipl_hard,
+								 extr->ips->ips_life.ipl_addtime.ipl_hard,
+								 extr->ips->ips_life.ipl_usetime.ipl_hard,
+								 extr->ips->ips_life.ipl_packets.ipl_hard),
+				    extensions_reply) : 1)
+	     && (extensions[SADB_EXT_LIFETIME_SOFT]
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
+								 SADB_EXT_LIFETIME_SOFT,
+								 extr->ips->ips_life.ipl_allocations.ipl_soft,
+								 extr->ips->ips_life.ipl_bytes.ipl_soft,
+								 extr->ips->ips_life.ipl_addtime.ipl_soft,
+								 extr->ips->ips_life.ipl_usetime.ipl_soft,
+								 extr->ips->ips_life.ipl_packets.ipl_soft),
+				    extensions_reply) : 1)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+							     SADB_EXT_ADDRESS_SRC,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_s),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+							     SADB_EXT_ADDRESS_DST,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_d),
+				 extensions_reply)
+            && (extr->ips->ips_ident_s.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
+                                                              SADB_EXT_IDENTITY_SRC,
+							      extr->ips->ips_ident_s.type,
+							      extr->ips->ips_ident_s.id,
+                                                              extr->ips->ips_ident_s.len,
+							      extr->ips->ips_ident_s.data),
+                                    extensions_reply) : 1)
+            && (extr->ips->ips_ident_d.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
+                                                              SADB_EXT_IDENTITY_DST,
+							      extr->ips->ips_ident_d.type,
+							      extr->ips->ips_ident_d.id,
+                                                              extr->ips->ips_ident_d.len,
+							      extr->ips->ips_ident_d.data),
+                                    extensions_reply) : 1)
+#if 0
+	     /* FIXME: This won't work yet because I have not finished
+		it. */
+	     && (extr->ips->ips_sens_
+		 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
+							     extr->ips->ips_sens_dpd,
+							     extr->ips->ips_sens_sens_level,
+							     extr->ips->ips_sens_sens_len,
+							     extr->ips->ips_sens_sens_bitmap,
+							     extr->ips->ips_sens_integ_level,
+							     extr->ips->ips_sens_integ_len,
+							     extr->ips->ips_sens_integ_bitmap),
+				    extensions_reply) : 1)
+#endif
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
+			    "failed to build the add reply message extensions\n");
+		SENDERR(-error);
+	}
+		
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
+			    "failed to build the add reply message\n");
+		SENDERR(-error);
+	}
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
+				    "sending up add reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
+			    "sending up add reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+
+	if((error = ipsec_sa_add(extr->ips))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
+			    "failed to add the mature SA=%s with error=%d.\n",
+			    sa_len ? sa : " (error)",
+			    error);
+		SENDERR(-error);
+	}
+	extr->ips = NULL;
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_add_parse: "
+		    "successful for SA: %s\n",
+		    sa_len ? sa : " (error)");
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_delete_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	struct ipsec_sa *ipsp;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+	int error = 0;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_delete_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_delete_parse: "
+			    "extr or extr->ips pointer NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+	spin_lock_bh(&tdb_lock);
+
+	ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
+	if (ipsp == NULL) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_delete_parse: "
+			    "ipsec_sa not found for SA:%s, could not delete.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(ESRCH);
+	}
+
+	ipsec_sa_put(ipsp);
+	if((error = ipsec_sa_delchain(ipsp))) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_delete_parse: "
+			    "error=%d returned trying to delete ipsec_sa for SA:%s.\n",
+			    error,
+			    sa_len ? sa : " (error)");
+		SENDERR(-error);
+	}
+	spin_unlock_bh(&tdb_lock);
+
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_DELETE,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							0,
+							0,
+							0,
+							0,
+							0,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+							     SADB_EXT_ADDRESS_SRC,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_s),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+							     SADB_EXT_ADDRESS_DST,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_d),
+				 extensions_reply)
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
+			    "failed to build the delete reply message extensions\n");
+		SENDERR(-error);
+	}
+	
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
+			    "failed to build the delete reply message\n");
+		SENDERR(-error);
+	}
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
+				    "sending up delete reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
+			    "sending up delete reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_get_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct ipsec_sa *ipsp;
+	char sa[SATOT_BUF];
+	size_t sa_len;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_get_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(!extr || !extr->ips) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_get_parse: "
+			    "extr or extr->ips pointer NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+	spin_lock_bh(&tdb_lock);
+
+	ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
+	if (ipsp == NULL) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
+			    "ipsec_sa not found for SA=%s, could not get.\n",
+			    sa_len ? sa : " (error)");
+		SENDERR(ESRCH);
+	}
+	
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_GET,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     /* The 3 lifetime extentions should only be sent if non-zero. */
+	     && (ipsp->ips_life.ipl_allocations.ipl_count
+		 || ipsp->ips_life.ipl_bytes.ipl_count
+		 || ipsp->ips_life.ipl_addtime.ipl_count
+		 || ipsp->ips_life.ipl_usetime.ipl_count
+		 || ipsp->ips_life.ipl_packets.ipl_count
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
+								 SADB_EXT_LIFETIME_CURRENT,
+								 ipsp->ips_life.ipl_allocations.ipl_count,
+								 ipsp->ips_life.ipl_bytes.ipl_count,
+								 ipsp->ips_life.ipl_addtime.ipl_count,
+								 ipsp->ips_life.ipl_usetime.ipl_count,
+								 ipsp->ips_life.ipl_packets.ipl_count),
+				    extensions_reply) : 1)
+	     && (ipsp->ips_life.ipl_allocations.ipl_hard
+		 || ipsp->ips_life.ipl_bytes.ipl_hard
+		 || ipsp->ips_life.ipl_addtime.ipl_hard
+		 || ipsp->ips_life.ipl_usetime.ipl_hard
+		 || ipsp->ips_life.ipl_packets.ipl_hard
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
+								 SADB_EXT_LIFETIME_HARD,
+								 ipsp->ips_life.ipl_allocations.ipl_hard,
+								 ipsp->ips_life.ipl_bytes.ipl_hard,
+								 ipsp->ips_life.ipl_addtime.ipl_hard,
+								 ipsp->ips_life.ipl_usetime.ipl_hard,
+								 ipsp->ips_life.ipl_packets.ipl_hard),
+				    extensions_reply) : 1)
+	     && (ipsp->ips_life.ipl_allocations.ipl_soft
+		 || ipsp->ips_life.ipl_bytes.ipl_soft
+		 || ipsp->ips_life.ipl_addtime.ipl_soft
+		 || ipsp->ips_life.ipl_usetime.ipl_soft
+		 || ipsp->ips_life.ipl_packets.ipl_soft
+		 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
+								 SADB_EXT_LIFETIME_SOFT,
+								 ipsp->ips_life.ipl_allocations.ipl_soft,
+								 ipsp->ips_life.ipl_bytes.ipl_soft,
+								 ipsp->ips_life.ipl_addtime.ipl_soft,
+								 ipsp->ips_life.ipl_usetime.ipl_soft,
+								 ipsp->ips_life.ipl_packets.ipl_soft),
+				    extensions_reply) : 1)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+							     SADB_EXT_ADDRESS_SRC,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_s),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+							     SADB_EXT_ADDRESS_DST,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_d),
+				 extensions_reply)
+	     && (extr->ips->ips_addr_p
+		 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_PROXY],
+								SADB_EXT_ADDRESS_PROXY,
+								0, /*extr->ips->ips_said.proto,*/
+								0,
+								extr->ips->ips_addr_p),
+				    extensions_reply) : 1)
+#if 0
+	     /* FIXME: This won't work yet because the keys are not
+		stored directly in the ipsec_sa.  They are stored as
+		contexts. */
+	     && (extr->ips->ips_key_a_size
+		 ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_AUTH],
+							    SADB_EXT_KEY_AUTH,
+							    extr->ips->ips_key_a_size * 8,
+							    extr->ips->ips_key_a),
+				    extensions_reply) : 1)
+	     /* FIXME: This won't work yet because the keys are not
+		stored directly in the ipsec_sa.  They are stored as
+		key schedules. */
+	     && (extr->ips->ips_key_e_size
+		 ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_ENCRYPT],
+							    SADB_EXT_KEY_ENCRYPT,
+							    extr->ips->ips_key_e_size * 8,
+							    extr->ips->ips_key_e),
+				    extensions_reply) : 1)
+#endif
+	     && (extr->ips->ips_ident_s.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
+                                                              SADB_EXT_IDENTITY_SRC,
+							      extr->ips->ips_ident_s.type,
+							      extr->ips->ips_ident_s.id,
+                                                              extr->ips->ips_ident_s.len,
+							      extr->ips->ips_ident_s.data),
+                                    extensions_reply) : 1)
+	     && (extr->ips->ips_ident_d.data
+                 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
+                                                              SADB_EXT_IDENTITY_DST,
+							      extr->ips->ips_ident_d.type,
+							      extr->ips->ips_ident_d.id,
+                                                              extr->ips->ips_ident_d.len,
+							      extr->ips->ips_ident_d.data),
+                                    extensions_reply) : 1)
+#if 0
+	     /* FIXME: This won't work yet because I have not finished
+		it. */
+	     && (extr->ips->ips_sens_
+		 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
+							     extr->ips->ips_sens_dpd,
+							     extr->ips->ips_sens_sens_level,
+							     extr->ips->ips_sens_sens_len,
+							     extr->ips->ips_sens_sens_bitmap,
+							     extr->ips->ips_sens_integ_level,
+							     extr->ips->ips_sens_integ_len,
+							     extr->ips->ips_sens_integ_bitmap),
+				    extensions_reply) : 1)
+#endif
+		     )) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
+			    "failed to build the get reply message extensions\n");
+		ipsec_sa_put(ipsp);
+		spin_unlock_bh(&tdb_lock);
+		SENDERR(-error);
+	}
+		
+	ipsec_sa_put(ipsp);
+	spin_unlock_bh(&tdb_lock);
+	
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
+			    "failed to build the get reply message\n");
+		SENDERR(-error);
+	}
+	
+	if((error = pfkey_upmsg(sk->sk_socket, pfkey_reply))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
+			    "failed to send the get reply message\n");
+		SENDERR(-error);
+	}
+	
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
+		    "succeeded in sending get reply message.\n");
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_acquire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_acquire_parse: .\n");
+
+	/* XXX I don't know if we want an upper bound, since userspace may
+	   want to register itself for an satype > SADB_SATYPE_MAX. */
+	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_acquire_parse: "
+			    "SATYPE=%d invalid.\n",
+			    satype);
+		SENDERR(EINVAL);
+	}
+
+	if(!(pfkey_registered_sockets[satype])) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
+		SENDERR(EPROTONOSUPPORT);
+	}
+
+	for(pfkey_socketsp = pfkey_registered_sockets[satype];
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp,
+					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
+				    "sending up acquire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
+			    "sending up acquire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_register_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_register_parse: .\n");
+
+	/* XXX I don't know if we want an upper bound, since userspace may
+	   want to register itself for an satype > SADB_SATYPE_MAX. */
+	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_register_parse: "
+			    "SATYPE=%d invalid.\n",
+			    satype);
+		SENDERR(EINVAL);
+	}
+
+	if(!pfkey_list_insert_socket(sk->sk_socket,
+				 &(pfkey_registered_sockets[satype]))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_register_parse: "
+			    "SATYPE=%02d(%s) successfully registered by KMd (pid=%d).\n",
+			    satype,
+			    satype2name(satype),
+			    key_pid(sk));
+	};
+	
+	/* send up register msg with supported SATYPE algos */
+
+	error=pfkey_register_reply(satype, (struct sadb_msg*)extensions[SADB_EXT_RESERVED]);
+ errlab:
+	return error;
+}
+
+int
+pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
+{
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	struct supported_list *pfkey_supported_listp;
+	unsigned int alg_num_a = 0, alg_num_e = 0;
+	struct sadb_alg *alg_a = NULL, *alg_e = NULL, *alg_ap = NULL, *alg_ep = NULL;
+	int error = 0;
+
+	pfkey_extensions_init(extensions_reply);
+
+	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+			    "SAtype=%d unspecified or unknown.\n",
+			    satype);
+		SENDERR(EINVAL);
+	}
+	if(!(pfkey_registered_sockets[satype])) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
+		SENDERR(EPROTONOSUPPORT);
+	}
+	/* send up register msg with supported SATYPE algos */
+	pfkey_supported_listp = pfkey_supported_list[satype];
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_register_reply: "
+		    "pfkey_supported_list[%d]=0p%p\n",
+		    satype,
+		    pfkey_supported_list[satype]);
+	while(pfkey_supported_listp) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_register_reply: "
+			    "checking supported=0p%p\n",
+			    pfkey_supported_listp);
+		if(pfkey_supported_listp->supportedp->ias_exttype == SADB_EXT_SUPPORTED_AUTH) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_register_reply: "
+				    "adding auth alg.\n");
+			alg_num_a++;
+		}
+		if(pfkey_supported_listp->supportedp->ias_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_register_reply: "
+				    "adding encrypt alg.\n");
+			alg_num_e++;
+		}
+		pfkey_supported_listp = pfkey_supported_listp->next;
+	}
+	
+	if(alg_num_a) {
+		KLIPS_PRINT(debug_pfkey,
+		            "klips_debug:pfkey_register_reply: "
+		            "allocating %lu bytes for auth algs.\n",
+		            (unsigned long) (alg_num_a * sizeof(struct sadb_alg)));
+		if((alg_a = kmalloc(alg_num_a * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_register_reply: "
+				    "auth alg memory allocation error\n");
+			SENDERR(ENOMEM);
+		}
+		alg_ap = alg_a;
+	}
+	
+	if(alg_num_e) {
+		KLIPS_PRINT(debug_pfkey,
+		            "klips_debug:pfkey_register_reply: "
+		            "allocating %lu bytes for enc algs.\n",
+		            (unsigned long) (alg_num_e * sizeof(struct sadb_alg)));
+		if((alg_e = kmalloc(alg_num_e * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_register_reply: "
+				    "enc alg memory allocation error\n");
+			SENDERR(ENOMEM);
+		}
+		alg_ep = alg_e;
+	}
+	
+	pfkey_supported_listp = pfkey_supported_list[satype];
+	while(pfkey_supported_listp) {
+		if(alg_num_a) {
+			if(pfkey_supported_listp->supportedp->ias_exttype == SADB_EXT_SUPPORTED_AUTH) {
+				alg_ap->sadb_alg_id = pfkey_supported_listp->supportedp->ias_id;
+				alg_ap->sadb_alg_ivlen = pfkey_supported_listp->supportedp->ias_ivlen;
+				alg_ap->sadb_alg_minbits = pfkey_supported_listp->supportedp->ias_keyminbits;
+				alg_ap->sadb_alg_maxbits = pfkey_supported_listp->supportedp->ias_keymaxbits;
+				alg_ap->sadb_alg_reserved = 0;
+				KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+					    "klips_debug:pfkey_register_reply: "
+					    "adding auth=0p%p\n",
+					    alg_ap);
+				alg_ap++;
+			}
+		}
+		if(alg_num_e) {
+			if(pfkey_supported_listp->supportedp->ias_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
+				alg_ep->sadb_alg_id = pfkey_supported_listp->supportedp->ias_id;
+				alg_ep->sadb_alg_ivlen = pfkey_supported_listp->supportedp->ias_ivlen;
+				alg_ep->sadb_alg_minbits = pfkey_supported_listp->supportedp->ias_keyminbits;
+				alg_ep->sadb_alg_maxbits = pfkey_supported_listp->supportedp->ias_keymaxbits;
+				alg_ep->sadb_alg_reserved = 0;
+				KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
+					    "klips_debug:pfkey_register_reply: "
+					    "adding encrypt=0p%p\n",
+					    alg_ep);
+				alg_ep++;
+			}
+		}
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_register_reply: "
+			    "found satype=%d(%s) exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_supported_listp->supportedp->ias_exttype,
+			    pfkey_supported_listp->supportedp->ias_id,
+			    pfkey_supported_listp->supportedp->ias_ivlen,
+			    pfkey_supported_listp->supportedp->ias_keyminbits,
+			    pfkey_supported_listp->supportedp->ias_keymaxbits);
+		pfkey_supported_listp = pfkey_supported_listp->next;
+	}
+	
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_REGISTER,
+							  satype,
+							  0,
+							  sadb_msg? sadb_msg->sadb_msg_seq : ++pfkey_msg_seq,
+							  sadb_msg? sadb_msg->sadb_msg_pid: current->pid),
+			      extensions_reply) &&
+	     (alg_num_a ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_AUTH],
+									SADB_EXT_SUPPORTED_AUTH,
+									alg_num_a,
+									alg_a),
+					  extensions_reply) : 1) &&
+	     (alg_num_e ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_ENCRYPT],
+									SADB_EXT_SUPPORTED_ENCRYPT,
+									alg_num_e,
+									alg_e),
+					  extensions_reply) : 1))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+			    "failed to build the register message extensions_reply\n");
+		SENDERR(-error);
+	}
+	
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+			    "failed to build the register message\n");
+		SENDERR(-error);
+	}
+	/* this should go to all registered sockets for that satype only */
+	for(pfkey_socketsp = pfkey_registered_sockets[satype];
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+				    "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
+			    "sending up register message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	if(alg_a) {
+		kfree(alg_a);
+	}
+	if(alg_e) {
+		kfree(alg_e);
+	}
+
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_expire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct socket_list *pfkey_socketsp;
+#ifdef CONFIG_KLIPS_DEBUG
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_expire_parse: .\n");
+
+	if(pfkey_open_sockets) {
+		for(pfkey_socketsp = pfkey_open_sockets;
+		    pfkey_socketsp;
+		    pfkey_socketsp = pfkey_socketsp->next) {
+			if((error = pfkey_upmsg(pfkey_socketsp->socketp,
+						((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
+				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
+					    "sending up expire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+					    satype,
+					    satype2name(satype),
+					    pfkey_socketsp->socketp,
+					    error);
+				SENDERR(-error);
+			}
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
+				    "sending up expire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp);
+		}
+	}
+
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_flush_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+	uint8_t proto = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_flush_parse: "
+		    "flushing type %d SAs\n",
+		    satype);
+
+	if(satype && !(proto = satype2proto(satype))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_flush_parse: "
+			    "satype %d lookup failed.\n", 
+			    ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+		SENDERR(EINVAL);
+	}
+
+	if ((error = ipsec_sadb_cleanup(proto))) {
+		SENDERR(-error);
+	}
+
+	if(pfkey_open_sockets) {
+		for(pfkey_socketsp = pfkey_open_sockets;
+		    pfkey_socketsp;
+		    pfkey_socketsp = pfkey_socketsp->next) {
+			if((error = pfkey_upmsg(pfkey_socketsp->socketp,
+						((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
+				KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
+					    "sending up flush reply message for satype=%d(%s) (proto=%d) to socket=0p%p failed with error=%d.\n",
+					    satype,
+					    satype2name(satype),
+					    proto,
+					    pfkey_socketsp->socketp,
+					    error);
+				SENDERR(-error);
+			}
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
+				    "sending up flush reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp);
+		}
+	}
+
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_dump_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_dump_parse: .\n");
+
+	SENDERR(ENOSYS);
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_promisc_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_promisc_parse: .\n");
+
+	SENDERR(ENOSYS);
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_pchange_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_pchange_parse: .\n");
+
+	SENDERR(ENOSYS);
+ errlab:
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	struct ipsec_sa *ips1p, *ips2p, *ipsp;
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+	char sa1[SATOT_BUF], sa2[SATOT_BUF];
+	size_t sa_len1, sa_len2 = 0;
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_grpsa_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	if(extr == NULL || extr->ips == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_grpsa_parse: "
+			    "extr or extr->ips is NULL, fatal.\n");
+		SENDERR(EINVAL);
+	}
+
+	sa_len1 = satot(&extr->ips->ips_said, 0, sa1, sizeof(sa1));
+	if(extr->ips2 != NULL) {
+		sa_len2 = satot(&extr->ips2->ips_said, 0, sa2, sizeof(sa2));
+	}
+
+	spin_lock_bh(&tdb_lock);
+
+	ips1p = ipsec_sa_getbyid(&(extr->ips->ips_said));
+	if(ips1p == NULL) {
+		spin_unlock_bh(&tdb_lock);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_grpsa_parse: "
+			    "reserved ipsec_sa for SA1: %s not found.  Call SADB_ADD/UPDATE first.\n",
+			    sa_len1 ? sa1 : " (error)");
+		SENDERR(ENOENT);
+	}
+	if(extr->ips2) { /* GRPSA */
+		ips2p = ipsec_sa_getbyid(&(extr->ips2->ips_said));
+		if(ips2p == NULL) {
+			ipsec_sa_put(ips1p);
+			spin_unlock_bh(&tdb_lock);
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "reserved ipsec_sa for SA2: %s not found.  Call SADB_ADD/UPDATE first.\n",
+				    sa_len2 ? sa2 : " (error)");
+			SENDERR(ENOENT);
+		}
+
+		/* Is either one already linked? */
+		if(ips1p->ips_onext) {
+			ipsec_sa_put(ips1p);
+			ipsec_sa_put(ips2p);
+			spin_unlock_bh(&tdb_lock);
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "ipsec_sa for SA: %s is already linked.\n",
+				    sa_len1 ? sa1 : " (error)");
+			SENDERR(EEXIST);
+		}
+		if(ips2p->ips_inext) {
+			ipsec_sa_put(ips1p);
+			ipsec_sa_put(ips2p);
+			spin_unlock_bh(&tdb_lock);
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_grpsa_parse: "
+				    "ipsec_sa for SA: %s is already linked.\n",
+				    sa_len2 ? sa2 : " (error)");
+			SENDERR(EEXIST);
+		}
+		
+		/* Is extr->ips already linked to extr->ips2? */
+		ipsp = ips2p;
+		while(ipsp) {
+			if(ipsp == ips1p) {
+				ipsec_sa_put(ips1p);
+				ipsec_sa_put(ips2p);
+				spin_unlock_bh(&tdb_lock);
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:pfkey_x_grpsa_parse: "
+					    "ipsec_sa for SA: %s is already linked to %s.\n",
+					    sa_len1 ? sa1 : " (error)",
+					    sa_len2 ? sa2 : " (error)");
+				SENDERR(EEXIST);
+			}
+			ipsp = ipsp->ips_onext;
+		}
+		
+		/* link 'em */
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_grpsa_parse: "
+			    "linking ipsec_sa SA: %s with %s.\n",
+			    sa_len1 ? sa1 : " (error)",
+			    sa_len2 ? sa2 : " (error)");
+		ips1p->ips_onext = ips2p;
+		ips2p->ips_inext = ips1p;
+	} else { /* UNGRPSA */
+		ipsec_sa_put(ips1p);
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_grpsa_parse: "
+			    "unlinking ipsec_sa SA: %s.\n",
+			    sa_len1 ? sa1 : " (error)");
+		while(ips1p->ips_onext) {
+			ips1p = ips1p->ips_onext;
+		}
+		while(ips1p->ips_inext) {
+			ipsp = ips1p;
+			ips1p = ips1p->ips_inext;
+			ipsec_sa_put(ips1p);
+			ipsp->ips_inext = NULL;
+			ipsec_sa_put(ipsp);
+			ips1p->ips_onext = NULL;
+		}
+	}
+
+	spin_unlock_bh(&tdb_lock);
+
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_X_GRPSA,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+							     SADB_EXT_ADDRESS_DST,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     extr->ips->ips_addr_d),
+				 extensions_reply)
+	     && (extr->ips2
+		 ? (pfkey_safe_build(error = pfkey_x_satype_build(&extensions_reply[SADB_X_EXT_SATYPE2],
+								  ((struct sadb_x_satype*)extensions[SADB_X_EXT_SATYPE2])->sadb_x_satype_satype
+								  /* proto2satype(extr->ips2->ips_said.proto) */),
+								  extensions_reply)
+				     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_X_EXT_SA2],
+										SADB_X_EXT_SA2,
+										extr->ips2->ips_said.spi,
+										extr->ips2->ips_replaywin,
+										extr->ips2->ips_state,
+										extr->ips2->ips_authalg,
+										extr->ips2->ips_encalg,
+										extr->ips2->ips_flags,
+										extr->ips2->ips_ref),
+							 extensions_reply)
+				     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST2],
+										     SADB_X_EXT_ADDRESS_DST2,
+										     0, /*extr->ips->ips_said.proto,*/
+										     0,
+										     extr->ips2->ips_addr_d),
+							 extensions_reply) ) : 1 )
+		     )) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
+			    "failed to build the x_grpsa reply message extensions\n");
+		SENDERR(-error);
+	}
+	   
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
+			    "failed to build the x_grpsa reply message\n");
+		SENDERR(-error);
+	}
+	
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
+				    "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
+			    "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
+		    "succeeded in sending x_grpsa reply message.\n");
+	
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+#ifdef CONFIG_KLIPS_DEBUG
+	char buf1[64], buf2[64];
+#endif /* CONFIG_KLIPS_DEBUG */
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+	ip_address srcflow, dstflow, srcmask, dstmask;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_addflow_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	memset((caddr_t)&srcflow, 0, sizeof(srcflow));
+	memset((caddr_t)&dstflow, 0, sizeof(dstflow));
+	memset((caddr_t)&srcmask, 0, sizeof(srcmask));
+	memset((caddr_t)&dstmask, 0, sizeof(dstmask));
+
+	if(!extr || !(extr->ips) || !(extr->eroute)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_addflow_parse: "
+			    "missing extr, ipsec_sa or eroute data.\n");
+		SENDERR(EINVAL);
+	}
+
+	srcflow.u.v4.sin_family = AF_INET;
+	dstflow.u.v4.sin_family = AF_INET;
+	srcmask.u.v4.sin_family = AF_INET;
+	dstmask.u.v4.sin_family = AF_INET;
+	srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
+	dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
+	srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
+	dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
+
+#ifdef CONFIG_KLIPS_DEBUG
+	if (debug_pfkey) {
+		subnettoa(extr->eroute->er_eaddr.sen_ip_src,
+			  extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
+		subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
+			  extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_addflow_parse: "
+			    "calling breakeroute and/or makeroute for %s->%s\n",
+			    buf1, buf2);
+	}
+#endif /* CONFIG_KLIPS_DEBUG */
+
+	if(extr->ips->ips_flags & SADB_X_SAFLAGS_INFLOW) {
+		struct ipsec_sa *ipsp, *ipsq;
+		char sa[SATOT_BUF];
+		size_t sa_len;
+
+		ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
+		if(ipsq == NULL) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "ipsec_sa not found, cannot set incoming policy.\n");
+			SENDERR(ENOENT);
+		}
+
+		ipsp = ipsq;
+		while(ipsp && ipsp->ips_said.proto != IPPROTO_IPIP) {
+			ipsp = ipsp->ips_inext;
+		}
+
+		if(ipsp == NULL) {
+			ipsec_sa_put(ipsq);
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "SA chain does not have an IPIP SA, cannot set incoming policy.\n");
+			SENDERR(ENOENT);
+		}
+		
+		sa_len = satot(&extr->ips->ips_said, 0, sa, sizeof(sa));
+
+		ipsp->ips_flags |= SADB_X_SAFLAGS_INFLOW;
+		ipsp->ips_flow_s = srcflow;
+		ipsp->ips_flow_d = dstflow;
+		ipsp->ips_mask_s = srcmask;
+		ipsp->ips_mask_d = dstmask;
+
+		ipsec_sa_put(ipsq);
+
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_addflow_parse: "
+			    "inbound eroute, setting incoming policy information in IPIP ipsec_sa for SA: %s.\n",
+			    sa_len ? sa : " (error)");
+	} else {
+		struct sk_buff *first = NULL, *last = NULL;
+
+		if(extr->ips->ips_flags & SADB_X_SAFLAGS_REPLACEFLOW) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "REPLACEFLOW flag set, calling breakeroute.\n");
+			if ((error = ipsec_breakroute(&(extr->eroute->er_eaddr),
+						      &(extr->eroute->er_emask),
+						      &first, &last))) {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:pfkey_x_addflow_parse: "
+					    "breakeroute returned %d.  first=0p%p, last=0p%p\n",
+					    error,
+					    first,
+					    last);
+				if(first != NULL) {
+					ipsec_kfree_skb(first);
+				}
+				if(last != NULL) {
+					ipsec_kfree_skb(last);
+				}
+				SENDERR(-error);
+			}
+		}
+		
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_addflow_parse: "
+			    "calling makeroute.\n");
+		
+		if ((error = ipsec_makeroute(&(extr->eroute->er_eaddr),
+					     &(extr->eroute->er_emask),
+					     extr->ips->ips_said,
+					     ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid,
+					     NULL,
+					     &(extr->ips->ips_ident_s),
+					     &(extr->ips->ips_ident_d)))) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "makeroute returned %d.\n", error);
+			SENDERR(-error);
+		}
+		if(first != NULL) {
+			KLIPS_PRINT(debug_eroute,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "first=0p%p HOLD packet re-injected.\n",
+				    first);
+			DEV_QUEUE_XMIT(first, first->dev, SOPRI_NORMAL);
+		}
+		if(last != NULL) {
+			KLIPS_PRINT(debug_eroute,
+				    "klips_debug:pfkey_x_addflow_parse: "
+				    "last=0p%p HOLD packet re-injected.\n",
+				    last);
+			DEV_QUEUE_XMIT(last, last->dev, SOPRI_NORMAL);
+		}
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_addflow_parse: "
+		    "makeroute call successful.\n");
+
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_X_ADDFLOW,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     && (extensions[SADB_EXT_ADDRESS_SRC]
+		 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+								SADB_EXT_ADDRESS_SRC,
+								0, /*extr->ips->ips_said.proto,*/
+								0,
+								extr->ips->ips_addr_s),
+				    extensions_reply) : 1)
+	     && (extensions[SADB_EXT_ADDRESS_DST]
+		 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
+								SADB_EXT_ADDRESS_DST,
+								0, /*extr->ips->ips_said.proto,*/
+								0,
+								extr->ips->ips_addr_d),
+				    extensions_reply) : 1)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
+							     SADB_X_EXT_ADDRESS_SRC_FLOW,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&srcflow),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
+							     SADB_X_EXT_ADDRESS_DST_FLOW,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&dstflow),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
+							     SADB_X_EXT_ADDRESS_SRC_MASK,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&srcmask),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
+							     SADB_X_EXT_ADDRESS_DST_MASK,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&dstmask),
+				 extensions_reply)
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
+			    "failed to build the x_addflow reply message extensions\n");
+		SENDERR(-error);
+	}
+		
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
+			    "failed to build the x_addflow reply message\n");
+		SENDERR(-error);
+	}
+	
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
+				    "sending up x_addflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
+			    "sending up x_addflow reply message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    extr->ips->ips_said.proto,
+			    pfkey_socketsp->socketp);
+	}
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_addflow_parse: "
+		    "extr->ips cleaned up and freed.\n");
+
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_delflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+#ifdef CONFIG_KLIPS_DEBUG
+	char buf1[64], buf2[64];
+#endif /* CONFIG_KLIPS_DEBUG */
+	struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_reply = NULL;
+	struct socket_list *pfkey_socketsp;
+	uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
+	ip_address srcflow, dstflow, srcmask, dstmask;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_delflow_parse: .\n");
+
+	pfkey_extensions_init(extensions_reply);
+
+	memset((caddr_t)&srcflow, 0, sizeof(srcflow));
+	memset((caddr_t)&dstflow, 0, sizeof(dstflow));
+	memset((caddr_t)&srcmask, 0, sizeof(srcmask));
+	memset((caddr_t)&dstmask, 0, sizeof(dstmask));
+
+	if(!extr || !(extr->ips)) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_delflow_parse: "
+			    "extr, or extr->ips is NULL, fatal\n");
+		SENDERR(EINVAL);
+	}
+
+	if(extr->ips->ips_flags & SADB_X_SAFLAGS_CLEARFLOW) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_x_delflow_parse: "
+			    "CLEARFLOW flag set, calling cleareroutes.\n");
+		if ((error = ipsec_cleareroutes()))
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_delflow_parse: "
+				    "cleareroutes returned %d.\n", error);
+			SENDERR(-error);
+	} else {
+		struct sk_buff *first = NULL, *last = NULL;
+
+		if(!(extr->eroute)) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_delflow_parse: "
+				    "extr->eroute is NULL, fatal.\n");
+			SENDERR(EINVAL);
+		}
+		
+		srcflow.u.v4.sin_family = AF_INET;
+		dstflow.u.v4.sin_family = AF_INET;
+		srcmask.u.v4.sin_family = AF_INET;
+		dstmask.u.v4.sin_family = AF_INET;
+		srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
+		dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
+		srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
+		dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
+
+#ifdef CONFIG_KLIPS_DEBUG
+		if (debug_pfkey) {
+			subnettoa(extr->eroute->er_eaddr.sen_ip_src,
+				  extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
+			subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
+				  extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_delflow_parse: "
+				    "calling breakeroute for %s->%s\n",
+				    buf1, buf2);
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+		error = ipsec_breakroute(&(extr->eroute->er_eaddr),
+					     &(extr->eroute->er_emask),
+					     &first, &last);
+		if(error) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_x_delflow_parse: "
+				    "breakeroute returned %d.  first=0p%p, last=0p%p\n",
+				    error,
+				    first,
+				    last);
+		}
+		if(first != NULL) {
+			ipsec_kfree_skb(first);
+		}
+		if(last != NULL) {
+			ipsec_kfree_skb(last);
+		}
+		if(error) {
+			SENDERR(-error);
+		}
+	}
+	
+	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+							  SADB_X_DELFLOW,
+							  satype,
+							  0,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
+							  ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
+			      extensions_reply)
+	     && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
+							SADB_EXT_SA,
+							extr->ips->ips_said.spi,
+							extr->ips->ips_replaywin,
+							extr->ips->ips_state,
+							extr->ips->ips_authalg,
+							extr->ips->ips_encalg,
+							extr->ips->ips_flags,
+							extr->ips->ips_ref),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
+							     SADB_X_EXT_ADDRESS_SRC_FLOW,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&srcflow),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
+							     SADB_X_EXT_ADDRESS_DST_FLOW,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&dstflow),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
+							     SADB_X_EXT_ADDRESS_SRC_MASK,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&srcmask),
+				 extensions_reply)
+	     && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
+							     SADB_X_EXT_ADDRESS_DST_MASK,
+							     0, /*extr->ips->ips_said.proto,*/
+							     0,
+							     (struct sockaddr*)&dstmask),
+				 extensions_reply)
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
+			    "failed to build the x_delflow reply message extensions\n");
+		SENDERR(-error);
+	}
+		
+	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
+			    "failed to build the x_delflow reply message\n");
+		SENDERR(-error);
+	}
+	
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
+				    "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
+			    "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_delflow_parse: "
+		    "extr->ips cleaned up and freed.\n");
+
+ errlab:
+	if (pfkey_reply) {
+		pfkey_msg_free(&pfkey_reply);
+	}
+	pfkey_extensions_free(extensions_reply);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_msg_debug_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	int error = 0;
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_x_msg_debug_parse: .\n");
+
+/* errlab:*/
+	return error;
+}
+
+/* pfkey_expire expects the ipsec_sa table to be locked before being called. */
+int
+pfkey_expire(struct ipsec_sa *ipsp, int hard)
+{
+	struct sadb_ext *extensions[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_msg = NULL;
+	struct socket_list *pfkey_socketsp;
+	int error = 0;
+	uint8_t satype;
+
+	pfkey_extensions_init(extensions);
+
+	if(!(satype = proto2satype(ipsp->ips_said.proto))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_expire: "
+			    "satype lookup for protocol %d lookup failed.\n", 
+			    ipsp->ips_said.proto);
+		SENDERR(EINVAL);
+	}
+	
+	if(!pfkey_open_sockets) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "no sockets listening.\n");
+		SENDERR(EPROTONOSUPPORT);
+	}
+
+	if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
+							   SADB_EXPIRE,
+							   satype,
+							   0,
+							   ++pfkey_msg_seq,
+							   0),
+			       extensions)
+	      && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
+							 SADB_EXT_SA,
+							 ipsp->ips_said.spi,
+							 ipsp->ips_replaywin,
+							 ipsp->ips_state,
+							 ipsp->ips_authalg,
+							 ipsp->ips_encalg,
+							 ipsp->ips_flags,
+							 ipsp->ips_ref),
+				  extensions)
+	      && pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_CURRENT],
+							       SADB_EXT_LIFETIME_CURRENT,
+							       ipsp->ips_life.ipl_allocations.ipl_count,
+							       ipsp->ips_life.ipl_bytes.ipl_count,
+							       ipsp->ips_life.ipl_addtime.ipl_count,
+							       ipsp->ips_life.ipl_usetime.ipl_count,
+							       ipsp->ips_life.ipl_packets.ipl_count),
+				  extensions)
+	      && (hard ? 
+		  pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
+								SADB_EXT_LIFETIME_HARD,
+								ipsp->ips_life.ipl_allocations.ipl_hard,
+								ipsp->ips_life.ipl_bytes.ipl_hard,
+								ipsp->ips_life.ipl_addtime.ipl_hard,
+								ipsp->ips_life.ipl_usetime.ipl_hard,
+								ipsp->ips_life.ipl_packets.ipl_hard),
+				   extensions)
+		  : pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
+								  SADB_EXT_LIFETIME_SOFT,
+								  ipsp->ips_life.ipl_allocations.ipl_soft,
+								  ipsp->ips_life.ipl_bytes.ipl_soft,
+								  ipsp->ips_life.ipl_addtime.ipl_soft,
+								  ipsp->ips_life.ipl_usetime.ipl_soft,
+								  ipsp->ips_life.ipl_packets.ipl_soft),
+				     extensions))
+	      && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
+							      SADB_EXT_ADDRESS_SRC,
+							      0, /* ipsp->ips_said.proto, */
+							      0,
+							      ipsp->ips_addr_s),
+				  extensions)
+	      && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
+							      SADB_EXT_ADDRESS_DST,
+							      0, /* ipsp->ips_said.proto, */
+							      0,
+							      ipsp->ips_addr_d),
+				  extensions))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "failed to build the expire message extensions\n");
+		spin_unlock(&tdb_lock);
+		goto errlab;
+	}
+	
+	if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "failed to build the expire message\n");
+		SENDERR(-error);
+	}
+	
+	for(pfkey_socketsp = pfkey_open_sockets;
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+				    "sending up expire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
+			    "sending up expire message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    ipsp->ips_said.proto,
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	if (pfkey_msg) {
+		pfkey_msg_free(&pfkey_msg);
+	}
+	pfkey_extensions_free(extensions);
+	return error;
+}
+
+int
+pfkey_acquire(struct ipsec_sa *ipsp)
+{
+	struct sadb_ext *extensions[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_msg = NULL;
+	struct socket_list *pfkey_socketsp;
+	int error = 0;
+	struct sadb_comb comb[] = {
+		/* auth; encrypt; flags; */
+		/* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */
+		/* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */
+		/* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */
+		/* soft_packets; hard_packets; */
+		{ SADB_AALG_MD5HMAC,  SADB_EALG_3DESCBC, SADB_SAFLAGS_PFS,
+		  128, 128, 168, 168,
+		  0, 0, 0, 0, 0,
+		  57600, 86400, 57600, 86400,
+		  0, 0 },
+		{ SADB_AALG_SHA1HMAC, SADB_EALG_3DESCBC, SADB_SAFLAGS_PFS,
+		  160, 160, 168, 168,
+		  0, 0, 0, 0, 0,
+		  57600, 86400, 57600, 86400,
+		  0, 0 }
+	};
+       
+	/* XXX This should not be hard-coded.  It should be taken from the spdb */
+	uint8_t satype = SADB_SATYPE_ESP;
+
+	pfkey_extensions_init(extensions);
+
+	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "SAtype=%d unspecified or unknown.\n",
+			    satype);
+		SENDERR(EINVAL);
+	}
+
+	if(!(pfkey_registered_sockets[satype])) {
+		KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
+		SENDERR(EPROTONOSUPPORT);
+	}
+	
+	if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
+							  SADB_ACQUIRE,
+							  satype,
+							  0,
+							  ++pfkey_msg_seq,
+							  0),
+			      extensions)
+	      && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
+							      SADB_EXT_ADDRESS_SRC,
+							      ipsp->ips_transport_protocol,
+							      0,
+							      ipsp->ips_addr_s),
+				  extensions)
+	      && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
+							      SADB_EXT_ADDRESS_DST,
+							      ipsp->ips_transport_protocol,
+							      0,
+							      ipsp->ips_addr_d),
+				  extensions)
+#if 0
+	      && (ipsp->ips_addr_p
+		  ? pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
+								 SADB_EXT_ADDRESS_PROXY,
+								 ipsp->ips_transport_protocol,
+								 0,
+								 ipsp->ips_addr_p),
+				     extensions) : 1)
+#endif
+	      && (ipsp->ips_ident_s.type != SADB_IDENTTYPE_RESERVED
+		  ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
+							       SADB_EXT_IDENTITY_SRC,
+							       ipsp->ips_ident_s.type,
+							       ipsp->ips_ident_s.id,
+							       ipsp->ips_ident_s.len,
+							       ipsp->ips_ident_s.data),
+				     extensions) : 1)
+
+	      && (ipsp->ips_ident_d.type != SADB_IDENTTYPE_RESERVED
+		  ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
+							       SADB_EXT_IDENTITY_DST,
+							       ipsp->ips_ident_d.type,
+							       ipsp->ips_ident_d.id,
+							       ipsp->ips_ident_d.len,
+							       ipsp->ips_ident_d.data),
+				     extensions) : 1)
+#if 0
+	      /* FIXME: This won't work yet because I have not finished
+		 it. */
+	      && (ipsp->ips_sens_
+		  ? pfkey_safe_build(error = pfkey_sens_build(&extensions[SADB_EXT_SENSITIVITY],
+							      ipsp->ips_sens_dpd,
+							      ipsp->ips_sens_sens_level,
+							      ipsp->ips_sens_sens_len,
+							      ipsp->ips_sens_sens_bitmap,
+							      ipsp->ips_sens_integ_level,
+							      ipsp->ips_sens_integ_len,
+							      ipsp->ips_sens_integ_bitmap),
+				     extensions) : 1)
+#endif
+	      && pfkey_safe_build(error = pfkey_prop_build(&extensions[SADB_EXT_PROPOSAL],
+							   64, /* replay */
+							   sizeof(comb)/sizeof(struct sadb_comb),
+							   &(comb[0])),
+				  extensions)
+		)) {
+		KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "failed to build the acquire message extensions\n");
+		SENDERR(-error);
+	}
+	
+	if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
+		KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "failed to build the acquire message\n");
+		SENDERR(-error);
+	}
+
+#if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
+	if(sysctl_ipsec_regress_pfkey_lossage) {
+		return(0);
+	}
+#endif	
+	
+	/* this should go to all registered sockets for that satype only */
+	for(pfkey_socketsp = pfkey_registered_sockets[satype];
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
+			KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
+				    "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
+			    "sending up acquire message for satype=%d(%s) to socket=0p%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	if (pfkey_msg) {
+		pfkey_msg_free(&pfkey_msg);
+	}
+	pfkey_extensions_free(extensions);
+	return error;
+}
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+int
+pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr,
+	__u16 sport)
+{
+	struct sadb_ext *extensions[SADB_EXT_MAX+1];
+	struct sadb_msg *pfkey_msg = NULL;
+	struct socket_list *pfkey_socketsp;
+	int error = 0;
+	uint8_t satype = (ipsp->ips_said.proto==IPPROTO_ESP) ? SADB_SATYPE_ESP : 0;
+
+	/* Construct SADB_X_NAT_T_NEW_MAPPING message */
+
+	pfkey_extensions_init(extensions);
+
+	if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+			    "SAtype=%d unspecified or unknown.\n",
+			    satype);
+		SENDERR(EINVAL);
+	}
+
+	if(!(pfkey_registered_sockets[satype])) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+			    "no sockets registered for SAtype=%d(%s).\n",
+			    satype,
+			    satype2name(satype));
+		SENDERR(EPROTONOSUPPORT);
+	}
+
+	if (!(pfkey_safe_build
+		(error = pfkey_msg_hdr_build(&extensions[0], SADB_X_NAT_T_NEW_MAPPING,
+			satype, 0, ++pfkey_msg_seq, 0), extensions)
+		/* SA */
+		&& pfkey_safe_build
+		(error = pfkey_sa_build(&extensions[SADB_EXT_SA],
+			SADB_EXT_SA, ipsp->ips_said.spi, 0, 0, 0, 0, 0), extensions)
+		/* ADDRESS_SRC = old addr */
+		&& pfkey_safe_build
+		(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
+			SADB_EXT_ADDRESS_SRC, ipsp->ips_said.proto, 0, ipsp->ips_addr_s),
+			extensions)
+		/* NAT_T_SPORT = old port */
+	    && pfkey_safe_build
+		(error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_SPORT],
+			SADB_X_EXT_NAT_T_SPORT, ipsp->ips_natt_sport), extensions)
+		/* ADDRESS_DST = new addr */
+		&& pfkey_safe_build
+		(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
+			SADB_EXT_ADDRESS_DST, ipsp->ips_said.proto, 0, ipaddr), extensions)
+		/* NAT_T_DPORT = new port */
+	    && pfkey_safe_build
+		(error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_DPORT],
+			SADB_X_EXT_NAT_T_DPORT, sport), extensions)
+		)) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+			    "failed to build the nat_t_new_mapping message extensions\n");
+		SENDERR(-error);
+	}
+	
+	if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+			    "failed to build the nat_t_new_mapping message\n");
+		SENDERR(-error);
+	}
+
+	/* this should go to all registered sockets for that satype only */
+	for(pfkey_socketsp = pfkey_registered_sockets[satype];
+	    pfkey_socketsp;
+	    pfkey_socketsp = pfkey_socketsp->next) {
+		if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+				    "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p failed with error=%d.\n",
+				    satype,
+				    satype2name(satype),
+				    pfkey_socketsp->socketp,
+				    error);
+			SENDERR(-error);
+		}
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
+			    "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p succeeded.\n",
+			    satype,
+			    satype2name(satype),
+			    pfkey_socketsp->socketp);
+	}
+	
+ errlab:
+	if (pfkey_msg) {
+		pfkey_msg_free(&pfkey_msg);
+	}
+	pfkey_extensions_free(extensions);
+	return error;
+}
+
+DEBUG_NO_STATIC int
+pfkey_x_nat_t_new_mapping_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
+{
+	/* SADB_X_NAT_T_NEW_MAPPING not used in kernel */
+	return -EINVAL;
+}
+#endif
+
+DEBUG_NO_STATIC int (*ext_processors[SADB_EXT_MAX+1])(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr) =
+{
+  NULL, /* pfkey_msg_process, */
+        pfkey_sa_process,
+        pfkey_lifetime_process,
+        pfkey_lifetime_process,
+        pfkey_lifetime_process,
+        pfkey_address_process,
+        pfkey_address_process,
+        pfkey_address_process,
+        pfkey_key_process,
+        pfkey_key_process,
+        pfkey_ident_process,
+        pfkey_ident_process,
+        pfkey_sens_process,
+        pfkey_prop_process,
+        pfkey_supported_process,
+        pfkey_supported_process,
+        pfkey_spirange_process,
+        pfkey_x_kmprivate_process,
+        pfkey_x_satype_process,
+        pfkey_sa_process,
+        pfkey_address_process,
+        pfkey_address_process,
+        pfkey_address_process,
+        pfkey_address_process,
+        pfkey_address_process,
+	pfkey_x_debug_process,
+	pfkey_x_protocol_process
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	,
+	pfkey_x_nat_t_type_process,
+	pfkey_x_nat_t_port_process,
+	pfkey_x_nat_t_port_process,
+	pfkey_address_process
+#endif	
+};
+
+
+DEBUG_NO_STATIC int (*msg_parsers[SADB_MAX +1])(struct sock *sk, struct sadb_ext *extensions[], struct pfkey_extracted_data* extr)
+ =
+{
+	NULL, /* RESERVED */
+	pfkey_getspi_parse,
+	pfkey_update_parse,
+	pfkey_add_parse,
+	pfkey_delete_parse,
+	pfkey_get_parse,
+	pfkey_acquire_parse,
+	pfkey_register_parse,
+	pfkey_expire_parse,
+	pfkey_flush_parse,
+	pfkey_dump_parse,
+	pfkey_x_promisc_parse,
+	pfkey_x_pchange_parse,
+	pfkey_x_grpsa_parse,
+	pfkey_x_addflow_parse,
+	pfkey_x_delflow_parse,
+	pfkey_x_msg_debug_parse
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+	, pfkey_x_nat_t_new_mapping_parse
+#endif	
+};
+
+int
+pfkey_build_reply(struct sadb_msg *pfkey_msg,
+		  struct pfkey_extracted_data *extr,
+		  struct sadb_msg **pfkey_reply)
+{
+	struct sadb_ext *extensions[SADB_EXT_MAX+1];
+	int error = 0;
+	int msg_type = pfkey_msg->sadb_msg_type;
+	int seq = pfkey_msg->sadb_msg_seq;
+
+	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+		    "building reply with type: %d\n",
+		    msg_type);
+	pfkey_extensions_init(extensions);
+	if (!extr || !extr->ips) {
+			KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+				    "bad ipsec_sa passed\n");
+			return EINVAL;
+	}
+	error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0],
+						     msg_type,
+						     proto2satype(extr->ips->ips_said.proto),
+						     0,
+						     seq,
+						     pfkey_msg->sadb_msg_pid),
+				 extensions) &&
+		(!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
+		   1 << SADB_EXT_SA)
+		 || pfkey_safe_build(pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
+						    SADB_EXT_SA,
+						    extr->ips->ips_said.spi,
+						    extr->ips->ips_replaywin,
+						    extr->ips->ips_state,
+						    extr->ips->ips_authalg,
+						    extr->ips->ips_encalg,
+						    extr->ips->ips_flags,
+						    extr->ips->ips_ref),
+				     extensions)) &&
+		(!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
+		   1 << SADB_EXT_LIFETIME_CURRENT)
+		 || pfkey_safe_build(pfkey_lifetime_build(&extensions
+							  [SADB_EXT_LIFETIME_CURRENT],
+							  SADB_EXT_LIFETIME_CURRENT,
+							  extr->ips->ips_life.ipl_allocations.ipl_count,
+							  extr->ips->ips_life.ipl_bytes.ipl_count,
+							  extr->ips->ips_life.ipl_addtime.ipl_count,
+							  extr->ips->ips_life.ipl_usetime.ipl_count,
+							  extr->ips->ips_life.ipl_packets.ipl_count),
+				     extensions)) &&
+		(!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
+		   1 << SADB_EXT_ADDRESS_SRC)
+		 || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
+							 SADB_EXT_ADDRESS_SRC,
+							 extr->ips->ips_said.proto,
+							 0,
+							 extr->ips->ips_addr_s),
+				     extensions)) &&
+		(!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
+		   1 << SADB_EXT_ADDRESS_DST)
+		 || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
+							 SADB_EXT_ADDRESS_DST,
+							 extr->ips->ips_said.proto,
+							 0,
+							 extr->ips->ips_addr_d),
+				     extensions));
+
+	if (error == 0) {
+		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+			    "building extensions failed\n");
+		return EINVAL;
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_build_reply: "
+		    "built extensions, proceed to build the message\n");
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_build_reply: "
+		    "extensions[1]=0p%p\n",
+		    extensions[1]);
+	error = pfkey_msg_build(pfkey_reply, extensions, EXT_BITS_OUT);
+	pfkey_extensions_free(extensions);
+
+	return error;
+}
+
+int
+pfkey_msg_interp(struct sock *sk, struct sadb_msg *pfkey_msg,
+				struct sadb_msg **pfkey_reply)
+{
+	int error = 0;
+	int i;
+	struct sadb_ext *extensions[SADB_EXT_MAX+1];
+	struct pfkey_extracted_data extr = {NULL, NULL, NULL};
+	
+	pfkey_extensions_init(extensions);
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_msg_interp: "
+		    "parsing message ver=%d, type=%d, errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", 
+		    pfkey_msg->sadb_msg_version,
+		    pfkey_msg->sadb_msg_type,
+		    pfkey_msg->sadb_msg_errno,
+		    pfkey_msg->sadb_msg_satype,
+		    satype2name(pfkey_msg->sadb_msg_satype),
+		    pfkey_msg->sadb_msg_len,
+		    pfkey_msg->sadb_msg_reserved,
+		    pfkey_msg->sadb_msg_seq,
+		    pfkey_msg->sadb_msg_pid);
+	
+	extr.ips = ipsec_sa_alloc(&error); /* pass in error var by pointer */
+	if(extr.ips == NULL) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_msg_interp: "
+			    "memory allocation error.\n");
+		SENDERR(-error);
+	}
+
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_msg_interp: "
+		    "allocated extr->ips=0p%p.\n",
+		    extr.ips);
+	
+	if(pfkey_msg->sadb_msg_satype > SADB_SATYPE_MAX) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_msg_interp: "
+			    "satype %d > max %d\n", 
+			    pfkey_msg->sadb_msg_satype,
+			    SADB_SATYPE_MAX);
+		SENDERR(EINVAL);
+	}
+	
+	switch(pfkey_msg->sadb_msg_type) {
+	case SADB_GETSPI:
+	case SADB_UPDATE:
+	case SADB_ADD:
+	case SADB_DELETE:
+	case SADB_X_GRPSA:
+	case SADB_X_ADDFLOW:
+		if(!(extr.ips->ips_said.proto = satype2proto(pfkey_msg->sadb_msg_satype))) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_msg_interp: "
+				    "satype %d lookup failed.\n", 
+				    pfkey_msg->sadb_msg_satype);
+			SENDERR(EINVAL);
+		} else {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_msg_interp: "
+				    "satype %d lookups to proto=%d.\n", 
+				    pfkey_msg->sadb_msg_satype,
+				    extr.ips->ips_said.proto);
+		}
+		break;
+	default:
+		break;
+	}
+	
+	/* The NULL below causes the default extension parsers to be used */
+	/* Parse the extensions */
+	if((error = pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_IN)))
+	{
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_msg_interp: "
+			    "message parsing failed with error %d.\n",
+			    error); 
+		SENDERR(-error);
+	}
+	
+	/* Process the extensions */
+	for(i=1; i <= SADB_EXT_MAX;i++)	{
+		if(extensions[i] != NULL) {
+			KLIPS_PRINT(debug_pfkey,
+				    "klips_debug:pfkey_msg_interp: "
+				    "processing ext %d 0p%p with processor 0p%p.\n", 
+				    i, extensions[i], ext_processors[i]);
+			if((error = ext_processors[i](extensions[i], &extr))) {
+				KLIPS_PRINT(debug_pfkey,
+					    "klips_debug:pfkey_msg_interp: "
+					    "extension processing for type %d failed with error %d.\n",
+					    i,
+					    error); 
+				SENDERR(-error);
+			}
+			
+		}
+		
+	}
+	
+	/* Parse the message types */
+	KLIPS_PRINT(debug_pfkey,
+		    "klips_debug:pfkey_msg_interp: "
+		    "parsing message type %d(%s) with msg_parser 0p%p.\n",
+		    pfkey_msg->sadb_msg_type,
+		    pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
+		    msg_parsers[pfkey_msg->sadb_msg_type]); 
+	if((error = msg_parsers[pfkey_msg->sadb_msg_type](sk, extensions, &extr))) {
+		KLIPS_PRINT(debug_pfkey,
+			    "klips_debug:pfkey_msg_interp: "
+			    "message parsing failed with error %d.\n",
+			    error); 
+		SENDERR(-error);
+	}
+
+#if 0
+	error = pfkey_build_reply(pfkey_msg, &extr, pfkey_reply);
+	if (error) {
+		*pfkey_reply = NULL;
+	}
+#endif	
+ errlab:
+	if(extr.ips != NULL) {
+		ipsec_sa_wipe(extr.ips);
+	}
+	if(extr.ips2 != NULL) {
+		ipsec_sa_wipe(extr.ips2);
+	}
+	if (extr.eroute != NULL) {
+		kfree(extr.eroute);
+	}
+	return(error);
+}
+
+/*
+ * $Log: pfkey_v2_parser.c,v $
+ * Revision 1.134.2.2  2006/10/06 21:39:26  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.134.2.1  2006/05/01 14:37:25  mcr
+ * ip_chk_addr -> inet_addr_type for more direct 2.4/2.6 support.
+ *
+ * Revision 1.134  2005/05/11 01:48:20  mcr
+ * 	removed "poor-man"s OOP in favour of proper C structures.
+ *
+ * Revision 1.133  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.132  2005/04/14 20:56:24  mcr
+ * 	moved (pfkey_)ipsec_sa_init to ipsec_sa.c.
+ *
+ * Revision 1.131  2005/01/26 00:50:35  mcr
+ * 	adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * 	and make sure that NAT_TRAVERSAL is set as well to match
+ * 	userspace compiles of code.
+ *
+ * Revision 1.130  2004/09/08 17:21:36  ken
+ * Rename MD5* -> osMD5 functions to prevent clashes with other symbols exported by kernel modules (CIFS in 2.6 initiated this)
+ *
+ * Revision 1.129  2004/09/06 18:36:30  mcr
+ * 	if a protocol can not be found, then log it. This is not
+ * 	debugging.
+ *
+ * Revision 1.128  2004/08/21 00:45:19  mcr
+ * 	CONFIG_KLIPS_NAT was wrong, also need to include udp.h.
+ *
+ * Revision 1.127  2004/08/20 21:45:45  mcr
+ * 	CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
+ * 	be 26sec compatible. But, some defines where changed.
+ *
+ * Revision 1.126  2004/08/17 03:27:23  mcr
+ * 	klips 2.6 edits.
+ *
+ * Revision 1.125  2004/08/04 15:57:07  mcr
+ * 	moved des .h files to include/des/ *
+ * 	included 2.6 protocol specific things
+ * 	started at NAT-T support, but it will require a kernel patch.
+ *
+ * Revision 1.124  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.123  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.122.2.2  2004/04/05 04:30:46  mcr
+ * 	patches for alg-branch to compile/work with 2.x openswan
+ *
+ * Revision 1.122.2.1  2003/12/22 15:25:52  jjo
+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
+ *
+ * Revision 1.122  2003/12/10 01:14:27  mcr
+ * 	NAT-traversal patches to KLIPS.
+ *
+ * Revision 1.121  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.120.4.2  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.120.4.1  2003/09/21 13:59:56  mcr
+ * 	pre-liminary X.509 patch - does not yet pass tests.
+ *
+ * Revision 1.120  2003/04/03 17:38:09  rgb
+ * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
+ *
+ * Revision 1.119  2003/02/06 01:52:37  rgb
+ * Removed no longer relevant comment
+ *
+ * Revision 1.118  2003/01/30 02:32:44  rgb
+ *
+ * Transmit error code through to caller from callee for better diagnosis of problems.
+ *
+ * Revision 1.117  2003/01/16 18:48:13  rgb
+ *
+ * Fixed sign bug in error return from an sa allocation call in
+ * pfkey_msg_interp.
+ *
+ * Revision 1.116  2002/10/17 16:38:01  rgb
+ * Change pfkey_alloc_eroute() to never static since its consumers
+ * have been moved outside the file.
+ *
+ * Revision 1.115  2002/10/12 23:11:53  dhr
+ *
+ * [KenB + DHR] more 64-bit cleanup
+ *
+ * Revision 1.114  2002/10/05 05:02:58  dhr
+ *
+ * C labels go on statements
+ *
+ * Revision 1.113  2002/09/30 19:11:22  rgb
+ * 	Turn on debugging for upgoing acquire messages to test for reliability.
+ *
+ * Revision 1.112  2002/09/20 15:41:16  rgb
+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
+ * Added sadb_x_sa_ref to struct sadb_sa.
+ * Added ref parameter to pfkey_sa_build().
+ *
+ * Revision 1.111  2002/09/20 05:02:08  rgb
+ * Added memory allocation debugging.
+ * Convert to switch to divulge hmac keys for debugging.
+ * Added text labels to elucidate numeric values presented.
+ *
+ * Revision 1.110  2002/08/03 18:03:05  mcr
+ * 	loop that checks for SPI's to have been already linked
+ * 	fails to actually step to next pointer, but continuously
+ * 	resets to head of list. Wrong pointer used.
+ * 	test east-icmp-02 revealed this.
+ *
+ * Revision 1.109  2002/07/26 08:48:31  rgb
+ * Added SA ref table code.
+ *
+ * Revision 1.108  2002/05/27 18:55:03  rgb
+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
+ *
+ * Revision 1.107  2002/05/23 07:16:08  rgb
+ * Added ipsec_sa_put() for releasing an ipsec_sa refcount.
+ * Pointer clean-up.
+ * Added refcount code.
+ *
+ * Revision 1.106  2002/05/14 02:34:13  rgb
+ * Converted reference from ipsec_sa_put to ipsec_sa_add to avoid confusion
+ * with "put" usage in the kernel.
+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
+ * ipsec_sa or ipsec_sa.
+ * Moved all the extension parsing functions to pfkey_v2_ext_process.c.
+ *
+ * Revision 1.105  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.104  2002/04/24 07:36:34  mcr
+ * Moved from ./klips/net/ipsec/pfkey_v2_parser.c,v
+ *
+ * Revision 1.103  2002/04/20 00:12:25  rgb
+ * Added esp IV CBC attack fix, disabled.
+ *
+ * Revision 1.102  2002/03/08 01:15:17  mcr
+ * 	put some internal structure only debug messages behind
+ * 	&& sysctl_ipsec_debug_verbose.
+ *
+ * Revision 1.101  2002/01/29 17:17:57  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.100  2002/01/29 04:00:54  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.99  2002/01/29 02:13:19  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.98  2002/01/12 02:57:57  mcr
+ * 	first regression test causes acquire messages to be lost
+ * 	100% of the time. This is to help testing of pluto.
+ *
+ * Revision 1.97  2001/11/26 09:23:52  rgb
+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+ *
+ * Revision 1.93.2.4  2001/10/23 04:20:27  mcr
+ * 	parity was forced on wrong structure! prototypes help here.
+ *
+ * Revision 1.93.2.3  2001/10/22 21:14:59  mcr
+ * 	include des.h, removed phony prototypes and fixed calling
+ * 	conventions to match real prototypes.
+ *
+ * Revision 1.93.2.2  2001/10/15 05:39:03  mcr
+ * 	%08lx is not the right format for u32. Use %08x. 64-bit safe? ha.
+ *
+ * Revision 1.93.2.1  2001/09/25 02:30:14  mcr
+ * 	struct tdb -> struct ipsec_sa.
+ * 	use new lifetime structure. common format routines for debug.
+ *
+ * Revision 1.96  2001/11/06 20:47:54  rgb
+ * Fixed user context call to ipsec_dev_start_xmit() bug.  Call
+ * dev_queue_xmit() instead.
+ *
+ * Revision 1.95  2001/11/06 19:47:46  rgb
+ * Added packet parameter to lifetime and comb structures.
+ *
+ * Revision 1.94  2001/10/18 04:45:23  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.93  2001/09/20 15:32:59  rgb
+ * Min/max cleanup.
+ *
+ * Revision 1.92  2001/09/19 16:35:48  rgb
+ * PF_KEY ident fix for getspi from NetCelo (puttdb duplication).
+ *
+ * Revision 1.91  2001/09/15 16:24:06  rgb
+ * Re-inject first and last HOLD packet when an eroute REPLACE is done.
+ *
+ * Revision 1.90  2001/09/14 16:58:38  rgb
+ * Added support for storing the first and last packets through a HOLD.
+ *
+ * Revision 1.89  2001/09/08 21:14:07  rgb
+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
+ * Better state coherency (error management) between pf_key and IKE daemon.
+ * (NetCelo)
+ *
+ * Revision 1.88  2001/08/27 19:42:44  rgb
+ * Fix memory leak of encrypt and auth structs in pfkey register.
+ *
+ * Revision 1.87  2001/07/06 19:50:46  rgb
+ * Removed unused debugging code.
+ * Added inbound policy checking code for IPIP SAs.
+ *
+ * Revision 1.86  2001/06/20 06:26:04  rgb
+ * Changed missing SA errors from EEXIST to ENOENT and added debug output
+ * for already linked SAs.
+ *
+ * Revision 1.85  2001/06/15 04:57:02  rgb
+ * Remove single error return condition check and check for all errors in
+ * the case of a replace eroute delete operation.  This means that
+ * applications must expect to be deleting something before replacing it
+ * and if nothing is found, complain.
+ *
+ * Revision 1.84  2001/06/14 19:35:12  rgb
+ * Update copyright date.
+ *
+ * Revision 1.83  2001/06/12 00:03:19  rgb
+ * Silence debug set/unset under normal conditions.
+ *
+ * Revision 1.82  2001/05/30 08:14:04  rgb
+ * Removed vestiges of esp-null transforms.
+ *
+ * Revision 1.81  2001/05/27 06:12:12  rgb
+ * Added structures for pid, packet count and last access time to eroute.
+ * Added packet count to beginning of /proc/net/ipsec_eroute.
+ *
+ * Revision 1.80  2001/05/03 19:43:59  rgb
+ * Check error return codes for all build function calls.
+ * Standardise on SENDERR() macro.
+ *
+ * Revision 1.79  2001/04/20 21:09:16  rgb
+ * Cleaned up fixed tdbwipes.
+ * Free pfkey_reply and clean up extensions_reply for grpsa, addflow and
+ * delflow (Per Cederqvist) plugging memleaks.
+ *
+ * Revision 1.78  2001/04/19 19:02:39  rgb
+ * Fixed extr.tdb freeing, stealing it for getspi, update and add.
+ * Refined a couple of spinlocks, fixed the one in update.
+ *
+ * Revision 1.77  2001/04/18 20:26:16  rgb
+ * Wipe/free eroute and both tdbs from extr at end of pfkey_msg_interp()
+ * instead of inside each message type parser.  This fixes two memleaks.
+ *
+ * Revision 1.76  2001/04/17 23:51:18  rgb
+ * Quiet down pfkey_x_debug_process().
+ *
+ * Revision 1.75  2001/03/29 01:55:05  rgb
+ * Fixed pfkey key init memleak.
+ * Fixed pfkey encryption key debug output.
+ *
+ * Revision 1.74  2001/03/27 05:29:14  rgb
+ * Debug output cleanup/silencing.
+ *
+ * Revision 1.73  2001/02/28 05:03:28  rgb
+ * Clean up and rationalise startup messages.
+ *
+ * Revision 1.72  2001/02/27 22:24:56  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.71  2001/02/27 06:59:30  rgb
+ * Added satype2name() conversions most places satype is debug printed.
+ *
+ * Revision 1.70  2001/02/26 22:37:08  rgb
+ * Fixed 'unknown proto' INT bug in new code.
+ * Added satype to protocol debugging instrumentation.
+ *
+ * Revision 1.69  2001/02/26 19:57:51  rgb
+ * Re-formatted debug output (split lines, consistent spacing).
+ * Fixed as yet undetected FLUSH bug which called ipsec_tdbcleanup()
+ * with an satype instead of proto.
+ * Checked for satype consistency and fixed minor bugs.
+ * Fixed undetected ungrpspi bug that tried to upmsg a second tdb.
+ * Check for satype sanity in pfkey_expire().
+ * Added satype sanity check to addflow.
+ *
+ * Revision 1.68  2001/02/12 23:14:40  rgb
+ * Remove double spin lock in pfkey_expire().
+ *
+ * Revision 1.67  2001/01/31 19:23:40  rgb
+ * Fixed double-unlock bug introduced by grpsa upmsg (found by Lars Heete).
+ *
+ * Revision 1.66  2001/01/29 22:20:04  rgb
+ * Fix minor add upmsg lifetime bug.
+ *
+ * Revision 1.65  2001/01/24 06:12:33  rgb
+ * Fixed address extension compile bugs just introduced.
+ *
+ * Revision 1.64  2001/01/24 00:31:15  rgb
+ * Added upmsg for addflow/delflow.
+ *
+ * Revision 1.63  2001/01/23 22:02:55  rgb
+ * Added upmsg to x_grpsa.
+ * Fixed lifetimes extentions to add/update/get upmsg.
+ *
+ * Revision 1.62  2000/11/30 21:47:51  rgb
+ * Fix error return bug after returning from pfkey_tdb_init().
+ *
+ * Revision 1.61  2000/11/17 18:10:29  rgb
+ * Fixed bugs mostly relating to spirange, to treat all spi variables as
+ * network byte order since this is the way PF_KEYv2 stored spis.
+ *
+ * Revision 1.60  2000/11/06 04:34:53  rgb
+ * Changed non-exported functions to DEBUG_NO_STATIC.
+ * Add Svenning's adaptive content compression.
+ * Ditched spin_lock_irqsave in favour of spin_lock/_bh.
+ * Fixed double unlock bug (Svenning).
+ * Fixed pfkey_msg uninitialized bug in pfkey_{expire,acquire}().
+ * Fixed incorrect extension type (prop) in pfkey)acquire().
+ *
+ * Revision 1.59  2000/10/11 15:25:12  rgb
+ * Fixed IPCOMP disabled compile bug.
+ *
+ * Revision 1.58  2000/10/11 14:54:03  rgb
+ * Fixed pfkey_acquire() satype to SADB_SATYPE_ESP and removed pfkey
+ * protocol violations of setting pfkey_address_build() protocol parameter
+ * to non-zero except in the case of pfkey_acquire().
+ *
+ * Revision 1.57  2000/10/10 20:10:18  rgb
+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
+ *
+ * Revision 1.56  2000/10/06 20:24:36  rgb
+ * Fixes to pfkey_acquire to initialize extensions[] and use correct
+ * ipproto.
+ *
+ * Revision 1.55  2000/10/03 03:20:57  rgb
+ * Added brackets to get a?b:c scope right for pfkey_register reply.
+ *
+ * Revision 1.54  2000/09/29 19:49:30  rgb
+ * As-yet-unused-bits cleanup.
+ *
+ * Revision 1.53  2000/09/28 00:35:45  rgb
+ * Padded SATYPE printout in pfkey_register for vertical alignment.
+ *
+ * Revision 1.52  2000/09/20 16:21:58  rgb
+ * Cleaned up ident string alloc/free.
+ *
+ * Revision 1.51  2000/09/20 04:04:20  rgb
+ * Changed static functions to DEBUG_NO_STATIC to reveal function names in
+ * oopsen.
+ *
+ * Revision 1.50  2000/09/16 01:10:53  rgb
+ * Fixed unused var warning with debug off.
+ *
+ * Revision 1.49  2000/09/15 11:37:02  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.48  2000/09/15 04:57:57  rgb
+ * Cleaned up existing IPCOMP code before svenning addition.
+ * Initialize pfkey_reply and extensions_reply in case of early error in
+ * message parsing functions (thanks Kai!).
+ *
+ * Revision 1.47  2000/09/13 08:02:56  rgb
+ * Added KMd registration notification.
+ *
+ * Revision 1.46  2000/09/12 22:35:36  rgb
+ * Restructured to remove unused extensions from CLEARFLOW messages.
+ *
+ * Revision 1.45  2000/09/12 03:24:23  rgb
+ * Converted #if0 debugs to sysctl.
+ *
+ * Revision 1.44  2000/09/09 06:38:39  rgb
+ * Correct SADB message type for update, add and delete.
+ *
+ * Revision 1.43  2000/09/08 19:19:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ * Removed all references to CONFIG_IPSEC_PFKEYv2.
+ * Put in sanity checks in most msg type parsers to catch invalid satypes
+ * and empty socket lists.
+ * Moved spin-locks in pfkey_get_parse() to simplify.
+ * Added pfkey_acquire().
+ * Added upwards messages to update, add, delete, acquire_parse,
+ * expire_parse and flush.
+ * Fix pfkey_prop_build() parameter to be only single indirection.
+ * Changed all replies to use pfkey_reply.
+ * Check return code on puttdb() and deltdbchain() in getspi, update,
+ * add, delete.
+ * Fixed up all pfkey replies to open and registered sockets.
+ *
+ * Revision 1.42  2000/09/01 18:50:26  rgb
+ * Added a supported algorithms array lists, one per satype and registered
+ * existing algorithms.
+ * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
+ * list.
+ * Only send pfkey_expire() messages to sockets registered for that satype.
+ * Added reply to pfkey_getspi_parse().
+ * Added reply to pfkey_get_parse().
+ * Fixed debug output label bug in pfkey_lifetime_process().
+ * Cleaned up pfkey_sa_process a little.
+ * Moved pfkey_safe_build() above message type parsers to make it available
+ * for creating replies.
+ * Added comments for future work in pfkey_acquire_parse().
+ * Fleshed out guts of pfkey_register_parse().
+ *
+ * Revision 1.41  2000/08/24 16:58:11  rgb
+ * Fixed key debugging variables.
+ * Fixed error return code for a failed search.
+ * Changed order of pfkey_get operations.
+ *
+ * Revision 1.40  2000/08/21 16:32:27  rgb
+ * Re-formatted for cosmetic consistency and readability.
+ *
+ * Revision 1.39  2000/08/20 21:38:57  rgb
+ * Bugfixes to as-yet-unused pfkey_update_parse() and
+ * pfkey_register_parse(). (Momchil)
+ * Added functions pfkey_safe_build(), pfkey_expire() and
+ * pfkey_build_reply(). (Momchil)
+ * Added a pfkey_reply parameter to pfkey_msg_interp(). (Momchil)
+ *
+ * Revision 1.38  2000/08/18 21:30:41  rgb
+ * Purged all tdb_spi, tdb_proto and tdb_dst macros.  They are unclear.
+ *
+ * Revision 1.37  2000/08/18 18:18:02  rgb
+ * Cosmetic and descriptive changes made to debug test.
+ * getspi and update fixes from Momchil.
+ *
+ * Revision 1.36  2000/08/15 15:41:55  rgb
+ * Fixed the (as yet unused and untested) pfkey_getspi() routine.
+ *
+ * Revision 1.35  2000/08/01 14:51:52  rgb
+ * Removed _all_ remaining traces of DES.
+ *
+ * Revision 1.34  2000/07/28 14:58:32  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.33  2000/06/28 05:50:11  rgb
+ * Actually set iv_bits.
+ *
+ * Revision 1.32  2000/05/30 18:36:56  rgb
+ * Fix AH auth hash setup bug.  This breaks interop with previous PF_KEY
+ * FreeS/WAN, but fixes interop with other implementations.
+ *
+ * Revision 1.31  2000/03/16 14:05:48  rgb
+ * Fixed brace scope preventing non-debug compile.
+ * Added null parameter check for pfkey_x_debug().
+ *
+ * Revision 1.30  2000/01/22 23:21:13  rgb
+ * Use new function satype2proto().
+ *
+ * Revision 1.29  2000/01/22 08:40:21  rgb
+ * Invert condition to known value to avoid AF_INET6 in 2.0.36.
+ *
+ * Revision 1.28  2000/01/22 07:58:57  rgb
+ * Fixed REPLACEFLOW bug, missing braces around KLIPS_PRINT *and* SENDERR.
+ *
+ * Revision 1.27  2000/01/22 03:48:01  rgb
+ * Added extr pointer component debugging.
+ *
+ * Revision 1.26  2000/01/21 09:41:25  rgb
+ * Changed a (void*) to (char*) cast to do proper pointer math.
+ * Don't call tdbwipe if tdb2 is NULL.
+ *
+ * Revision 1.25  2000/01/21 06:21:01  rgb
+ * Added address cases for eroute flows.
+ * Tidied up compiler directive indentation for readability.
+ * Added ictx,octx vars for simplification.
+ * Added macros for HMAC padding magic numbers.
+ * Converted from double tdb arguments to one structure (extr)
+ * containing pointers to all temporary information structures
+ * and checking for valid arguments to all ext processors and
+ * msg type parsers.
+ * Added spiungrp'ing.
+ * Added klipsdebug switching capability.
+ * Removed sa_process() check for zero protocol.
+ * Added address case for DST2 for grouping.
+ * Added/changed minor debugging instrumentation.
+ * Fixed spigrp for single said, ungrouping case.
+ * Added code to parse addflow and delflow messages.
+ * Removed redundant statements duplicating tdbwipe() functionality
+ * and causing double kfrees.
+ * Permit addflow to have a protocol of 0.
+ *
+ * Revision 1.24  1999/12/09 23:23:00  rgb
+ * Added check to pfkey_sa_process() to do eroutes.
+ * Converted to DIVUP() macro.
+ * Converted if() to switch() in pfkey_register_parse().
+ * Use new pfkey_extensions_init() instead of memset().
+ *
+ * Revision 1.23  1999/12/01 22:18:13  rgb
+ * Preset minspi and maxspi values in case and spirange extension is not
+ * included and check for the presence of an spirange extension before
+ * using it.  Initialise tdb_sastate to LARVAL.
+ * Fixed debugging output typo.
+ * Fixed authentication context initialisation bugs (4 places).
+ *
+ * Revision 1.22  1999/11/27 11:53:08  rgb
+ * Moved pfkey_msg_parse prototype to pfkey.h
+ * Moved exts_permitted/required prototype to pfkey.h.
+ * Moved sadb_satype2proto protocol lookup table to lib/pfkey_v2_parse.c.
+ * Deleted SADB_X_EXT_SA2 code from pfkey_sa_process() since it will never
+ * be called.
+ * Moved protocol/algorithm checks to lib/pfkey_v2_parse.c
+ * Debugging error messages added.
+ * Enable lifetime_current checking.
+ * Remove illegal requirement for SA extension to be present in an
+ * originating GETSPI call.
+ * Re-instate requirement for UPDATE or ADD message to be MATURE.
+ * Add argument to pfkey_msg_parse() for direction.
+ * Fixed IPIP dst address bug and purged redundant, leaky code.
+ *
+ * Revision 1.21  1999/11/24 05:24:20  rgb
+ * hanged 'void*extensions' to 'struct sadb_ext*extensions'.
+ * Fixed indention.
+ * Ditched redundant replay check.
+ * Fixed debug message text from 'parse' to 'process'.
+ * Added more debug output.
+ * Forgot to zero extensions array causing bug, fixed.
+ *
+ * Revision 1.20  1999/11/23 23:08:13  rgb
+ * Move all common parsing code to lib/pfkey_v2_parse.c and rename
+ * remaining bits to *_process. (PJO)
+ * Add macros for dealing with alignment and rounding up more opaquely.
+ * Use provided macro ADDRTOA_BUF instead of hardcoded value.
+ * Sort out pfkey and freeswan headers, putting them in a library path.
+ * Corrected a couple of bugs in as-yet-inactive code.
+ *
+ * Revision 1.19  1999/11/20 22:01:10  rgb
+ * Add more descriptive error messages for non-zero reserved fields.
+ * Add more descriptive error message for spirange parsing.
+ * Start on supported extension parsing.
+ * Start on register and get message parsing.
+ *
+ * Revision 1.18  1999/11/18 04:09:20  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.17  1999/11/17 15:53:41  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.16  1999/10/26 16:57:43  rgb
+ * Add shorter macros for compiler directives to visually clean-up.
+ * Give ipv6 code meaningful compiler directive.
+ * Add comments to other #if 0 debug code.
+ * Remove unused *_bh_atomic() calls.
+ * Fix mis-placed spinlock.
+ *
+ * Revision 1.15  1999/10/16 18:27:10  rgb
+ * Clean-up unused cruft.
+ * Fix-up lifetime_allocations_c and lifetime_addtime_c initialisations.
+ *
+ * Revision 1.14  1999/10/08 18:37:34  rgb
+ * Fix end-of-line spacing to sate whining PHMs.
+ *
+ * Revision 1.13  1999/10/03 18:49:12  rgb
+ * Spinlock fixes for 2.0.xx and 2.3.xx.
+ *
+ * Revision 1.12  1999/10/01 15:44:54  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.11  1999/10/01 00:05:45  rgb
+ * Added tdb structure locking.
+ * Use 'jiffies' instead of do_get_timeofday().
+ * Fix lifetime assignments.
+ *
+ * Revision 1.10  1999/09/21 15:24:45  rgb
+ * Rework spirange code to save entropy and prevent endless loops.
+ *
+ * Revision 1.9  1999/09/16 12:10:21  rgb
+ * Minor fixes to random spi selection for correctness and entropy conservation.
+ *
+ * Revision 1.8  1999/05/25 22:54:46  rgb
+ * Fix comparison that should be an assignment in an if.
+ *
+ * Revision 1.7  1999/05/09 03:25:37  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.6  1999/05/08 21:32:30  rgb
+ * Fix error return reporting.
+ *
+ * Revision 1.5  1999/05/05 22:02:33  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.4  1999/04/29 15:22:40  rgb
+ * Standardise an error return method.
+ * Add debugging instrumentation.
+ * Add check for existence of macros min/max.
+ * Add extensions permitted/required in/out filters.
+ * Add satype-to-protocol table.
+ * Add a second tdb pointer to each parser to accomodate GRPSA.
+ * Move AH & no_algo_set to GETSPI, UPDATE and ADD.
+ * Add OOO window check.
+ * Add support for IPPROTO_IPIP and hooks for IPPROTO_COMP.
+ * Add timestamp to lifetime parse.
+ * Fix address structure length checking bug.
+ * Fix address structure allocation bug (forgot to kmalloc!).
+ * Add checks for extension lengths.
+ * Add checks for extension reserved illegal values.
+ * Add check for spirange legal values.
+ * Add an extension type for parsing a second satype, SA and
+ * DST_ADDRESS.
+ * Make changes to tdb_init() template to get pfkey_tdb_init(),
+ * eliminating any mention of xformsw.
+ * Implement getspi, update and grpsa (not tested).
+ * Add stubs for as yet unimplemented message types.
+ * Add table of message parsers to substitute for msg_parse switch.
+ *
+ * Revision 1.3  1999/04/15 17:58:07  rgb
+ * Add RCSID labels.
+ *
+ * Revision 1.2  1999/04/15 15:37:26  rgb
+ * Forward check changes from POST1_00 branch.
+ *
+ * Revision 1.1.2.1  1999/03/26 20:58:56  rgb
+ * Add pfkeyv2 support to KLIPS.
+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/prng.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,201 @@
+/*
+ * crypto-class pseudorandom number generator
+ * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
+ * Copyright (C) 2002  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: prng.c,v 1.7 2004/07/10 07:48:36 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - prng_init - initialize PRNG from a key
+ */
+void
+prng_init(prng, key, keylen)
+struct prng *prng;
+const unsigned char *key;
+size_t keylen;
+{
+	unsigned char k[256];
+	int i, j;
+	unsigned const char *p;
+	unsigned const char *keyend = key + keylen;
+	unsigned char t;
+
+	for (i = 0; i <= 255; i++)
+		prng->sbox[i] = i;
+	p = key;
+	for (i = 0; i <= 255; i++) {
+		k[i] = *p++;
+		if (p >= keyend)
+			p = key;
+	}
+	j = 0;
+	for (i = 0; i <= 255; i++) {
+		j = (j + prng->sbox[i] + k[i]) & 0xff;
+		t = prng->sbox[i];
+		prng->sbox[i] = prng->sbox[j];
+		prng->sbox[j] = t;
+		k[i] = 0;	/* clear out key memory */
+	}
+	prng->i = 0;
+	prng->j = 0;
+	prng->count = 0;
+}
+
+/*
+ - prng_bytes - get some pseudorandom bytes from PRNG
+ */
+void
+prng_bytes(prng, dst, dstlen)
+struct prng *prng;
+unsigned char *dst;
+size_t dstlen;
+{
+	int i, j, t;
+	unsigned char *p = dst;
+	size_t remain = dstlen;
+#	define	MAX	4000000000ul
+
+	while (remain > 0) {
+		i = (prng->i + 1) & 0xff;
+		prng->i = i;
+		j = (prng->j + prng->sbox[i]) & 0xff;
+		prng->j = j;
+		t = prng->sbox[i];
+		prng->sbox[i] = prng->sbox[j];
+		prng->sbox[j] = t;
+		t = (t + prng->sbox[i]) & 0xff;
+		*p++ = prng->sbox[t];
+		remain--;
+	}
+	if (prng->count < MAX - dstlen)
+		prng->count += dstlen;
+	else
+		prng->count = MAX;
+}
+
+/*
+ - prnt_count - how many bytes have been extracted from PRNG so far?
+ */
+unsigned long
+prng_count(prng)
+struct prng *prng;
+{
+	return prng->count;
+}
+
+/*
+ - prng_final - clear out PRNG to ensure nothing left in memory
+ */
+void
+prng_final(prng)
+struct prng *prng;
+{
+	int i;
+
+	for (i = 0; i <= 255; i++)
+		prng->sbox[i] = 0;
+	prng->i = 0;
+	prng->j = 0;
+	prng->count = 0;	/* just for good measure */
+}
+
+
+
+#ifdef PRNG_MAIN
+
+#include <stdio.h>
+
+void regress();
+
+int
+main(argc, argv)
+int argc;
+char *argv[];
+{
+	struct prng pr;
+	unsigned char buf[100];
+	unsigned char *p;
+	size_t n;
+
+	if (argc < 2) {
+		fprintf(stderr, "Usage: %s {key|-r}\n", argv[0]);
+		exit(2);
+	}
+
+	if (strcmp(argv[1], "-r") == 0) {
+		regress();
+		fprintf(stderr, "regress() returned?!?\n");
+		exit(1);
+	}
+
+	prng_init(&pr, argv[1], strlen(argv[1]));
+	prng_bytes(&pr, buf, 32);
+	printf("0x");
+	for (p = buf, n = 32; n > 0; p++, n--)
+		printf("%02x", *p);
+	printf("\n%lu bytes\n", prng_count(&pr));
+	prng_final(&pr);
+	exit(0);
+}
+
+void
+regress()
+{
+	struct prng pr;
+	unsigned char buf[100];
+	unsigned char *p;
+	size_t n;
+	/* somewhat non-random sample key */
+	unsigned char key[] = "here we go gathering nuts in May";
+	/* first thirty bytes of output from that key */
+	unsigned char good[] = "\x3f\x02\x8e\x4a\x2a\xea\x23\x18\x92\x7c"
+				"\x09\x52\x83\x61\xaa\x26\xce\xbb\x9d\x71"
+				"\x71\xe5\x10\x22\xaf\x60\x54\x8d\x5b\x28";
+	int nzero, none;
+	int show = 0;
+
+	prng_init(&pr, key, strlen(key));
+	prng_bytes(&pr, buf, sizeof(buf));
+	for (p = buf, n = sizeof(buf); n > 0; p++, n--) {
+		if (*p == 0)
+			nzero++;
+		if (*p == 255)
+			none++;
+	}
+	if (nzero > 3 || none > 3) {
+		fprintf(stderr, "suspiciously non-random output!\n");
+		show = 1;
+	}
+	if (memcmp(buf, good, strlen(good)) != 0) {
+		fprintf(stderr, "incorrect output!\n");
+		show = 1;
+	}
+	if (show) {
+		fprintf(stderr, "0x");
+		for (p = buf, n = sizeof(buf); n > 0; p++, n--)
+			fprintf(stderr, "%02x", *p);
+		fprintf(stderr, "\n");
+		exit(1);
+	}
+	if (prng_count(&pr) != sizeof(buf)) {
+		fprintf(stderr, "got %u bytes, but count is %lu\n",
+					sizeof(buf), prng_count(&pr));
+		exit(1);
+	}
+	prng_final(&pr);
+	exit(0);
+}
+
+#endif /* PRNG_MAIN */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/radij.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1237 @@
+char radij_c_version[] = "RCSID $Id: radij.c,v 1.48.2.1 2006/10/06 21:39:27 paul Exp $";
+
+/*
+ * This file is defived from ${SRC}/sys/net/radix.c of BSD 4.4lite
+ *
+ * Variable and procedure names have been modified so that they don't
+ * conflict with the original BSD code, as a small number of modifications
+ * have been introduced and we may want to reuse this code in BSD.
+ * 
+ * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
+ * chi or a German ch sound (as `doch', not as in `milch'), or even a 
+ * spanish j as in Juan.  It is not as far back in the throat like
+ * the corresponding Hebrew sound, nor is it a soft breath like the English h.
+ * It has nothing to do with the Dutch ij sound.
+ * 
+ * Here is the appropriate copyright notice:
+ */
+
+/*
+ * Copyright (c) 1988, 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)radix.c	8.2 (Berkeley) 1/4/94
+ */
+
+/*
+ * Routines to build and maintain radix trees for routing lookups.
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "openswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h>  /* error codes */
+#include <linux/types.h>  /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h>   /* struct device, and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h>          /* struct iphdr */
+#include <linux/skbuff.h>
+#ifdef NET_21
+# include <linux/in6.h>
+#endif /* NET_21 */
+
+#include <net/ip.h>
+
+#include <openswan.h>
+
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_radij.h"
+
+int	maj_keylen;
+struct radij_mask *rj_mkfreelist;
+struct radij_node_head *mask_rjhead;
+static int gotOddMasks;
+static char *maskedKey;
+static char *rj_zeroes, *rj_ones;
+
+#define rj_masktop (mask_rjhead->rnh_treetop)
+#ifdef Bcmp
+# undef Bcmp
+#endif /* Bcmp */
+#define Bcmp(a, b, l) (l == 0 ? 0 : memcmp((caddr_t)(b), (caddr_t)(a), (size_t)l))
+/*
+ * The data structure for the keys is a radix tree with one way
+ * branching removed.  The index rj_b at an internal node n represents a bit
+ * position to be tested.  The tree is arranged so that all descendants
+ * of a node n have keys whose bits all agree up to position rj_b - 1.
+ * (We say the index of n is rj_b.)
+ *
+ * There is at least one descendant which has a one bit at position rj_b,
+ * and at least one with a zero there.
+ *
+ * A route is determined by a pair of key and mask.  We require that the
+ * bit-wise logical and of the key and mask to be the key.
+ * We define the index of a route to associated with the mask to be
+ * the first bit number in the mask where 0 occurs (with bit number 0
+ * representing the highest order bit).
+ * 
+ * We say a mask is normal if every bit is 0, past the index of the mask.
+ * If a node n has a descendant (k, m) with index(m) == index(n) == rj_b,
+ * and m is a normal mask, then the route applies to every descendant of n.
+ * If the index(m) < rj_b, this implies the trailing last few bits of k
+ * before bit b are all 0, (and hence consequently true of every descendant
+ * of n), so the route applies to all descendants of the node as well.
+ *
+ * The present version of the code makes no use of normal routes,
+ * but similar logic shows that a non-normal mask m such that
+ * index(m) <= index(n) could potentially apply to many children of n.
+ * Thus, for each non-host route, we attach its mask to a list at an internal
+ * node as high in the tree as we can go. 
+ */
+
+struct radij_node *
+rj_search(v_arg, head)
+	void *v_arg;
+	struct radij_node *head;
+{
+	register struct radij_node *x;
+	register caddr_t v;
+
+	for (x = head, v = v_arg; x->rj_b >= 0;) {
+		if (x->rj_bmask & v[x->rj_off])
+			x = x->rj_r;
+		else
+			x = x->rj_l;
+	}
+	return (x);
+};
+
+struct radij_node *
+rj_search_m(v_arg, head, m_arg)
+	struct radij_node *head;
+	void *v_arg, *m_arg;
+{
+	register struct radij_node *x;
+	register caddr_t v = v_arg, m = m_arg;
+
+	for (x = head; x->rj_b >= 0;) {
+		if ((x->rj_bmask & m[x->rj_off]) &&
+		    (x->rj_bmask & v[x->rj_off]))
+			x = x->rj_r;
+		else
+			x = x->rj_l;
+	}
+	return x;
+};
+
+int
+rj_refines(m_arg, n_arg)
+	void *m_arg, *n_arg;
+{
+	register caddr_t m = m_arg, n = n_arg;
+	register caddr_t lim, lim2 = lim = n + *(u_char *)n;
+	int longer = (*(u_char *)n++) - (int)(*(u_char *)m++);
+	int masks_are_equal = 1;
+
+	if (longer > 0)
+		lim -= longer;
+	while (n < lim) {
+		if (*n & ~(*m))
+			return 0;
+		if (*n++ != *m++)
+			masks_are_equal = 0;
+			
+	}
+	while (n < lim2)
+		if (*n++)
+			return 0;
+	if (masks_are_equal && (longer < 0))
+		for (lim2 = m - longer; m < lim2; )
+			if (*m++)
+				return 1;
+	return (!masks_are_equal);
+}
+
+
+struct radij_node *
+rj_match(v_arg, head)
+	void *v_arg;
+	struct radij_node_head *head;
+{
+	caddr_t v = v_arg;
+	register struct radij_node *t = head->rnh_treetop, *x;
+	register caddr_t cp = v, cp2, cp3;
+	caddr_t cplim, mstart;
+	struct radij_node *saved_t, *top = t;
+	int off = t->rj_off, vlen = *(u_char *)cp, matched_off;
+
+	/*
+	 * Open code rj_search(v, top) to avoid overhead of extra
+	 * subroutine call.
+	 */
+	for (; t->rj_b >= 0; ) {
+		if (t->rj_bmask & cp[t->rj_off])
+			t = t->rj_r;
+		else
+			t = t->rj_l;
+	}
+	/*
+	 * See if we match exactly as a host destination
+	 */
+	KLIPS_PRINT(debug_radij,
+		    "klips_debug:rj_match: "
+		    "* See if we match exactly as a host destination\n");
+	
+	cp += off; cp2 = t->rj_key + off; cplim = v + vlen;
+	for (; cp < cplim; cp++, cp2++)
+		if (*cp != *cp2)
+			goto on1;
+	/*
+	 * This extra grot is in case we are explicitly asked
+	 * to look up the default.  Ugh!
+	 */
+	if ((t->rj_flags & RJF_ROOT) && t->rj_dupedkey)
+		t = t->rj_dupedkey;
+	return t;
+on1:
+	matched_off = cp - v;
+	saved_t = t;
+	KLIPS_PRINT(debug_radij,
+		    "klips_debug:rj_match: "
+		    "** try to match a leaf, t=0p%p\n", t);
+	do {
+	    if (t->rj_mask) {
+		/*
+		 * Even if we don't match exactly as a hosts;
+		 * we may match if the leaf we wound up at is
+		 * a route to a net.
+		 */
+		cp3 = matched_off + t->rj_mask;
+		cp2 = matched_off + t->rj_key;
+		for (; cp < cplim; cp++)
+			if ((*cp2++ ^ *cp) & *cp3++)
+				break;
+		if (cp == cplim)
+			return t;
+		cp = matched_off + v;
+	    }
+	} while ((t = t->rj_dupedkey));
+	t = saved_t;
+	/* start searching up the tree */
+	KLIPS_PRINT(debug_radij,
+		    "klips_debug:rj_match: "
+		    "*** start searching up the tree, t=0p%p\n",
+		    t);
+	do {
+		register struct radij_mask *m;
+		
+		t = t->rj_p;
+		KLIPS_PRINT(debug_radij,
+			    "klips_debug:rj_match: "
+			    "**** t=0p%p\n",
+			    t);
+		if ((m = t->rj_mklist)) {
+			/*
+			 * After doing measurements here, it may
+			 * turn out to be faster to open code
+			 * rj_search_m here instead of always
+			 * copying and masking.
+			 */
+			/* off = min(t->rj_off, matched_off); */
+			off = t->rj_off;
+			if (matched_off < off)
+				off = matched_off;
+			mstart = maskedKey + off;
+			do {
+				cp2 = mstart;
+				cp3 = m->rm_mask + off;
+				KLIPS_PRINT(debug_radij,
+					    "klips_debug:rj_match: "
+					    "***** cp2=0p%p cp3=0p%p\n",
+					    cp2, cp3);
+				for (cp = v + off; cp < cplim;)
+					*cp2++ =  *cp++ & *cp3++;
+				x = rj_search(maskedKey, t);
+				while (x && x->rj_mask != m->rm_mask)
+					x = x->rj_dupedkey;
+				if (x &&
+				    (Bcmp(mstart, x->rj_key + off,
+					vlen - off) == 0))
+					    return x;
+			} while ((m = m->rm_mklist));
+		}
+	} while (t != top);
+	KLIPS_PRINT(debug_radij,
+		    "klips_debug:rj_match: "
+		    "***** not found.\n");
+	return 0;
+};
+		
+#ifdef RJ_DEBUG
+int	rj_nodenum;
+struct	radij_node *rj_clist;
+int	rj_saveinfo;
+DEBUG_NO_STATIC void traverse(struct radij_node *);
+#ifdef RJ_DEBUG2
+int	rj_debug =  1;
+#else
+int	rj_debug =  0;
+#endif /* RJ_DEBUG2 */
+#endif /* RJ_DEBUG */
+
+struct radij_node *
+rj_newpair(v, b, nodes)
+	void *v;
+	int b;
+	struct radij_node nodes[2];
+{
+	register struct radij_node *tt = nodes, *t = tt + 1;
+	t->rj_b = b; t->rj_bmask = 0x80 >> (b & 7);
+	t->rj_l = tt; t->rj_off = b >> 3;
+	tt->rj_b = -1; tt->rj_key = (caddr_t)v; tt->rj_p = t;
+	tt->rj_flags = t->rj_flags = RJF_ACTIVE;
+#ifdef RJ_DEBUG
+	tt->rj_info = rj_nodenum++; t->rj_info = rj_nodenum++;
+	tt->rj_twin = t; tt->rj_ybro = rj_clist; rj_clist = tt;
+#endif /* RJ_DEBUG */
+	return t;
+}
+
+struct radij_node *
+rj_insert(v_arg, head, dupentry, nodes)
+	void *v_arg;
+	struct radij_node_head *head;
+	int *dupentry;
+	struct radij_node nodes[2];
+{
+	caddr_t v = v_arg;
+	struct radij_node *top = head->rnh_treetop;
+	int head_off = top->rj_off, vlen = (int)*((u_char *)v);
+	register struct radij_node *t = rj_search(v_arg, top);
+	register caddr_t cp = v + head_off;
+	register int b;
+	struct radij_node *tt;
+    	/*
+	 *find first bit at which v and t->rj_key differ
+	 */
+    {
+	register caddr_t cp2 = t->rj_key + head_off;
+	register int cmp_res;
+	caddr_t cplim = v + vlen;
+
+	while (cp < cplim)
+		if (*cp2++ != *cp++)
+			goto on1;
+	*dupentry = 1;
+	return t;
+on1:
+	*dupentry = 0;
+	cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
+	for (b = (cp - v) << 3; cmp_res; b--)
+		cmp_res >>= 1;
+    }
+    {
+	register struct radij_node *p, *x = top;
+	cp = v;
+	do {
+		p = x;
+		if (cp[x->rj_off] & x->rj_bmask) 
+			x = x->rj_r;
+		else x = x->rj_l;
+	} while (b > (unsigned) x->rj_b); /* x->rj_b < b && x->rj_b >= 0 */
+#ifdef RJ_DEBUG
+	if (rj_debug)
+		printk("klips_debug:rj_insert: Going In:\n"), traverse(p);
+#endif /* RJ_DEBUG */
+	t = rj_newpair(v_arg, b, nodes); tt = t->rj_l;
+	if ((cp[p->rj_off] & p->rj_bmask) == 0)
+		p->rj_l = t;
+	else
+		p->rj_r = t;
+	x->rj_p = t; t->rj_p = p; /* frees x, p as temp vars below */
+	if ((cp[t->rj_off] & t->rj_bmask) == 0) {
+		t->rj_r = x;
+	} else {
+		t->rj_r = tt; t->rj_l = x;
+	}
+#ifdef RJ_DEBUG
+	if (rj_debug)
+		printk("klips_debug:rj_insert: Coming out:\n"), traverse(p);
+#endif /* RJ_DEBUG */
+    }
+	return (tt);
+}
+
+struct radij_node *
+rj_addmask(n_arg, search, skip)
+	int search, skip;
+	void *n_arg;
+{
+	caddr_t netmask = (caddr_t)n_arg;
+	register struct radij_node *x;
+	register caddr_t cp, cplim;
+	register int b, mlen, j;
+	int maskduplicated;
+
+	mlen = *(u_char *)netmask;
+	if (search) {
+		x = rj_search(netmask, rj_masktop);
+		mlen = *(u_char *)netmask;
+		if (Bcmp(netmask, x->rj_key, mlen) == 0)
+			return (x);
+	}
+	R_Malloc(x, struct radij_node *, maj_keylen + 2 * sizeof (*x));
+	if (x == 0)
+		return (0);
+	Bzero(x, maj_keylen + 2 * sizeof (*x));
+	cp = (caddr_t)(x + 2);
+	Bcopy(netmask, cp, mlen);
+	netmask = cp;
+	x = rj_insert(netmask, mask_rjhead, &maskduplicated, x);
+	/*
+	 * Calculate index of mask.
+	 */
+	cplim = netmask + mlen;
+	for (cp = netmask + skip; cp < cplim; cp++)
+		if (*(u_char *)cp != 0xff)
+			break;
+	b = (cp - netmask) << 3;
+	if (cp != cplim) {
+		if (*cp != 0) {
+			gotOddMasks = 1;
+			for (j = 0x80; j; b++, j >>= 1)  
+				if ((j & *cp) == 0)
+					break;
+		}
+	}
+	x->rj_b = -1 - b;
+	return (x);
+}
+
+#if 0
+struct radij_node *
+#endif
+int
+rj_addroute(v_arg, n_arg, head, treenodes)
+	void *v_arg, *n_arg;
+	struct radij_node_head *head;
+	struct radij_node treenodes[2];
+{
+	caddr_t v = (caddr_t)v_arg, netmask = (caddr_t)n_arg;
+	register struct radij_node *t, *x=NULL, *tt;
+	struct radij_node *saved_tt, *top = head->rnh_treetop;
+	short b = 0, b_leaf;
+	int mlen, keyduplicated;
+	caddr_t cplim;
+	struct radij_mask *m, **mp;
+
+	/*
+	 * In dealing with non-contiguous masks, there may be
+	 * many different routes which have the same mask.
+	 * We will find it useful to have a unique pointer to
+	 * the mask to speed avoiding duplicate references at
+	 * nodes and possibly save time in calculating indices.
+	 */
+	if (netmask)  {
+		x = rj_search(netmask, rj_masktop);
+		mlen = *(u_char *)netmask;
+		if (Bcmp(netmask, x->rj_key, mlen) != 0) {
+			x = rj_addmask(netmask, 0, top->rj_off);
+			if (x == 0)
+				return -ENOMEM; /* (0) rgb */
+		}
+		netmask = x->rj_key;
+		b = -1 - x->rj_b;
+	}
+	/*
+	 * Deal with duplicated keys: attach node to previous instance
+	 */
+	saved_tt = tt = rj_insert(v, head, &keyduplicated, treenodes);
+#ifdef RJ_DEBUG
+	printk("addkey: duplicated: %d\n", keyduplicated);
+#endif
+	if (keyduplicated) {
+		do {
+			if (tt->rj_mask == netmask)
+				return -EEXIST; /* -ENXIO; (0) rgb */
+			t = tt;
+			if (netmask == 0 ||
+			    (tt->rj_mask && rj_refines(netmask, tt->rj_mask)))
+				break;
+		} while ((tt = tt->rj_dupedkey));
+		/*
+		 * If the mask is not duplicated, we wouldn't
+		 * find it among possible duplicate key entries
+		 * anyway, so the above test doesn't hurt.
+		 *
+		 * We sort the masks for a duplicated key the same way as
+		 * in a masklist -- most specific to least specific.
+		 * This may require the unfortunate nuisance of relocating
+		 * the head of the list.
+		 */
+		if (tt && t == saved_tt) {
+			struct	radij_node *xx = x;
+			/* link in at head of list */
+			(tt = treenodes)->rj_dupedkey = t;
+			tt->rj_flags = t->rj_flags;
+			tt->rj_p = x = t->rj_p;
+			if (x->rj_l == t) x->rj_l = tt; else x->rj_r = tt;
+			saved_tt = tt; x = xx;
+		} else {
+			(tt = treenodes)->rj_dupedkey = t->rj_dupedkey;
+			t->rj_dupedkey = tt;
+		}
+#ifdef RJ_DEBUG
+		t=tt+1; tt->rj_info = rj_nodenum++; t->rj_info = rj_nodenum++;
+		tt->rj_twin = t; tt->rj_ybro = rj_clist; rj_clist = tt;
+#endif /* RJ_DEBUG */
+		t = saved_tt;
+		tt->rj_key = (caddr_t) v;
+		tt->rj_b = -1;
+		tt->rj_flags = t->rj_flags & ~RJF_ROOT;
+	}
+	/*
+	 * Put mask in tree.
+	 */
+	if (netmask) {
+		tt->rj_mask = netmask;
+		tt->rj_b = x->rj_b;
+	}
+	t = saved_tt->rj_p;
+	b_leaf = -1 - t->rj_b;
+	if (t->rj_r == saved_tt) x = t->rj_l; else x = t->rj_r;
+	/* Promote general routes from below */
+	if (x->rj_b < 0) { 
+		if (x->rj_mask && (x->rj_b >= b_leaf) && x->rj_mklist == 0) {
+			MKGet(m);
+			if (m) {
+				Bzero(m, sizeof *m);
+				m->rm_b = x->rj_b;
+				m->rm_mask = x->rj_mask;
+				x->rj_mklist = t->rj_mklist = m;
+			}
+		}
+	} else if (x->rj_mklist) {
+		/*
+		 * Skip over masks whose index is > that of new node
+		 */
+		for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist)
+			if (m->rm_b >= b_leaf)
+				break;
+		t->rj_mklist = m; *mp = 0;
+	}
+	/* Add new route to highest possible ancestor's list */
+	if ((netmask == 0) || (b > t->rj_b )) {
+#ifdef RJ_DEBUG
+	        printk("klips:radij.c: netmask = %p or b(%d)>t->rjb(%d)\n", netmask, b, t->rj_b);
+#endif
+		return 0; /* tt rgb */ /* can't lift at all */
+	}
+	b_leaf = tt->rj_b;
+	do {
+		x = t;
+		t = t->rj_p;
+	} while (b <= t->rj_b && x != top);
+	/*
+	 * Search through routes associated with node to
+	 * insert new route according to index.
+	 * For nodes of equal index, place more specific
+	 * masks first.
+	 */
+	cplim = netmask + mlen;
+	for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist) {
+		if (m->rm_b < b_leaf)
+			continue;
+		if (m->rm_b > b_leaf)
+			break;
+		if (m->rm_mask == netmask) {
+			m->rm_refs++;
+			tt->rj_mklist = m;
+#ifdef RJ_DEBUG
+			printk("klips:radij.c: m->rm_mask %p == netmask\n", netmask);
+#endif
+			return 0; /* tt rgb */
+		}
+		if (rj_refines(netmask, m->rm_mask))
+			break;
+	}
+	MKGet(m);
+	if (m == 0) {
+		printk("klips_debug:rj_addroute: "
+		       "Mask for route not entered\n");
+		return 0; /* (tt) rgb */
+	}
+	Bzero(m, sizeof *m);
+	m->rm_b = b_leaf;
+	m->rm_mask = netmask;
+	m->rm_mklist = *mp;
+	*mp = m;
+	tt->rj_mklist = m;
+#ifdef RJ_DEBUG
+	printk("klips:radij.c: addroute done\n");
+#endif
+	return 0; /* tt rgb */
+}
+
+int
+rj_delete(v_arg, netmask_arg, head, node)
+	void *v_arg, *netmask_arg;
+	struct radij_node_head *head;
+	struct radij_node **node;
+{
+	register struct radij_node *t, *p, *x, *tt;
+	struct radij_mask *m, *saved_m, **mp;
+	struct radij_node *dupedkey, *saved_tt, *top;
+	caddr_t v, netmask;
+	int b, head_off, vlen;
+
+	v = v_arg;
+	netmask = netmask_arg;
+	x = head->rnh_treetop;
+	tt = rj_search(v, x);
+	head_off = x->rj_off;
+	vlen =  *(u_char *)v;
+	saved_tt = tt;
+	top = x;
+	if (tt == 0 ||
+	    Bcmp(v + head_off, tt->rj_key + head_off, vlen - head_off))
+		return -EFAULT; /* (0) rgb */
+	/*
+	 * Delete our route from mask lists.
+	 */
+	if ((dupedkey = tt->rj_dupedkey)) {
+		if (netmask) 
+			netmask = rj_search(netmask, rj_masktop)->rj_key;
+		while (tt->rj_mask != netmask)
+			if ((tt = tt->rj_dupedkey) == 0)
+				return -ENOENT; /* -ENXIO; (0) rgb */
+	}
+	if (tt->rj_mask == 0 || (saved_m = m = tt->rj_mklist) == 0)
+		goto on1;
+	if (m->rm_mask != tt->rj_mask) {
+		printk("klips_debug:rj_delete: "
+		       "inconsistent annotation\n");
+		goto on1;
+	}
+	if (--m->rm_refs >= 0)
+		goto on1;
+	b = -1 - tt->rj_b;
+	t = saved_tt->rj_p;
+	if (b > t->rj_b)
+		goto on1; /* Wasn't lifted at all */
+	do {
+		x = t;
+		t = t->rj_p;
+	} while (b <= t->rj_b && x != top);
+	for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist)
+		if (m == saved_m) {
+			*mp = m->rm_mklist;
+			MKFree(m);
+			break;
+		}
+	if (m == 0)
+		printk("klips_debug:rj_delete: "
+		       "couldn't find our annotation\n");
+on1:
+	/*
+	 * Eliminate us from tree
+	 */
+	if (tt->rj_flags & RJF_ROOT)
+		return -EFAULT; /* (0) rgb */
+#ifdef RJ_DEBUG
+	/* Get us out of the creation list */
+	for (t = rj_clist; t && t->rj_ybro != tt; t = t->rj_ybro) {}
+	if (t) t->rj_ybro = tt->rj_ybro;
+#endif /* RJ_DEBUG */
+	t = tt->rj_p;
+	if (dupedkey) {
+		if (tt == saved_tt) {
+			x = dupedkey; x->rj_p = t;
+			if (t->rj_l == tt) t->rj_l = x; else t->rj_r = x;
+		} else {
+			for (x = p = saved_tt; p && p->rj_dupedkey != tt;)
+				p = p->rj_dupedkey;
+			if (p) p->rj_dupedkey = tt->rj_dupedkey;
+			else printk("klips_debug:rj_delete: "
+				       "couldn't find node that we started with\n");
+		}
+		t = tt + 1;
+		if  (t->rj_flags & RJF_ACTIVE) {
+#ifndef RJ_DEBUG
+			*++x = *t; p = t->rj_p;
+#else
+			b = t->rj_info; *++x = *t; t->rj_info = b; p = t->rj_p;
+#endif /* RJ_DEBUG */
+			if (p->rj_l == t) p->rj_l = x; else p->rj_r = x;
+			x->rj_l->rj_p = x; x->rj_r->rj_p = x;
+		}
+		goto out;
+	}
+	if (t->rj_l == tt) x = t->rj_r; else x = t->rj_l;
+	p = t->rj_p;
+	if (p->rj_r == t) p->rj_r = x; else p->rj_l = x;
+	x->rj_p = p;
+	/*
+	 * Demote routes attached to us.
+	 */
+	if (t->rj_mklist) {
+		if (x->rj_b >= 0) {
+			for (mp = &x->rj_mklist; (m = *mp);)
+				mp = &m->rm_mklist;
+			*mp = t->rj_mklist;
+		} else {
+			for (m = t->rj_mklist; m;) {
+				struct radij_mask *mm = m->rm_mklist;
+				if (m == x->rj_mklist && (--(m->rm_refs) < 0)) {
+					x->rj_mklist = 0;
+					MKFree(m);
+				} else 
+					printk("klips_debug:rj_delete: "
+					    "Orphaned Mask 0p%p at 0p%p\n", m, x);
+				m = mm;
+			}
+		}
+	}
+	/*
+	 * We may be holding an active internal node in the tree.
+	 */
+	x = tt + 1;
+	if (t != x) {
+#ifndef RJ_DEBUG
+		*t = *x;
+#else
+		b = t->rj_info; *t = *x; t->rj_info = b;
+#endif /* RJ_DEBUG */
+		t->rj_l->rj_p = t; t->rj_r->rj_p = t;
+		p = x->rj_p;
+		if (p->rj_l == x) p->rj_l = t; else p->rj_r = t;
+	}
+out:
+	tt->rj_flags &= ~RJF_ACTIVE;
+	tt[1].rj_flags &= ~RJF_ACTIVE;
+	*node = tt;
+	return 0; /* (tt) rgb */
+}
+
+int
+rj_walktree(h, f, w)
+	struct radij_node_head *h;
+	register int (*f)(struct radij_node *,void *);
+	void *w;
+{
+	int error;
+	struct radij_node *base, *next;
+	register struct radij_node *rn;
+
+	if(!h || !f /* || !w */) {
+		return -ENODATA;
+	}
+
+	rn = h->rnh_treetop;
+	/*
+	 * This gets complicated because we may delete the node
+	 * while applying the function f to it, so we need to calculate
+	 * the successor node in advance.
+	 */
+	/* First time through node, go left */
+	while (rn->rj_b >= 0)
+		rn = rn->rj_l;
+	for (;;) {
+#ifdef CONFIG_KLIPS_DEBUG
+		if(debug_radij) {
+			printk("klips_debug:rj_walktree: "
+			       "for: rn=0p%p rj_b=%d rj_flags=%x",
+			       rn,
+			       rn->rj_b,
+			       rn->rj_flags);
+			rn->rj_b >= 0 ?
+				printk(" node off=%x\n",
+				       rn->rj_off) :
+				printk(" leaf key = %08x->%08x\n",
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
+				;
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+		base = rn;
+		/* If at right child go back up, otherwise, go right */
+		while (rn->rj_p->rj_r == rn && (rn->rj_flags & RJF_ROOT) == 0)
+			rn = rn->rj_p;
+		/* Find the next *leaf* since next node might vanish, too */
+		for (rn = rn->rj_p->rj_r; rn->rj_b >= 0;)
+			rn = rn->rj_l;
+		next = rn;
+#ifdef CONFIG_KLIPS_DEBUG
+		if(debug_radij) {
+			printk("klips_debug:rj_walktree: "
+			       "processing leaves, rn=0p%p rj_b=%d rj_flags=%x",
+			       rn,
+			       rn->rj_b,
+			       rn->rj_flags);
+			rn->rj_b >= 0 ?
+				printk(" node off=%x\n",
+				       rn->rj_off) :
+				printk(" leaf key = %08x->%08x\n",
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
+				;
+		}
+#endif /* CONFIG_KLIPS_DEBUG */
+		/* Process leaves */
+		while ((rn = base)) {
+			base = rn->rj_dupedkey;
+#ifdef CONFIG_KLIPS_DEBUG
+			if(debug_radij) {
+				printk("klips_debug:rj_walktree: "
+				       "while: base=0p%p rn=0p%p rj_b=%d rj_flags=%x",
+				       base,
+				       rn,
+				       rn->rj_b,
+				       rn->rj_flags);
+				rn->rj_b >= 0 ?
+					printk(" node off=%x\n",
+					       rn->rj_off) :
+					printk(" leaf key = %08x->%08x\n",
+					       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
+					       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
+					;
+			}
+#endif /* CONFIG_KLIPS_DEBUG */
+			if (!(rn->rj_flags & RJF_ROOT) && (error = (*f)(rn, w)))
+				return (-error);
+		}
+		rn = next;
+		if (rn->rj_flags & RJF_ROOT)
+			return (0);
+	}
+	/* NOTREACHED */
+}
+
+int
+rj_inithead(head, off)
+	void **head;
+	int off;
+{
+	register struct radij_node_head *rnh;
+	register struct radij_node *t, *tt, *ttt;
+	if (*head)
+		return (1);
+	R_Malloc(rnh, struct radij_node_head *, sizeof (*rnh));
+	if (rnh == NULL)
+		return (0);
+	Bzero(rnh, sizeof (*rnh));
+	*head = rnh;
+	t = rj_newpair(rj_zeroes, off, rnh->rnh_nodes);
+	ttt = rnh->rnh_nodes + 2;
+	t->rj_r = ttt;
+	t->rj_p = t;
+	tt = t->rj_l;
+	tt->rj_flags = t->rj_flags = RJF_ROOT | RJF_ACTIVE;
+	tt->rj_b = -1 - off;
+	*ttt = *tt;
+	ttt->rj_key = rj_ones;
+	rnh->rnh_addaddr = rj_addroute;
+	rnh->rnh_deladdr = rj_delete;
+	rnh->rnh_matchaddr = rj_match;
+	rnh->rnh_walktree = rj_walktree;
+	rnh->rnh_treetop = t;
+	return (1);
+}
+
+void
+rj_init()
+{
+	char *cp, *cplim;
+
+	if (maj_keylen == 0) {
+		printk("klips_debug:rj_init: "
+		       "radij functions require maj_keylen be set\n");
+		return;
+	}
+	R_Malloc(rj_zeroes, char *, 3 * maj_keylen);
+	if (rj_zeroes == NULL)
+		panic("rj_init");
+	Bzero(rj_zeroes, 3 * maj_keylen);
+	rj_ones = cp = rj_zeroes + maj_keylen;
+	maskedKey = cplim = rj_ones + maj_keylen;
+	while (cp < cplim)
+		*cp++ = -1;
+	if (rj_inithead((void **)&mask_rjhead, 0) == 0)
+		panic("rj_init 2");
+}
+
+void
+rj_preorder(struct radij_node *rn, int l)
+{
+	int i;
+	
+	if (rn == NULL){
+		printk("klips_debug:rj_preorder: "
+		       "NULL pointer\n");
+		return;
+	}
+	
+	if (rn->rj_b >= 0){
+		rj_preorder(rn->rj_l, l+1);
+		rj_preorder(rn->rj_r, l+1);
+		printk("klips_debug:");
+		for (i=0; i<l; i++)
+			printk("*");
+		printk(" off = %d\n",
+		       rn->rj_off);
+	} else {
+		printk("klips_debug:");
+		for (i=0; i<l; i++)
+			printk("@");
+		printk(" flags = %x",
+		       (u_int)rn->rj_flags);
+		if (rn->rj_flags & RJF_ACTIVE) {
+			printk(" @key=0p%p",
+			       rn->rj_key);
+			printk(" key = %08x->%08x",
+			       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
+			       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr));
+			printk(" @mask=0p%p",
+			       rn->rj_mask);
+			if (rn->rj_mask)
+				printk(" mask = %08x->%08x",
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_src.s_addr),
+				       (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_dst.s_addr));
+			if (rn->rj_dupedkey)
+				printk(" dupedkey = 0p%p",
+				       rn->rj_dupedkey);
+		}
+		printk("\n");
+	}
+}
+
+#ifdef RJ_DEBUG
+DEBUG_NO_STATIC void traverse(struct radij_node *p)
+{
+  rj_preorder(p, 0);
+}
+#endif /* RJ_DEBUG */
+
+void
+rj_dumptrees(void)
+{
+	rj_preorder(rnh->rnh_treetop, 0);
+}
+
+void
+rj_free_mkfreelist(void)
+{
+	struct radij_mask *mknp, *mknp2;
+
+	mknp = rj_mkfreelist;
+	while(mknp)
+	{
+		mknp2 = mknp;
+		mknp = mknp->rm_mklist;
+		kfree(mknp2);
+	}
+}
+
+int
+radijcleartree(void)
+{
+	return rj_walktree(rnh, ipsec_rj_walker_delete, NULL);
+}
+
+int
+radijcleanup(void)
+{
+	int error = 0;
+
+	error = radijcleartree();
+
+	rj_free_mkfreelist();
+
+/*	rj_walktree(mask_rjhead, ipsec_rj_walker_delete, NULL); */
+  	if(mask_rjhead) {
+		kfree(mask_rjhead);
+	}
+
+	if(rj_zeroes) {
+		kfree(rj_zeroes);
+	}
+
+	if(rnh) {
+		kfree(rnh);
+	}
+
+	return error;
+}
+
+/*
+ * $Log: radij.c,v $
+ * Revision 1.48.2.1  2006/10/06 21:39:27  paul
+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
+ * set. This is defined through autoconf.h which is included through the
+ * linux kernel build macros.
+ *
+ * Revision 1.48  2005/04/29 05:10:22  mcr
+ * 	removed from extraenous includes to make unit testing easier.
+ *
+ * Revision 1.47  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.46  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.45  2003/10/31 02:27:55  mcr
+ * 	pulled up port-selector patches and sa_id elimination.
+ *
+ * Revision 1.44.30.1  2003/10/29 01:30:41  mcr
+ * 	elimited "struct sa_id".
+ *
+ * Revision 1.44  2002/07/24 18:44:54  rgb
+ * Type fiddling to tame ia64 compiler.
+ *
+ * Revision 1.43  2002/05/23 07:14:11  rgb
+ * Cleaned up %p variants to 0p%p for test suite cleanup.
+ *
+ * Revision 1.42  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.41  2002/04/24 07:36:35  mcr
+ * Moved from ./klips/net/ipsec/radij.c,v
+ *
+ * Revision 1.40  2002/01/29 17:17:58  mcr
+ * 	moved include of ipsec_param.h to after include of linux/kernel.h
+ * 	otherwise, it seems that some option that is set in ipsec_param.h
+ * 	screws up something subtle in the include path to kernel.h, and
+ * 	it complains on the snprintf() prototype.
+ *
+ * Revision 1.39  2002/01/29 04:00:55  mcr
+ * 	more excise of kversions.h header.
+ *
+ * Revision 1.38  2002/01/29 02:13:19  mcr
+ * 	introduction of ipsec_kversion.h means that include of
+ * 	ipsec_param.h must preceed any decisions about what files to
+ * 	include to deal with differences in kernel source.
+ *
+ * Revision 1.37  2001/10/18 04:45:23  rgb
+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
+ * lib/freeswan.h version macros moved to lib/kversions.h.
+ * Other compiler directive cleanups.
+ *
+ * Revision 1.36  2001/08/22 13:43:51  henry
+ * eliminate the single use of min() to avoid problems with Linus changing it
+ *
+ * Revision 1.35  2001/06/15 04:57:29  rgb
+ * Clarified error return codes.
+ * Changed mask add already exists to EEXIST.
+ * Changed mask delete did not exist to ENOENT.
+ *
+ * Revision 1.34  2001/05/03 19:44:26  rgb
+ * Fix sign of error return codes for rj_addroute().
+ *
+ * Revision 1.33  2001/02/27 22:24:56  rgb
+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
+ * Check for satoa() return codes.
+ *
+ * Revision 1.32  2001/02/27 06:23:15  rgb
+ * Debug line splitting.
+ *
+ * Revision 1.31  2000/11/06 04:35:21  rgb
+ * Clear table *before* releasing other items in radijcleanup.
+ *
+ * Revision 1.30  2000/09/20 04:07:40  rgb
+ * Changed static functions to DEBUG_NO_STATIC to reveal function names in
+ * oopsen.
+ *
+ * Revision 1.29  2000/09/12 03:25:02  rgb
+ * Moved radij_c_version printing to ipsec_version_get_info().
+ *
+ * Revision 1.28  2000/09/08 19:12:56  rgb
+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+ *
+ * Revision 1.27  2000/07/28 14:58:32  rgb
+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
+ *
+ * Revision 1.26  2000/05/10 23:11:37  rgb
+ * Comment out most of the startup version information.
+ *
+ * Revision 1.25  2000/01/21 06:21:47  rgb
+ * Change return codes to negative on error.
+ *
+ * Revision 1.24  1999/11/18 04:09:20  rgb
+ * Replaced all kernel version macros to shorter, readable form.
+ *
+ * Revision 1.23  1999/11/17 15:53:41  rgb
+ * Changed all occurrences of #include "../../../lib/freeswan.h"
+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
+ * klips/net/ipsec/Makefile.
+ *
+ * Revision 1.22  1999/10/15 22:17:28  rgb
+ * Modify radijcleanup() to call radijcleartree().
+ *
+ * Revision 1.21  1999/10/08 18:37:34  rgb
+ * Fix end-of-line spacing to sate whining PHMs.
+ *
+ * Revision 1.20  1999/10/01 15:44:54  rgb
+ * Move spinlock header include to 2.1> scope.
+ *
+ * Revision 1.19  1999/10/01 08:35:52  rgb
+ * Add spinlock include to shut up compiler for 2.0.38.
+ *
+ * Revision 1.18  1999/09/23 18:02:52  rgb
+ * De-alarm the search failure message so it doesn't sound so grave.
+ *
+ * Revision 1.17  1999/05/25 21:26:01  rgb
+ * Fix rj_walktree() sanity checking bug.
+ *
+ * Revision 1.16  1999/05/09 03:25:38  rgb
+ * Fix bug introduced by 2.2 quick-and-dirty patch.
+ *
+ * Revision 1.15  1999/05/05 22:02:33  rgb
+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
+ * Revision 1.14  1999/04/29 15:24:15  rgb
+ * Add sanity checking for null pointer arguments.
+ * Standardise an error return method.
+ *
+ * Revision 1.13  1999/04/11 00:29:02  henry
+ * GPL boilerplate
+ *
+ * Revision 1.12  1999/04/06 04:54:28  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ * Revision 1.11  1999/02/17 16:52:53  rgb
+ * Convert DEBUG_IPSEC to KLIPS_PRINT
+ * Clean out unused cruft.
+ *
+ * Revision 1.10  1999/01/22 06:30:05  rgb
+ * Cruft clean-out.
+ * 64-bit clean-up.
+ *
+ * Revision 1.9  1998/12/01 13:22:04  rgb
+ * Added support for debug printing of version info.
+ *
+ * Revision 1.8  1998/11/30 13:22:55  rgb
+ * Rationalised all the klips kernel file headers.  They are much shorter
+ * now and won't conflict under RH5.2.
+ *
+ * Revision 1.7  1998/10/25 02:43:26  rgb
+ * Change return type on rj_addroute and rj_delete and add and argument
+ * to the latter to be able to transmit more infomation about errors.
+ *
+ * Revision 1.6  1998/10/19 14:30:06  rgb
+ * Added inclusion of freeswan.h.
+ *
+ * Revision 1.5  1998/10/09 04:33:27  rgb
+ * Added 'klips_debug' prefix to all klips printk debug statements.
+ * Fixed output formatting slightly.
+ *
+ * Revision 1.4  1998/07/28 00:06:59  rgb
+ * Add debug detail to tree traversing.
+ *
+ * Revision 1.3  1998/07/14 18:07:58  rgb
+ * Add a routine to clear the eroute tree.
+ *
+ * Revision 1.2  1998/06/25 20:03:22  rgb
+ * Cleanup #endif comments.  Debug output for rj_init.
+ *
+ * Revision 1.1  1998/06/18 21:30:22  henry
+ * move sources from klips/src to klips/net/ipsec to keep stupid kernel
+ * build scripts happier about symlinks
+ *
+ * Revision 1.8  1998/05/25 20:34:15  rgb
+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
+ *
+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
+ * add ipsec_rj_walker_delete.
+ *
+ * Recover memory for eroute table on unload of module.
+ *
+ * Revision 1.7  1998/05/21 12:58:58  rgb
+ * Moved 'extern' definitions to ipsec_radij.h to support /proc 3k limit fix.
+ *
+ * Revision 1.6  1998/04/23 20:57:29  rgb
+ * Cleaned up compiler warnings for unused debugging functions.
+ *
+ * Revision 1.5  1998/04/22 16:51:38  rgb
+ * Tidy up radij debug code from recent rash of modifications to debug code.
+ *
+ * Revision 1.4  1998/04/21 21:28:56  rgb
+ * Rearrange debug switches to change on the fly debug output from user
+ * space.  Only kernel changes checked in at this time.  radij.c was also
+ * changed to temporarily remove buggy debugging code in rj_delete causing
+ * an OOPS and hence, netlink device open errors.
+ *
+ * Revision 1.3  1998/04/14 17:30:37  rgb
+ * Fix up compiling errors for radij tree memory reclamation.
+ *
+ * Revision 1.2  1998/04/12 22:03:25  rgb
+ * Updated ESP-3DES-HMAC-MD5-96,
+ * 	ESP-DES-HMAC-MD5-96,
+ * 	AH-HMAC-MD5-96,
+ * 	AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
+ * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
+ *
+ * Fixed eroute references in /proc/net/ipsec*.
+ *
+ * Started to patch module unloading memory leaks in ipsec_netlink and
+ * radij tree unloading.
+ *
+ * Revision 1.1  1998/04/09 03:06:15  henry
+ * sources moved up from linux/net/ipsec
+ *
+ * Revision 1.1.1.1  1998/04/08 05:35:03  henry
+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
+ * Revision 0.4  1997/01/15 01:28:15  ji
+ * No changes.
+ *
+ * Revision 0.3  1996/11/20 14:39:04  ji
+ * Minor cleanups.
+ * Rationalized debugging code.
+ *
+ * Revision 0.2  1996/11/02 00:18:33  ji
+ * First limited release.
+ *
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/rangetoa.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,60 @@
+/*
+ * convert binary form of address range to ASCII
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: rangetoa.c,v 1.9 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - rangetoa - convert address range to ASCII
+ */
+size_t				/* space needed for full conversion */
+rangetoa(addrs, format, dst, dstlen)
+struct in_addr addrs[2];
+int format;			/* character */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	size_t len;
+	size_t rest;
+	int n;
+	char *p;
+
+	switch (format) {
+	case 0:
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	len = addrtoa(addrs[0], 0, dst, dstlen);
+	if (len < dstlen)
+		for (p = dst + len - 1, n = 3; len < dstlen && n > 0;
+								p++, len++, n--)
+			*p = '.';
+	else
+		p = NULL;
+	if (len < dstlen)
+		rest = dstlen - len;
+	else {
+		if (dstlen > 0)
+			*(dst + dstlen - 1) = '\0';
+		rest = 0;
+	}
+
+	len += addrtoa(addrs[1], 0, p, rest);
+
+	return len;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/satot.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,133 @@
+/*
+ * convert from binary form of SA ID to text
+ * Copyright (C) 2000, 2001  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: satot.c,v 1.13 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+static struct typename {
+	char type;
+	char *name;
+} typenames[] = {
+	{ SA_AH,	"ah" },
+	{ SA_ESP,	"esp" },
+	{ SA_IPIP,	"tun" },
+	{ SA_COMP,	"comp" },
+	{ SA_INT,	"int" },
+	{ 0,		NULL }
+};
+
+/*
+ - satot - convert SA to text "ah507@1.2.3.4"
+ */
+size_t				/* space needed for full conversion */
+satot(sa, format, dst, dstlen)
+const ip_said *sa;
+int format;			/* character */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	size_t len = 0;		/* 0 means "not recognized yet" */
+	int base;
+	int showversion;	/* use delimiter to show IP version? */
+	struct typename *tn;
+	char *p;
+	char *pre;
+	char buf[10+1+ULTOT_BUF+ADDRTOT_BUF];
+	char unk[10];
+
+	switch (format) {
+	case 0:
+		base = 16;
+		showversion = 1;
+		break;
+	case 'f':
+		base = 17;
+		showversion = 1;
+		break;
+	case 'x':
+		base = 'x';
+		showversion = 0;
+		break;
+	case 'd':
+		base = 10;
+		showversion = 0;
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	memset(buf, 0, sizeof(buf));
+
+	pre = NULL;
+	for (tn = typenames; tn->name != NULL; tn++)
+		if (sa->proto == tn->type) {
+			pre = tn->name;
+			break;			/* NOTE BREAK OUT */
+		}
+	if (pre == NULL) {		/* unknown protocol */
+		strcpy(unk, "unk");
+		(void) ultot((unsigned char)sa->proto, 10, unk+strlen(unk),
+						sizeof(unk)-strlen(unk));
+		pre = unk;
+	}
+
+	if (strcmp(pre, PASSTHROUGHTYPE) == 0 &&
+					sa->spi == PASSTHROUGHSPI &&
+					isunspecaddr(&sa->dst)) {
+		strcpy(buf, (addrtypeof(&sa->dst) == AF_INET) ?
+							PASSTHROUGH4NAME :
+							PASSTHROUGH6NAME);
+		len = strlen(buf);
+	}
+
+	if (sa->proto == SA_INT) {
+		switch (ntohl(sa->spi)) {
+		case SPI_PASS:	p = "%pass";	break;
+		case SPI_DROP:	p = "%drop";	break;
+		case SPI_REJECT:	p = "%reject";	break;
+		case SPI_HOLD:	p = "%hold";	break;
+		case SPI_TRAP:	p = "%trap";	break;
+		case SPI_TRAPSUBNET:	p = "%trapsubnet";	break;
+		default:	p = NULL;	break;
+		}
+		if (p != NULL) {
+			strcpy(buf, p);
+			len = strlen(buf);
+		}
+	}
+
+	if (len == 0) {			/* general case needed */
+		strcpy(buf, pre);
+		len = strlen(buf);
+		if (showversion) {
+			*(buf+len) = (addrtypeof(&sa->dst) == AF_INET) ? '.' :
+									':';
+			len++;
+			*(buf+len) = '\0';
+		}
+		len += ultot(ntohl(sa->spi), base, buf+len, sizeof(buf)-len);
+		*(buf+len-1) = '@';
+		len += addrtot(&sa->dst, 0, buf+len, sizeof(buf)-len);
+		*(buf+len) = '\0';
+	}
+
+	if (dst != NULL) {
+		if (len > dstlen)
+			*(buf+dstlen-1) = '\0';
+		strcpy(dst, buf);
+	}
+	return len;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/subnetof.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,59 @@
+/*
+ * minor network-address manipulation utilities
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: subnetof.c,v 1.8 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - subnetof - given address and mask, return subnet part
+ */
+struct in_addr
+subnetof(addr, mask)
+struct in_addr addr;
+struct in_addr mask;
+{
+	struct in_addr result;
+
+	result.s_addr = addr.s_addr & mask.s_addr;
+	return result;
+}
+
+/*
+ - hostof - given address and mask, return host part
+ */
+struct in_addr
+hostof(addr, mask)
+struct in_addr addr;
+struct in_addr mask;
+{
+	struct in_addr result;
+
+	result.s_addr = addr.s_addr & ~mask.s_addr;
+	return result;
+}
+
+/*
+ - broadcastof - given (network) address and mask, return broadcast address
+ */
+struct in_addr
+broadcastof(addr, mask)
+struct in_addr addr;
+struct in_addr mask;
+{
+	struct in_addr result;
+
+	result.s_addr = addr.s_addr | ~mask.s_addr;
+	return result;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/subnettoa.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,61 @@
+/*
+ * convert binary form of subnet description to ASCII
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: subnettoa.c,v 1.11 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - subnettoa - convert address and mask to ASCII "addr/mask"
+ * Output expresses the mask as a bit count if possible, else dotted decimal.
+ */
+size_t				/* space needed for full conversion */
+subnettoa(addr, mask, format, dst, dstlen)
+struct in_addr addr;
+struct in_addr mask;
+int format;			/* character */
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	size_t len;
+	size_t rest;
+	int n;
+	char *p;
+
+	switch (format) {
+	case 0:
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	len = addrtoa(addr, 0, dst, dstlen);
+	if (len < dstlen) {
+		dst[len - 1] = '/';
+		p = dst + len;
+		rest = dstlen - len;
+	} else {
+		p = NULL;
+		rest = 0;
+	}
+
+	n = masktobits(mask);
+	if (n >= 0)
+		len += ultoa((unsigned long)n, 10, p, rest);
+	else
+		len += addrtoa(mask, 0, p, rest);
+
+	return len;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/sysctl_net_ipsec.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,199 @@
+/*
+ * sysctl interface to net IPSEC subsystem.
+ * Copyright (C) 1998, 1999, 2000, 2001	  Richard Guy Briggs.
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ * 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: sysctl_net_ipsec.c,v 1.17 2004/07/10 19:11:18 mcr Exp $
+ */
+
+/* -*- linux-c -*-
+ *
+ * Initiated April 3, 1998, Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
+ */
+
+#include <linux/mm.h>
+#include <linux/sysctl.h>
+
+#include "openswan/ipsec_param.h"
+
+#ifdef CONFIG_SYSCTL
+
+#define NET_IPSEC 2112 /* Random number */                                        
+#ifdef CONFIG_KLIPS_DEBUG
+extern int       debug_ah;
+extern int       debug_esp;
+extern int       debug_tunnel;
+extern int       debug_eroute;
+extern int       debug_spi;
+extern int       debug_radij;
+extern int       debug_netlink;
+extern int       debug_xform;
+extern int       debug_rcv;
+extern int       debug_pfkey;
+extern int sysctl_ipsec_debug_verbose;
+#ifdef CONFIG_KLIPS_IPCOMP
+extern int sysctl_ipsec_debug_ipcomp;
+#endif /* CONFIG_KLIPS_IPCOMP */
+#endif /* CONFIG_KLIPS_DEBUG */
+
+extern int sysctl_ipsec_icmp;
+extern int sysctl_ipsec_inbound_policy_check;
+extern int sysctl_ipsec_tos;
+int sysctl_ipsec_regress_pfkey_lossage;
+
+enum {
+#ifdef CONFIG_KLIPS_DEBUG
+	NET_IPSEC_DEBUG_AH=1,
+	NET_IPSEC_DEBUG_ESP=2,
+	NET_IPSEC_DEBUG_TUNNEL=3,
+	NET_IPSEC_DEBUG_EROUTE=4,
+	NET_IPSEC_DEBUG_SPI=5,
+	NET_IPSEC_DEBUG_RADIJ=6,
+	NET_IPSEC_DEBUG_NETLINK=7,
+	NET_IPSEC_DEBUG_XFORM=8,
+	NET_IPSEC_DEBUG_RCV=9,
+	NET_IPSEC_DEBUG_PFKEY=10,
+	NET_IPSEC_DEBUG_VERBOSE=11,
+	NET_IPSEC_DEBUG_IPCOMP=12,
+#endif /* CONFIG_KLIPS_DEBUG */
+	NET_IPSEC_ICMP=13,
+	NET_IPSEC_INBOUND_POLICY_CHECK=14,
+	NET_IPSEC_TOS=15,
+	NET_IPSEC_REGRESS_PFKEY_LOSSAGE=16,
+};
+
+static ctl_table ipsec_table[] = {
+#ifdef CONFIG_KLIPS_DEBUG
+	{ NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_TUNNEL, "debug_tunnel", &debug_tunnel,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_EROUTE, "debug_eroute", &debug_eroute,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_SPI, "debug_spi", &debug_spi,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_RADIJ, "debug_radij", &debug_radij,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_NETLINK, "debug_netlink", &debug_netlink,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_XFORM, "debug_xform", &debug_xform,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_RCV, "debug_rcv", &debug_rcv,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_PFKEY, "debug_pfkey", &debug_pfkey,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_DEBUG_VERBOSE, "debug_verbose",&sysctl_ipsec_debug_verbose,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+#ifdef CONFIG_KLIPS_IPCOMP
+	{ NET_IPSEC_DEBUG_IPCOMP, "debug_ipcomp", &sysctl_ipsec_debug_ipcomp,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+#endif /* CONFIG_KLIPS_IPCOMP */
+
+#ifdef CONFIG_KLIPS_REGRESS
+	{ NET_IPSEC_REGRESS_PFKEY_LOSSAGE, "pfkey_lossage",
+	  &sysctl_ipsec_regress_pfkey_lossage,
+	  sizeof(int), 0644, NULL, &proc_dointvec},
+#endif /* CONFIG_KLIPS_REGRESS */
+
+#endif /* CONFIG_KLIPS_DEBUG */
+	{ NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{ NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
+	  sizeof(int), 0644, NULL, &proc_dointvec},    
+	{0}
+};
+
+static ctl_table ipsec_net_table[] = {
+        { NET_IPSEC, "ipsec", NULL, 0, 0555, ipsec_table },
+        { 0 }
+};
+ 
+static ctl_table ipsec_root_table[] = {
+        { CTL_NET, "net", NULL, 0, 0555, ipsec_net_table },
+        { 0 }
+};
+ 
+static struct ctl_table_header *ipsec_table_header;
+
+int ipsec_sysctl_register(void)
+{
+        ipsec_table_header = register_sysctl_table(ipsec_root_table, 0);
+        if (!ipsec_table_header) {
+                return -ENOMEM;
+	}
+        return 0;
+}
+ 
+void ipsec_sysctl_unregister(void)
+{
+        unregister_sysctl_table(ipsec_table_header);
+}
+
+#endif /* CONFIG_SYSCTL */
+
+/*
+ * $Log: sysctl_net_ipsec.c,v $
+ * Revision 1.17  2004/07/10 19:11:18  mcr
+ * 	CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ * Revision 1.16  2004/04/06 02:49:26  mcr
+ * 	pullup of algo code from alg-branch.
+ *
+ * Revision 1.15  2002/04/24 07:55:32  mcr
+ * 	#include patches and Makefiles for post-reorg compilation.
+ *
+ * Revision 1.14  2002/04/24 07:36:35  mcr
+ * Moved from ./klips/net/ipsec/sysctl_net_ipsec.c,v
+ *
+ * Revision 1.13  2002/01/12 02:58:32  mcr
+ * 	first regression test causes acquire messages to be lost
+ * 	100% of the time. This is to help testing of pluto.
+ *
+ * Revision 1.12  2001/06/14 19:35:13  rgb
+ * Update copyright date.
+ *
+ * Revision 1.11  2001/02/26 19:58:13  rgb
+ * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
+ *
+ * Revision 1.10  2000/09/16 01:50:15  rgb
+ * Protect sysctl_ipsec_debug_ipcomp with compiler defines too so that the
+ * linker won't blame rj_delete() for missing symbols.  ;->  Damn statics...
+ *
+ * Revision 1.9  2000/09/15 23:17:51  rgb
+ * Moved stuff around to compile with debug off.
+ *
+ * Revision 1.8  2000/09/15 11:37:02  rgb
+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
+ * IPCOMP zlib deflate code.
+ *
+ * Revision 1.7  2000/09/15 07:37:15  rgb
+ * Munged silly log comment that was causing a warning.
+ *
+ * Revision 1.6  2000/09/15 04:58:23  rgb
+ * Added tos runtime switch.
+ * Removed 'sysctl_ipsec_' prefix from /proc/sys/net/ipsec/ filenames.
+ *
+ * Revision 1.5  2000/09/12 03:25:28  rgb
+ * Filled in and implemented sysctl.
+ *
+ * Revision 1.4  1999/04/11 00:29:03  henry
+ * GPL boilerplate
+ *
+ * Revision 1.3  1999/04/06 04:54:29  rgb
+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
+ * patch shell fixes.
+ *
+ */
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/trees.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,1214 @@
+/* trees.c -- output deflated data using Huffman coding
+ * Copyright (C) 1995-2002 Jean-loup Gailly
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/*
+ *  ALGORITHM
+ *
+ *      The "deflation" process uses several Huffman trees. The more
+ *      common source values are represented by shorter bit sequences.
+ *
+ *      Each code tree is stored in a compressed form which is itself
+ * a Huffman encoding of the lengths of all the code strings (in
+ * ascending order by source values).  The actual code strings are
+ * reconstructed from the lengths in the inflate process, as described
+ * in the deflate specification.
+ *
+ *  REFERENCES
+ *
+ *      Deutsch, L.P.,"'Deflate' Compressed Data Format Specification".
+ *      Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc
+ *
+ *      Storer, James A.
+ *          Data Compression:  Methods and Theory, pp. 49-50.
+ *          Computer Science Press, 1988.  ISBN 0-7167-8156-5.
+ *
+ *      Sedgewick, R.
+ *          Algorithms, p290.
+ *          Addison-Wesley, 1983. ISBN 0-201-06672-6.
+ */
+
+/* @(#) $Id: trees.c,v 1.4 2004/07/10 07:48:39 mcr Exp $ */
+
+/* #define GEN_TREES_H */
+
+#include "deflate.h"
+
+#ifdef DEBUG
+#  include <ctype.h>
+#endif
+
+/* ===========================================================================
+ * Constants
+ */
+
+#define MAX_BL_BITS 7
+/* Bit length codes must not exceed MAX_BL_BITS bits */
+
+#define END_BLOCK 256
+/* end of block literal code */
+
+#define REP_3_6      16
+/* repeat previous bit length 3-6 times (2 bits of repeat count) */
+
+#define REPZ_3_10    17
+/* repeat a zero length 3-10 times  (3 bits of repeat count) */
+
+#define REPZ_11_138  18
+/* repeat a zero length 11-138 times  (7 bits of repeat count) */
+
+local const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */
+   = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};
+
+local const int extra_dbits[D_CODES] /* extra bits for each distance code */
+   = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};
+
+local const int extra_blbits[BL_CODES]/* extra bits for each bit length code */
+   = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};
+
+local const uch bl_order[BL_CODES]
+   = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};
+/* The lengths of the bit length codes are sent in order of decreasing
+ * probability, to avoid transmitting the lengths for unused bit length codes.
+ */
+
+#define Buf_size (8 * 2*sizeof(char))
+/* Number of bits used within bi_buf. (bi_buf might be implemented on
+ * more than 16 bits on some systems.)
+ */
+
+/* ===========================================================================
+ * Local data. These are initialized only once.
+ */
+
+#define DIST_CODE_LEN  512 /* see definition of array dist_code below */
+
+#if defined(GEN_TREES_H) || !defined(STDC)
+/* non ANSI compilers may not accept trees.h */
+
+local ct_data static_ltree[L_CODES+2];
+/* The static literal tree. Since the bit lengths are imposed, there is no
+ * need for the L_CODES extra codes used during heap construction. However
+ * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
+ * below).
+ */
+
+local ct_data static_dtree[D_CODES];
+/* The static distance tree. (Actually a trivial tree since all codes use
+ * 5 bits.)
+ */
+
+uch _dist_code[DIST_CODE_LEN];
+/* Distance codes. The first 256 values correspond to the distances
+ * 3 .. 258, the last 256 values correspond to the top 8 bits of
+ * the 15 bit distances.
+ */
+
+uch _length_code[MAX_MATCH-MIN_MATCH+1];
+/* length code for each normalized match length (0 == MIN_MATCH) */
+
+local int base_length[LENGTH_CODES];
+/* First normalized length for each code (0 = MIN_MATCH) */
+
+local int base_dist[D_CODES];
+/* First normalized distance for each code (0 = distance of 1) */
+
+#else
+#  include "trees.h"
+#endif /* GEN_TREES_H */
+
+struct static_tree_desc_s {
+    const ct_data *static_tree;  /* static tree or NULL */
+    const intf *extra_bits;      /* extra bits for each code or NULL */
+    int     extra_base;          /* base index for extra_bits */
+    int     elems;               /* max number of elements in the tree */
+    int     max_length;          /* max bit length for the codes */
+};
+
+local static_tree_desc  static_l_desc =
+{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};
+
+local static_tree_desc  static_d_desc =
+{static_dtree, extra_dbits, 0,          D_CODES, MAX_BITS};
+
+local static_tree_desc  static_bl_desc =
+{(const ct_data *)0, extra_blbits, 0,   BL_CODES, MAX_BL_BITS};
+
+/* ===========================================================================
+ * Local (static) routines in this file.
+ */
+
+local void tr_static_init OF((void));
+local void init_block     OF((deflate_state *s));
+local void pqdownheap     OF((deflate_state *s, ct_data *tree, int k));
+local void gen_bitlen     OF((deflate_state *s, tree_desc *desc));
+local void gen_codes      OF((ct_data *tree, int max_code, ushf *bl_count));
+local void build_tree     OF((deflate_state *s, tree_desc *desc));
+local void scan_tree      OF((deflate_state *s, ct_data *tree, int max_code));
+local void send_tree      OF((deflate_state *s, ct_data *tree, int max_code));
+local int  build_bl_tree  OF((deflate_state *s));
+local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes,
+                              int blcodes));
+local void compress_block OF((deflate_state *s, const ct_data *ltree,
+                              const ct_data *dtree));
+local void set_data_type  OF((deflate_state *s));
+local unsigned bi_reverse OF((unsigned value, int length));
+local void bi_windup      OF((deflate_state *s));
+local void bi_flush       OF((deflate_state *s));
+local void copy_block     OF((deflate_state *s, charf *buf, unsigned len,
+                              int header));
+
+#ifdef GEN_TREES_H
+local void gen_trees_header OF((void));
+#endif
+
+#ifndef DEBUG
+#  define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)
+   /* Send a code of the given tree. c and tree must not have side effects */
+
+#else /* DEBUG */
+#  define send_code(s, c, tree) \
+     { if (z_verbose>2) fprintf(stderr,"\ncd %3d ",(c)); \
+       send_bits(s, tree[c].Code, tree[c].Len); }
+#endif
+
+/* ===========================================================================
+ * Output a short LSB first on the stream.
+ * IN assertion: there is enough room in pendingBuf.
+ */
+#define put_short(s, w) { \
+    put_byte(s, (uch)((w) & 0xff)); \
+    put_byte(s, (uch)((ush)(w) >> 8)); \
+}
+
+/* ===========================================================================
+ * Send a value on a given number of bits.
+ * IN assertion: length <= 16 and value fits in length bits.
+ */
+#ifdef DEBUG
+local void send_bits      OF((deflate_state *s, int value, int length));
+
+local void send_bits(s, value, length)
+    deflate_state *s;
+    int value;  /* value to send */
+    int length; /* number of bits */
+{
+    Tracevv((stderr," l %2d v %4x ", length, value));
+    Assert(length > 0 && length <= 15, "invalid length");
+    s->bits_sent += (ulg)length;
+
+    /* If not enough room in bi_buf, use (valid) bits from bi_buf and
+     * (16 - bi_valid) bits from value, leaving (width - (16-bi_valid))
+     * unused bits in value.
+     */
+    if (s->bi_valid > (int)Buf_size - length) {
+        s->bi_buf |= (value << s->bi_valid);
+        put_short(s, s->bi_buf);
+        s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
+        s->bi_valid += length - Buf_size;
+    } else {
+        s->bi_buf |= value << s->bi_valid;
+        s->bi_valid += length;
+    }
+}
+#else /* !DEBUG */
+
+#define send_bits(s, value, length) \
+{ int len = length;\
+  if (s->bi_valid > (int)Buf_size - len) {\
+    int val = value;\
+    s->bi_buf |= (val << s->bi_valid);\
+    put_short(s, s->bi_buf);\
+    s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
+    s->bi_valid += len - Buf_size;\
+  } else {\
+    s->bi_buf |= (value) << s->bi_valid;\
+    s->bi_valid += len;\
+  }\
+}
+#endif /* DEBUG */
+
+
+#define MAX(a,b) (a >= b ? a : b)
+/* the arguments must not have side effects */
+
+/* ===========================================================================
+ * Initialize the various 'constant' tables.
+ */
+local void tr_static_init()
+{
+#if defined(GEN_TREES_H) || !defined(STDC)
+    static int static_init_done = 0;
+    int n;        /* iterates over tree elements */
+    int bits;     /* bit counter */
+    int length;   /* length value */
+    int code;     /* code value */
+    int dist;     /* distance index */
+    ush bl_count[MAX_BITS+1];
+    /* number of codes at each bit length for an optimal tree */
+
+    if (static_init_done) return;
+
+    /* For some embedded targets, global variables are not initialized: */
+    static_l_desc.static_tree = static_ltree;
+    static_l_desc.extra_bits = extra_lbits;
+    static_d_desc.static_tree = static_dtree;
+    static_d_desc.extra_bits = extra_dbits;
+    static_bl_desc.extra_bits = extra_blbits;
+
+    /* Initialize the mapping length (0..255) -> length code (0..28) */
+    length = 0;
+    for (code = 0; code < LENGTH_CODES-1; code++) {
+        base_length[code] = length;
+        for (n = 0; n < (1<<extra_lbits[code]); n++) {
+            _length_code[length++] = (uch)code;
+        }
+    }
+    Assert (length == 256, "tr_static_init: length != 256");
+    /* Note that the length 255 (match length 258) can be represented
+     * in two different ways: code 284 + 5 bits or code 285, so we
+     * overwrite length_code[255] to use the best encoding:
+     */
+    _length_code[length-1] = (uch)code;
+
+    /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
+    dist = 0;
+    for (code = 0 ; code < 16; code++) {
+        base_dist[code] = dist;
+        for (n = 0; n < (1<<extra_dbits[code]); n++) {
+            _dist_code[dist++] = (uch)code;
+        }
+    }
+    Assert (dist == 256, "tr_static_init: dist != 256");
+    dist >>= 7; /* from now on, all distances are divided by 128 */
+    for ( ; code < D_CODES; code++) {
+        base_dist[code] = dist << 7;
+        for (n = 0; n < (1<<(extra_dbits[code]-7)); n++) {
+            _dist_code[256 + dist++] = (uch)code;
+        }
+    }
+    Assert (dist == 256, "tr_static_init: 256+dist != 512");
+
+    /* Construct the codes of the static literal tree */
+    for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;
+    n = 0;
+    while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;
+    while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;
+    while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;
+    while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;
+    /* Codes 286 and 287 do not exist, but we must include them in the
+     * tree construction to get a canonical Huffman tree (longest code
+     * all ones)
+     */
+    gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);
+
+    /* The static distance tree is trivial: */
+    for (n = 0; n < D_CODES; n++) {
+        static_dtree[n].Len = 5;
+        static_dtree[n].Code = bi_reverse((unsigned)n, 5);
+    }
+    static_init_done = 1;
+
+#  ifdef GEN_TREES_H
+    gen_trees_header();
+#  endif
+#endif /* defined(GEN_TREES_H) || !defined(STDC) */
+}
+
+/* ===========================================================================
+ * Genererate the file trees.h describing the static trees.
+ */
+#ifdef GEN_TREES_H
+#  ifndef DEBUG
+#    include <stdio.h>
+#  endif
+
+#  define SEPARATOR(i, last, width) \
+      ((i) == (last)? "\n};\n\n" :    \
+       ((i) % (width) == (width)-1 ? ",\n" : ", "))
+
+void gen_trees_header()
+{
+    FILE *header = fopen("trees.h", "w");
+    int i;
+
+    Assert (header != NULL, "Can't open trees.h");
+    fprintf(header,
+	    "/* header created automatically with -DGEN_TREES_H */\n\n");
+
+    fprintf(header, "local const ct_data static_ltree[L_CODES+2] = {\n");
+    for (i = 0; i < L_CODES+2; i++) {
+	fprintf(header, "{{%3u},{%3u}}%s", static_ltree[i].Code,
+		static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));
+    }
+
+    fprintf(header, "local const ct_data static_dtree[D_CODES] = {\n");
+    for (i = 0; i < D_CODES; i++) {
+	fprintf(header, "{{%2u},{%2u}}%s", static_dtree[i].Code,
+		static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
+    }
+
+    fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n");
+    for (i = 0; i < DIST_CODE_LEN; i++) {
+	fprintf(header, "%2u%s", _dist_code[i],
+		SEPARATOR(i, DIST_CODE_LEN-1, 20));
+    }
+
+    fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
+    for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
+	fprintf(header, "%2u%s", _length_code[i],
+		SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
+    }
+
+    fprintf(header, "local const int base_length[LENGTH_CODES] = {\n");
+    for (i = 0; i < LENGTH_CODES; i++) {
+	fprintf(header, "%1u%s", base_length[i],
+		SEPARATOR(i, LENGTH_CODES-1, 20));
+    }
+
+    fprintf(header, "local const int base_dist[D_CODES] = {\n");
+    for (i = 0; i < D_CODES; i++) {
+	fprintf(header, "%5u%s", base_dist[i],
+		SEPARATOR(i, D_CODES-1, 10));
+    }
+
+    fclose(header);
+}
+#endif /* GEN_TREES_H */
+
+/* ===========================================================================
+ * Initialize the tree data structures for a new zlib stream.
+ */
+void _tr_init(s)
+    deflate_state *s;
+{
+    tr_static_init();
+
+    s->l_desc.dyn_tree = s->dyn_ltree;
+    s->l_desc.stat_desc = &static_l_desc;
+
+    s->d_desc.dyn_tree = s->dyn_dtree;
+    s->d_desc.stat_desc = &static_d_desc;
+
+    s->bl_desc.dyn_tree = s->bl_tree;
+    s->bl_desc.stat_desc = &static_bl_desc;
+
+    s->bi_buf = 0;
+    s->bi_valid = 0;
+    s->last_eob_len = 8; /* enough lookahead for inflate */
+#ifdef DEBUG
+    s->compressed_len = 0L;
+    s->bits_sent = 0L;
+#endif
+
+    /* Initialize the first block of the first file: */
+    init_block(s);
+}
+
+/* ===========================================================================
+ * Initialize a new block.
+ */
+local void init_block(s)
+    deflate_state *s;
+{
+    int n; /* iterates over tree elements */
+
+    /* Initialize the trees. */
+    for (n = 0; n < L_CODES;  n++) s->dyn_ltree[n].Freq = 0;
+    for (n = 0; n < D_CODES;  n++) s->dyn_dtree[n].Freq = 0;
+    for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;
+
+    s->dyn_ltree[END_BLOCK].Freq = 1;
+    s->opt_len = s->static_len = 0L;
+    s->last_lit = s->matches = 0;
+}
+
+#define SMALLEST 1
+/* Index within the heap array of least frequent node in the Huffman tree */
+
+
+/* ===========================================================================
+ * Remove the smallest element from the heap and recreate the heap with
+ * one less element. Updates heap and heap_len.
+ */
+#define pqremove(s, tree, top) \
+{\
+    top = s->heap[SMALLEST]; \
+    s->heap[SMALLEST] = s->heap[s->heap_len--]; \
+    pqdownheap(s, tree, SMALLEST); \
+}
+
+/* ===========================================================================
+ * Compares to subtrees, using the tree depth as tie breaker when
+ * the subtrees have equal frequency. This minimizes the worst case length.
+ */
+#define smaller(tree, n, m, depth) \
+   (tree[n].Freq < tree[m].Freq || \
+   (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))
+
+/* ===========================================================================
+ * Restore the heap property by moving down the tree starting at node k,
+ * exchanging a node with the smallest of its two sons if necessary, stopping
+ * when the heap property is re-established (each father smaller than its
+ * two sons).
+ */
+local void pqdownheap(s, tree, k)
+    deflate_state *s;
+    ct_data *tree;  /* the tree to restore */
+    int k;               /* node to move down */
+{
+    int v = s->heap[k];
+    int j = k << 1;  /* left son of k */
+    while (j <= s->heap_len) {
+        /* Set j to the smallest of the two sons: */
+        if (j < s->heap_len &&
+            smaller(tree, s->heap[j+1], s->heap[j], s->depth)) {
+            j++;
+        }
+        /* Exit if v is smaller than both sons */
+        if (smaller(tree, v, s->heap[j], s->depth)) break;
+
+        /* Exchange v with the smallest son */
+        s->heap[k] = s->heap[j];  k = j;
+
+        /* And continue down the tree, setting j to the left son of k */
+        j <<= 1;
+    }
+    s->heap[k] = v;
+}
+
+/* ===========================================================================
+ * Compute the optimal bit lengths for a tree and update the total bit length
+ * for the current block.
+ * IN assertion: the fields freq and dad are set, heap[heap_max] and
+ *    above are the tree nodes sorted by increasing frequency.
+ * OUT assertions: the field len is set to the optimal bit length, the
+ *     array bl_count contains the frequencies for each bit length.
+ *     The length opt_len is updated; static_len is also updated if stree is
+ *     not null.
+ */
+local void gen_bitlen(s, desc)
+    deflate_state *s;
+    tree_desc *desc;    /* the tree descriptor */
+{
+    ct_data *tree        = desc->dyn_tree;
+    int max_code         = desc->max_code;
+    const ct_data *stree = desc->stat_desc->static_tree;
+    const intf *extra    = desc->stat_desc->extra_bits;
+    int base             = desc->stat_desc->extra_base;
+    int max_length       = desc->stat_desc->max_length;
+    int h;              /* heap index */
+    int n, m;           /* iterate over the tree elements */
+    int bits;           /* bit length */
+    int xbits;          /* extra bits */
+    ush f;              /* frequency */
+    int overflow = 0;   /* number of elements with bit length too large */
+
+    for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;
+
+    /* In a first pass, compute the optimal bit lengths (which may
+     * overflow in the case of the bit length tree).
+     */
+    tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */
+
+    for (h = s->heap_max+1; h < HEAP_SIZE; h++) {
+        n = s->heap[h];
+        bits = tree[tree[n].Dad].Len + 1;
+        if (bits > max_length) bits = max_length, overflow++;
+        tree[n].Len = (ush)bits;
+        /* We overwrite tree[n].Dad which is no longer needed */
+
+        if (n > max_code) continue; /* not a leaf node */
+
+        s->bl_count[bits]++;
+        xbits = 0;
+        if (n >= base) xbits = extra[n-base];
+        f = tree[n].Freq;
+        s->opt_len += (ulg)f * (bits + xbits);
+        if (stree) s->static_len += (ulg)f * (stree[n].Len + xbits);
+    }
+    if (overflow == 0) return;
+
+    Trace((stderr,"\nbit length overflow\n"));
+    /* This happens for example on obj2 and pic of the Calgary corpus */
+
+    /* Find the first bit length which could increase: */
+    do {
+        bits = max_length-1;
+        while (s->bl_count[bits] == 0) bits--;
+        s->bl_count[bits]--;      /* move one leaf down the tree */
+        s->bl_count[bits+1] += 2; /* move one overflow item as its brother */
+        s->bl_count[max_length]--;
+        /* The brother of the overflow item also moves one step up,
+         * but this does not affect bl_count[max_length]
+         */
+        overflow -= 2;
+    } while (overflow > 0);
+
+    /* Now recompute all bit lengths, scanning in increasing frequency.
+     * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
+     * lengths instead of fixing only the wrong ones. This idea is taken
+     * from 'ar' written by Haruhiko Okumura.)
+     */
+    for (bits = max_length; bits != 0; bits--) {
+        n = s->bl_count[bits];
+        while (n != 0) {
+            m = s->heap[--h];
+            if (m > max_code) continue;
+            if (tree[m].Len != (unsigned) bits) {
+                Trace((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
+                s->opt_len += ((long)bits - (long)tree[m].Len)
+                              *(long)tree[m].Freq;
+                tree[m].Len = (ush)bits;
+            }
+            n--;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Generate the codes for a given tree and bit counts (which need not be
+ * optimal).
+ * IN assertion: the array bl_count contains the bit length statistics for
+ * the given tree and the field len is set for all tree elements.
+ * OUT assertion: the field code is set for all tree elements of non
+ *     zero code length.
+ */
+local void gen_codes (tree, max_code, bl_count)
+    ct_data *tree;             /* the tree to decorate */
+    int max_code;              /* largest code with non zero frequency */
+    ushf *bl_count;            /* number of codes at each bit length */
+{
+    ush next_code[MAX_BITS+1]; /* next code value for each bit length */
+    ush code = 0;              /* running code value */
+    int bits;                  /* bit index */
+    int n;                     /* code index */
+
+    /* The distribution counts are first used to generate the code values
+     * without bit reversal.
+     */
+    for (bits = 1; bits <= MAX_BITS; bits++) {
+        next_code[bits] = code = (code + bl_count[bits-1]) << 1;
+    }
+    /* Check that the bit counts in bl_count are consistent. The last code
+     * must be all ones.
+     */
+    Assert (code + bl_count[MAX_BITS]-1 == (1<<MAX_BITS)-1,
+            "inconsistent bit counts");
+    Tracev((stderr,"\ngen_codes: max_code %d ", max_code));
+
+    for (n = 0;  n <= max_code; n++) {
+        int len = tree[n].Len;
+        if (len == 0) continue;
+        /* Now reverse the bits */
+        tree[n].Code = bi_reverse(next_code[len]++, len);
+
+        Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
+             n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len]-1));
+    }
+}
+
+/* ===========================================================================
+ * Construct one Huffman tree and assigns the code bit strings and lengths.
+ * Update the total bit length for the current block.
+ * IN assertion: the field freq is set for all tree elements.
+ * OUT assertions: the fields len and code are set to the optimal bit length
+ *     and corresponding code. The length opt_len is updated; static_len is
+ *     also updated if stree is not null. The field max_code is set.
+ */
+local void build_tree(s, desc)
+    deflate_state *s;
+    tree_desc *desc; /* the tree descriptor */
+{
+    ct_data *tree         = desc->dyn_tree;
+    const ct_data *stree  = desc->stat_desc->static_tree;
+    int elems             = desc->stat_desc->elems;
+    int n, m;          /* iterate over heap elements */
+    int max_code = -1; /* largest code with non zero frequency */
+    int node;          /* new node being created */
+
+    /* Construct the initial heap, with least frequent element in
+     * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n+1].
+     * heap[0] is not used.
+     */
+    s->heap_len = 0, s->heap_max = HEAP_SIZE;
+
+    for (n = 0; n < elems; n++) {
+        if (tree[n].Freq != 0) {
+            s->heap[++(s->heap_len)] = max_code = n;
+            s->depth[n] = 0;
+        } else {
+            tree[n].Len = 0;
+        }
+    }
+
+    /* The pkzip format requires that at least one distance code exists,
+     * and that at least one bit should be sent even if there is only one
+     * possible code. So to avoid special checks later on we force at least
+     * two codes of non zero frequency.
+     */
+    while (s->heap_len < 2) {
+        node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);
+        tree[node].Freq = 1;
+        s->depth[node] = 0;
+        s->opt_len--; if (stree) s->static_len -= stree[node].Len;
+        /* node is 0 or 1 so it does not have extra bits */
+    }
+    desc->max_code = max_code;
+
+    /* The elements heap[heap_len/2+1 .. heap_len] are leaves of the tree,
+     * establish sub-heaps of increasing lengths:
+     */
+    for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);
+
+    /* Construct the Huffman tree by repeatedly combining the least two
+     * frequent nodes.
+     */
+    node = elems;              /* next internal node of the tree */
+    do {
+        pqremove(s, tree, n);  /* n = node of least frequency */
+        m = s->heap[SMALLEST]; /* m = node of next least frequency */
+
+        s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */
+        s->heap[--(s->heap_max)] = m;
+
+        /* Create a new node father of n and m */
+        tree[node].Freq = tree[n].Freq + tree[m].Freq;
+        s->depth[node] = (uch) (MAX(s->depth[n], s->depth[m]) + 1);
+        tree[n].Dad = tree[m].Dad = (ush)node;
+#ifdef DUMP_BL_TREE
+        if (tree == s->bl_tree) {
+            fprintf(stderr,"\nnode %d(%d), sons %d(%d) %d(%d)",
+                    node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);
+        }
+#endif
+        /* and insert the new node in the heap */
+        s->heap[SMALLEST] = node++;
+        pqdownheap(s, tree, SMALLEST);
+
+    } while (s->heap_len >= 2);
+
+    s->heap[--(s->heap_max)] = s->heap[SMALLEST];
+
+    /* At this point, the fields freq and dad are set. We can now
+     * generate the bit lengths.
+     */
+    gen_bitlen(s, (tree_desc *)desc);
+
+    /* The field len is now set, we can generate the bit codes */
+    gen_codes ((ct_data *)tree, max_code, s->bl_count);
+}
+
+/* ===========================================================================
+ * Scan a literal or distance tree to determine the frequencies of the codes
+ * in the bit length tree.
+ */
+local void scan_tree (s, tree, max_code)
+    deflate_state *s;
+    ct_data *tree;   /* the tree to be scanned */
+    int max_code;    /* and its largest code of non zero frequency */
+{
+    int n;                     /* iterates over all tree elements */
+    int prevlen = -1;          /* last emitted length */
+    int curlen;                /* length of current code */
+    int nextlen = tree[0].Len; /* length of next code */
+    int count = 0;             /* repeat count of the current code */
+    int max_count = 7;         /* max repeat count */
+    int min_count = 4;         /* min repeat count */
+
+    if (nextlen == 0) max_count = 138, min_count = 3;
+    tree[max_code+1].Len = (ush)0xffff; /* guard */
+
+    for (n = 0; n <= max_code; n++) {
+        curlen = nextlen; nextlen = tree[n+1].Len;
+        if (++count < max_count && curlen == nextlen) {
+            continue;
+        } else if (count < min_count) {
+            s->bl_tree[curlen].Freq += count;
+        } else if (curlen != 0) {
+            if (curlen != prevlen) s->bl_tree[curlen].Freq++;
+            s->bl_tree[REP_3_6].Freq++;
+        } else if (count <= 10) {
+            s->bl_tree[REPZ_3_10].Freq++;
+        } else {
+            s->bl_tree[REPZ_11_138].Freq++;
+        }
+        count = 0; prevlen = curlen;
+        if (nextlen == 0) {
+            max_count = 138, min_count = 3;
+        } else if (curlen == nextlen) {
+            max_count = 6, min_count = 3;
+        } else {
+            max_count = 7, min_count = 4;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Send a literal or distance tree in compressed form, using the codes in
+ * bl_tree.
+ */
+local void send_tree (s, tree, max_code)
+    deflate_state *s;
+    ct_data *tree; /* the tree to be scanned */
+    int max_code;       /* and its largest code of non zero frequency */
+{
+    int n;                     /* iterates over all tree elements */
+    int prevlen = -1;          /* last emitted length */
+    int curlen;                /* length of current code */
+    int nextlen = tree[0].Len; /* length of next code */
+    int count = 0;             /* repeat count of the current code */
+    int max_count = 7;         /* max repeat count */
+    int min_count = 4;         /* min repeat count */
+
+    /* tree[max_code+1].Len = -1; */  /* guard already set */
+    if (nextlen == 0) max_count = 138, min_count = 3;
+
+    for (n = 0; n <= max_code; n++) {
+        curlen = nextlen; nextlen = tree[n+1].Len;
+        if (++count < max_count && curlen == nextlen) {
+            continue;
+        } else if (count < min_count) {
+            do { send_code(s, curlen, s->bl_tree); } while (--count != 0);
+
+        } else if (curlen != 0) {
+            if (curlen != prevlen) {
+                send_code(s, curlen, s->bl_tree); count--;
+            }
+            Assert(count >= 3 && count <= 6, " 3_6?");
+            send_code(s, REP_3_6, s->bl_tree); send_bits(s, count-3, 2);
+
+        } else if (count <= 10) {
+            send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count-3, 3);
+
+        } else {
+            send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count-11, 7);
+        }
+        count = 0; prevlen = curlen;
+        if (nextlen == 0) {
+            max_count = 138, min_count = 3;
+        } else if (curlen == nextlen) {
+            max_count = 6, min_count = 3;
+        } else {
+            max_count = 7, min_count = 4;
+        }
+    }
+}
+
+/* ===========================================================================
+ * Construct the Huffman tree for the bit lengths and return the index in
+ * bl_order of the last bit length code to send.
+ */
+local int build_bl_tree(s)
+    deflate_state *s;
+{
+    int max_blindex;  /* index of last bit length code of non zero freq */
+
+    /* Determine the bit length frequencies for literal and distance trees */
+    scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);
+    scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);
+
+    /* Build the bit length tree: */
+    build_tree(s, (tree_desc *)(&(s->bl_desc)));
+    /* opt_len now includes the length of the tree representations, except
+     * the lengths of the bit lengths codes and the 5+5+4 bits for the counts.
+     */
+
+    /* Determine the number of bit length codes to send. The pkzip format
+     * requires that at least 4 bit length codes be sent. (appnote.txt says
+     * 3 but the actual value used is 4.)
+     */
+    for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {
+        if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;
+    }
+    /* Update opt_len to include the bit length tree and counts */
+    s->opt_len += 3*(max_blindex+1) + 5+5+4;
+    Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
+            s->opt_len, s->static_len));
+
+    return max_blindex;
+}
+
+/* ===========================================================================
+ * Send the header for a block using dynamic Huffman trees: the counts, the
+ * lengths of the bit length codes, the literal tree and the distance tree.
+ * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
+ */
+local void send_all_trees(s, lcodes, dcodes, blcodes)
+    deflate_state *s;
+    int lcodes, dcodes, blcodes; /* number of codes for each tree */
+{
+    int rank;                    /* index in bl_order */
+
+    Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
+    Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
+            "too many codes");
+    Tracev((stderr, "\nbl counts: "));
+    send_bits(s, lcodes-257, 5); /* not +255 as stated in appnote.txt */
+    send_bits(s, dcodes-1,   5);
+    send_bits(s, blcodes-4,  4); /* not -3 as stated in appnote.txt */
+    for (rank = 0; rank < blcodes; rank++) {
+        Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
+        send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);
+    }
+    Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));
+
+    send_tree(s, (ct_data *)s->dyn_ltree, lcodes-1); /* literal tree */
+    Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));
+
+    send_tree(s, (ct_data *)s->dyn_dtree, dcodes-1); /* distance tree */
+    Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
+}
+
+/* ===========================================================================
+ * Send a stored block
+ */
+void _tr_stored_block(s, buf, stored_len, eof)
+    deflate_state *s;
+    charf *buf;       /* input block */
+    ulg stored_len;   /* length of input block */
+    int eof;          /* true if this is the last block for a file */
+{
+    send_bits(s, (STORED_BLOCK<<1)+eof, 3);  /* send block type */
+#ifdef DEBUG
+    s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
+    s->compressed_len += (stored_len + 4) << 3;
+#endif
+    copy_block(s, buf, (unsigned)stored_len, 1); /* with header */
+}
+
+/* ===========================================================================
+ * Send one empty static block to give enough lookahead for inflate.
+ * This takes 10 bits, of which 7 may remain in the bit buffer.
+ * The current inflate code requires 9 bits of lookahead. If the
+ * last two codes for the previous block (real code plus EOB) were coded
+ * on 5 bits or less, inflate may have only 5+3 bits of lookahead to decode
+ * the last real code. In this case we send two empty static blocks instead
+ * of one. (There are no problems if the previous block is stored or fixed.)
+ * To simplify the code, we assume the worst case of last real code encoded
+ * on one bit only.
+ */
+void _tr_align(s)
+    deflate_state *s;
+{
+    send_bits(s, STATIC_TREES<<1, 3);
+    send_code(s, END_BLOCK, static_ltree);
+#ifdef DEBUG
+    s->compressed_len += 10L; /* 3 for block type, 7 for EOB */
+#endif
+    bi_flush(s);
+    /* Of the 10 bits for the empty block, we have already sent
+     * (10 - bi_valid) bits. The lookahead for the last real code (before
+     * the EOB of the previous block) was thus at least one plus the length
+     * of the EOB plus what we have just sent of the empty static block.
+     */
+    if (1 + s->last_eob_len + 10 - s->bi_valid < 9) {
+        send_bits(s, STATIC_TREES<<1, 3);
+        send_code(s, END_BLOCK, static_ltree);
+#ifdef DEBUG
+        s->compressed_len += 10L;
+#endif
+        bi_flush(s);
+    }
+    s->last_eob_len = 7;
+}
+
+/* ===========================================================================
+ * Determine the best encoding for the current block: dynamic trees, static
+ * trees or store, and output the encoded block to the zip file.
+ */
+void _tr_flush_block(s, buf, stored_len, eof)
+    deflate_state *s;
+    charf *buf;       /* input block, or NULL if too old */
+    ulg stored_len;   /* length of input block */
+    int eof;          /* true if this is the last block for a file */
+{
+    ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
+    int max_blindex = 0;  /* index of last bit length code of non zero freq */
+
+    /* Build the Huffman trees unless a stored block is forced */
+    if (s->level > 0) {
+
+	 /* Check if the file is ascii or binary */
+	if (s->data_type == Z_UNKNOWN) set_data_type(s);
+
+	/* Construct the literal and distance trees */
+	build_tree(s, (tree_desc *)(&(s->l_desc)));
+	Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
+		s->static_len));
+
+	build_tree(s, (tree_desc *)(&(s->d_desc)));
+	Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
+		s->static_len));
+	/* At this point, opt_len and static_len are the total bit lengths of
+	 * the compressed block data, excluding the tree representations.
+	 */
+
+	/* Build the bit length tree for the above two trees, and get the index
+	 * in bl_order of the last bit length code to send.
+	 */
+	max_blindex = build_bl_tree(s);
+
+	/* Determine the best encoding. Compute first the block length in bytes*/
+	opt_lenb = (s->opt_len+3+7)>>3;
+	static_lenb = (s->static_len+3+7)>>3;
+
+	Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+		opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+		s->last_lit));
+
+	if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+
+    } else {
+        Assert(buf != (char*)0, "lost buf");
+	opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
+    }
+
+#ifdef FORCE_STORED
+    if (buf != (char*)0) { /* force stored block */
+#else
+    if (stored_len+4 <= opt_lenb && buf != (char*)0) {
+                       /* 4: two words for the lengths */
+#endif
+        /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
+         * Otherwise we can't have processed more than WSIZE input bytes since
+         * the last block flush, because compression would have been
+         * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
+         * transform a block into a stored block.
+         */
+        _tr_stored_block(s, buf, stored_len, eof);
+
+#ifdef FORCE_STATIC
+    } else if (static_lenb >= 0) { /* force static trees */
+#else
+    } else if (static_lenb == opt_lenb) {
+#endif
+        send_bits(s, (STATIC_TREES<<1)+eof, 3);
+        compress_block(s, static_ltree, static_dtree);
+#ifdef DEBUG
+        s->compressed_len += 3 + s->static_len;
+#endif
+    } else {
+        send_bits(s, (DYN_TREES<<1)+eof, 3);
+        send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1,
+                       max_blindex+1);
+        compress_block(s, s->dyn_ltree, s->dyn_dtree);
+#ifdef DEBUG
+        s->compressed_len += 3 + s->opt_len;
+#endif
+    }
+    Assert (s->compressed_len == s->bits_sent, "bad compressed size");
+    /* The above check is made mod 2^32, for files larger than 512 MB
+     * and uLong implemented on 32 bits.
+     */
+    init_block(s);
+
+    if (eof) {
+        bi_windup(s);
+#ifdef DEBUG
+        s->compressed_len += 7;  /* align on byte boundary */
+#endif
+    }
+    Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
+           s->compressed_len-7*eof));
+}
+
+/* ===========================================================================
+ * Save the match info and tally the frequency counts. Return true if
+ * the current block must be flushed.
+ */
+int _tr_tally (s, dist, lc)
+    deflate_state *s;
+    unsigned dist;  /* distance of matched string */
+    unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+{
+    s->d_buf[s->last_lit] = (ush)dist;
+    s->l_buf[s->last_lit++] = (uch)lc;
+    if (dist == 0) {
+        /* lc is the unmatched char */
+        s->dyn_ltree[lc].Freq++;
+    } else {
+        s->matches++;
+        /* Here, lc is the match length - MIN_MATCH */
+        dist--;             /* dist = match distance - 1 */
+        Assert((ush)dist < (ush)MAX_DIST(s) &&
+               (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
+               (ush)d_code(dist) < (ush)D_CODES,  "_tr_tally: bad match");
+
+        s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+        s->dyn_dtree[d_code(dist)].Freq++;
+    }
+
+#ifdef TRUNCATE_BLOCK
+    /* Try to guess if it is profitable to stop the current block here */
+    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+        /* Compute an upper bound for the compressed length */
+        ulg out_length = (ulg)s->last_lit*8L;
+        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+        int dcode;
+        for (dcode = 0; dcode < D_CODES; dcode++) {
+            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+                (5L+extra_dbits[dcode]);
+        }
+        out_length >>= 3;
+        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+               s->last_lit, in_length, out_length,
+               100L - out_length*100L/in_length));
+        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+    }
+#endif
+    return (s->last_lit == s->lit_bufsize-1);
+    /* We avoid equality with lit_bufsize because of wraparound at 64K
+     * on 16 bit machines and because stored blocks are restricted to
+     * 64K-1 bytes.
+     */
+}
+
+/* ===========================================================================
+ * Send the block data compressed using the given Huffman trees
+ */
+local void compress_block(s, ltree, dtree)
+    deflate_state *s;
+    const ct_data *ltree; /* literal tree */
+    const ct_data *dtree; /* distance tree */
+{
+    unsigned dist;      /* distance of matched string */
+    int lc;             /* match length or unmatched char (if dist == 0) */
+    unsigned lx = 0;    /* running index in l_buf */
+    unsigned code;      /* the code to send */
+    int extra;          /* number of extra bits to send */
+
+    if (s->last_lit != 0) do {
+        dist = s->d_buf[lx];
+        lc = s->l_buf[lx++];
+        if (dist == 0) {
+            send_code(s, lc, ltree); /* send a literal byte */
+            Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+        } else {
+            /* Here, lc is the match length - MIN_MATCH */
+            code = _length_code[lc];
+            send_code(s, code+LITERALS+1, ltree); /* send the length code */
+            extra = extra_lbits[code];
+            if (extra != 0) {
+                lc -= base_length[code];
+                send_bits(s, lc, extra);       /* send the extra length bits */
+            }
+            dist--; /* dist is now the match distance - 1 */
+            code = d_code(dist);
+            Assert (code < D_CODES, "bad d_code");
+
+            send_code(s, code, dtree);       /* send the distance code */
+            extra = extra_dbits[code];
+            if (extra != 0) {
+                dist -= base_dist[code];
+                send_bits(s, dist, extra);   /* send the extra distance bits */
+            }
+        } /* literal or match pair ? */
+
+        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+        Assert(s->pending < s->lit_bufsize + 2*lx, "pendingBuf overflow");
+
+    } while (lx < s->last_lit);
+
+    send_code(s, END_BLOCK, ltree);
+    s->last_eob_len = ltree[END_BLOCK].Len;
+}
+
+/* ===========================================================================
+ * Set the data type to ASCII or BINARY, using a crude approximation:
+ * binary if more than 20% of the bytes are <= 6 or >= 128, ascii otherwise.
+ * IN assertion: the fields freq of dyn_ltree are set and the total of all
+ * frequencies does not exceed 64K (to fit in an int on 16 bit machines).
+ */
+local void set_data_type(s)
+    deflate_state *s;
+{
+    int n = 0;
+    unsigned ascii_freq = 0;
+    unsigned bin_freq = 0;
+    while (n < 7)        bin_freq += s->dyn_ltree[n++].Freq;
+    while (n < 128)    ascii_freq += s->dyn_ltree[n++].Freq;
+    while (n < LITERALS) bin_freq += s->dyn_ltree[n++].Freq;
+    s->data_type = (Byte)(bin_freq > (ascii_freq >> 2) ? Z_BINARY : Z_ASCII);
+}
+
+/* ===========================================================================
+ * Reverse the first len bits of a code, using straightforward code (a faster
+ * method would use a table)
+ * IN assertion: 1 <= len <= 15
+ */
+local unsigned bi_reverse(code, len)
+    unsigned code; /* the value to invert */
+    int len;       /* its bit length */
+{
+    register unsigned res = 0;
+    do {
+        res |= code & 1;
+        code >>= 1, res <<= 1;
+    } while (--len > 0);
+    return res >> 1;
+}
+
+/* ===========================================================================
+ * Flush the bit buffer, keeping at most 7 bits in it.
+ */
+local void bi_flush(s)
+    deflate_state *s;
+{
+    if (s->bi_valid == 16) {
+        put_short(s, s->bi_buf);
+        s->bi_buf = 0;
+        s->bi_valid = 0;
+    } else if (s->bi_valid >= 8) {
+        put_byte(s, (Byte)s->bi_buf);
+        s->bi_buf >>= 8;
+        s->bi_valid -= 8;
+    }
+}
+
+/* ===========================================================================
+ * Flush the bit buffer and align the output on a byte boundary
+ */
+local void bi_windup(s)
+    deflate_state *s;
+{
+    if (s->bi_valid > 8) {
+        put_short(s, s->bi_buf);
+    } else if (s->bi_valid > 0) {
+        put_byte(s, (Byte)s->bi_buf);
+    }
+    s->bi_buf = 0;
+    s->bi_valid = 0;
+#ifdef DEBUG
+    s->bits_sent = (s->bits_sent+7) & ~7;
+#endif
+}
+
+/* ===========================================================================
+ * Copy a stored block, storing first the length and its
+ * one's complement if requested.
+ */
+local void copy_block(s, buf, len, header)
+    deflate_state *s;
+    charf    *buf;    /* the input data */
+    unsigned len;     /* its length */
+    int      header;  /* true if block header must be written */
+{
+    bi_windup(s);        /* align on byte boundary */
+    s->last_eob_len = 8; /* enough lookahead for inflate */
+
+    if (header) {
+        put_short(s, (ush)len);   
+        put_short(s, (ush)~len);
+#ifdef DEBUG
+        s->bits_sent += 2*16;
+#endif
+    }
+#ifdef DEBUG
+    s->bits_sent += (ulg)len<<3;
+#endif
+    while (len--) {
+        put_byte(s, *buf++);
+    }
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/trees.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,128 @@
+/* header created automatically with -DGEN_TREES_H */
+
+local const ct_data static_ltree[L_CODES+2] = {
+{{ 12},{  8}}, {{140},{  8}}, {{ 76},{  8}}, {{204},{  8}}, {{ 44},{  8}},
+{{172},{  8}}, {{108},{  8}}, {{236},{  8}}, {{ 28},{  8}}, {{156},{  8}},
+{{ 92},{  8}}, {{220},{  8}}, {{ 60},{  8}}, {{188},{  8}}, {{124},{  8}},
+{{252},{  8}}, {{  2},{  8}}, {{130},{  8}}, {{ 66},{  8}}, {{194},{  8}},
+{{ 34},{  8}}, {{162},{  8}}, {{ 98},{  8}}, {{226},{  8}}, {{ 18},{  8}},
+{{146},{  8}}, {{ 82},{  8}}, {{210},{  8}}, {{ 50},{  8}}, {{178},{  8}},
+{{114},{  8}}, {{242},{  8}}, {{ 10},{  8}}, {{138},{  8}}, {{ 74},{  8}},
+{{202},{  8}}, {{ 42},{  8}}, {{170},{  8}}, {{106},{  8}}, {{234},{  8}},
+{{ 26},{  8}}, {{154},{  8}}, {{ 90},{  8}}, {{218},{  8}}, {{ 58},{  8}},
+{{186},{  8}}, {{122},{  8}}, {{250},{  8}}, {{  6},{  8}}, {{134},{  8}},
+{{ 70},{  8}}, {{198},{  8}}, {{ 38},{  8}}, {{166},{  8}}, {{102},{  8}},
+{{230},{  8}}, {{ 22},{  8}}, {{150},{  8}}, {{ 86},{  8}}, {{214},{  8}},
+{{ 54},{  8}}, {{182},{  8}}, {{118},{  8}}, {{246},{  8}}, {{ 14},{  8}},
+{{142},{  8}}, {{ 78},{  8}}, {{206},{  8}}, {{ 46},{  8}}, {{174},{  8}},
+{{110},{  8}}, {{238},{  8}}, {{ 30},{  8}}, {{158},{  8}}, {{ 94},{  8}},
+{{222},{  8}}, {{ 62},{  8}}, {{190},{  8}}, {{126},{  8}}, {{254},{  8}},
+{{  1},{  8}}, {{129},{  8}}, {{ 65},{  8}}, {{193},{  8}}, {{ 33},{  8}},
+{{161},{  8}}, {{ 97},{  8}}, {{225},{  8}}, {{ 17},{  8}}, {{145},{  8}},
+{{ 81},{  8}}, {{209},{  8}}, {{ 49},{  8}}, {{177},{  8}}, {{113},{  8}},
+{{241},{  8}}, {{  9},{  8}}, {{137},{  8}}, {{ 73},{  8}}, {{201},{  8}},
+{{ 41},{  8}}, {{169},{  8}}, {{105},{  8}}, {{233},{  8}}, {{ 25},{  8}},
+{{153},{  8}}, {{ 89},{  8}}, {{217},{  8}}, {{ 57},{  8}}, {{185},{  8}},
+{{121},{  8}}, {{249},{  8}}, {{  5},{  8}}, {{133},{  8}}, {{ 69},{  8}},
+{{197},{  8}}, {{ 37},{  8}}, {{165},{  8}}, {{101},{  8}}, {{229},{  8}},
+{{ 21},{  8}}, {{149},{  8}}, {{ 85},{  8}}, {{213},{  8}}, {{ 53},{  8}},
+{{181},{  8}}, {{117},{  8}}, {{245},{  8}}, {{ 13},{  8}}, {{141},{  8}},
+{{ 77},{  8}}, {{205},{  8}}, {{ 45},{  8}}, {{173},{  8}}, {{109},{  8}},
+{{237},{  8}}, {{ 29},{  8}}, {{157},{  8}}, {{ 93},{  8}}, {{221},{  8}},
+{{ 61},{  8}}, {{189},{  8}}, {{125},{  8}}, {{253},{  8}}, {{ 19},{  9}},
+{{275},{  9}}, {{147},{  9}}, {{403},{  9}}, {{ 83},{  9}}, {{339},{  9}},
+{{211},{  9}}, {{467},{  9}}, {{ 51},{  9}}, {{307},{  9}}, {{179},{  9}},
+{{435},{  9}}, {{115},{  9}}, {{371},{  9}}, {{243},{  9}}, {{499},{  9}},
+{{ 11},{  9}}, {{267},{  9}}, {{139},{  9}}, {{395},{  9}}, {{ 75},{  9}},
+{{331},{  9}}, {{203},{  9}}, {{459},{  9}}, {{ 43},{  9}}, {{299},{  9}},
+{{171},{  9}}, {{427},{  9}}, {{107},{  9}}, {{363},{  9}}, {{235},{  9}},
+{{491},{  9}}, {{ 27},{  9}}, {{283},{  9}}, {{155},{  9}}, {{411},{  9}},
+{{ 91},{  9}}, {{347},{  9}}, {{219},{  9}}, {{475},{  9}}, {{ 59},{  9}},
+{{315},{  9}}, {{187},{  9}}, {{443},{  9}}, {{123},{  9}}, {{379},{  9}},
+{{251},{  9}}, {{507},{  9}}, {{  7},{  9}}, {{263},{  9}}, {{135},{  9}},
+{{391},{  9}}, {{ 71},{  9}}, {{327},{  9}}, {{199},{  9}}, {{455},{  9}},
+{{ 39},{  9}}, {{295},{  9}}, {{167},{  9}}, {{423},{  9}}, {{103},{  9}},
+{{359},{  9}}, {{231},{  9}}, {{487},{  9}}, {{ 23},{  9}}, {{279},{  9}},
+{{151},{  9}}, {{407},{  9}}, {{ 87},{  9}}, {{343},{  9}}, {{215},{  9}},
+{{471},{  9}}, {{ 55},{  9}}, {{311},{  9}}, {{183},{  9}}, {{439},{  9}},
+{{119},{  9}}, {{375},{  9}}, {{247},{  9}}, {{503},{  9}}, {{ 15},{  9}},
+{{271},{  9}}, {{143},{  9}}, {{399},{  9}}, {{ 79},{  9}}, {{335},{  9}},
+{{207},{  9}}, {{463},{  9}}, {{ 47},{  9}}, {{303},{  9}}, {{175},{  9}},
+{{431},{  9}}, {{111},{  9}}, {{367},{  9}}, {{239},{  9}}, {{495},{  9}},
+{{ 31},{  9}}, {{287},{  9}}, {{159},{  9}}, {{415},{  9}}, {{ 95},{  9}},
+{{351},{  9}}, {{223},{  9}}, {{479},{  9}}, {{ 63},{  9}}, {{319},{  9}},
+{{191},{  9}}, {{447},{  9}}, {{127},{  9}}, {{383},{  9}}, {{255},{  9}},
+{{511},{  9}}, {{  0},{  7}}, {{ 64},{  7}}, {{ 32},{  7}}, {{ 96},{  7}},
+{{ 16},{  7}}, {{ 80},{  7}}, {{ 48},{  7}}, {{112},{  7}}, {{  8},{  7}},
+{{ 72},{  7}}, {{ 40},{  7}}, {{104},{  7}}, {{ 24},{  7}}, {{ 88},{  7}},
+{{ 56},{  7}}, {{120},{  7}}, {{  4},{  7}}, {{ 68},{  7}}, {{ 36},{  7}},
+{{100},{  7}}, {{ 20},{  7}}, {{ 84},{  7}}, {{ 52},{  7}}, {{116},{  7}},
+{{  3},{  8}}, {{131},{  8}}, {{ 67},{  8}}, {{195},{  8}}, {{ 35},{  8}},
+{{163},{  8}}, {{ 99},{  8}}, {{227},{  8}}
+};
+
+local const ct_data static_dtree[D_CODES] = {
+{{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}},
+{{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}},
+{{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}},
+{{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}},
+{{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}},
+{{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}
+};
+
+const uch _dist_code[DIST_CODE_LEN] = {
+ 0,  1,  2,  3,  4,  4,  5,  5,  6,  6,  6,  6,  7,  7,  7,  7,  8,  8,  8,  8,
+ 8,  8,  8,  8,  9,  9,  9,  9,  9,  9,  9,  9, 10, 10, 10, 10, 10, 10, 10, 10,
+10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,
+11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,
+12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13,
+13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13,
+13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
+14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
+15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,  0,  0, 16, 17,
+18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22,
+23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
+28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
+29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29
+};
+
+const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {
+ 0,  1,  2,  3,  4,  5,  6,  7,  8,  8,  9,  9, 10, 10, 11, 11, 12, 12, 12, 12,
+13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,
+17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,
+19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
+21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22,
+22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23,
+23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
+25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
+25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
+26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
+27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28
+};
+
+local const int base_length[LENGTH_CODES] = {
+0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56,
+64, 80, 96, 112, 128, 160, 192, 224, 0
+};
+
+local const int base_dist[D_CODES] = {
+    0,     1,     2,     3,     4,     6,     8,    12,    16,    24,
+   32,    48,    64,    96,   128,   192,   256,   384,   512,   768,
+ 1024,  1536,  2048,  3072,  4096,  6144,  8192, 12288, 16384, 24576
+};
+
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ultoa.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,66 @@
+/*
+ * convert unsigned long to ASCII
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: ultoa.c,v 1.10 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - ultoa - convert unsigned long to decimal ASCII
+ */
+size_t				/* length required for full conversion */
+ultoa(n, base, dst, dstlen)
+unsigned long n;
+int base;
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	char buf[3*sizeof(unsigned long) + 1];
+	char *bufend = buf + sizeof(buf);
+	size_t len;
+	char *p;
+	static char hex[] = "0123456789abcdef";
+
+	p = bufend;
+	*--p = '\0';
+	if (base == 10) {
+		do {
+			*--p = n%10 + '0';
+			n /= 10;
+		} while (n != 0);
+	} else if (base == 16) {
+		do {
+			*--p = hex[n&0xf];
+			n >>= 4;
+		} while (n != 0);
+		*--p = 'x';
+		*--p = '0';
+	} else if (base == 8) {
+		do {
+			*--p = (n&07) + '0';
+			n >>= 3;
+		} while (n != 0);
+		*--p = '0';
+	} else
+		*--p = '?';
+
+	len = bufend - p;
+
+	if (dstlen > 0) {
+		if (len > dstlen)
+			*(p + dstlen - 1) = '\0';
+		strcpy(dst, p);
+	}
+	return len;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ultot.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,82 @@
+/*
+ * convert unsigned long to text
+ * Copyright (C) 2000  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: ultot.c,v 1.5 2004/07/10 07:48:37 mcr Exp $
+ */
+#include "openswan.h"
+
+/*
+ - ultot - convert unsigned long to text
+ */
+size_t				/* length required for full conversion */
+ultot(n, base, dst, dstlen)
+unsigned long n;
+int base;
+char *dst;			/* need not be valid if dstlen is 0 */
+size_t dstlen;
+{
+	char buf[3*sizeof(unsigned long) + 1];
+	char *bufend = buf + sizeof(buf);
+	size_t len;
+	char *p;
+	static char hex[] = "0123456789abcdef";
+#	define	HEX32	(32/4)
+
+	p = bufend;
+	*--p = '\0';
+	switch (base) {
+	case 10:
+	case 'd':
+		do {
+			*--p = n%10 + '0';
+			n /= 10;
+		} while (n != 0);
+		break;
+	case 16:
+	case 17:
+	case 'x':
+		do {
+			*--p = hex[n&0xf];
+			n >>= 4;
+		} while (n != 0);
+		if (base == 17)
+			while (bufend - p < HEX32 + 1)
+				*--p = '0';
+		if (base == 'x') {
+			*--p = 'x';
+			*--p = '0';
+		}
+		break;
+	case 8:
+	case 'o':
+		do {
+			*--p = (n&07) + '0';
+			n >>= 3;
+		} while (n != 0);
+		if (base == 'o')
+			*--p = '0';
+		break;
+	default:
+		return 0;
+		break;
+	}
+
+	len = bufend - p;
+	if (dstlen > 0) {
+		if (len > dstlen)
+			*(p + dstlen - 1) = '\0';
+		strcpy(dst, p);
+	}
+	return len;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/version.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,44 @@
+/*
+ * return IPsec version information
+ * Copyright (C) 2001  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ * RCSID $Id: version.in.c,v 1.2 2004/04/14 05:09:46 ken Exp $
+ */
+
+#ifdef __KERNEL__
+#include <linux/netdevice.h>
+#endif
+
+#include "openswan.h"
+
+#define	V	"2.4.9"		/* substituted in by Makefile */
+static const char openswan_number[] = V;
+static const char openswan_string[] = "Openswan " V;
+
+/*
+ - ipsec_version_code - return IPsec version number/code, as string
+ */
+const char *
+ipsec_version_code()
+{
+	return openswan_number;
+}
+
+/*
+ - ipsec_version_string - return full version string
+ */
+const char *
+ipsec_version_string()
+{
+	return openswan_string;
+}
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/zutil.c     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,227 @@
+/* zutil.c -- target dependent utility functions for the compression library
+ * Copyright (C) 1995-2002 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+
+/* @(#) $Id: zutil.c,v 1.5 2004/07/10 07:48:40 mcr Exp $ */
+
+#include <zlib/zutil.h>
+
+#define MY_ZCALLOC
+
+struct internal_state      {int dummy;}; /* for buggy compilers */
+
+#ifndef STDC
+extern void exit OF((int));
+#endif
+
+const char *z_errmsg[10] = {
+"need dictionary",     /* Z_NEED_DICT       2  */
+"stream end",          /* Z_STREAM_END      1  */
+"",                    /* Z_OK              0  */
+"file error",          /* Z_ERRNO         (-1) */
+"stream error",        /* Z_STREAM_ERROR  (-2) */
+"data error",          /* Z_DATA_ERROR    (-3) */
+"insufficient memory", /* Z_MEM_ERROR     (-4) */
+"buffer error",        /* Z_BUF_ERROR     (-5) */
+"incompatible version",/* Z_VERSION_ERROR (-6) */
+""};
+
+
+const char * ZEXPORT zlibVersion()
+{
+    return ZLIB_VERSION;
+}
+
+#ifdef DEBUG
+
+#  ifndef verbose
+#    define verbose 0
+#  endif
+int z_verbose = verbose;
+
+void z_error (m)
+    char *m;
+{
+    fprintf(stderr, "%s\n", m);
+    exit(1);
+}
+#endif
+
+/* exported to allow conversion of error code to string for compress() and
+ * uncompress()
+ */
+const char * ZEXPORT zError(err)
+    int err;
+{
+    return ERR_MSG(err);
+}
+
+
+#ifndef HAVE_MEMCPY
+
+void zmemcpy(dest, source, len)
+    Bytef* dest;
+    const Bytef* source;
+    uInt  len;
+{
+    if (len == 0) return;
+    do {
+        *dest++ = *source++; /* ??? to be unrolled */
+    } while (--len != 0);
+}
+
+int zmemcmp(s1, s2, len)
+    const Bytef* s1;
+    const Bytef* s2;
+    uInt  len;
+{
+    uInt j;
+
+    for (j = 0; j < len; j++) {
+        if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1;
+    }
+    return 0;
+}
+
+void zmemzero(dest, len)
+    Bytef* dest;
+    uInt  len;
+{
+    if (len == 0) return;
+    do {
+        *dest++ = 0;  /* ??? to be unrolled */
+    } while (--len != 0);
+}
+#endif
+
+#ifdef __TURBOC__
+#if (defined( __BORLANDC__) || !defined(SMALL_MEDIUM)) && !defined(__32BIT__)
+/* Small and medium model in Turbo C are for now limited to near allocation
+ * with reduced MAX_WBITS and MAX_MEM_LEVEL
+ */
+#  define MY_ZCALLOC
+
+/* Turbo C malloc() does not allow dynamic allocation of 64K bytes
+ * and farmalloc(64K) returns a pointer with an offset of 8, so we
+ * must fix the pointer. Warning: the pointer must be put back to its
+ * original form in order to free it, use zcfree().
+ */
+
+#define MAX_PTR 10
+/* 10*64K = 640K */
+
+local int next_ptr = 0;
+
+typedef struct ptr_table_s {
+    voidpf org_ptr;
+    voidpf new_ptr;
+} ptr_table;
+
+local ptr_table table[MAX_PTR];
+/* This table is used to remember the original form of pointers
+ * to large buffers (64K). Such pointers are normalized with a zero offset.
+ * Since MSDOS is not a preemptive multitasking OS, this table is not
+ * protected from concurrent access. This hack doesn't work anyway on
+ * a protected system like OS/2. Use Microsoft C instead.
+ */
+
+voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+{
+    voidpf buf = opaque; /* just to make some compilers happy */
+    ulg bsize = (ulg)items*size;
+
+    /* If we allocate less than 65520 bytes, we assume that farmalloc
+     * will return a usable pointer which doesn't have to be normalized.
+     */
+    if (bsize < 65520L) {
+        buf = farmalloc(bsize);
+        if (*(ush*)&buf != 0) return buf;
+    } else {
+        buf = farmalloc(bsize + 16L);
+    }
+    if (buf == NULL || next_ptr >= MAX_PTR) return NULL;
+    table[next_ptr].org_ptr = buf;
+
+    /* Normalize the pointer to seg:0 */
+    *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4;
+    *(ush*)&buf = 0;
+    table[next_ptr++].new_ptr = buf;
+    return buf;
+}
+
+void  zcfree (voidpf opaque, voidpf ptr)
+{
+    int n;
+    if (*(ush*)&ptr != 0) { /* object < 64K */
+        farfree(ptr);
+        return;
+    }
+    /* Find the original pointer */
+    for (n = 0; n < next_ptr; n++) {
+        if (ptr != table[n].new_ptr) continue;
+
+        farfree(table[n].org_ptr);
+        while (++n < next_ptr) {
+            table[n-1] = table[n];
+        }
+        next_ptr--;
+        return;
+    }
+    ptr = opaque; /* just to make some compilers happy */
+    Assert(0, "zcfree: ptr not found");
+}
+#endif
+#endif /* __TURBOC__ */
+
+
+#if defined(M_I86) && !defined(__32BIT__)
+/* Microsoft C in 16-bit mode */
+
+#  define MY_ZCALLOC
+
+#if (!defined(_MSC_VER) || (_MSC_VER <= 600))
+#  define _halloc  halloc
+#  define _hfree   hfree
+#endif
+
+voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+{
+    if (opaque) opaque = 0; /* to make compiler happy */
+    return _halloc((long)items, size);
+}
+
+void  zcfree (voidpf opaque, voidpf ptr)
+{
+    if (opaque) opaque = 0; /* to make compiler happy */
+    _hfree(ptr);
+}
+
+#endif /* MSC */
+
+
+#ifndef MY_ZCALLOC /* Any system without a special alloc function */
+
+#ifndef STDC
+extern voidp  calloc OF((uInt items, uInt size));
+extern void   free   OF((voidpf ptr));
+#endif
+
+voidpf zcalloc (opaque, items, size)
+    voidpf opaque;
+    unsigned items;
+    unsigned size;
+{
+    if (opaque) items += size - size; /* make compiler happy */
+    return (voidpf)calloc(items, size);
+}
+
+void  zcfree (opaque, ptr)
+    voidpf opaque;
+    voidpf ptr;
+{
+    free(ptr);
+    if (opaque) return; /* make compiler happy */
+}
+
+#endif /* MY_ZCALLOC */
--- swan26/net/ipv4/af_inet.c.orig	Wed Jun 16 01:18:58 2004
+++ swan26/net/ipv4/af_inet.c	Fri Aug 13 23:09:27 2004
@@ -1169,6 +1169,18 @@
 #if defined(CONFIG_IP_MROUTE)
 	ip_mr_init();
 #endif
+
+#if defined(CONFIG_KLIPS)
+	{
+               extern int ipsec_klips_init(void);
+		/*
+		 *  Initialise AF_INET ESP and AH protocol support including 
+		 *  e-routing and SA tables
+		 */
+		ipsec_klips_init();
+	}
+#endif /* CONFIG_IPSEC */
+
 	/*
 	 *	Initialise per-cpu ipv4 mibs
 	 */ 
--- /dev/null   Fri May 10 13:59:54 2002
+++ linux/net/ipsec/Makefile.ver  Sun Jul 28 22:10:40 2002
@@ -0,0 +1 @@
+IPSECVERSION=2.4.9