13 files changed, 4647 insertions, 0 deletions
diff --git a/lib/libipsec/Makefile b/lib/libipsec/Makefile
new file mode 100644
index 0000000..23a10cc
--- /dev/null
+++ b/lib/libipsec/Makefile
@@ -0,0 +1,53 @@
+# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of the project nor the names of its contributors
+#    may be used to endorse or promote products derived from this software
+#    without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# $FreeBSD$
+
+LIB=	ipsec
+SHLIB_MAJOR= 1
+CFLAGS+=-I. -I${.CURDIR}
+CFLAGS+=-DIPSEC_DEBUG -DIPSEC
+.if !defined(NOINET6)
+CFLAGS+=-DINET6
+.endif
+
+#.PATH:	${.CURDIR}/../../sys/netkey
+#SRCS=	pfkey.c pfkey_dump.c
+SRCS+=	ipsec_strerror.c policy_parse.y policy_token.l
+SRCS+=	ipsec_dump_policy.c ipsec_get_policylen.c
+#SRCS+=	key_debug.c
+CLEANFILES+=	y.tab.c y.tab.h
+YFLAGS+=-d -p __libipsecyy
+LFLAGS+=-P__libipsecyy
+
+MAN=	ipsec_set_policy.3 ipsec_strerror.3
+MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
+	ipsec_set_policy.3 ipsec_dump_policy.3
+
+SRCS+= y.tab.h
+y.tab.h:	policy_parse.y
+
+.include <bsd.lib.mk>
diff --git a/lib/libipsec/ipsec_dump_policy.c b/lib/libipsec/ipsec_dump_policy.c
new file mode 100644
index 0000000..721ff20
--- /dev/null
+++ b/lib/libipsec/ipsec_dump_policy.c
@@ -0,0 +1,308 @@
+/*	$KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netkey/key_var.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+
+static const char *ipsp_dir_strs[] = {
+	"any", "in", "out",
+};
+
+static const char *ipsp_policy_strs[] = {
+	"discard", "none", "ipsec", "entrust", "bypass",
+};
+
+static char *ipsec_dump_ipsecrequest(char *, size_t,
+	struct sadb_x_ipsecrequest *, size_t);
+static int set_addresses(char *, size_t, struct sockaddr *, struct sockaddr *);
+static char *set_address(char *, size_t, struct sockaddr *);
+
+/*
+ * policy is sadb_x_policy buffer.
+ * Must call free() later.
+ * When delimiter == NULL, alternatively ' '(space) is applied.
+ */
+char *
+ipsec_dump_policy(policy, delimiter)
+	caddr_t policy;
+	char *delimiter;
+{
+	struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
+	struct sadb_x_ipsecrequest *xisr;
+	size_t off, buflen;
+	char *buf;
+	char isrbuf[1024];
+	char *newbuf;
+
+	/* sanity check */
+	if (policy == NULL)
+		return NULL;
+	if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
+		__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+		return NULL;
+	}
+
+	/* set delimiter */
+	if (delimiter == NULL)
+		delimiter = " ";
+
+	switch (xpl->sadb_x_policy_dir) {
+	case IPSEC_DIR_ANY:
+	case IPSEC_DIR_INBOUND:
+	case IPSEC_DIR_OUTBOUND:
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_DIR;
+		return NULL;
+	}
+
+	switch (xpl->sadb_x_policy_type) {
+	case IPSEC_POLICY_DISCARD:
+	case IPSEC_POLICY_NONE:
+	case IPSEC_POLICY_IPSEC:
+	case IPSEC_POLICY_BYPASS:
+	case IPSEC_POLICY_ENTRUST:
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_POLICY;
+		return NULL;
+	}
+
+	buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
+		+ 1	/* space */
+		+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
+		+ 1;	/* NUL */
+
+	if ((buf = malloc(buflen)) == NULL) {
+		__ipsec_errcode = EIPSEC_NO_BUFS;
+		return NULL;
+	}
+	snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
+	    ipsp_policy_strs[xpl->sadb_x_policy_type]);
+
+	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
+		__ipsec_errcode = EIPSEC_NO_ERROR;
+		return buf;
+	}
+
+	/* count length of buffer for use */
+	off = sizeof(*xpl);
+	while (off < PFKEY_EXTLEN(xpl)) {
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+		off += xisr->sadb_x_ipsecrequest_len;
+	}
+
+	/* validity check */
+	if (off != PFKEY_EXTLEN(xpl)) {
+		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+		free(buf);
+		return NULL;
+	}
+
+	off = sizeof(*xpl);
+	while (off < PFKEY_EXTLEN(xpl)) {
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
+
+		if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
+		    PFKEY_EXTLEN(xpl) - off) == NULL) {
+			free(buf);
+			return NULL;
+		}
+
+		buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
+		newbuf = (char *)realloc(buf, buflen);
+		if (newbuf == NULL) {
+			__ipsec_errcode = EIPSEC_NO_BUFS;
+			free(buf);
+			return NULL;
+		}
+		buf = newbuf;
+		snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
+
+		off += xisr->sadb_x_ipsecrequest_len;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return buf;
+}
+
+static char *
+ipsec_dump_ipsecrequest(buf, len, xisr, bound)
+	char *buf;
+	size_t len;
+	struct sadb_x_ipsecrequest *xisr;
+	size_t bound;	/* boundary */
+{
+	const char *proto, *mode, *level;
+	char abuf[NI_MAXHOST * 2 + 2];
+
+	if (xisr->sadb_x_ipsecrequest_len > bound) {
+		__ipsec_errcode = EIPSEC_INVAL_PROTO;
+		return NULL;
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_proto) {
+	case IPPROTO_ESP:
+		proto = "esp";
+		break;
+	case IPPROTO_AH:
+		proto = "ah";
+		break;
+	case IPPROTO_IPCOMP:
+		proto = "ipcomp";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_PROTO;
+		return NULL;
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_mode) {
+	case IPSEC_MODE_ANY:
+		mode = "any";
+		break;
+	case IPSEC_MODE_TRANSPORT:
+		mode = "transport";
+		break;
+	case IPSEC_MODE_TUNNEL:
+		mode = "tunnel";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_MODE;
+		return NULL;
+	}
+
+	abuf[0] = '\0';
+	if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+		struct sockaddr *sa1, *sa2;
+		caddr_t p;
+
+		p = (caddr_t)(xisr + 1);
+		sa1 = (struct sockaddr *)p;
+		sa2 = (struct sockaddr *)(p + sa1->sa_len);
+		if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
+		    xisr->sadb_x_ipsecrequest_len) {
+			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+			return NULL;
+		}
+		if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
+			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+			return NULL;
+		}
+	}
+
+	switch (xisr->sadb_x_ipsecrequest_level) {
+	case IPSEC_LEVEL_DEFAULT:
+		level = "default";
+		break;
+	case IPSEC_LEVEL_USE:
+		level = "use";
+		break;
+	case IPSEC_LEVEL_REQUIRE:
+		level = "require";
+		break;
+	case IPSEC_LEVEL_UNIQUE:
+		level = "unique";
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_LEVEL;
+		return NULL;
+	}
+
+	if (xisr->sadb_x_ipsecrequest_reqid == 0)
+		snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
+	else {
+		int ch;
+
+		if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
+			ch = '#';
+		else
+			ch = ':';
+		snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
+		    ch, xisr->sadb_x_ipsecrequest_reqid);
+	}
+
+	return buf;
+}
+
+static int
+set_addresses(buf, len, sa1, sa2)
+	char *buf;
+	size_t len;
+	struct sockaddr *sa1;
+	struct sockaddr *sa2;
+{
+	char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
+
+	if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
+	    set_address(tmp2, sizeof(tmp2), sa2) == NULL)
+		return -1;
+	if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
+		return -1;
+	snprintf(buf, len, "%s-%s", tmp1, tmp2);
+	return 0;
+}
+
+static char *
+set_address(buf, len, sa)
+	char *buf;
+	size_t len;
+	struct sockaddr *sa;
+{
+#ifdef NI_WITHSCOPEID
+	const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
+#else
+	const int niflags = NI_NUMERICHOST;
+#endif
+
+	if (len < 1)
+		return NULL;
+	buf[0] = '\0';
+	if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
+		return NULL;
+	return buf;
+}
diff --git a/lib/libipsec/ipsec_get_policylen.c b/lib/libipsec/ipsec_get_policylen.c
new file mode 100644
index 0000000..911b2ce
--- /dev/null
+++ b/lib/libipsec/ipsec_get_policylen.c
@@ -0,0 +1,49 @@
+/*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet6/ipsec.h>
+
+#include <net/pfkeyv2.h>
+
+#include "ipsec_strerror.h"
+
+int
+ipsec_get_policylen(policy)
+	caddr_t policy;
+{
+	return policy ? PFKEY_EXTLEN(policy) : -1;
+}
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
new file mode 100644
index 0000000..00c3a6d
--- /dev/null
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -0,0 +1,283 @@
+.\"	$KAME: ipsec_set_policy.3,v 1.15 2001/08/17 07:21:36 itojun Exp $
+.\"     $FreeBSD$
+.\"
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 5, 1998
+.Dt IPSEC_SET_POLICY 3
+.Os
+.Sh NAME
+.Nm ipsec_set_policy ,
+.Nm ipsec_get_policylen ,
+.Nm ipsec_dump_policy
+.Nd manipulate IPsec policy specification structure from readable string
+.\"
+.Sh LIBRARY
+.Lb libipsec
+.Sh SYNOPSIS
+.In netinet6/ipsec.h
+.Ft "char *"
+.Fn ipsec_set_policy "char *policy" "int len"
+.Ft int
+.Fn ipsec_get_policylen "char *buf"
+.Ft "char *"
+.Fn ipsec_dump_policy "char *buf" "char *delim"
+.Sh DESCRIPTION
+The
+.Fn ipsec_set_policy
+function generates IPsec policy specification structure, namely
+.Li struct sadb_x_policy
+and/or
+.Li struct sadb_x_ipsecrequest
+from human-readable policy specification.
+Policy specification must be given as C string
+.Fa policy
+and length
+.Fa len
+of
+.Fa policy .
+The
+.Fn ipsec_set_policy
+function will return the buffer of IPsec policy specification structure.
+The buffer is dynamically allocated, and must be freed by the caller by calling
+.Xr free 3 .
+.Pp
+You may want the length of the generated buffer such when calling
+.Xr setsockopt 2 .
+The
+.Fn ipsec_get_policylen
+function will return the length.
+.Pp
+The
+.Fn ipsec_dump_policy
+function converts IPsec policy structure into readable form.
+Therefore,
+.Fn ipsec_dump_policy
+can be regarded as inverse conversion of
+.Fn ipsec_set_policy .
+.Fa buf
+points to an IPsec policy structure,
+.Li struct sadb_x_policy .
+.Fa delim
+is a delimiter string, which is usually a blank character.
+If you set
+.Fa delim
+to
+.Dv NULL ,
+single whitespace is assumed.
+The
+.Fn ipsec_dump_policy
+function returns a pointer to dynamically allocated string.
+It is caller's responsibility to reclaim the region, by using
+.Xr free 3 .
+.Pp
+.Fa policy
+is formatted as either of the following:
+.Bl -tag  -width "discard"
+.It Ar direction Li discard
+.Ar direction
+must be
+.Li in
+or
+.Li out .
+.Ar direction
+specifies which direction the policy needs to be applied.
+With
+.Li discard
+policy, packets will be dropped if they match the policy.
+.It Ar direction Li entrust
+.Li entrust
+means to consult to SPD defined by
+.Xr setkey 8 .
+.It Ar direction Li bypass
+.Li bypass
+means to be bypassed the IPsec processing.
+(packet will be transmitted in clear).
+This is for privileged socket.
+.It Xo
+.Ar direction
+.Li ipsec
+.Ar request ...
+.Xc
+.Li ipsec
+means that the matching packets are subject to IPsec processing.
+.Li ipsec
+can be followed by one or more
+.Ar request
+string, which is formatted as below:
+.Bl -tag  -width "discard"
+.It Xo
+.Ar protocol
+.Li /
+.Ar mode
+.Li /
+.Ar src
+.Li -
+.Ar dst
+.Op Ar /level
+.Xc
+.Ar protocol
+is either
+.Li ah ,
+.Li esp
+or
+.Li ipcomp .
+.Pp
+.Ar mode
+is either
+.Li transport
+or
+.Li tunnel .
+.Pp
+.Ar src
+and
+.Ar dst
+specifies IPsec endpoint.
+.Ar src
+always means
+.Dq sending node
+and
+.Ar dst
+always means
+.Dq receiving node .
+Therefore, when
+.Ar direction
+is
+.Li in ,
+.Ar dst
+is this node
+and
+.Ar src
+is the other node
+(peer).
+If
+.Ar mode
+is
+.Li transport ,
+Both
+.Ar src
+and
+.Ar dst
+can be omitted.
+.Pp
+.Ar level
+must be set to one of the following:
+.Li default , use , require
+or
+.Li unique .
+.Li default
+means that the kernel should consult the system default policy
+defined by
+.Xr sysctl 8 ,
+such as
+.Li net.inet.ipsec.esp_trans_deflev .
+See
+.Xr ipsec 4
+regarding the system default.
+.Li use
+means that a relevant SA can be used when available,
+since the kernel may perform IPsec operation against packets when possible.
+In this case, packets can be transmitted in clear
+(when SA is not available),
+or encrypted
+(when SA is available).
+.Li require
+means that a relevant SA is required,
+since the kernel must perform IPsec operation against packets.
+.Li unique
+is the same as
+.Li require ,
+but adds the restriction that the SA for outbound traffic is used
+only for this policy.
+You may need the identifier in order to relate the policy and the SA
+when you define the SA by manual keying.
+You can put the decimal number as the identifier after
+.Li unique
+like
+.Li unique : number .
+.Li number
+must be between 1 and 32767 .
+If the
+.Ar request
+string is kept unambiguous,
+.Ar level
+and slash prior to
+.Ar level
+can be omitted.
+However, it is encouraged to specify them explicitly
+to avoid unintended behaviors.
+If
+.Ar level
+is omitted, it will be interpreted as
+.Li default .
+.El
+.El
+.Pp
+Note that there is a bit difference of specification from
+.Xr setkey 8 .
+In specification by
+.Xr setkey 8 ,
+both entrust and bypass are not used.
+Refer to
+.Xr setkey 8
+for detail.
+.Pp
+Here are several examples
+(long lines are wrapped for readability):
+.Bd -literal -offset indent
+in discard
+out ipsec esp/transport//require
+in ipsec ah/transport//require
+out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
+in ipsec ipcomp/transport//use
+        esp/transport//use
+.Ed
+.Sh RETURN VALUES
+The
+.Fn ipsec_set_policy
+function returns a pointer to the allocated buffer of policy specification if
+successful; otherwise a NULL pointer is returned.
+.Fn ipsec_get_policylen
+returns with positive value
+(meaning the buffer size)
+on success, and negative value on errors.
+.Fn ipsec_dump_policy
+returns a pointer to dynamically allocated region on success,
+and
+.Dv NULL
+on errors.
+.Sh SEE ALSO
+.Xr ipsec_strerror 3 ,
+.Xr ipsec 4 ,
+.Xr setkey 8
+.Sh HISTORY
+The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
+.Pp
+IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
+was initially integrated into
+.Fx 4.0
diff --git a/lib/libipsec/ipsec_strerror.3 b/lib/libipsec/ipsec_strerror.3
new file mode 100644
index 0000000..bdddbd5
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.3
@@ -0,0 +1,89 @@
+.\"	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
+.\"     $FreeBSD$
+.\"
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 6, 1998
+.Dt IPSEC_STRERROR 3
+.Os
+.\"
+.Sh NAME
+.Nm ipsec_strerror
+.Nd error message for IPsec policy manipulation library
+.\"
+.Sh SYNOPSIS
+.In netinet6/ipsec.h
+.Ft "const char *"
+.Fn ipsec_strerror
+.\"
+.Sh DESCRIPTION
+.Pa netinet6/ipsec.h
+declares
+.Pp
+.Dl extern int ipsec_errcode;
+.Pp
+which is used to pass an error code from IPsec policy manipulation library
+to an user program.
+The
+.Fn ipsec_strerror
+function can be used to obtain the error message string for the error code.
+.Pp
+The array pointed to is not to be modified by the program.
+Since
+.Fn ipsec_strerror
+uses
+.Xr strerror 3
+as underlying function, calling
+.Xr strerror 3
+after
+.Fn ipsec_strerror
+would make the return value from
+.Fn ipsec_strerror
+invalid, or overwritten.
+.\"
+.Sh RETURN VALUES
+The
+.Fn ipsec_strerror
+function always returns a pointer to C string.
+The C string must not be overwritten by user programs.
+.\"
+.Sh SEE ALSO
+.Xr ipsec_set_policy 3
+.\"
+.Sh HISTORY
+The
+.Fn ipsec_strerror
+function first appeared in WIDE/KAME IPv6 protocol stack kit.
+.\"
+.Sh BUGS
+The
+.Fn ipsec_strerror
+function will return its result which may be overwritten by subsequent calls.
+.Pp
+.Va ipsec_errcode
+is not thread safe.
diff --git a/lib/libipsec/ipsec_strerror.c b/lib/libipsec/ipsec_strerror.c
new file mode 100644
index 0000000..203b651
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.c
@@ -0,0 +1,90 @@
+/*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <string.h>
+#include <netinet6/ipsec.h>
+
+#include "ipsec_strerror.h"
+
+int __ipsec_errcode;
+
+static const char *ipsec_errlist[] = {
+"Success",					/*EIPSEC_NO_ERROR*/
+"Not supported",				/*EIPSEC_NOT_SUPPORTED*/
+"Invalid argument",				/*EIPSEC_INVAL_ARGUMENT*/
+"Invalid sadb message",				/*EIPSEC_INVAL_SADBMSG*/
+"Invalid version",				/*EIPSEC_INVAL_VERSION*/
+"Invalid security policy",			/*EIPSEC_INVAL_POLICY*/
+"Invalid address specification",		/*EIPSEC_INVAL_ADDRESS*/
+"Invalid ipsec protocol",			/*EIPSEC_INVAL_PROTO*/
+"Invalid ipsec mode",				/*EIPSEC_INVAL_MODE*/
+"Invalid ipsec level",				/*EIPSEC_INVAL_LEVEL*/
+"Invalid SA type",				/*EIPSEC_INVAL_SATYPE*/
+"Invalid message type",				/*EIPSEC_INVAL_MSGTYPE*/
+"Invalid extension type",			/*EIPSEC_INVAL_EXTTYPE*/
+"Invalid algorithm type",			/*EIPSEC_INVAL_ALGS*/
+"Invalid key length",				/*EIPSEC_INVAL_KEYLEN*/
+"Invalid address family",			/*EIPSEC_INVAL_FAMILY*/
+"Invalid prefix length",			/*EIPSEC_INVAL_PREFIXLEN*/
+"Invalid direciton",				/*EIPSEC_INVAL_DIR*/
+"SPI range violation",				/*EIPSEC_INVAL_SPI*/
+"No protocol specified",			/*EIPSEC_NO_PROTO*/
+"No algorithm specified",			/*EIPSEC_NO_ALGS*/
+"No buffers available",				/*EIPSEC_NO_BUFS*/
+"Must get supported algorithms list first",	/*EIPSEC_DO_GET_SUPP_LIST*/
+"Protocol mismatch",				/*EIPSEC_PROTO_MISMATCH*/
+"Family mismatch",				/*EIPSEC_FAMILY_MISMATCH*/
+"Too few arguments",				/*EIPSEC_FEW_ARGUMENTS*/
+NULL,						/*EIPSEC_SYSTEM_ERROR*/
+"Unknown error",				/*EIPSEC_MAX*/
+};
+
+const char *ipsec_strerror(void)
+{
+	if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
+		__ipsec_errcode = EIPSEC_MAX;
+
+	return ipsec_errlist[__ipsec_errcode];
+}
+
+void __ipsec_set_strerror(const char *str)
+{
+	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+	ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
+
+	return;
+}
diff --git a/lib/libipsec/ipsec_strerror.h b/lib/libipsec/ipsec_strerror.h
new file mode 100644
index 0000000..d9a1f0d
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.h
@@ -0,0 +1,63 @@
+/*	$FreeBSD$	*/
+/*	$KAME: ipsec_strerror.h,v 1.8 2000/07/30 00:45:12 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern int __ipsec_errcode;
+extern void __ipsec_set_strerror(const char *);
+
+#define EIPSEC_NO_ERROR		0	/*success*/
+#define EIPSEC_NOT_SUPPORTED	1	/*not supported*/
+#define EIPSEC_INVAL_ARGUMENT	2	/*invalid argument*/
+#define EIPSEC_INVAL_SADBMSG	3	/*invalid sadb message*/
+#define EIPSEC_INVAL_VERSION	4	/*invalid version*/
+#define EIPSEC_INVAL_POLICY	5	/*invalid security policy*/
+#define EIPSEC_INVAL_ADDRESS	6	/*invalid address specification*/
+#define EIPSEC_INVAL_PROTO	7	/*invalid ipsec protocol*/
+#define EIPSEC_INVAL_MODE	8	/*Invalid ipsec mode*/
+#define EIPSEC_INVAL_LEVEL	9	/*invalid ipsec level*/
+#define EIPSEC_INVAL_SATYPE	10	/*invalid SA type*/
+#define EIPSEC_INVAL_MSGTYPE	11	/*invalid message type*/
+#define EIPSEC_INVAL_EXTTYPE	12	/*invalid extension type*/
+#define EIPSEC_INVAL_ALGS	13	/*Invalid algorithm type*/
+#define EIPSEC_INVAL_KEYLEN	14	/*invalid key length*/
+#define EIPSEC_INVAL_FAMILY	15	/*invalid address family*/
+#define EIPSEC_INVAL_PREFIXLEN	16	/*SPI range violation*/
+#define EIPSEC_INVAL_DIR	17	/*Invalid direciton*/
+#define EIPSEC_INVAL_SPI	18	/*invalid prefixlen*/
+#define EIPSEC_NO_PROTO		19	/*no protocol specified*/
+#define EIPSEC_NO_ALGS		20	/*No algorithm specified*/
+#define EIPSEC_NO_BUFS		21	/*no buffers available*/
+#define EIPSEC_DO_GET_SUPP_LIST	22	/*must get supported algorithm first*/
+#define EIPSEC_PROTO_MISMATCH	23	/*protocol mismatch*/
+#define EIPSEC_FAMILY_MISMATCH	24	/*family mismatch*/
+#define EIPSEC_FEW_ARGUMENTS	25	/*Too few arguments*/
+#define EIPSEC_SYSTEM_ERROR	26	/*system error*/
+#define EIPSEC_MAX		27	/*unknown error*/
diff --git a/lib/libipsec/libpfkey.h b/lib/libipsec/libpfkey.h
new file mode 100644
index 0000000..07ff582
--- /dev/null
+++ b/lib/libipsec/libpfkey.h
@@ -0,0 +1,86 @@
+/*	$FreeBSD$	*/
+/*	$KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+struct sadb_msg;
+extern void pfkey_sadump(struct sadb_msg *);
+extern void pfkey_spdump(struct sadb_msg *);
+
+struct sockaddr;
+struct sadb_alg;
+int ipsec_check_keylen(u_int, u_int, u_int);
+int ipsec_check_keylen2(u_int, u_int, u_int);
+int ipsec_get_keylen(u_int, u_int, struct sadb_alg *);
+u_int pfkey_set_softrate(u_int, u_int);
+u_int pfkey_get_softrate(u_int);
+int pfkey_send_getspi(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+	u_int32_t, u_int32_t, u_int32_t, u_int32_t);
+int pfkey_send_update(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+	u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int,
+	u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t);
+int pfkey_send_add(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+	u_int32_t, u_int32_t, u_int, caddr_t, u_int, u_int, u_int, u_int,
+	u_int, u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t);
+int pfkey_send_delete(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+	u_int32_t);
+int pfkey_send_delete_all(int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *);
+int pfkey_send_get(int, u_int, u_int, struct sockaddr *, struct sockaddr *,
+	u_int32_t);
+int pfkey_send_register(int, u_int);
+int pfkey_recv_register(int);
+int pfkey_set_supported(struct sadb_msg *, int);
+int pfkey_send_flush(int, u_int);
+int pfkey_send_dump(int, u_int);
+int pfkey_send_promisc_toggle(int, int);
+int pfkey_send_spdadd(int, struct sockaddr *, u_int, struct sockaddr *, u_int,
+	u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdadd2(int, struct sockaddr *, u_int, struct sockaddr *, u_int,
+	u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t);
+int pfkey_send_spdupdate(int, struct sockaddr *, u_int, struct sockaddr *,
+	u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdupdate2(int, struct sockaddr *, u_int, struct sockaddr *,
+	u_int, u_int, u_int64_t, u_int64_t, caddr_t, int, u_int32_t);
+int pfkey_send_spddelete(int, struct sockaddr *, u_int, struct sockaddr *,
+	u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spddelete2(int, u_int32_t);
+int pfkey_send_spdget(int, u_int32_t);
+int pfkey_send_spdsetidx(int, struct sockaddr *, u_int, struct sockaddr *,
+	u_int, u_int, caddr_t, int, u_int32_t);
+int pfkey_send_spdflush(int);
+int pfkey_send_spddump(int);
+
+int pfkey_open(void);
+void pfkey_close(int);
+struct sadb_msg *pfkey_recv(int);
+int pfkey_send(int, struct sadb_msg *, int);
+int pfkey_align(struct sadb_msg *, caddr_t *);
+int pfkey_check(caddr_t *);
diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c
new file mode 100644
index 0000000..42137f9
--- /dev/null
+++ b/lib/libipsec/pfkey.c
@@ -0,0 +1,2110 @@
+/*	$KAME: pfkey.c,v 1.39 2001/03/05 18:22:17 thorpej Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <net/pfkeyv2.h>
+#include <netkey/key_var.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <stdio.h>
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+#define CALLOC(size, cast) (cast)calloc(1, (size))
+
+static int findsupportedmap(int);
+static int setsupportedmap(struct sadb_supported *);
+static struct sadb_alg *findsupportedalg(u_int, u_int);
+static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
+	struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
+	u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
+	u_int32_t, u_int32_t, u_int32_t);
+static int pfkey_send_x2(int, u_int, u_int, u_int,
+	struct sockaddr *, struct sockaddr *, u_int32_t);
+static int pfkey_send_x3(int, u_int, u_int);
+static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
+	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+	char *, int, u_int32_t);
+static int pfkey_send_x5(int, u_int, u_int32_t);
+
+static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
+	u_int, u_int32_t, pid_t);
+static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
+	u_int, u_int, u_int32_t);
+static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
+	struct sockaddr *, u_int, u_int);
+static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
+static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
+	u_int32_t, u_int32_t, u_int32_t);
+static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
+
+/*
+ * make and search supported algorithm structure.
+ */
+static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
+
+static int supported_map[] = {
+	SADB_SATYPE_AH,
+	SADB_SATYPE_ESP,
+	SADB_X_SATYPE_IPCOMP,
+};
+
+static int
+findsupportedmap(satype)
+	int satype;
+{
+	int i;
+
+	for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
+		if (supported_map[i] == satype)
+			return i;
+	return -1;
+}
+
+static struct sadb_alg *
+findsupportedalg(satype, alg_id)
+	u_int satype, alg_id;
+{
+	int algno;
+	int tlen;
+	caddr_t p;
+
+	/* validity check */
+	algno = findsupportedmap(satype);
+	if (algno == -1) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return NULL;
+	}
+	if (ipsec_supported[algno] == NULL) {
+		__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
+		return NULL;
+	}
+
+	tlen = ipsec_supported[algno]->sadb_supported_len
+		- sizeof(struct sadb_supported);
+	p = (caddr_t)(ipsec_supported[algno] + 1);
+	while (tlen > 0) {
+		if (tlen < sizeof(struct sadb_alg)) {
+			/* invalid format */
+			break;
+		}
+		if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
+			return (struct sadb_alg *)p;
+
+		tlen -= sizeof(struct sadb_alg);
+		p += sizeof(struct sadb_alg);
+	}
+
+	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+	return NULL;
+}
+
+static int
+setsupportedmap(sup)
+	struct sadb_supported *sup;
+{
+	struct sadb_supported **ipsup;
+
+	switch (sup->sadb_supported_exttype) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	if (*ipsup)
+		free(*ipsup);
+
+	*ipsup = malloc(sup->sadb_supported_len);
+	if (!*ipsup) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	memcpy(*ipsup, sup, sup->sadb_supported_len);
+
+	return 0;
+}
+
+/*
+ * check key length against algorithm specified.
+ * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
+ * augument, and only calls to ipsec_check_keylen2();
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_check_keylen(supported, alg_id, keylen)
+	u_int supported;
+	u_int alg_id;
+	u_int keylen;
+{
+	int satype;
+
+	/* validity check */
+	switch (supported) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		satype = SADB_SATYPE_AH;
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		satype = SADB_SATYPE_ESP;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	return ipsec_check_keylen2(satype, alg_id, keylen);
+}
+
+/*
+ * check key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_check_keylen2(satype, alg_id, keylen)
+	u_int satype;
+	u_int alg_id;
+	u_int keylen;
+{
+	struct sadb_alg *alg;
+
+	alg = findsupportedalg(satype, alg_id);
+	if (!alg)
+		return -1;
+
+	if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
+		__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * get max/min key length against algorithm specified.
+ * satype is one of satype defined at pfkeyv2.h.
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+int
+ipsec_get_keylen(supported, alg_id, alg0)
+	u_int supported, alg_id;
+	struct sadb_alg *alg0;
+{
+	struct sadb_alg *alg;
+	u_int satype;
+
+	/* validity check */
+	if (!alg0) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	switch (supported) {
+	case SADB_EXT_SUPPORTED_AUTH:
+		satype = SADB_SATYPE_AH;
+		break;
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		satype = SADB_SATYPE_ESP;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	alg = findsupportedalg(satype, alg_id);
+	if (!alg)
+		return -1;
+
+	memcpy(alg0, alg, sizeof(*alg0));
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set the rate for SOFT lifetime against HARD one.
+ * If rate is more than 100 or equal to zero, then set to 100.
+ */
+static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
+
+u_int
+pfkey_set_softrate(type, rate)
+	u_int type, rate;
+{
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	if (rate > 100 || rate == 0)
+		rate = 100;
+
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		soft_lifetime_allocations_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_BYTES:
+		soft_lifetime_bytes_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_ADDTIME:
+		soft_lifetime_addtime_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_USETIME:
+		soft_lifetime_usetime_rate = rate;
+		return 0;
+	}
+
+	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+	return 1;
+}
+
+/*
+ * get current rate for SOFT lifetime against HARD one.
+ * ATTENTION: ~0 is returned if invalid type was passed.
+ */
+u_int
+pfkey_get_softrate(type)
+	u_int type;
+{
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		return soft_lifetime_allocations_rate;
+	case SADB_X_LIFETIME_BYTES:
+		return soft_lifetime_bytes_rate;
+	case SADB_X_LIFETIME_ADDTIME:
+		return soft_lifetime_addtime_rate;
+	case SADB_X_LIFETIME_USETIME:
+		return soft_lifetime_usetime_rate;
+	}
+
+	return ~0;
+}
+
+/*
+ * sending SADB_GETSPI message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t min, max, reqid, seq;
+{
+	struct sadb_msg *newmsg;
+	caddr_t ep;
+	int len;
+	int need_spirange = 0;
+	caddr_t p;
+	int plen;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	if (min > max || (min > 0 && min <= 255)) {
+		__ipsec_errcode = EIPSEC_INVAL_SPI;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_x_sa2)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len);
+
+	if (min > 255 && max < ~0) {
+		need_spirange++;
+		len += sizeof(struct sadb_spirange);
+	}
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
+	    len, satype, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* set sadb_address for source */
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* set sadb_address for destination */
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* proccessing spi range */
+	if (need_spirange) {
+		struct sadb_spirange spirange;
+
+		if (p + sizeof(spirange) > ep) {
+			free(newmsg);
+			return -1;
+		}
+
+		memset(&spirange, 0, sizeof(spirange));
+		spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
+		spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+		spirange.sadb_spirange_min = min;
+		spirange.sadb_spirange_max = max;
+
+		memcpy(p, &spirange, sizeof(spirange));
+
+		p += sizeof(spirange);
+	}
+	if (p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_UPDATE message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_ADD message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
+			reqid, wsize,
+			keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_delete(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DELETE without spi to the kernel.  This is
+ * the "delete all" request (an extension also present in
+ * Solaris).
+ *
+ * OUT:
+ *	positive: success and return length sent
+ *	-1	: error occured, and set errno
+ */
+int
+pfkey_send_delete_all(so, satype, mode, src, dst)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
+	    getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_GET message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_get(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_register(so, satype)
+	int so;
+	u_int satype;
+{
+	int len, algno;
+
+	if (satype == PF_UNSPEC) {
+		for (algno = 0;
+		     algno < sizeof(supported_map)/sizeof(supported_map[0]);
+		     algno++) {
+			if (ipsec_supported[algno]) {
+				free(ipsec_supported[algno]);
+				ipsec_supported[algno] = NULL;
+			}
+		}
+	} else {
+		algno = findsupportedmap(satype);
+		if (algno == -1) {
+			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+			return -1;
+		}
+
+		if (ipsec_supported[algno]) {
+			free(ipsec_supported[algno]);
+			ipsec_supported[algno] = NULL;
+		}
+	}
+
+	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * receiving SADB_REGISTER message from the kernel, and copy buffer for
+ * sadb_supported returned into ipsec_supported.
+ * OUT:
+ *	 0: success and return length sent.
+ *	-1: error occured, and set errno.
+ */
+int
+pfkey_recv_register(so)
+	int so;
+{
+	pid_t pid = getpid();
+	struct sadb_msg *newmsg;
+	int error = -1;
+
+	/* receive message */
+	do {
+		if ((newmsg = pfkey_recv(so)) == NULL)
+			return -1;
+	} while (newmsg->sadb_msg_type != SADB_REGISTER
+	    || newmsg->sadb_msg_pid != pid);
+
+	/* check and fix */
+	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
+
+	error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
+	free(newmsg);
+
+	if (error == 0)
+		__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return error;
+}
+
+/*
+ * receiving SADB_REGISTER message from the kernel, and copy buffer for
+ * sadb_supported returned into ipsec_supported.
+ * NOTE: sadb_msg_len must be host order.
+ * IN:
+ *	tlen: msg length, it's to makeing sure.
+ * OUT:
+ *	 0: success and return length sent.
+ *	-1: error occured, and set errno.
+ */
+int
+pfkey_set_supported(msg, tlen)
+	struct sadb_msg *msg;
+	int tlen;
+{
+	struct sadb_supported *sup;
+	caddr_t p;
+	caddr_t ep;
+
+	/* validity */
+	if (msg->sadb_msg_len != tlen) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	p = (caddr_t)msg;
+	ep = p + tlen;
+
+	p += sizeof(struct sadb_msg);
+
+	while (p < ep) {
+		sup = (struct sadb_supported *)p;
+		if (ep < p + sizeof(*sup) ||
+		    PFKEY_EXTLEN(sup) < sizeof(*sup) ||
+		    ep < p + sup->sadb_supported_len) {
+			/* invalid format */
+			break;
+		}
+
+		switch (sup->sadb_supported_exttype) {
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+
+		/* fixed length */
+		sup->sadb_supported_len = PFKEY_EXTLEN(sup);
+
+		/* set supported map */
+		if (setsupportedmap(sup) != 0)
+			return -1;
+
+		p += sup->sadb_supported_len;
+	}
+
+	if (p != ep) {
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return 0;
+}
+
+/*
+ * sending SADB_FLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_flush(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_dump(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_PROMISC message to the kernel.
+ * NOTE that this function handles promisc mode toggle only.
+ * IN:
+ *	flag:	set promisc off if zero, set promisc on if non-zero.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ *	0     : error occured, and set errno.
+ *	others: a pointer to new allocated buffer in which supported
+ *	        algorithms is.
+ */
+int
+pfkey_send_promisc_toggle(so, flag)
+	int so;
+	int flag;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDADD message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDADD message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
+		policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
+				src, prefs, dst, prefd, proto,
+				ltime, vtime,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDUPDATE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDUPDATE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
+		policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
+				src, prefs, dst, prefd, proto,
+				ltime, vtime,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if (policylen != sizeof(struct sadb_x_policy)) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddelete2(so, spid)
+	int so;
+	u_int32_t spid;
+{
+	int len;
+
+	if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDGET message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdget(so, spid)
+	int so;
+	u_int32_t spid;
+{
+	int len;
+
+	if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDSETIDX message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	caddr_t policy;
+	int policylen;
+	u_int32_t seq;
+{
+	int len;
+
+	if (policylen != sizeof(struct sadb_x_policy)) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
+				src, prefs, dst, prefd, proto,
+				0, 0,
+				policy, policylen, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_SPDFLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdflush(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_SPDDUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddump(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/* sending SADB_ADD or SADB_UPDATE message to the kernel */
+static int
+pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi, reqid;
+	u_int wsize;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	switch (satype) {
+	case SADB_SATYPE_ESP:
+		if (e_type == SADB_EALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_AH:
+		if (e_type != SADB_EALG_NONE) {
+			__ipsec_errcode = EIPSEC_INVAL_ALGS;
+			return -1;
+		}
+		if (a_type == SADB_AALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_X_SATYPE_IPCOMP:
+		if (e_type == SADB_X_CALG_NONE) {
+			__ipsec_errcode = EIPSEC_INVAL_ALGS;
+			return -1;
+		}
+		if (a_type != SADB_AALG_NONE) {
+			__ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_x_sa2)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len)
+		+ sizeof(struct sadb_lifetime)
+		+ sizeof(struct sadb_lifetime);
+
+	if (e_type != SADB_EALG_NONE)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
+	if (a_type != SADB_AALG_NONE)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	                     satype, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	if (e_type != SADB_EALG_NONE) {
+		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
+		                   keymat, e_keylen);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+	}
+	if (a_type != SADB_AALG_NONE) {
+		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
+		                   keymat + e_keylen, a_keylen);
+		if (!p) {
+			free(newmsg);
+			return -1;
+		}
+	}
+
+	/* set sadb_lifetime for destination */
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_DELETE or SADB_GET message to the kernel */
+static int
+pfkey_send_x2(so, type, satype, mode, src, dst, spi)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	    getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
+	    IPSEC_ULPROTO_ANY);
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
+ * to the kernel
+ */
+static int
+pfkey_send_x3(so, type, satype)
+	int so;
+	u_int type, satype;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	caddr_t ep;
+
+	/* validity check */
+	switch (type) {
+	case SADB_X_PROMISC:
+		if (satype != 0 && satype != 1) {
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	default:
+		switch (satype) {
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_AH:
+		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_IPCOMP:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
+	    getpid());
+	if (!p || p != ep) {
+		free(newmsg);
+		return -1;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_X_SPDADD message to the kernel */
+static int
+pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
+		ltime, vtime, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int type, prefs, prefd, proto;
+	u_int64_t ltime, vtime;
+	char *policy;
+	int policylen;
+	u_int32_t seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+	int plen;
+	caddr_t ep;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+
+	switch (src->sa_family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+		return -1;
+	}
+	if (prefs > plen || prefd > plen) {
+		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_lifetime)
+		+ policylen;
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	    SADB_SATYPE_UNSPEC, seq, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
+			0, 0, ltime, vtime);
+	if (!p || p + policylen != ep) {
+		free(newmsg);
+		return -1;
+	}
+	memcpy(p, policy, policylen);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
+static int
+pfkey_send_x5(so, type, spid)
+	int so;
+	u_int type;
+	u_int32_t spid;
+{
+	struct sadb_msg *newmsg;
+	struct sadb_x_policy xpl;
+	int len;
+	caddr_t p;
+	caddr_t ep;
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(xpl);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+	ep = ((caddr_t)newmsg) + len;
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
+	    SADB_SATYPE_UNSPEC, 0, getpid());
+	if (!p) {
+		free(newmsg);
+		return -1;
+	}
+
+	if (p + sizeof(xpl) != ep) {
+		free(newmsg);
+		return -1;
+	}
+	memset(&xpl, 0, sizeof(xpl));
+	xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl));
+	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	xpl.sadb_x_policy_id = spid;
+	memcpy(p, &xpl, sizeof(xpl));
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * open a socket.
+ * OUT:
+ *	-1: fail.
+ *	others : success and return value of socket.
+ */
+int
+pfkey_open()
+{
+	int so;
+	const int bufsiz = 128 * 1024;	/*is 128K enough?*/
+
+	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	/*
+	 * This is a temporary workaround for KAME PR 154.
+	 * Don't really care even if it fails.
+	 */
+	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return so;
+}
+
+/*
+ * close a socket.
+ * OUT:
+ *	 0: success.
+ *	-1: fail.
+ */
+void
+pfkey_close(so)
+	int so;
+{
+	(void)close(so);
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return;
+}
+
+/*
+ * receive sadb_msg data, and return pointer to new buffer allocated.
+ * Must free this buffer later.
+ * OUT:
+ *	NULL	: error occured.
+ *	others	: a pointer to sadb_msg structure.
+ *
+ * XXX should be rewritten to pass length explicitly
+ */
+struct sadb_msg *
+pfkey_recv(so)
+	int so;
+{
+	struct sadb_msg buf, *newmsg;
+	int len, reallen;
+
+	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
+		if (errno == EINTR)
+			continue;
+		__ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	if (len < sizeof(buf)) {
+		recv(so, (caddr_t)&buf, sizeof(buf), 0);
+		__ipsec_errcode = EIPSEC_MAX;
+		return NULL;
+	}
+
+	/* read real message */
+	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
+	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+		if (errno == EINTR)
+			continue;
+		__ipsec_set_strerror(strerror(errno));
+		free(newmsg);
+		return NULL;
+	}
+
+	if (len != reallen) {
+		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+		free(newmsg);
+		return NULL;
+	}
+
+	/* don't trust what the kernel says, validate! */
+	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
+		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+		free(newmsg);
+		return NULL;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return newmsg;
+}
+
+/*
+ * send message to a socket.
+ * OUT:
+ *	 others: success and return length sent.
+ *	-1     : fail.
+ */
+int
+pfkey_send(so, msg, len)
+	int so;
+	struct sadb_msg *msg;
+	int len;
+{
+	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
+		__ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * %%% Utilities
+ * NOTE: These functions are derived from netkey/key.c in KAME.
+ */
+/*
+ * set the pointer to each header in this message buffer.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ *
+ * XXX should be rewritten to obtain length explicitly
+ */
+int
+pfkey_align(msg, mhp)
+	struct sadb_msg *msg;
+	caddr_t *mhp;
+{
+	struct sadb_ext *ext;
+	int i;
+	caddr_t p;
+	caddr_t ep;	/* XXX should be passed from upper layer */
+
+	/* validity check */
+	if (msg == NULL || mhp == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	/* initialize */
+	for (i = 0; i < SADB_EXT_MAX + 1; i++)
+		mhp[i] = NULL;
+
+	mhp[0] = (caddr_t)msg;
+
+	/* initialize */
+	p = (caddr_t) msg;
+	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
+
+	/* skip base header */
+	p += sizeof(struct sadb_msg);
+
+	while (p < ep) {
+		ext = (struct sadb_ext *)p;
+		if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
+		    ep < p + PFKEY_EXTLEN(ext)) {
+			/* invalid format */
+			break;
+		}
+
+		/* duplicate check */
+		/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
+		if (mhp[ext->sadb_ext_type] != NULL) {
+			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		/* set pointer */
+		switch (ext->sadb_ext_type) {
+		case SADB_EXT_SA:
+		case SADB_EXT_LIFETIME_CURRENT:
+		case SADB_EXT_LIFETIME_HARD:
+		case SADB_EXT_LIFETIME_SOFT:
+		case SADB_EXT_ADDRESS_SRC:
+		case SADB_EXT_ADDRESS_DST:
+		case SADB_EXT_ADDRESS_PROXY:
+		case SADB_EXT_KEY_AUTH:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_KEY_ENCRYPT:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_IDENTITY_SRC:
+		case SADB_EXT_IDENTITY_DST:
+		case SADB_EXT_SENSITIVITY:
+		case SADB_EXT_PROPOSAL:
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+		case SADB_EXT_SPIRANGE:
+		case SADB_X_EXT_POLICY:
+		case SADB_X_EXT_SA2:
+			mhp[ext->sadb_ext_type] = (caddr_t)ext;
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		p += PFKEY_EXTLEN(ext);
+	}
+
+	if (p != ep) {
+		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+		return -1;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * check basic usage for sadb_msg,
+ * NOTE: This routine is derived from netkey/key.c in KAME.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ *
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ */
+int
+pfkey_check(mhp)
+	caddr_t *mhp;
+{
+	struct sadb_msg *msg;
+
+	/* validity check */
+	if (mhp == NULL || mhp[0] == NULL) {
+		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	msg = (struct sadb_msg *)mhp[0];
+
+	/* check version */
+	if (msg->sadb_msg_version != PF_KEY_V2) {
+		__ipsec_errcode = EIPSEC_INVAL_VERSION;
+		return -1;
+	}
+
+	/* check type */
+	if (msg->sadb_msg_type > SADB_MAX) {
+		__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
+		return -1;
+	}
+
+	/* check SA type */
+	switch (msg->sadb_msg_satype) {
+	case SADB_SATYPE_UNSPEC:
+		switch (msg->sadb_msg_type) {
+		case SADB_GETSPI:
+		case SADB_UPDATE:
+		case SADB_ADD:
+		case SADB_DELETE:
+		case SADB_GET:
+		case SADB_ACQUIRE:
+		case SADB_EXPIRE:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_ESP:
+	case SADB_SATYPE_AH:
+	case SADB_X_SATYPE_IPCOMP:
+		switch (msg->sadb_msg_type) {
+		case SADB_X_SPDADD:
+		case SADB_X_SPDDELETE:
+		case SADB_X_SPDGET:
+		case SADB_X_SPDDUMP:
+		case SADB_X_SPDFLUSH:
+			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_RSVP:
+	case SADB_SATYPE_OSPFV2:
+	case SADB_SATYPE_RIPV2:
+	case SADB_SATYPE_MIP:
+		__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+		return -1;
+	case 1:	/* XXX: What does it do ? */
+		if (msg->sadb_msg_type == SADB_X_PROMISC)
+			break;
+		/*FALLTHROUGH*/
+	default:
+		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* check field of upper layer protocol and address family */
+	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
+	 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
+		struct sadb_address *src0, *dst0;
+
+		src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
+		dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
+
+		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
+			__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
+			return -1;
+		}
+
+		if (PFKEY_ADDR_SADDR(src0)->sa_family
+		 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
+			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+			return -1;
+		}
+
+		switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			break;
+		default:
+			__ipsec_errcode = EIPSEC_INVAL_FAMILY;
+			return -1;
+		}
+
+		/*
+		 * prefixlen == 0 is valid because there must be the case
+		 * all addresses are matched.
+		 */
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set data into sadb_msg.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type, satype;
+	u_int tlen;
+	u_int32_t seq;
+	pid_t pid;
+{
+	struct sadb_msg *p;
+	u_int len;
+
+	p = (struct sadb_msg *)buf;
+	len = sizeof(struct sadb_msg);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_msg_version = PF_KEY_V2;
+	p->sadb_msg_type = type;
+	p->sadb_msg_errno = 0;
+	p->sadb_msg_satype = satype;
+	p->sadb_msg_len = PFKEY_UNIT64(tlen);
+	p->sadb_msg_reserved = 0;
+	p->sadb_msg_seq = seq;
+	p->sadb_msg_pid = (u_int32_t)pid;
+
+	return(buf + len);
+}
+
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
+	caddr_t buf;
+	caddr_t lim;
+	u_int32_t spi, flags;
+	u_int wsize, auth, enc;
+{
+	struct sadb_sa *p;
+	u_int len;
+
+	p = (struct sadb_sa *)buf;
+	len = sizeof(struct sadb_sa);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_sa_len = PFKEY_UNIT64(len);
+	p->sadb_sa_exttype = SADB_EXT_SA;
+	p->sadb_sa_spi = spi;
+	p->sadb_sa_replay = wsize;
+	p->sadb_sa_state = SADB_SASTATE_LARVAL;
+	p->sadb_sa_auth = auth;
+	p->sadb_sa_encrypt = enc;
+	p->sadb_sa_flags = flags;
+
+	return(buf + len);
+}
+
+/*
+ * set data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ * prefixlen is in bits.
+ */
+static caddr_t
+pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
+	caddr_t buf;
+	caddr_t lim;
+	u_int exttype;
+	struct sockaddr *saddr;
+	u_int prefixlen;
+	u_int ul_proto;
+{
+	struct sadb_address *p;
+	u_int len;
+
+	p = (struct sadb_address *)buf;
+	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_address_len = PFKEY_UNIT64(len);
+	p->sadb_address_exttype = exttype & 0xffff;
+	p->sadb_address_proto = ul_proto & 0xff;
+	p->sadb_address_prefixlen = prefixlen;
+	p->sadb_address_reserved = 0;
+
+	memcpy(p + 1, saddr, saddr->sa_len);
+
+	return(buf + len);
+}
+
+/*
+ * set sadb_key structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadbkey(buf, lim, type, key, keylen)
+	caddr_t buf;
+	caddr_t lim;
+	caddr_t key;
+	u_int type, keylen;
+{
+	struct sadb_key *p;
+	u_int len;
+
+	p = (struct sadb_key *)buf;
+	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_key_len = PFKEY_UNIT64(len);
+	p->sadb_key_exttype = type;
+	p->sadb_key_bits = keylen << 3;
+	p->sadb_key_reserved = 0;
+
+	memcpy(p + 1, key, keylen);
+
+	return buf + len;
+}
+
+/*
+ * set sadb_lifetime structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
+	caddr_t buf;
+	caddr_t lim;
+	u_int type;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
+{
+	struct sadb_lifetime *p;
+	u_int len;
+
+	p = (struct sadb_lifetime *)buf;
+	len = sizeof(struct sadb_lifetime);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_lifetime_len = PFKEY_UNIT64(len);
+	p->sadb_lifetime_exttype = type;
+
+	switch (type) {
+	case SADB_EXT_LIFETIME_SOFT:
+		p->sadb_lifetime_allocations
+			= (l_alloc * soft_lifetime_allocations_rate) /100;
+		p->sadb_lifetime_bytes
+			= (l_bytes * soft_lifetime_bytes_rate) /100;
+		p->sadb_lifetime_addtime
+			= (l_addtime * soft_lifetime_addtime_rate) /100;
+		p->sadb_lifetime_usetime
+			= (l_usetime * soft_lifetime_usetime_rate) /100;
+		break;
+	case SADB_EXT_LIFETIME_HARD:
+		p->sadb_lifetime_allocations = l_alloc;
+		p->sadb_lifetime_bytes = l_bytes;
+		p->sadb_lifetime_addtime = l_addtime;
+		p->sadb_lifetime_usetime = l_usetime;
+		break;
+	}
+
+	return buf + len;
+}
+
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbxsa2(buf, lim, mode0, reqid)
+	caddr_t buf;
+	caddr_t lim;
+	u_int32_t mode0;
+	u_int32_t reqid;
+{
+	struct sadb_x_sa2 *p;
+	u_int8_t mode = mode0 & 0xff;
+	u_int len;
+
+	p = (struct sadb_x_sa2 *)buf;
+	len = sizeof(struct sadb_x_sa2);
+
+	if (buf + len > lim)
+		return NULL;
+
+	memset(p, 0, len);
+	p->sadb_x_sa2_len = PFKEY_UNIT64(len);
+	p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+	p->sadb_x_sa2_mode = mode;
+	p->sadb_x_sa2_reqid = reqid;
+
+	return(buf + len);
+}
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
new file mode 100644
index 0000000..2ea6246
--- /dev/null
+++ b/lib/libipsec/pfkey_dump.c
@@ -0,0 +1,600 @@
+/*	$KAME: pfkey_dump.c,v 1.28 2001/06/27 10:46:51 sakane Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet6/ipsec.h>
+#include <net/pfkeyv2.h>
+#include <netkey/key_var.h>
+#include <netkey/key_debug.h>
+
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+#include <arpa/inet.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+#include "libpfkey.h"
+
+/* cope with old kame headers - ugly */
+#ifndef SADB_X_AALG_MD5
+#define SADB_X_AALG_MD5		SADB_AALG_MD5	
+#endif
+#ifndef SADB_X_AALG_SHA
+#define SADB_X_AALG_SHA		SADB_AALG_SHA
+#endif
+#ifndef SADB_X_AALG_NULL
+#define SADB_X_AALG_NULL	SADB_AALG_NULL
+#endif
+
+#ifndef SADB_X_EALG_BLOWFISHCBC
+#define SADB_X_EALG_BLOWFISHCBC	SADB_EALG_BLOWFISHCBC
+#endif
+#ifndef SADB_X_EALG_CAST128CBC
+#define SADB_X_EALG_CAST128CBC	SADB_EALG_CAST128CBC
+#endif
+#ifndef SADB_X_EALG_RC5CBC
+#ifdef SADB_EALG_RC5CBC
+#define SADB_X_EALG_RC5CBC	SADB_EALG_RC5CBC
+#endif
+#endif
+
+#define GETMSGSTR(str, num) \
+do { \
+	if (sizeof((str)[0]) == 0 \
+	 || num >= sizeof(str)/sizeof((str)[0])) \
+		printf("%d ", (num)); \
+	else if (strlen((str)[(num)]) == 0) \
+		printf("%d ", (num)); \
+	else \
+		printf("%s ", (str)[(num)]); \
+} while (0)
+
+#define GETMSGV2S(v2s, num) \
+do { \
+	struct val2str *p;  \
+	for (p = (v2s); p && p->str; p++) { \
+		if (p->val == (num)) \
+			break; \
+	} \
+	if (p && p->str) \
+		printf("%s ", p->str); \
+	else \
+		printf("%d ", (num)); \
+} while (0)
+
+static char *str_ipaddr(struct sockaddr *);
+static char *str_prefport(u_int, u_int, u_int);
+static char *str_time(time_t);
+static void str_lifetime_byte(struct sadb_lifetime *, char *);
+
+struct val2str {
+	int val;
+	const char *str;
+};
+
+/*
+ * Must to be re-written about following strings.
+ */
+static char *str_satype[] = {
+	"unspec",
+	"unknown",
+	"ah",
+	"esp",
+	"unknown",
+	"rsvp",
+	"ospfv2",
+	"ripv2",
+	"mip",
+	"ipcomp",
+};
+
+static char *str_mode[] = {
+	"any",
+	"transport",
+	"tunnel",
+};
+
+static char *str_upper[] = {
+/*0*/	"ip", "icmp", "igmp", "ggp", "ip4",
+	"", "tcp", "", "egp", "",
+/*10*/	"", "", "", "", "",
+	"", "", "udp", "", "",
+/*20*/	"", "", "idp", "", "",
+	"", "", "", "", "tp",
+/*30*/	"", "", "", "", "",
+	"", "", "", "", "",
+/*40*/	"", "ip6", "", "rt6", "frag6",
+	"", "rsvp", "gre", "", "",
+/*50*/	"esp", "ah", "", "", "",
+	"", "", "", "icmp6", "none",
+/*60*/	"dst6",
+};
+
+static char *str_state[] = {
+	"larval",
+	"mature",
+	"dying",
+	"dead",
+};
+
+static struct val2str str_alg_auth[] = {
+	{ SADB_AALG_NONE, "none", },
+	{ SADB_AALG_MD5HMAC, "hmac-md5", },
+	{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
+	{ SADB_X_AALG_MD5, "md5", },
+	{ SADB_X_AALG_SHA, "sha", },
+	{ SADB_X_AALG_NULL, "null", },
+#ifdef SADB_X_AALG_SHA2_256
+	{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
+#endif
+#ifdef SADB_X_AALG_SHA2_384
+	{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
+#endif
+#ifdef SADB_X_AALG_SHA2_512
+	{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
+#endif
+	{ -1, NULL, },
+};
+
+static struct val2str str_alg_enc[] = {
+	{ SADB_EALG_NONE, "none", },
+	{ SADB_EALG_DESCBC, "des-cbc", },
+	{ SADB_EALG_3DESCBC, "3des-cbc", },
+	{ SADB_EALG_NULL, "null", },
+#ifdef SADB_X_EALG_RC5CBC
+	{ SADB_X_EALG_RC5CBC, "rc5-cbc", },
+#endif
+	{ SADB_X_EALG_CAST128CBC, "cast128-cbc", },
+	{ SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
+#ifdef SADB_X_EALG_RIJNDAELCBC
+	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
+#endif
+#ifdef SADB_X_EALG_TWOFISHCBC
+	{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
+#endif
+	{ -1, NULL, },
+};
+
+static struct val2str str_alg_comp[] = {
+	{ SADB_X_CALG_NONE, "none", },
+	{ SADB_X_CALG_OUI, "oui", },
+	{ SADB_X_CALG_DEFLATE, "deflate", },
+	{ SADB_X_CALG_LZS, "lzs", },
+	{ -1, NULL, },
+};
+
+/*
+ * dump SADB_MSG formated.  For debugging, you should use kdebug_sadb().
+ */
+void
+pfkey_sadump(m)
+	struct sadb_msg *m;
+{
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_sa *m_sa;
+	struct sadb_x_sa2 *m_sa2;
+	struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
+	struct sadb_address *m_saddr, *m_daddr, *m_paddr;
+	struct sadb_key *m_auth, *m_enc;
+	struct sadb_ident *m_sid, *m_did;
+	struct sadb_sens *m_sens;
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+	m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
+	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
+	m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
+	m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
+	m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+	m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
+	m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
+
+	/* source address */
+	if (m_saddr == NULL) {
+		printf("no ADDRESS_SRC extension.\n");
+		return;
+	}
+	printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+
+	/* destination address */
+	if (m_daddr == NULL) {
+		printf("no ADDRESS_DST extension.\n");
+		return;
+	}
+	printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+
+	/* SA type */
+	if (m_sa == NULL) {
+		printf("no SA extension.\n");
+		return;
+	}
+	if (m_sa2 == NULL) {
+		printf("no SA2 extension.\n");
+		return;
+	}
+	printf("\n\t");
+
+	GETMSGSTR(str_satype, m->sadb_msg_satype);
+
+	printf("mode=");
+	GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
+
+	printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		(u_int32_t)m_sa2->sadb_x_sa2_reqid,
+		(u_int32_t)m_sa2->sadb_x_sa2_reqid);
+
+	/* encryption key */
+	if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
+		printf("\tC: ");
+		GETMSGV2S(str_alg_comp, m_sa->sadb_sa_encrypt);
+	} else if (m->sadb_msg_satype == SADB_SATYPE_ESP) {
+		if (m_enc != NULL) {
+			printf("\tE: ");
+			GETMSGV2S(str_alg_enc, m_sa->sadb_sa_encrypt);
+			ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
+				      m_enc->sadb_key_bits / 8);
+			printf("\n");
+		}
+	}
+
+	/* authentication key */
+	if (m_auth != NULL) {
+		printf("\tA: ");
+		GETMSGV2S(str_alg_auth, m_sa->sadb_sa_auth);
+		ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
+		              m_auth->sadb_key_bits / 8);
+		printf("\n");
+	}
+
+	/* replay windoe size & flags */
+	printf("\tseq=0x%08x replay=%u flags=0x%08x ",
+		m_sa2->sadb_x_sa2_sequence,
+		m_sa->sadb_sa_replay,
+		m_sa->sadb_sa_flags);
+
+	/* state */
+	printf("state=");
+	GETMSGSTR(str_state, m_sa->sadb_sa_state);
+	printf("\n");
+
+	/* lifetime */
+	if (m_lftc != NULL) {
+		time_t tmp_time = time(0);
+
+		printf("\tcreated: %s",
+			str_time(m_lftc->sadb_lifetime_addtime));
+		printf("\tcurrent: %s\n", str_time(tmp_time));
+		printf("\tdiff: %lu(s)",
+			(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
+			0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
+
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_addtime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_addtime));
+
+		printf("\tlast: %s",
+			str_time(m_lftc->sadb_lifetime_usetime));
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_usetime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_usetime));
+
+		str_lifetime_byte(m_lftc, "current");
+		str_lifetime_byte(m_lfth, "hard");
+		str_lifetime_byte(m_lfts, "soft");
+		printf("\n");
+
+		printf("\tallocated: %lu",
+			(unsigned long)m_lftc->sadb_lifetime_allocations);
+		printf("\thard: %lu",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_allocations));
+		printf("\tsoft: %lu\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_allocations));
+	}
+
+	printf("\tsadb_seq=%lu pid=%lu ",
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* XXX DEBUG */
+	printf("refcnt=%u\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+void
+pfkey_spdump(m)
+	struct sadb_msg *m;
+{
+	char pbuf[NI_MAXSERV];
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_address *m_saddr, *m_daddr;
+	struct sadb_x_policy *m_xpl;
+	struct sadb_lifetime *m_lft = NULL;
+	struct sockaddr *sa;
+	u_int16_t port;
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+	m_lft = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+
+	/* source address */
+	if (m_saddr == NULL) {
+		printf("no ADDRESS_SRC extension.\n");
+		return;
+	}
+	sa = (struct sockaddr *)(m_saddr + 1);
+	switch (sa->sa_family) {
+	case AF_INET:
+	case AF_INET6:
+		if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+		    NI_NUMERICSERV) != 0)
+			port = 0;	/*XXX*/
+		else
+			port = atoi(pbuf);
+		printf("%s%s ", str_ipaddr(sa),
+			str_prefport(sa->sa_family,
+			    m_saddr->sadb_address_prefixlen, port));
+		break;
+	default:
+		printf("unknown-af ");
+		break;
+	}
+
+	/* destination address */
+	if (m_daddr == NULL) {
+		printf("no ADDRESS_DST extension.\n");
+		return;
+	}
+	sa = (struct sockaddr *)(m_daddr + 1);
+	switch (sa->sa_family) {
+	case AF_INET:
+	case AF_INET6:
+		if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
+		    NI_NUMERICSERV) != 0)
+			port = 0;	/*XXX*/
+		else
+			port = atoi(pbuf);
+		printf("%s%s ", str_ipaddr(sa),
+			str_prefport(sa->sa_family,
+			    m_daddr->sadb_address_prefixlen, port));
+		break;
+	default:
+		printf("unknown-af ");
+		break;
+	}
+
+	/* upper layer protocol */
+	if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
+		printf("upper layer protocol mismatched.\n");
+		return;
+	}
+	if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
+		printf("any");
+	else
+		GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
+
+	/* policy */
+    {
+	char *d_xpl;
+
+	if (m_xpl == NULL) {
+		printf("no X_POLICY extension.\n");
+		return;
+	}
+	d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+
+	/* dump SPD */
+	printf("\n\t%s\n", d_xpl);
+	free(d_xpl);
+    }
+
+	/* lifetime */
+	if (m_lft) {
+		printf("\tlifetime:%lu validtime:%lu\n",
+			(u_long)m_lft->sadb_lifetime_addtime,
+			(u_long)m_lft->sadb_lifetime_usetime);
+	}
+
+	printf("\tspid=%ld seq=%ld pid=%ld\n",
+		(u_long)m_xpl->sadb_x_policy_id,
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* XXX TEST */
+	printf("\trefcnt=%u\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+/*
+ * set "ipaddress" to buffer.
+ */
+static char *
+str_ipaddr(sa)
+	struct sockaddr *sa;
+{
+	static char buf[NI_MAXHOST];
+#ifdef NI_WITHSCOPEID
+	const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
+#else
+	const int niflag = NI_NUMERICHOST;
+#endif
+
+	if (sa == NULL)
+		return "";
+
+	if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
+		return buf;
+	return NULL;
+}
+
+/*
+ * set "/prefix[port number]" to buffer.
+ */
+static char *
+str_prefport(family, pref, port)
+	u_int family, pref, port;
+{
+	static char buf[128];
+	char prefbuf[10];
+	char portbuf[10];
+	int plen;
+
+	switch (family) {
+	case AF_INET:
+		plen = sizeof(struct in_addr) << 3;
+		break;
+	case AF_INET6:
+		plen = sizeof(struct in6_addr) << 3;
+		break;
+	default:
+		return "?";
+	}
+
+	if (pref == plen)
+		prefbuf[0] = '\0';
+	else
+		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
+
+	if (port == IPSEC_PORT_ANY)
+		snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+	else
+		snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+
+	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
+
+	return buf;
+}
+
+/*
+ * set "Mon Day Time Year" to buffer
+ */
+static char *
+str_time(t)
+	time_t t;
+{
+	static char buf[128];
+
+	if (t == 0) {
+		int i = 0;
+		for (;i < 20;) buf[i++] = ' ';
+	} else {
+		char *t0;
+		t0 = ctime(&t);
+		memcpy(buf, t0 + 4, 20);
+	}
+
+	buf[20] = '\0';
+
+	return(buf);
+}
+
+static void
+str_lifetime_byte(x, str)
+	struct sadb_lifetime *x;
+	char *str;
+{
+	double y;
+	char *unit;
+	int w;
+
+	if (x == NULL) {
+		printf("\t%s: 0(bytes)", str);
+		return;
+	}
+
+#if 0
+	if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
+		y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
+		unit = "M";
+		w = 1;
+	} else if ((x->sadb_lifetime_bytes) / 1024) {
+		y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
+		unit = "K";
+		w = 1;
+	} else {
+		y = (x->sadb_lifetime_bytes) * 1.0;
+		unit = "";
+		w = 0;
+	}
+#else
+	y = (x->sadb_lifetime_bytes) * 1.0;
+	unit = "";
+	w = 0;
+#endif
+	printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
+}
diff --git a/lib/libipsec/policy_parse.y b/lib/libipsec/policy_parse.y
new file mode 100644
index 0000000..c7788f5
--- /dev/null
+++ b/lib/libipsec/policy_parse.y
@@ -0,0 +1,432 @@
+/*	$FreeBSD$	*/
+/*	$KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * IN/OUT bound policy configuration take place such below:
+ *	in <policy>
+ *	out <policy>
+ *
+ * <policy> is one of following:
+ *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
+ *
+ * The following requests are accepted as <requests>:
+ *
+ *	protocol/mode/src-dst/level
+ *	protocol/mode/src-dst		parsed as protocol/mode/src-dst/default
+ *	protocol/mode/src-dst/		parsed as protocol/mode/src-dst/default
+ *	protocol/transport		parsed as protocol/mode/any-any/default
+ *	protocol/transport//level	parsed as protocol/mode/any-any/level
+ *
+ * You can concatenate these requests with either ' '(single space) or '\n'.
+ */
+
+%{
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+
+#define ATOX(c) \
+  (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
+
+static caddr_t pbuf = NULL;		/* sadb_x_policy buffer */
+static int tlen = 0;			/* total length of pbuf */
+static int offset = 0;			/* offset of pbuf */
+static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
+static struct sockaddr *p_src = NULL;
+static struct sockaddr *p_dst = NULL;
+
+struct _val;
+extern void yyerror(char *msg);
+static struct sockaddr *parse_sockaddr(struct _val *buf);
+static int rule_check(void);
+static int init_x_policy(void);
+static int set_x_request(struct sockaddr *src, struct sockaddr *dst);
+static int set_sockaddr(struct sockaddr *addr);
+static void policy_parse_request_init(void);
+static caddr_t policy_parse(char *msg, int msglen);
+
+extern void __policy__strbuffer__init__(char *msg);
+extern int yyparse(void);
+extern int yylex(void);
+
+%}
+
+%union {
+	u_int num;
+	struct _val {
+		int len;
+		char *buf;
+	} val;
+}
+
+%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
+%token IPADDRESS
+%token ME ANY
+%token SLASH HYPHEN
+%type <num> DIR ACTION PROTOCOL MODE LEVEL
+%type <val> IPADDRESS LEVEL_SPECIFY
+
+%%
+policy_spec
+	:	DIR ACTION
+		{
+			p_dir = $1;
+			p_type = $2;
+
+			if (init_x_policy())
+				return -1;
+		}
+		rules
+	|	DIR
+		{
+			p_dir = $1;
+			p_type = 0;	/* ignored it by kernel */
+
+			if (init_x_policy())
+				return -1;
+		}
+	;
+
+rules
+	:	/*NOTHING*/
+	|	rules rule {
+			if (rule_check() < 0)
+				return -1;
+
+			if (set_x_request(p_src, p_dst) < 0)
+				return -1;
+
+			policy_parse_request_init();
+		}
+	;
+
+rule
+	:	protocol SLASH mode SLASH addresses SLASH level
+	|	protocol SLASH mode SLASH addresses SLASH
+	|	protocol SLASH mode SLASH addresses
+	|	protocol SLASH mode SLASH
+	|	protocol SLASH mode SLASH SLASH level
+	|	protocol SLASH mode
+	|	protocol SLASH {
+			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+			return -1;
+		}
+	|	protocol {
+			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+			return -1;
+		}
+	;
+
+protocol
+	:	PROTOCOL { p_protocol = $1; }
+	;
+
+mode
+	:	MODE { p_mode = $1; }
+	;
+
+level
+	:	LEVEL {
+			p_level = $1;
+			p_reqid = 0;
+		}
+	|	LEVEL_SPECIFY {
+			p_level = IPSEC_LEVEL_UNIQUE;
+			p_reqid = atol($1.buf);	/* atol() is good. */
+		}
+	;
+
+addresses
+	:	IPADDRESS {
+			p_src = parse_sockaddr(&$1);
+			if (p_src == NULL)
+				return -1;
+		}
+		HYPHEN
+		IPADDRESS {
+			p_dst = parse_sockaddr(&$4);
+			if (p_dst == NULL)
+				return -1;
+		}
+	|	ME HYPHEN ANY {
+			if (p_dir != IPSEC_DIR_OUTBOUND) {
+				__ipsec_errcode = EIPSEC_INVAL_DIR;
+				return -1;
+			}
+		}
+	|	ANY HYPHEN ME {
+			if (p_dir != IPSEC_DIR_INBOUND) {
+				__ipsec_errcode = EIPSEC_INVAL_DIR;
+				return -1;
+			}
+		}
+		/*
+	|	ME HYPHEN ME
+		*/
+	;
+
+%%
+
+void
+yyerror(msg)
+	char *msg;
+{
+	extern char *__libipsecyytext;	/*XXX*/
+
+	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
+		msg, __libipsecyytext);
+
+	return;
+}
+
+static struct sockaddr *
+parse_sockaddr(buf)
+	struct _val *buf;
+{
+	struct addrinfo hints, *res;
+	char *serv = NULL;
+	int error;
+	struct sockaddr *newaddr = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(buf->buf, serv, &hints, &res);
+	if (error != 0) {
+		yyerror("invalid IP address");
+		__ipsec_set_strerror(gai_strerror(error));
+		return NULL;
+	}
+
+	if (res->ai_addr == NULL) {
+		yyerror("invalid IP address");
+		__ipsec_set_strerror(gai_strerror(error));
+		return NULL;
+	}
+
+	newaddr = malloc(res->ai_addr->sa_len);
+	if (newaddr == NULL) {
+		__ipsec_errcode = EIPSEC_NO_BUFS;
+		freeaddrinfo(res);
+		return NULL;
+	}
+	memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
+
+	freeaddrinfo(res);
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return newaddr;
+}
+
+static int
+rule_check()
+{
+	if (p_type == IPSEC_POLICY_IPSEC) {
+		if (p_protocol == IPPROTO_IP) {
+			__ipsec_errcode = EIPSEC_NO_PROTO;
+			return -1;
+		}
+
+		if (p_mode != IPSEC_MODE_TRANSPORT
+		 && p_mode != IPSEC_MODE_TUNNEL) {
+			__ipsec_errcode = EIPSEC_INVAL_MODE;
+			return -1;
+		}
+
+		if (p_src == NULL && p_dst == NULL) {
+			 if (p_mode != IPSEC_MODE_TRANSPORT) {
+				__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+				return -1;
+			}
+		}
+		else if (p_src->sa_family != p_dst->sa_family) {
+			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+			return -1;
+		}
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+init_x_policy()
+{
+	struct sadb_x_policy *p;
+
+	tlen = sizeof(struct sadb_x_policy);
+
+	pbuf = malloc(tlen);
+	if (pbuf == NULL) {
+		__ipsec_errcode = EIPSEC_NO_BUFS;
+		return -1;
+	}
+	p = (struct sadb_x_policy *)pbuf;
+	p->sadb_x_policy_len = 0;	/* must update later */
+	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	p->sadb_x_policy_type = p_type;
+	p->sadb_x_policy_dir = p_dir;
+	p->sadb_x_policy_reserved = 0;
+	offset = tlen;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+set_x_request(src, dst)
+	struct sockaddr *src, *dst;
+{
+	struct sadb_x_ipsecrequest *p;
+	int reqlen;
+
+	reqlen = sizeof(*p)
+		+ (src ? src->sa_len : 0)
+		+ (dst ? dst->sa_len : 0);
+	tlen += reqlen;		/* increment to total length */
+
+	pbuf = realloc(pbuf, tlen);
+	if (pbuf == NULL) {
+		__ipsec_errcode = EIPSEC_NO_BUFS;
+		return -1;
+	}
+	p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
+	p->sadb_x_ipsecrequest_len = reqlen;
+	p->sadb_x_ipsecrequest_proto = p_protocol;
+	p->sadb_x_ipsecrequest_mode = p_mode;
+	p->sadb_x_ipsecrequest_level = p_level;
+	p->sadb_x_ipsecrequest_reqid = p_reqid;
+	offset += sizeof(*p);
+
+	if (set_sockaddr(src) || set_sockaddr(dst))
+		return -1;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+set_sockaddr(addr)
+	struct sockaddr *addr;
+{
+	if (addr == NULL) {
+		__ipsec_errcode = EIPSEC_NO_ERROR;
+		return 0;
+	}
+
+	/* tlen has already incremented */
+
+	memcpy(&pbuf[offset], addr, addr->sa_len);
+
+	offset += addr->sa_len;
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static void
+policy_parse_request_init()
+{
+	p_protocol = IPPROTO_IP;
+	p_mode = IPSEC_MODE_ANY;
+	p_level = IPSEC_LEVEL_DEFAULT;
+	p_reqid = 0;
+	if (p_src != NULL) {
+		free(p_src);
+		p_src = NULL;
+	}
+	if (p_dst != NULL) {
+		free(p_dst);
+		p_dst = NULL;
+	}
+
+	return;
+}
+
+static caddr_t
+policy_parse(msg, msglen)
+	char *msg;
+	int msglen;
+{
+	int error;
+	pbuf = NULL;
+	tlen = 0;
+
+	/* initialize */
+	p_dir = IPSEC_DIR_INVALID;
+	p_type = IPSEC_POLICY_DISCARD;
+	policy_parse_request_init();
+	__policy__strbuffer__init__(msg);
+
+	error = yyparse();	/* it must be set errcode. */
+	if (error) {
+		if (pbuf != NULL)
+			free(pbuf);
+		return NULL;
+	}
+
+	/* update total length */
+	((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return pbuf;
+}
+
+caddr_t
+ipsec_set_policy(msg, msglen)
+	char *msg;
+	int msglen;
+{
+	caddr_t policy;
+
+	policy = policy_parse(msg, msglen);
+	if (policy == NULL) {
+		if (__ipsec_errcode == EIPSEC_NO_ERROR)
+			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return NULL;
+	}
+
+	__ipsec_errcode = EIPSEC_NO_ERROR;
+	return policy;
+}
+
diff --git a/lib/libipsec/policy_token.l b/lib/libipsec/policy_token.l
new file mode 100644
index 0000000..11e0c06
--- /dev/null
+++ b/lib/libipsec/policy_token.l
@@ -0,0 +1,148 @@
+/*	$FreeBSD$	*/
+/*	$KAME: policy_token.l,v 1.11 2000/12/01 10:08:29 sakane Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+%{
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <net/route.h>
+#include <net/pfkeyv2.h>
+#include <netkey/keydb.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <limits.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#ifndef __NetBSD__
+#include "y.tab.h"
+#else
+#include "policy_parse.h"
+#endif
+#define yylval __libipsecyylval	/* XXX */
+
+int yylex(void);
+%}
+
+%option noyywrap
+%option nounput
+
+/* common section */
+nl		\n
+ws		[ \t]+
+digit		[0-9]
+hexdigit	[0-9A-Fa-f]
+special		[()+\|\?\*,]
+dot		\.
+comma		\,
+hyphen		\-
+colon		\:
+slash		\/
+bcl		\{
+ecl		\}
+blcl		\[
+elcl		\]
+percent		\%
+semi		\;
+usec		{dot}{digit}{1,6}
+comment		\#.*
+ccomment	"/*"
+bracketstring	\<[^>]*\>
+quotedstring	\"[^"]*\"
+decstring	{digit}+
+hexpair		{hexdigit}{hexdigit}
+hexstring	0[xX]{hexdigit}+
+octetstring	{octet}({dot}{octet})+
+ipaddress	[a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
+
+%%
+
+in		{ yylval.num = IPSEC_DIR_INBOUND; return(DIR); }
+out		{ yylval.num = IPSEC_DIR_OUTBOUND; return(DIR); }
+
+discard		{ yylval.num = IPSEC_POLICY_DISCARD; return(ACTION); }
+none		{ yylval.num = IPSEC_POLICY_NONE; return(ACTION); }
+ipsec		{ yylval.num = IPSEC_POLICY_IPSEC; return(ACTION); }
+bypass		{ yylval.num = IPSEC_POLICY_BYPASS; return(ACTION); }
+entrust		{ yylval.num = IPSEC_POLICY_ENTRUST; return(ACTION); }
+
+esp		{ yylval.num = IPPROTO_ESP; return(PROTOCOL); }
+ah		{ yylval.num = IPPROTO_AH; return(PROTOCOL); }
+ipcomp		{ yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
+
+transport	{ yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
+tunnel		{ yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
+
+me		{ return(ME); }
+any		{ return(ANY); }
+
+default		{ yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
+use		{ yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
+require		{ yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
+unique{colon}{decstring} {
+			yylval.val.len = strlen(yytext + 7);
+			yylval.val.buf = yytext + 7;
+			return(LEVEL_SPECIFY);
+		}
+unique		{ yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
+{slash}		{ return(SLASH); }
+
+{ipaddress}	{
+			yylval.val.len = strlen(yytext);
+			yylval.val.buf = yytext;
+			return(IPADDRESS);
+		}
+
+{hyphen}	{ return(HYPHEN); }
+
+{ws}		{ ; }
+{nl}		{ ; }
+
+%%
+
+void __policy__strbuffer__init__(char *);
+
+void
+__policy__strbuffer__init__(msg)
+	char *msg;
+{
+	YY_BUFFER_STATE yyb;
+
+	yyb = (YY_BUFFER_STATE)yy_scan_string(msg);
+	yy_switch_to_buffer(yyb);
+
+	return;
+}
+
diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c
new file mode 100644
index 0000000..7909b66
--- /dev/null
+++ b/lib/libipsec/test-policy.c
@@ -0,0 +1,336 @@
+/*	$KAME: test-policy.c,v 1.14 2000/12/27 11:38:11 sakane Exp $	*/
+
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <net/pfkeyv2.h>
+#include <netkey/key_debug.h>
+#include <netinet6/ipsec.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <err.h>
+
+#include "libpfkey.h"
+
+struct req_t {
+	int result;	/* expected result; 0:ok 1:ng */
+	char *str;
+} reqs[] = {
+{ 0, "out ipsec" },
+{ 1, "must_error" },
+{ 1, "in ipsec must_error" },
+{ 1, "out ipsec esp/must_error" },
+{ 1, "out discard" },
+{ 1, "out none" },
+{ 0, "in entrust" },
+{ 0, "out entrust" },
+{ 1, "out ipsec esp" },
+{ 0, "in ipsec ah/transport" },
+{ 1, "in ipsec ah/tunnel" },
+{ 0, "out ipsec ah/transport/" },
+{ 1, "out ipsec ah/tunnel/" },
+{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
+{ 0, "in ipsec esp/tunnel/::1-::2" },
+{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
+{ 0, "in ipsec esp/tunnel/::1-::2/require" },
+{ 0, "out ipsec ah/transport//use" },
+{ 1, "out ipsec ah/transport esp/use" },
+{ 1, "in ipsec ah/transport esp/tunnel" },
+{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
+{ 0, "in ipsec
+	ah / transport
+	esp / tunnel / ::1-::2" },
+{ 0, "out ipsec
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	" },
+{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
+};
+
+int test1(void);
+int test1sub1(struct req_t *);
+int test1sub2(char *, int);
+int test2(void);
+int test2sub(int);
+
+int
+main(ac, av)
+	int ac;
+	char **av;
+{
+	test1();
+	test2();
+
+	exit(0);
+}
+
+int
+test1()
+{
+	int i;
+	int result;
+
+	printf("TEST1\n");
+	for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
+		printf("#%d [%s]\n", i + 1, reqs[i].str);
+
+		result = test1sub1(&reqs[i]);
+		if (result == 0 && reqs[i].result == 1) {
+			warnx("ERROR: expecting failure.\n");
+		} else if (result == 1 && reqs[i].result == 0) {
+			warnx("ERROR: expecting success.\n");
+		}
+	}
+
+	return 0;
+}
+
+int
+test1sub1(req)
+	struct req_t *req;
+{
+	char *buf;
+
+	buf = ipsec_set_policy(req->str, strlen(req->str));
+	if (buf == NULL) {
+		printf("ipsec_set_policy: %s\n", ipsec_strerror());
+		return 1;
+	}
+
+	if (test1sub2(buf, PF_INET) != 0
+	 || test1sub2(buf, PF_INET6) != 0) {
+		free(buf);
+		return 1;
+	}
+#if 0
+	kdebug_sadb_x_policy((struct sadb_ext *)buf);
+#endif
+
+	free(buf);
+	return 0;
+}
+
+int
+test1sub2(policy, family)
+	char *policy;
+	int family;
+{
+	int so;
+	int proto = 0, optname = 0;
+	int len;
+	char getbuf[1024];
+
+	switch (family) {
+	case PF_INET:
+		proto = IPPROTO_IP;
+		optname = IP_IPSEC_POLICY;
+		break;
+	case PF_INET6:
+		proto = IPPROTO_IPV6;
+		optname = IPV6_IPSEC_POLICY;
+		break;
+	}
+
+	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
+		err(1, "socket");
+
+	len = ipsec_get_policylen(policy);
+#if 0
+	printf("\tsetlen:%d\n", len);
+#endif
+
+	if (setsockopt(so, proto, optname, policy, len) < 0) {
+		printf("fail to set sockopt; %s\n", strerror(errno));
+		close(so);
+		return 1;
+	}
+
+	memset(getbuf, 0, sizeof(getbuf));
+	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
+	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
+		printf("fail to get sockopt; %s\n", strerror(errno));
+		close(so);
+		return 1;
+	}
+
+    {
+	char *buf = NULL;
+
+#if 0
+	printf("\tgetlen:%d\n", len);
+#endif
+
+	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
+		printf("%s\n", ipsec_strerror());
+		close(so);
+		return 1;
+	}
+#if 0
+	printf("\t[%s]\n", buf);
+#endif
+	free(buf);
+    }
+
+	close (so);
+	return 0;
+}
+
+char addr[] = {
+	28, 28, 0, 0,
+	0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
+	0, 0, 0, 0,
+};
+
+int
+test2()
+{
+	int so;
+	char *pol1 = "out ipsec";
+	char *pol2 = "out ipsec ah/transport//use";
+	char *sp1, *sp2;
+	int splen1, splen2;
+	int spid;
+	struct sadb_msg *m;
+
+	printf("TEST2\n");
+	if (getuid() != 0)
+		errx(1, "root privilege required.\n");
+
+	sp1 = ipsec_set_policy(pol1, strlen(pol1));
+	splen1 = ipsec_get_policylen(sp1);
+	sp2 = ipsec_set_policy(pol2, strlen(pol2));
+	splen2 = ipsec_get_policylen(sp2);
+
+	if ((so = pfkey_open()) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+
+	printf("spdflush()\n");
+	if (pfkey_send_spdflush(so) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+#if 0
+	printf("spdsetidx()\n");
+	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp1, splen1, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+	
+	printf("spdupdate()\n");
+	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	sleep(4);
+
+	printf("spddelete()\n");
+	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp1, splen1, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	printf("spdadd()\n");
+	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	spid = test2sub(so);
+
+	printf("spdget(%u)\n", spid);
+	if (pfkey_send_spdget(so, spid) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	sleep(4);
+
+	printf("spddelete2()\n");
+	if (pfkey_send_spddelete2(so, spid) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+#endif
+
+	printf("spdadd() with lifetime's 10(s)\n");
+	if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, 0, 10, sp2, splen2, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	spid = test2sub(so);
+
+#if 0
+	/* expecting failure */
+	printf("spdupdate()\n");
+	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) == 0) {
+		warnx("ERROR: expecting failure.\n");
+	}
+#endif
+
+	return 0;
+}
+
+int
+test2sub(so)
+	int so;
+{
+	struct sadb_msg *msg;
+	caddr_t mhp[SADB_EXT_MAX + 1];
+
+	if ((msg = pfkey_recv(so)) == NULL)
+		errx(1, "ERROR: pfkey_recv failure.\n");
+	if (pfkey_align(msg, mhp) < 0)
+		errx(1, "ERROR: pfkey_align failure.\n");
+
+	return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
+}
+