Move in foreign OS support. The OpenBSD repository is now the official

isakmpd home.

32 files changed, 4540 insertions, 0 deletions

diff --git a/sbin/isakmpd/sysdep/common/blf.h b/sbin/isakmpd/sysdep/common/blf.h
new file mode 100644
index 00000000000..042668138bc
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/blf.h
@@ -0,0 +1,79 @@
+/* $OpenBSD: blf.h,v 1.1 2001/01/26 11:33:59 niklas Exp $ */
+/*
+ * Blowfish - a fast block cipher designed by Bruce Schneier
+ *
+ * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _BLF_H_
+#define _BLF_H_
+
+#ifndef __P
+#define __P(args) args
+#endif
+
+/* Schneier states the maximum key length to be 56 bytes.
+ * The way how the subkeys are initalized by the key up
+ * to (N+2)*4 i.e. 72 bytes are utilized.
+ * Warning: For normal blowfish encryption only 56 bytes
+ * of the key affect all cipherbits.
+ */
+
+#define BLF_N	16			/* Number of Subkeys */
+#define BLF_MAXKEYLEN ((BLF_N-2)*4)	/* 448 bits */
+
+/* Blowfish context */
+typedef struct BlowfishContext {
+	u_int32_t S[4][256];	/* S-Boxes */
+	u_int32_t P[BLF_N + 2];	/* Subkeys */
+} blf_ctx;
+
+/* Raw access to customized Blowfish
+ *	blf_key is just:
+ *	Blowfish_initstate( state )
+ *	Blowfish_expand0state( state, key, keylen )
+ */
+
+void Blowfish_encipher __P((blf_ctx *, u_int32_t *, u_int32_t *));
+void Blowfish_decipher __P((blf_ctx *, u_int32_t *, u_int32_t *));
+void Blowfish_initstate __P((blf_ctx *));
+void Blowfish_expand0state __P((blf_ctx *, const u_int8_t *, u_int16_t));
+void Blowfish_expandstate
+    __P((blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t));
+
+/* Standard Blowfish */
+
+void blf_key __P((blf_ctx *, const u_int8_t *, u_int16_t));
+void blf_enc __P((blf_ctx *, u_int32_t *, u_int16_t));
+void blf_dec __P((blf_ctx *, u_int32_t *, u_int16_t));
+
+/* Converts u_int8_t to u_int32_t */
+u_int32_t Blowfish_stream2word __P((const u_int8_t *, u_int16_t , u_int16_t *));
+
+#endif
diff --git a/sbin/isakmpd/sysdep/common/cast.h b/sbin/isakmpd/sysdep/common/cast.h
new file mode 100644
index 00000000000..c130986ee64
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/cast.h
@@ -0,0 +1,22 @@
+/*      $OpenBSD: cast.h,v 1.1 2001/01/26 11:34:00 niklas Exp $       */
+/*
+ *	CAST-128 in C
+ *	Written by Steve Reid <sreid@sea-to-sky.net>
+ *	100% Public Domain - no warranty
+ *	Released 1997.10.11
+ */
+
+#ifndef _CAST_H_
+#define _CAST_H_
+
+typedef struct {
+	u_int32_t xkey[32];	/* Key, after expansion */
+	int rounds;		/* Number of rounds to use, 12 or 16 */
+} cast_key;
+
+void cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes);
+void cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock);
+void cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock);
+
+#endif /* ifndef _CAST_H_ */
+
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/GNUmakefile b/sbin/isakmpd/sysdep/common/libsysdep/GNUmakefile
new file mode 100644
index 00000000000..88874133a7b
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/GNUmakefile
@@ -0,0 +1,62 @@
+#	$Id: GNUmakefile,v 1.1 2001/01/26 11:34:00 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+.CURDIR:=	$(shell pwd)
+
+LIB=		sysdep
+SRCS=		arc4random.c blowfish.c cast.c md5.c sha1.c
+NOMAN=
+CFLAGS+=	-I${.CURDIR}/.. -I/usr/include/machine
+
+lib${LIB}.a: ${SRCS:%.c=%.o}
+	ar cq $@ ${SRCS:%.c=%.o}
+
+clean:
+	rm -f lib${LIB}.a ${SRCS:%.c=%.o}
+
+cleandir: clean cleandepend
+
+depend: .depend
+
+.depend: ${SRCS}
+	@rm -f .depend
+	${MKDEP} ${CFLAGS} ${SRCS} > .depend
+
+cleandepend:
+	rm -f .depend
+
+ifneq ($(findstring clean,$(MAKECMDGOALS)),clean)
+-include .depend
+endif
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/Makefile b/sbin/isakmpd/sysdep/common/libsysdep/Makefile
new file mode 100644
index 00000000000..3604b6059ad
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/Makefile
@@ -0,0 +1,48 @@
+#	$Id: Makefile,v 1.1 2001/01/26 11:34:00 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+OPSYS!=	uname -s
+
+LIB=		sysdep
+SRCS=		arc4random.c blowfish.c cast.c md5.c sha1.c
+NOPROFILE=	
+NOPIC=
+NOMAN=
+.if ${OPSYS} == "NetBSD"
+CPPFLAGS+=	-I${.CURDIR}/.. -I/usr/include/machine
+.else
+CFLAGS+=	-I${.CURDIR}/.. -I/usr/include/machine
+.endif
+
+.include <bsd.lib.mk>
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/arc4random.c b/sbin/isakmpd/sysdep/common/libsysdep/arc4random.c
new file mode 100644
index 00000000000..fffc2c1d8b2
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/arc4random.c
@@ -0,0 +1,176 @@
+/*	$OpenBSD: arc4random.c,v 1.1 2001/01/26 11:34:00 niklas Exp $	*/
+
+/*
+ * Arc4 random number generator for OpenBSD.
+ * Copyright 1996 David Mazieres <dm@lcs.mit.edu>.
+ *
+ * Modification and redistribution in source and binary forms is
+ * permitted provided that due credit is given to the author and the
+ * OpenBSD project (for instance by leaving this copyright notice
+ * intact).
+ */
+
+/*
+ * This code is derived from section 17.1 of Applied Cryptography,
+ * second edition, which describes a stream cipher allegedly
+ * compatible with RSA Labs "RC4" cipher (the actual description of
+ * which is a trade secret).  The same algorithm is used as a stream
+ * cipher called "arcfour" in Tatu Ylonen's ssh package.
+ *
+ * Here the stream cipher has been modified always to include the time
+ * when initializing the state.  That makes it impossible to
+ * regenerate the same random sequence twice, so this can't be used
+ * for encryption, but will generate good random numbers.
+ *
+ * RC4 is a registered trademark of RSA Laboratories.
+ */
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/time.h>
+
+#ifdef __GNUC__
+#define inline __inline
+#else				/* !__GNUC__ */
+#define inline
+#endif				/* !__GNUC__ */
+
+struct arc4_stream {
+	u_int8_t i;
+	u_int8_t j;
+	u_int8_t s[256];
+};
+
+int     rs_initialized;
+static struct arc4_stream rs;
+
+static inline void
+arc4_init(as)
+	struct arc4_stream *as;
+{
+	int     n;
+
+	for (n = 0; n < 256; n++)
+		as->s[n] = n;
+	as->i = 0;
+	as->j = 0;
+}
+
+static inline void
+arc4_addrandom(as, dat, datlen)
+	struct arc4_stream *as;
+	u_char *dat;
+	int     datlen;
+{
+	int     n;
+	u_int8_t si;
+
+	as->i--;
+	for (n = 0; n < 256; n++) {
+		as->i = (as->i + 1);
+		si = as->s[as->i];
+		as->j = (as->j + si + dat[n % datlen]);
+		as->s[as->i] = as->s[as->j];
+		as->s[as->j] = si;
+	}
+}
+
+static void
+arc4_stir(as)
+	struct arc4_stream *as;
+{
+	int     fd;
+	struct {
+		struct timeval tv;
+		u_int8_t rnd[128 - sizeof(struct timeval)];
+	}       rdat;
+
+	gettimeofday(&rdat.tv, NULL);
+	fd = open("/dev/arandom", O_RDONLY);
+	if (fd >= 0) {
+		read(fd, rdat.rnd, sizeof(rdat.rnd));
+		close(fd);
+	}
+	/* fd < 0?  Ah, what the heck. We'll just take whatever was on the
+	 * stack... */
+
+	arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
+}
+
+static inline u_int8_t
+arc4_getbyte(as)
+	struct arc4_stream *as;
+{
+	u_int8_t si, sj;
+
+	as->i = (as->i + 1);
+	si = as->s[as->i];
+	as->j = (as->j + si);
+	sj = as->s[as->j];
+	as->s[as->i] = sj;
+	as->s[as->j] = si;
+	return (as->s[(si + sj) & 0xff]);
+}
+
+static inline u_int32_t
+arc4_getword(as)
+	struct arc4_stream *as;
+{
+	u_int32_t val;
+	val = arc4_getbyte(as) << 24;
+	val |= arc4_getbyte(as) << 16;
+	val |= arc4_getbyte(as) << 8;
+	val |= arc4_getbyte(as);
+	return val;
+}
+
+void
+arc4random_stir()
+{
+	if (!rs_initialized) {
+		arc4_init(&rs);
+		rs_initialized = 1;
+	}
+	arc4_stir(&rs);
+}
+
+void
+arc4random_addrandom(dat, datlen)
+	u_char *dat;
+	int     datlen;
+{
+	if (!rs_initialized)
+		arc4random_stir();
+	arc4_addrandom(&rs, dat, datlen);
+}
+
+u_int32_t
+arc4random()
+{
+	if (!rs_initialized)
+		arc4random_stir();
+	return arc4_getword(&rs);
+}
+
+#if 0
+/*-------- Test code for i386 --------*/
+#include <stdio.h>
+#include <machine/pctr.h>
+int
+main(int argc, char **argv)
+{
+	const int iter = 1000000;
+	int     i;
+	pctrval v;
+
+	v = rdtsc();
+	for (i = 0; i < iter; i++)
+		arc4random();
+	v = rdtsc() - v;
+	v /= iter;
+
+	printf("%qd cycles\n", v);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/blowfish.c b/sbin/isakmpd/sysdep/common/libsysdep/blowfish.c
new file mode 100644
index 00000000000..d2ce5dfcea4
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/blowfish.c
@@ -0,0 +1,774 @@
+/* $OpenBSD: blowfish.c,v 1.1 2001/01/26 11:34:01 niklas Exp $ */
+/*
+ * Blowfish block cipher for OpenBSD
+ * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * All rights reserved.
+ *
+ * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code is derived from section 14.3 and the given source
+ * in section V of Applied Cryptography, second edition.
+ * Blowfish is an unpatented fast block cipher designed by
+ * Bruce Schneier.
+ */
+
+#if 0
+#include <stdio.h>		/* used for debugging */
+#include <string.h>
+#endif
+
+#include <sys/types.h>
+#include <blf.h>
+
+#undef inline
+#ifdef __GNUC__
+#define inline __inline
+#else				/* !__GNUC__ */
+#define inline
+#endif				/* !__GNUC__ */
+
+/* Function for Feistel Networks */
+
+#define F(bc, x) ((((bc)->S[0][((x) & 0xFF000000) >> 24] \
+		    + (bc)->S[1][((x) &0xFF0000 ) >> 16]) \
+		   ^ (bc)->S[2][((x) & 0xFF00) >> 8]) \
+		  + (bc)->S[3][(x) & 0x00FF])
+
+#define BLFRND(bc,i,j,n) (i ^= F(bc,j) ^ (bc)->P[n])
+
+void
+Blowfish_encipher(c, xl, xr)
+	blf_ctx *c;
+	u_int32_t *xl;
+	u_int32_t *xr;
+{
+	u_int32_t Xl;
+	u_int32_t Xr;
+
+	Xl = *xl;
+	Xr = *xr;
+
+	Xl ^= c->P[0];
+	BLFRND(c, Xr, Xl, 1); BLFRND(c, Xl, Xr, 2);
+	BLFRND(c, Xr, Xl, 3); BLFRND(c, Xl, Xr, 4);
+	BLFRND(c, Xr, Xl, 5); BLFRND(c, Xl, Xr, 6);
+	BLFRND(c, Xr, Xl, 7); BLFRND(c, Xl, Xr, 8);
+	BLFRND(c, Xr, Xl, 9); BLFRND(c, Xl, Xr, 10);
+	BLFRND(c, Xr, Xl, 11); BLFRND(c, Xl, Xr, 12);
+	BLFRND(c, Xr, Xl, 13); BLFRND(c, Xl, Xr, 14);
+	BLFRND(c, Xr, Xl, 15); BLFRND(c, Xl, Xr, 16);
+
+	*xl = Xr ^ c->P[17];
+	*xr = Xl;
+}
+
+void
+Blowfish_decipher(c, xl, xr)
+	blf_ctx *c;
+	u_int32_t *xl;
+	u_int32_t *xr;
+{
+	u_int32_t Xl;
+	u_int32_t Xr;
+
+	Xl = *xl;
+	Xr = *xr;
+
+	Xl ^= c->P[17];
+	BLFRND(c, Xr, Xl, 16); BLFRND(c, Xl, Xr, 15);
+	BLFRND(c, Xr, Xl, 14); BLFRND(c, Xl, Xr, 13);
+	BLFRND(c, Xr, Xl, 12); BLFRND(c, Xl, Xr, 11);
+	BLFRND(c, Xr, Xl, 10); BLFRND(c, Xl, Xr, 9);
+	BLFRND(c, Xr, Xl, 8); BLFRND(c, Xl, Xr, 7);
+	BLFRND(c, Xr, Xl, 6); BLFRND(c, Xl, Xr, 5);
+	BLFRND(c, Xr, Xl, 4); BLFRND(c, Xl, Xr, 3);
+	BLFRND(c, Xr, Xl, 2); BLFRND(c, Xl, Xr, 1);
+
+	*xl = Xr ^ c->P[0];
+	*xr = Xl;
+}
+
+void
+Blowfish_initstate(c)
+	blf_ctx *c;
+{
+
+/* P-box and S-box tables initialized with digits of Pi */
+
+	const blf_ctx initstate =
+
+	{ {
+		{
+			0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
+			0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
+			0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
+			0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
+			0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
+			0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
+			0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
+			0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
+			0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
+			0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
+			0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
+			0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
+			0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
+			0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
+			0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
+			0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
+			0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
+			0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
+			0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
+			0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
+			0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
+			0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
+			0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
+			0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
+			0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
+			0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
+			0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
+			0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
+			0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
+			0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
+			0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
+			0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
+			0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
+			0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
+			0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
+			0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
+			0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
+			0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
+			0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
+			0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
+			0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
+			0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
+			0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
+			0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
+			0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
+			0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
+			0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
+			0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
+			0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
+			0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
+			0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
+			0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
+			0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
+			0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
+			0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
+			0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
+			0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
+			0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
+			0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
+			0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
+			0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
+			0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
+			0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
+		0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
+		{
+			0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
+			0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
+			0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
+			0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
+			0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
+			0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
+			0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
+			0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
+			0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
+			0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
+			0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
+			0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
+			0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
+			0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
+			0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
+			0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
+			0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
+			0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
+			0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
+			0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
+			0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
+			0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
+			0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
+			0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
+			0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
+			0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
+			0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
+			0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
+			0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
+			0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
+			0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
+			0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
+			0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
+			0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
+			0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
+			0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
+			0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
+			0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
+			0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
+			0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
+			0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
+			0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
+			0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
+			0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
+			0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
+			0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
+			0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
+			0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
+			0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
+			0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
+			0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
+			0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
+			0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
+			0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
+			0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
+			0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
+			0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
+			0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
+			0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
+			0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
+			0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
+			0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
+			0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
+		0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
+		{
+			0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
+			0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
+			0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
+			0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
+			0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
+			0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
+			0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
+			0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
+			0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
+			0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
+			0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
+			0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
+			0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
+			0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
+			0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
+			0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
+			0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
+			0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
+			0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
+			0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
+			0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
+			0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
+			0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
+			0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
+			0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
+			0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
+			0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
+			0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
+			0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
+			0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
+			0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
+			0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
+			0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
+			0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
+			0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
+			0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
+			0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
+			0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
+			0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
+			0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
+			0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
+			0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
+			0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
+			0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
+			0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
+			0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
+			0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
+			0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
+			0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
+			0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
+			0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
+			0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
+			0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
+			0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
+			0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
+			0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
+			0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
+			0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
+			0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
+			0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
+			0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
+			0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
+			0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
+		0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
+		{
+			0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
+			0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
+			0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
+			0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
+			0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
+			0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
+			0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
+			0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
+			0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
+			0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
+			0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
+			0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
+			0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
+			0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
+			0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
+			0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
+			0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
+			0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
+			0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
+			0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
+			0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
+			0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
+			0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
+			0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
+			0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
+			0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
+			0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
+			0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
+			0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
+			0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
+			0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
+			0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
+			0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
+			0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
+			0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
+			0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
+			0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
+			0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
+			0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
+			0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
+			0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
+			0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
+			0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
+			0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
+			0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
+			0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
+			0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
+			0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
+			0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
+			0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
+			0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
+			0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
+			0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
+			0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
+			0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
+			0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
+			0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
+			0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
+			0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
+			0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
+			0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
+			0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
+			0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
+		0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
+	},
+	{
+		0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
+		0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
+		0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
+		0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
+		0x9216d5d9, 0x8979fb1b
+	} };
+
+	*c = initstate;
+
+}
+
+#ifdef __STDC__
+u_int32_t
+Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, u_int16_t *current)
+#else
+u_int32_t
+Blowfish_stream2word(data, databytes, current)
+	const u_int8_t *data;
+	u_int16_t databytes;
+	u_int16_t *current;
+#endif
+{
+	u_int8_t i;
+	u_int16_t j;
+	u_int32_t temp;
+
+	temp = 0x00000000;
+	j = *current;
+
+	for (i = 0; i < 4; i++, j++) {
+		if (j >= databytes)
+			j = 0;
+		temp = (temp << 8) | data[j];
+	}
+
+	*current = j;
+	return temp;
+}
+
+#if __STDC__
+void
+Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
+#else
+void
+Blowfish_expand0state(c, key, keybytes)
+	blf_ctx *c;
+	const u_int8_t *key;
+	u_int16_t keybytes;
+#endif
+{
+	u_int16_t i;
+	u_int16_t j;
+	u_int16_t k;
+	u_int32_t temp;
+	u_int32_t datal;
+	u_int32_t datar;
+
+	j = 0;
+	for (i = 0; i < BLF_N + 2; i++) {
+		/* Extract 4 int8 to 1 int32 from keystream */
+		temp = Blowfish_stream2word(key, keybytes, &j);
+		c->P[i] = c->P[i] ^ temp;
+	}
+
+	j = 0;
+	datal = 0x00000000;
+	datar = 0x00000000;
+	for (i = 0; i < BLF_N + 2; i += 2) {
+		Blowfish_encipher(c, &datal, &datar);
+
+		c->P[i] = datal;
+		c->P[i + 1] = datar;
+	}
+
+	for (i = 0; i < 4; i++) {
+		for (k = 0; k < 256; k += 2) {
+			Blowfish_encipher(c, &datal, &datar);
+
+			c->S[i][k] = datal;
+			c->S[i][k + 1] = datar;
+		}
+	}
+}
+
+
+#if __STDC__
+void
+Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
+		     const u_int8_t *key, u_int16_t keybytes)
+#else
+void
+Blowfish_expandstate(c, data, databytes, key, keybytes)
+	blf_ctx *c;
+	const u_int8_t *data;
+	u_int16_t databytes;
+	const u_int8_t *key;
+	u_int16_t keybytes;
+#endif
+{
+	u_int16_t i;
+	u_int16_t j;
+	u_int16_t k;
+	u_int32_t temp;
+	u_int32_t datal;
+	u_int32_t datar;
+
+	j = 0;
+	for (i = 0; i < BLF_N + 2; i++) {
+		/* Extract 4 int8 to 1 int32 from keystream */
+		temp = Blowfish_stream2word(key, keybytes, &j);
+		c->P[i] = c->P[i] ^ temp;
+	}
+
+	j = 0;
+	datal = 0x00000000;
+	datar = 0x00000000;
+	for (i = 0; i < BLF_N + 2; i += 2) {
+		datal ^= Blowfish_stream2word(data, databytes, &j);
+		datar ^= Blowfish_stream2word(data, databytes, &j);
+		Blowfish_encipher(c, &datal, &datar);
+
+		c->P[i] = datal;
+		c->P[i + 1] = datar;
+	}
+
+	for (i = 0; i < 4; i++) {
+		for (k = 0; k < 256; k += 2) {
+			datal ^= Blowfish_stream2word(data, databytes, &j);
+			datar ^= Blowfish_stream2word(data, databytes, &j);
+			Blowfish_encipher(c, &datal, &datar);
+
+			c->S[i][k] = datal;
+			c->S[i][k + 1] = datar;
+		}
+	}
+
+}
+
+#if __STDC__
+void
+blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
+#else
+void
+blf_key(c, k, len)
+	blf_ctx *c;
+	const u_int8_t *k;
+	u_int16_t len;
+#endif
+{
+	/* Initalize S-boxes and subkeys with Pi */
+	Blowfish_initstate(c);
+
+	/* Transform S-boxes and subkeys with key */
+	Blowfish_expand0state(c, k, len);
+}
+
+#if __STDC__
+void
+blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
+#else
+void
+blf_enc(c, data, blocks)
+	blf_ctx *c;
+	u_int32_t *data;
+	u_int16_t blocks;
+#endif
+{
+	u_int32_t *d;
+	u_int16_t i;
+
+	d = data;
+	for (i = 0; i < blocks; i++) {
+		Blowfish_encipher(c, d, d + 1);
+		d += 2;
+	}
+}
+
+#if __STDC__
+void
+blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
+#else
+void
+blf_dec(c, data, blocks)
+	blf_ctx *c;
+	u_int32_t *data;
+	u_int16_t blocks;
+#endif
+{
+	u_int32_t *d;
+	u_int16_t i;
+
+	d = data;
+	for (i = 0; i < blocks; i++) {
+		Blowfish_decipher(c, d, d + 1);
+		d += 2;
+	}
+}
+
+#if __STDC__
+void
+blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
+#else
+void
+blf_ecb_encrypt(c, data, len)
+     blf_ctx *c;
+     u_int8_t *data;
+     u_int32_t len;
+#endif
+{
+	u_int32_t l, r;
+	u_int32_t i;
+
+	for (i = 0; i < len; i += 8) {
+		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
+		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
+		Blowfish_encipher(c, &l, &r);
+		data[0] = l >> 24 & 0xff;
+		data[1] = l >> 16 & 0xff;
+		data[2] = l >> 8 & 0xff;
+		data[3] = l & 0xff;
+		data[4] = r >> 24 & 0xff;
+		data[5] = r >> 16 & 0xff;
+		data[6] = r >> 8 & 0xff;
+		data[7] = r & 0xff;
+		data += 8;
+	}
+}
+
+#if __STDC__
+void
+blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
+#else
+void
+blf_ecb_decrypt(c, data, len)
+     blf_ctx *c;
+     u_int8_t *data;
+     u_int32_t len;
+#endif
+{
+	u_int32_t l, r;
+	u_int32_t i;
+
+	for (i = 0; i < len; i += 8) {
+		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
+		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
+		Blowfish_decipher(c, &l, &r);
+		data[0] = l >> 24 & 0xff;
+		data[1] = l >> 16 & 0xff;
+		data[2] = l >> 8 & 0xff;
+		data[3] = l & 0xff;
+		data[4] = r >> 24 & 0xff;
+		data[5] = r >> 16 & 0xff;
+		data[6] = r >> 8 & 0xff;
+		data[7] = r & 0xff;
+		data += 8;
+	}
+}
+
+#if __STDC__
+void
+blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
+#else
+void
+blf_cbc_encrypt(c, iv, data, len)
+     blf_ctx *c;
+     u_int8_t *iv;
+     u_int8_t *data;
+     u_int32_t len;
+#endif
+{
+	u_int32_t l, r;
+	u_int32_t i, j;
+
+	for (i = 0; i < len; i += 8) {
+		for (j = 0; j < 8; j++)
+			data[j] ^= iv[j];
+		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
+		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
+		Blowfish_encipher(c, &l, &r);
+		data[0] = l >> 24 & 0xff;
+		data[1] = l >> 16 & 0xff;
+		data[2] = l >> 8 & 0xff;
+		data[3] = l & 0xff;
+		data[4] = r >> 24 & 0xff;
+		data[5] = r >> 16 & 0xff;
+		data[6] = r >> 8 & 0xff;
+		data[7] = r & 0xff;
+		iv = data;
+		data += 8;
+	}
+}
+
+#if __STDC__
+void
+blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
+#else
+void
+blf_cbc_decrypt(c, iva, data, len)
+     blf_ctx *c;
+     u_int8_t *iva;
+     u_int8_t *data;
+     u_int32_t len;
+#endif
+{
+	u_int32_t l, r;
+	u_int8_t *iv;
+	u_int32_t i, j;
+
+	iv = data + len - 16;
+	data = data + len - 8;
+	for (i = len - 8; i >= 8; i -= 8) {
+		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
+		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
+		Blowfish_decipher(c, &l, &r);
+		data[0] = l >> 24 & 0xff;
+		data[1] = l >> 16 & 0xff;
+		data[2] = l >> 8 & 0xff;
+		data[3] = l & 0xff;
+		data[4] = r >> 24 & 0xff;
+		data[5] = r >> 16 & 0xff;
+		data[6] = r >> 8 & 0xff;
+		data[7] = r & 0xff;
+		for (j = 0; j < 8; j++)
+			data[j] ^= iv[j];
+		iv -= 8;
+		data -= 8;
+	}
+	l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
+	r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
+	Blowfish_decipher(c, &l, &r);
+	data[0] = l >> 24 & 0xff;
+	data[1] = l >> 16 & 0xff;
+	data[2] = l >> 8 & 0xff;
+	data[3] = l & 0xff;
+	data[4] = r >> 24 & 0xff;
+	data[5] = r >> 16 & 0xff;
+	data[6] = r >> 8 & 0xff;
+	data[7] = r & 0xff;
+	for (j = 0; j < 8; j++)
+		data[j] ^= iva[j];
+}
+
+#if 0
+void
+report(u_int32_t data[], u_int16_t len)
+{
+	u_int16_t i;
+	for (i = 0; i < len; i += 2)
+		printf("Block %0hd: %08lx %08lx.\n",
+		    i / 2, data[i], data[i + 1]);
+}
+void
+main(void)
+{
+
+	blf_ctx c;
+	char    key[] = "AAAAA";
+	char    key2[] = "abcdefghijklmnopqrstuvwxyz";
+
+	u_int32_t data[10];
+	u_int32_t data2[] =
+	{0x424c4f57l, 0x46495348l};
+
+	u_int16_t i;
+
+	/* First test */
+	for (i = 0; i < 10; i++)
+		data[i] = i;
+
+	blf_key(&c, (u_int8_t *) key, 5);
+	blf_enc(&c, data, 5);
+	blf_dec(&c, data, 1);
+	blf_dec(&c, data + 2, 4);
+	printf("Should read as 0 - 9.\n");
+	report(data, 10);
+
+	/* Second test */
+	blf_key(&c, (u_int8_t *) key2, strlen(key2));
+	blf_enc(&c, data2, 1);
+	printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
+	report(data2, 2);
+	blf_dec(&c, data2, 1);
+	report(data2, 2);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/cast.c b/sbin/isakmpd/sysdep/common/libsysdep/cast.c
new file mode 100644
index 00000000000..35509546ab7
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/cast.c
@@ -0,0 +1,29 @@
+/* 
+ * Created by Martin Rinman, rinman@erlang.ericsson.se 
+ * Copyright (C) 1998 Ericsson Radio Systems AB 
+ */
+
+
+#include <assert.h>
+#include <sys/types.h>
+
+#include "cast.h"
+
+
+void
+cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes) {
+	assert("cast_setkey not implemented yet");
+}
+
+void
+cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock) {
+	assert("cast_encrypt not implemented yet");
+}
+
+void
+cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock) {
+	assert("cast_decrypt not implemented yet");
+}
+
+
+
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/md5.c b/sbin/isakmpd/sysdep/common/libsysdep/md5.c
new file mode 100644
index 00000000000..34e89fc2fed
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/md5.c
@@ -0,0 +1,390 @@
+/*
+ * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic
+ * changes to accomodate it in the kernel by ji.
+ */
+
+/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/*
+ * Additions by JI
+ *
+ * HAVEMEMCOPY is defined if mem* routines are available
+ *
+ * HAVEHTON is defined if htons() and htonl() can be used
+ * for big/little endian conversions
+ *
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "md5.h"
+
+#ifndef WIN32
+#include "endian.h"   /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
+#endif
+
+#define HAVEMEMCOPY 1	/* use ISO C's memcpy and memset */
+
+/* Constants for MD5Transform routine.
+ */
+
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+#define MD5Transform _MD5Transform
+
+static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define Encode MD5_memcpy
+#define Decode MD5_memcpy
+#else
+static void Encode PROTO_LIST
+  ((unsigned char *, UINT4 *, unsigned int));
+static void Decode PROTO_LIST
+  ((UINT4 *, unsigned char *, unsigned int));
+#endif
+
+#ifdef HAVEMEMCOPY
+#include <memory.h>
+#define MD5_memcpy	memcpy
+#define MD5_memset	memset
+#else
+#ifdef HAVEBCOPY
+#define MD5_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c))
+#define MD5_memset(_a,_b,_c) memset((_a), '\0',(_c))
+#else
+static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
+static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
+#endif
+#endif
+static unsigned char PADDING[64] = {
+  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+
+/* MD5 initialization. Begins an MD5 operation, writing a new context.
+ */
+void MD5Init (context)
+MD5_CTX *context;                                        /* context */
+{
+  context->count[0] = context->count[1] = 0;
+  /* Load magic initialization constants.
+*/
+  context->state[0] = 0x67452301;
+  context->state[1] = 0xefcdab89;
+  context->state[2] = 0x98badcfe;
+  context->state[3] = 0x10325476;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+  operation, processing another message block, and updating the
+  context.
+ */
+void MD5Update (context, input, inputLen)
+MD5_CTX *context;                                        /* context */
+unsigned char *input;                                /* input block */
+unsigned int inputLen;                     /* length of input block */
+{
+  unsigned int i, index, partLen;
+
+  /* Compute number of bytes mod 64 */
+  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
+
+  /* Update number of bits */
+  if ((context->count[0] += ((UINT4)inputLen << 3))
+   < ((UINT4)inputLen << 3))
+ context->count[1]++;
+  context->count[1] += ((UINT4)inputLen >> 29);
+
+  partLen = 64 - index;
+
+  /* Transform as many times as possible.
+*/
+  if (inputLen >= partLen) {
+ MD5_memcpy
+   ((POINTER)&context->buffer[index], (POINTER)input, partLen);
+ MD5Transform (context->state, context->buffer);
+
+ for (i = partLen; i + 63 < inputLen; i += 64)
+   MD5Transform (context->state, &input[i]);
+
+ index = 0;
+  }
+  else
+ i = 0;
+
+  /* Buffer remaining input */
+  MD5_memcpy
+ ((POINTER)&context->buffer[index], (POINTER)&input[i],
+  inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+  the message digest and zeroizing the context.
+ */
+void MD5Final (digest, context)
+unsigned char digest[16];                         /* message digest */
+MD5_CTX *context;                                       /* context */
+{
+  unsigned char bits[8];
+  unsigned int index, padLen;
+
+  /* Save number of bits */
+  Encode (bits, context->count, 8);
+
+  /* Pad out to 56 mod 64.
+*/
+  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
+  padLen = (index < 56) ? (56 - index) : (120 - index);
+  MD5Update (context, PADDING, padLen);
+
+  /* Append length (before padding) */
+  MD5Update (context, bits, 8);
+
+  if (digest != NULL)			/* Bill Simpson's padding */
+  {
+	  /* store state in digest */
+	  Encode (digest, context->state, 16);
+
+	  /* Zeroize sensitive information.
+	   */
+	  MD5_memset ((POINTER)context, 0, sizeof (*context));
+  }
+}
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform (state, block)
+UINT4 state[4];
+unsigned char block[64];
+{
+  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+  Decode (x, block, 64);
+
+  /* Round 1 */
+  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+ /* Round 2 */
+  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
+  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+  /* Round 3 */
+  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
+  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+  /* Round 4 */
+  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+  state[0] += a;
+  state[1] += b;
+  state[2] += c;
+  state[3] += d;
+
+  /* Zeroize sensitive information.
+*/
+  MD5_memset ((POINTER)x, 0, sizeof (x));
+}
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+
+/* Encodes input (UINT4) into output (unsigned char). Assumes len is
+  a multiple of 4.
+ */
+static void Encode (output, input, len)
+unsigned char *output;
+UINT4 *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4) {
+ output[j] = (unsigned char)(input[i] & 0xff);
+ output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
+ output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
+ output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
+  }
+}
+
+/* Decodes input (unsigned char) into output (UINT4). Assumes len is
+  a multiple of 4.
+ */
+static void Decode (output, input, len)
+UINT4 *output;
+unsigned char *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4)
+ output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
+   (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+}
+
+#endif
+
+#ifndef HAVEMEMCOPY
+#ifndef HAVEBCOPY
+/* Note: Replace "for loop" with standard memcpy if possible.
+ */
+
+static void MD5_memcpy (output, input, len)
+POINTER output;
+POINTER input;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+
+ output[i] = input[i];
+}
+
+/* Note: Replace "for loop" with standard memset if possible.
+ */
+static void MD5_memset (output, value, len)
+POINTER output;
+int value;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+ ((char *)output)[i] = (char)value;
+}
+#endif
+#endif
+
diff --git a/sbin/isakmpd/sysdep/common/libsysdep/sha1.c b/sbin/isakmpd/sysdep/common/libsysdep/sha1.c
new file mode 100644
index 00000000000..19db0c468d7
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/libsysdep/sha1.c
@@ -0,0 +1,171 @@
+/*
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+
+Test Vectors (from FIPS PUB 180-1)
+"abc"
+  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+A million repetitions of "a"
+  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+*/
+
+/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */
+/* #define SHA1HANDSOFF * Copies data before messing with it. */
+
+#define SHA1HANDSOFF
+
+#include <string.h>
+
+#include "sha1.h"
+#ifndef WIN32
+  #include "endian.h"   /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
+#endif
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/* blk0() and blk() perform the initial expand. */
+/* I got the idea of expanding during the round function from SSLeay */
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+    |(rol(block->l[i],8)&0x00FF00FF))
+#elif BYTE_ORDER == BIG_ENDIAN
+#define blk0(i) block->l[i]
+#else
+#error "Endianness not defined!"
+#endif
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+    ^block->l[(i+2)&15]^block->l[i&15],1))
+
+/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+
+
+/* Hash a single 512-bit block. This is the core of the algorithm. */
+
+void SHA1Transform(unsigned long state[5], unsigned char buffer[64])
+{
+unsigned long a, b, c, d, e;
+typedef union {
+    unsigned char c[64];
+    unsigned long l[16];
+} CHAR64LONG16;
+CHAR64LONG16* block;
+#ifdef SHA1HANDSOFF
+static CHAR64LONG16 workspace;
+    block = &workspace;
+    memcpy(block, buffer, 64);
+#else
+    block = (CHAR64LONG16*)buffer;
+#endif
+    /* Copy context->state[] to working vars */
+    a = state[0];
+    b = state[1];
+    c = state[2];
+    d = state[3];
+    e = state[4];
+    /* 4 rounds of 20 operations each. Loop unrolled. */
+    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+    /* Add the working vars back into context.state[] */
+    state[0] += a;
+    state[1] += b;
+    state[2] += c;
+    state[3] += d;
+    state[4] += e;
+    /* Wipe variables */
+    a = b = c = d = e = 0;
+}
+
+
+/* SHA1Init - Initialize new context */
+
+void SHA1Init(SHA1_CTX* context)
+{
+    /* SHA1 initialization constants */
+    context->state[0] = 0x67452301;
+    context->state[1] = 0xEFCDAB89;
+    context->state[2] = 0x98BADCFE;
+    context->state[3] = 0x10325476;
+    context->state[4] = 0xC3D2E1F0;
+    context->count[0] = context->count[1] = 0;
+}
+
+
+/* Run your data through this. */
+
+void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len)
+{
+unsigned int i;
+unsigned long j;
+
+    j = context->count[0];
+    if ((context->count[0] += len << 3) < j) context->count[1] += (len>>29)+1;
+    j = (j >> 3) & 63;
+    if ((j + len) > 63) {
+        memcpy(&context->buffer[j], data, (i = 64-j));
+        SHA1Transform(context->state, context->buffer);
+        for ( ; i + 63 < len; i += 64) {
+            SHA1Transform(context->state, &data[i]);
+        }
+        j = 0;
+    }
+    else i = 0;
+    memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/* Add padding and return the message digest. */
+
+void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
+{
+unsigned long i, j;
+unsigned char finalcount[8];
+
+    for (i = 0; i < 8; i++) {
+        finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+         >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
+    }
+    SHA1Update(context, (unsigned char *)"\200", 1);
+    while ((context->count[0] & 504) != 448) {
+        SHA1Update(context, (unsigned char *)"\0", 1);
+    }
+    SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
+    for (i = 0; i < 20; i++) {
+        digest[i] = (unsigned char)
+         ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+    }
+    /* Wipe variables */
+    i = j = 0;
+    memset(context->buffer, '\0', 64);
+    memset(context->state, '\0', 20);
+    memset(context->count, '\0', 8);
+    memset(&finalcount, '\0', 8);
+#ifdef SHA1HANDSOFF  /* make SHA1Transform overwrite it's own static vars */
+    SHA1Transform(context->state, context->buffer);
+#endif
+}
diff --git a/sbin/isakmpd/sysdep/common/md5.h b/sbin/isakmpd/sysdep/common/md5.h
new file mode 100644
index 00000000000..88b24ff94f8
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/md5.h
@@ -0,0 +1,71 @@
+/* GLOBAL.H - RSAREF types and constants
+ */
+
+/* PROTOTYPES should be set to one if and only if the compiler supports
+     function argument prototyping.
+   The following makes PROTOTYPES default to 0 if it has not already
+     been defined with C compiler flags.
+ */
+#ifndef PROTOTYPES
+#define PROTOTYPES 1
+#endif
+
+/* POINTER defines a generic pointer type */
+typedef unsigned char *POINTER;
+
+/* UINT2 defines a two byte word */
+typedef unsigned short int UINT2;
+
+/* UINT4 defines a four byte word */
+typedef unsigned long int UINT4;
+
+/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
+     returns an empty list.
+ */
+
+#if PROTOTYPES
+#define PROTO_LIST(list) list
+#else
+#define PROTO_LIST(list) ()
+#endif
+
+
+/* MD5.H - header file for MD5C.C
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/* MD5 context. */
+typedef struct {
+  UINT4 state[4];                                   /* state (ABCD) */
+  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
+  unsigned char buffer[64];                         /* input buffer */
+} MD5_CTX;
+
+void MD5Init PROTO_LIST ((MD5_CTX *));
+void MD5Update PROTO_LIST
+  ((MD5_CTX *, unsigned char *, unsigned int));
+void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
+
+#define _MD5_H_
diff --git a/sbin/isakmpd/sysdep/common/sha1.h b/sbin/isakmpd/sysdep/common/sha1.h
new file mode 100644
index 00000000000..fb675715ef8
--- /dev/null
+++ b/sbin/isakmpd/sysdep/common/sha1.h
@@ -0,0 +1,16 @@
+/*
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+*/
+
+typedef struct {
+    unsigned long state[5];
+    unsigned long count[2];
+    unsigned char buffer[64];
+} SHA1_CTX;
+
+void SHA1Transform(unsigned long state[5], unsigned char buffer[64]);
+void SHA1Init(SHA1_CTX* context);
+void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len);
+void SHA1Final(unsigned char digest[20], SHA1_CTX* context);
diff --git a/sbin/isakmpd/sysdep/freebsd/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/freebsd/GNUmakefile.sysdep
new file mode 100644
index 00000000000..eba18c46c3d
--- /dev/null
+++ b/sbin/isakmpd/sysdep/freebsd/GNUmakefile.sysdep
@@ -0,0 +1,66 @@
+#	$Id: GNUmakefile.sysdep,v 1.1 2001/01/26 11:34:01 niklas Exp $
+
+#
+# Copyright (c) 1999 Håkan Olsson.  All rights reserved.
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+LIBGMP:=	/usr/lib/libgmp.a
+LIBCRYPTO:=	/usr/lib/libcrypto.a
+LIBSYSDEPDIR:=	${.CURDIR}/sysdep/common/libsysdep
+LIBSYSDEP:=	${LIBSYSDEPDIR}/libsysdep.a
+
+LDADD+=		-lgmp ${LIBSYSDEP}
+DPADD+=		${LIBGMP} ${LIBSYSDEP}
+
+FEATURES=	debug tripledes blowdish cast ec aggressive
+# Not yet
+#FEATURES+=	policy x509
+
+IPSEC_SRCS=	pf_key_v2.c
+IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
+
+USE_LIBCRYPTO=	defined
+
+# hack libsysdep.a dependency
+${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
+		cd ${LIBSYSDEPDIR} &&
+			${MAKE} --no-print-directory ${MAKEFLAGS} \
+			    CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
+
+depend: ${LIBSYSDEPDIR}/.depend
+
+ifeq ($(findstring clean, $(MAKECMDGOALS)), clean)
+SUBDIR+=	sysdep/common/libsysdep
+MAKEFLAGS+=	--no-print-directory
+endif
+
diff --git a/sbin/isakmpd/sysdep/freebsd/Makefile.sysdep b/sbin/isakmpd/sysdep/freebsd/Makefile.sysdep
new file mode 100644
index 00000000000..ff3064c1872
--- /dev/null
+++ b/sbin/isakmpd/sysdep/freebsd/Makefile.sysdep
@@ -0,0 +1,78 @@
+#	$Id: Makefile.sysdep,v 1.1 2001/01/26 11:34:03 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# Override default features
+FEATURES=	tripledes blowfish cast ec aggressive debug
+
+.if defined(TOPDIR)
+LIBSYSDEPDIR=	${TOPDIR}/sysdep/common/libsysdep
+.else
+LIBSYSDEPDIR=	${.CURDIR}/sysdep/common/libsysdep
+.endif
+
+LDADD+=		-lgmp ${LIBSYSDEPDIR}/libsysdep.a -L/usr/local/lib 
+DPADD+=		${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a
+
+CFLAGS+=	-I${.CURDIR}/sysdep/common -I/usr/include \
+		-I/usr/local/include -I/usr/local/include/openssl
+
+IPSEC_SRCS=	pf_key_v2.c
+IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
+
+USE_LIBCRYPTO=	defined
+
+# This is a hack in order to make sure libsysdep is built before the
+# linkstage of isakmpd.  As a side effect the link is always done even if
+# not necessary.  Well, I just don't care.
+GENERATED+=	sysdep-target
+sysdep-target:
+		cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS}
+
+# Kludge around much strange behaviour in /usr/share/mk/bsd.*/mk, don't build certpatch
+SUBDIR=		
+
+.if make(clean)
+SUBDIR+=	sysdep/common/libsysdep
+.endif
+
+# Kludge around bug in /usr/share/mk/bsd.subdir.mk
+NO_REGRESS=	defined
+
+# Kludge around bug/feature in /usr/share/mk/bsd.man.mk
+MAN8=		isakmpd.8
+MAN5=		isakmpd.conf.5 isakmpd.policy.5
+
+obj:
+	mkdir obj
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep-os.h b/sbin/isakmpd/sysdep/freebsd/sysdep-os.h
new file mode 100644
index 00000000000..23809ef5bed
--- /dev/null
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep-os.h
@@ -0,0 +1,68 @@
+/*	$Id: sysdep-os.h,v 1.1 2001/01/26 11:34:03 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SYSDEP_OS_H_
+
+#define _SYSDEP_OS_H_
+
+#define KAME
+
+#include <netinet6/ipsec.h>
+
+/* We need in_addr_t, in_port_t & socklen_t.  */
+typedef u_int32_t in_addr_t;
+typedef u_int16_t in_port_t;
+typedef u_int32_t socklen_t;
+
+#if 0
+/* OpenSSL differs from OpenBSD very slightly... */
+
+#define SHA1Init SHA1_Init
+#define SHA1Update SHA1_Update
+#define SHA1Final SHA1_Final
+
+#define cast_key CAST_KEY
+#define cast_setkey(k, d, l) CAST_set_key ((k), (l), (d))
+#define cast_encrypt(k, i, o) do { \
+  memcpy ((o), (i), BLOCKSIZE); \
+  CAST_encrypt ((CAST_LONG *)(o), (k)); \
+}
+#define cast_decrypt(k, i, o) do { \
+  memcpy ((o), (i), BLOCKSIZE); \
+  CAST_decrypt ((CAST_LONG *)(o), (k)); \
+}
+#endif
+
+#endif /* _SYSDEP_OS_H_ */
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep.c b/sbin/isakmpd/sysdep/freebsd/sysdep.c
new file mode 100644
index 00000000000..257401acf83
--- /dev/null
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep.c
@@ -0,0 +1,205 @@
+/*	$Id: sysdep.c,v 1.1 2001/01/26 11:34:03 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sysdep.h"
+
+#include "util.h"
+
+#ifdef NEED_SYSDEP_APP
+#include "app.h"
+#include "conf.h"
+#include "ipsec.h"
+
+#ifdef USE_PF_KEY_V2
+#include "pf_key_v2.h"
+#define KEY_API(x) pf_key_v2_##x
+#else
+#include <net/encap.h>
+#include "pf_encap.h"
+#define KEY_API(x) pf_encap_##x
+#endif
+
+#endif NEED_SYSDEP_APP
+#include "log.h"
+
+extern char *__progname;
+
+/*
+ * An as strong as possible random number generator, reverting to a
+ * deterministic pseudo-random one if regrand is set.
+ */
+u_int32_t
+sysdep_random ()
+{
+  return random();
+}
+
+/* Return the basename of the command used to invoke us.  */
+char *
+sysdep_progname ()
+{
+  return __progname;
+}
+
+/* As regress/ use this file I protect the sysdep_app_* stuff like this.  */
+#ifdef NEED_SYSDEP_APP
+/*
+ * Prepare the application we negotiate SAs for (i.e. the IPsec stack)
+ * for communication.  We return a file descriptor useable to select(2) on.
+ */
+int
+sysdep_app_open ()
+{
+  return KEY_API(open) ();
+}
+
+/*
+ * When select(2) has noticed our application needs attendance, this is what
+ * gets called.  FD is the file descriptor causing the alarm.
+ */
+void
+sysdep_app_handler (int fd)
+{
+  KEY_API (handler) (fd);
+}
+
+/* Check that the connection named NAME is active, or else make it active.  */
+void
+sysdep_connection_check (char *name)
+{
+  KEY_API (connection_check) (name);
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN.  Stash the SPI size in SZ.
+ */
+u_int8_t *
+sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+		      int srclen, struct sockaddr *dst, int dstlen)
+{
+  if (app_none)
+    {
+      *sz = IPSEC_SPI_SIZE;
+      /* XXX should be random instead I think.  */
+      return strdup ("\x12\x34\x56\x78");
+    }
+  return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+}
+
+/* Force communication on socket FD to go in the clear.  */
+int
+sysdep_cleartext (int fd)
+{
+#if 0
+  int level;
+#endif
+
+  if (app_none)
+    return 0;
+
+#if 0
+  /*
+   * Need to bypass system security policy, so I can send and
+   * receive key management datagrams in the clear.
+   */
+  level = IPSEC_LEVEL_BYPASS;
+  if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
+      == -1)
+    {
+      log_error ("sysdep_cleartext: "
+		 "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
+      return -1;
+    }
+  if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
+		  sizeof level) == -1)
+    {
+      log_error ("sysdep_cleartext: "
+		 "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
+		 "failed", fd);
+      return -1;
+    }
+  if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
+		  sizeof level) == -1)
+    {
+      log_error("sysdep_cleartext: "
+		"setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
+		 "failed", fd);
+      return -1;
+    }
+#endif
+  return 0;
+}
+
+int
+sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (delete_spi) (sa, proto, incoming);
+}
+
+int
+sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (enable_sa) (sa, isakmp_sa);
+}
+
+int
+sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1,
+			 struct proto *proto2, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (group_spis) (sa, proto1, proto2, incoming);
+}
+
+int
+sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (set_spi) (sa, proto, incoming);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep
new file mode 100644
index 00000000000..6c694f49a28
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep
@@ -0,0 +1,77 @@
+#	$Id: GNUmakefile.sysdep,v 1.1 2001/01/26 11:34:04 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# In order for this to work, invocations need to set FREESWAN to the
+# directory where FreeS/WAN is installed.
+
+ifndef FREESWAN
+FREESWAN=	/usr/src/freeswan
+endif
+
+BINDIR=		/usr/local/sbin
+# Partly good for RedHat 5.2, but man(1) does not find them so I have it
+# disabled for now.
+#MANDIR=		/var/catman/cat
+#MAN5=		isakmpd.conf.0
+#MAN8=		isakmpd.0
+NOMAN=
+
+LIBGMP=		${FREESWAN}/gmp/libgmp.a
+LIBDES=		${FREESWAN}/libdes/libdes.a
+LIBSYSDEPDIR=	${.CURDIR}/sysdep/common/libsysdep
+LIBSYSDEP=	${LIBSYSDEPDIR}/libsysdep.a
+
+FEATURES=	tripledes blowfish cast ec aggressive debug
+
+SRCS+=		klips.c
+
+LDADD+=		${LIBSYSDEP} ${LIBGMP} ${LIBDES} -ldl
+DPADD+=		${LIBSYSDEP} ${LIBGMP} ${LIBDES}
+
+CFLAGS+=	-I${FREESWAN}/gmp -I${FREESWAN}/libdes \
+		-I${FREESWAN}/klips -I${FREESWAN}/lib -DUSE_OLD_SOCKADDR \
+		-I${.CURDIR}/sysdep/common -DSYMBOL_PREFIX='"_"'
+
+HAVE_DLOPEN=	defined
+
+${LIBSYSDEP}:
+	cd ${LIBSYSDEPDIR}; \
+		${MAKE} --no-print-directory ${MAKEFLAGS} CFLAGS="${CFLAGS}" MKDEP="${MKDEP}"
+
+ifneq ($(findstring install,$(MAKECMDGOALS)),install)
+SUBDIR+=	sysdep/common/libsysdep
+# The regress/ subdir is completely broken in the linux environment
+SUBDIR:=	$(filter-out regress,${SUBDIR})
+endif
diff --git a/sbin/isakmpd/sysdep/linux/Makefile.sysdep b/sbin/isakmpd/sysdep/linux/Makefile.sysdep
new file mode 100644
index 00000000000..94ae607a2c6
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/Makefile.sysdep
@@ -0,0 +1,86 @@
+#	$Id: Makefile.sysdep,v 1.1 2001/01/26 11:34:04 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# In order for this to work, invocations need to set FREESWAN to the
+# directory where FreeS/WAN is installed.
+
+BINDIR=		/usr/local/sbin
+# Partly good for RedHat 5.2, but man(1) does not find them so I have it
+# disabled for now.
+#MANDIR=		/var/catman/cat
+#MAN5=		isakmpd.conf.0
+#MAN8=		isakmpd.0
+NOMAN=
+
+IPSEC_SRCS=	klips.c
+
+LDADD+=		${.CURDIR}/sysdep/common/libsysdep/libsysdep.a \
+		${FREESWAN}/gmp/libgmp.a
+DPADD+=		${.CURDIR}/sysdep/common/libsysdep/libsysdep.a \
+		${FREESWAN}/gmp/libgmp.a
+
+CFLAGS+=	${DEBUG} -I${FREESWAN}/gmp -I${FREESWAN}/libdes \
+		-I${FREESWAN}/klips -I${FREESWAN}/lib -DUSE_OLD_SOCKADDR \
+		-I${.CURDIR}/sysdep/common
+
+# XXX Is this test correct?  Is the prefix "_" on ELF-systems too?
+HAVE_DLOPEN=	defined
+LDADD+=		-ldl
+DPADD+=		/usr/lib/libdl.a
+CFLAGS+=	-DSYMBOL_PREFIX='"_"'
+
+#USE_LIBCRYPTO=	defined
+#USE_KEYNOTE=	defined
+
+.ifndef USE_LIBCRYPTO
+DESLIB=		${FREESWAN}/libdes/libdes.a
+DESLIBDEP=	${FREESWAN}/libdes/libdes.a
+.endif
+
+# This is a hack in order to make sure libsysdep is built before the
+# linkstage of isakmpd.  As a side effect the link is always done even if
+# not necessary.  Well, I just don't care.
+GENERATED+=	sysdep-target
+sysdep-target:
+		cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS}
+
+.if make(clean)
+SUBDIR+=	sysdep/common/libsysdep
+.endif
+
+# The regress/ subdir is completely broken in the linux environment
+.if !make(install)
+SUBDIR:=	${SUBDIR:Nregress}
+.endif
diff --git a/sbin/isakmpd/sysdep/linux/README b/sbin/isakmpd/sysdep/linux/README
new file mode 100644
index 00000000000..6238820e91d
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/README
@@ -0,0 +1,16 @@
+$Id: README,v 1.1 2001/01/26 11:34:04 niklas Exp $
+
+Currently, you have to manually configure any ipsec interfaces and do the
+association betweent these and the physical ones.  This is done like
+this in FreeS/WAN:
+
+ipsec tncfg --attach --virtual ipsec0 --physical eth0
+ifconfig ipsec0 A.B.C.D netmask E.F.G.H
+
+Then there is one special configuration option in the IPSec-connection
+sections for Phase 2 of the configuration file, named Next-hop, which
+should be set to the next hop's IP address along the way to the peer:
+
+Next-hop=	I.J.K.L
+
+This is specific to the way FreeS/WAN works.
diff --git a/sbin/isakmpd/sysdep/linux/klips.c b/sbin/isakmpd/sysdep/linux/klips.c
new file mode 100644
index 00000000000..cd042d7f718
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/klips.c
@@ -0,0 +1,687 @@
+/*	$Id: klips.c,v 1.1 2001/01/26 11:34:04 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include <asm/types.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <linux/sockios.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+
+#include <freeswan.h>
+#include <net/ipsec/radij.h>
+#include <net/ipsec/ipsec_encap.h>
+#include <net/ipsec/ipsec_netlink.h>
+#include <net/ipsec/ipsec_xform.h>
+#include <net/ipsec/ipsec_ipe4.h>
+#include <net/ipsec/ipsec_ah.h>
+#include <net/ipsec/ipsec_esp.h>
+
+#include "sysdep.h"
+
+#include "conf.h"
+#include "exchange.h"
+#include "hash.h"
+#include "ipsec.h"
+#include "ipsec_doi.h"
+#include "ipsec_num.h"
+#include "isakmp.h"
+#include "log.h"
+#include "klips.h"
+#include "sa.h"
+#include "timer.h"
+#include "transport.h"
+
+#define KLIPS_DEVICE "/dev/ipsec"
+
+#define PROC_ROUTE_FILE	"/proc/net/route"
+#define PROC_ROUTE_FMT	"%16s %128s %128s %X %d %d %d %128s %d %d %d\n"
+
+/* XXX Maybe these are available through some system-supplied define?  */
+#define AH_NEW_XENCAP_LEN (3 * sizeof(u_short) + 2 * sizeof(u_char))
+#define ESP_NEW_XENCAP_LEN sizeof (struct espblkrply_edata)
+#define EMT_GRPSPIS_COMPLEN (sizeof (((struct encap_msghdr *)0)->em_rel[0]))
+
+/* How often should we check that connections we require to be up, are up?  */
+#define KLIPS_CHECK_FREQ 60
+
+static int klips_socket;
+
+/* Open the KLIPS device.  */
+int
+klips_open ()
+{
+  int fd;
+
+  fd = open (KLIPS_DEVICE, O_RDWR);
+  if (fd == -1)
+    {
+      log_error ("klips_open: open (\"%s\", O_RDWR) failed", KLIPS_DEVICE);
+      return -1;
+    }
+  klips_socket = fd;
+  return fd;
+}
+
+/* Write a KLIPS request down to the kernel.  */
+static int
+klips_write (struct encap_msghdr *em)
+{
+  ssize_t n;
+
+  em->em_magic = EM_MAGIC;
+  em->em_version = 0;
+
+  LOG_DBG_BUF ((LOG_SYSDEP, 30, "klips_write: em", (u_int8_t *)em,
+		em->em_msglen));
+  n = write (klips_socket, em, em->em_msglen);
+  if (n == -1)
+    {
+      log_error ("write (%d, ...) failed", klips_socket);
+      return -1;
+    }
+  if ((size_t)n != em->em_msglen)
+    {
+      log_error ("write (%d, ...) returned prematurely", klips_socket);
+      return -1;
+    }
+  return 0;
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN.  Stash the SPI size in SZ.
+ */
+u_int8_t *
+klips_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, int srclen,
+	       struct sockaddr *dst, int dstlen)
+{
+  u_int8_t *spi;
+  u_int32_t spinum;
+
+  *sz = IPSEC_SPI_SIZE;
+  spi = malloc (*sz);
+  if (!spi)
+    return 0;
+  do
+    spinum = sysdep_random ();
+  while (spinum < IPSEC_SPI_LOW);
+  spinum = htonl (spinum);
+  memcpy (spi, &spinum, *sz);
+
+  LOG_DBG_BUF ((LOG_SYSDEP, 50, "klips_get_spi: spi", spi, *sz));
+
+  return spi;
+}
+
+/* Group 2 SPIs in a chain.  XXX Not fully implemented yet.  */
+int
+klips_group_spis (struct sa *sa, struct proto *proto1, struct proto *proto2,
+		  int incoming)
+{
+  struct encap_msghdr *emsg = 0;
+  struct sockaddr *dst;
+  int dstlen;
+
+  emsg = calloc (1, EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN);
+  if (!emsg)
+    return -1;
+
+  emsg->em_msglen = EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN;
+  emsg->em_type = EMT_GRPSPIS;
+
+  /*
+   * XXX The code below is wrong if we are in tunnel mode.
+   * The fix is to reorder stuff so the IP-in-IP SA will always come
+   * upfront, and if there are two such, one is dropped.
+   */
+  memcpy (&emsg->em_rel[0].emr_spi, proto1->spi[incoming],
+	  sizeof emsg->em_rel[0].emr_spi);
+  memcpy (&emsg->em_rel[1].emr_spi, proto2->spi[incoming],
+	  sizeof emsg->em_rel[1].emr_spi);
+  if (incoming)
+    sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+  else
+    sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+  emsg->em_rel[0].emr_dst
+    = emsg->em_rel[1].emr_dst = ((struct sockaddr_in *)dst)->sin_addr;
+  /* XXX What if IPCOMP etc. comes along?  */
+  emsg->em_rel[0].emr_proto
+    = proto1->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH;
+  emsg->em_rel[1].emr_proto
+    = proto2->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH;
+
+  if (klips_write (emsg))
+    goto cleanup;
+  free (emsg);
+
+  LOG_DBG ((LOG_SYSDEP, 50, "klips_group_spis: done"));
+
+  return 0;
+
+ cleanup:
+  if (emsg)
+    free (emsg);
+  return -1;
+}
+
+/* Store/update a SPI with full information into the kernel.  */
+int
+klips_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  struct encap_msghdr *emsg = 0;
+  struct ipsec_proto *iproto = proto->data;
+  struct sockaddr *dst, *src;
+  int dstlen, srclen, keylen, hashlen;
+  size_t len;
+  struct ipe4_xdata *ip4x;
+
+  /* Actually works for all.  */
+  struct espblkrply_edata *edx;
+
+  /* Actually works for all.  */
+  struct ahhmacmd5_edata *amx;
+
+  switch (proto->proto)
+    {
+    case IPSEC_PROTO_IPSEC_ESP:
+      keylen = ipsec_esp_enckeylength (proto);
+      hashlen = ipsec_esp_authkeylength (proto);
+      len = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN;
+      emsg = calloc (1, len);
+      if (!emsg)
+	return -1;
+
+      emsg->em_proto = IPPROTO_ESP;
+
+      edx = (struct espblkrply_edata *)emsg->em_dat;
+
+      /* Funny expression due to I just want one switch.  */
+      switch (proto->id | (iproto->auth << 8))
+	{
+	case IPSEC_ESP_DES:
+	case IPSEC_ESP_DES_IV32:
+	case IPSEC_ESP_DES_IV64:
+	  emsg->em_alg = XF_ESPDES;
+	  break;
+
+	case IPSEC_ESP_3DES:
+	  emsg->em_alg = XF_ESP3DES;
+	  break;
+
+	case IPSEC_ESP_DES | (IPSEC_AUTH_HMAC_MD5 << 8):
+	case IPSEC_ESP_DES_IV32 | (IPSEC_AUTH_HMAC_MD5 << 8):
+	case IPSEC_ESP_DES_IV64 | (IPSEC_AUTH_HMAC_MD5 << 8):
+	  emsg->em_alg = XF_ESPDESMD596;
+	  break;
+
+	case IPSEC_ESP_3DES | (IPSEC_AUTH_HMAC_MD5 << 8):
+	  emsg->em_alg = XF_ESP3DESMD596;
+	  break;
+
+	case IPSEC_ESP_DES | (IPSEC_AUTH_HMAC_SHA << 8):
+	case IPSEC_ESP_DES_IV32 | (IPSEC_AUTH_HMAC_SHA << 8):
+	case IPSEC_ESP_DES_IV64 | (IPSEC_AUTH_HMAC_SHA << 8):
+	  emsg->em_alg = XF_ESPDESSHA196;
+	  break;
+
+	case IPSEC_ESP_3DES | (IPSEC_AUTH_HMAC_SHA << 8):
+	  emsg->em_alg = XF_ESP3DESSHA196;
+	  break;
+
+	default:
+	  LOG_DBG ((LOG_SYSDEP, 10, 
+		    "klips_set_spi: Unsupported enc/auth alg negotiated"));
+	  return -1;
+	}
+
+      /* XXX What if we have a protocol requiring IV?  */
+      edx->eme_ivlen = EMT_ESPDES_IV_SZ;
+      edx->eme_klen = keylen;
+      edx->ame_klen = hashlen;
+#if 0
+      /* I have reason to believe Shared-SADB won't work at all in KLIPS.  */
+      edx->eme_ooowin
+	= conf_get_str ("General", "Shared-SADB") ? 0 : iproto->replay_window;
+#else
+      edx->eme_ooowin = iproto->replay_window;
+#endif
+      /*
+       * XXX Pluto sets the unused by KLIPS flag EME_INITIATOR in
+       * edx->eme_flags, if the party is the initiator.  Should we too?
+       */
+      edx->eme_flags = 0;
+      memcpy (edx->eme_key, iproto->keymat[incoming], keylen);
+      if (iproto->auth)
+	memcpy (edx->ame_key, iproto->keymat[incoming] + keylen, hashlen);
+      break;
+
+    case IPSEC_PROTO_IPSEC_AH:
+      hashlen = ipsec_ah_keylength (proto);
+      len = EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN + hashlen;
+      emsg = calloc (1, len);
+      if (!emsg)
+	return -1;
+
+      emsg->em_proto = IPPROTO_AH;
+
+      amx = (struct ahhmacmd5_edata *)emsg->em_dat;
+
+      switch (proto->id)
+	{
+	case IPSEC_AH_MD5:
+	  emsg->em_alg = XF_AHHMACMD5;
+	  break;
+
+	case IPSEC_AH_SHA:
+	  emsg->em_alg = XF_AHHMACSHA1;
+	  break;
+
+	default:
+	  /* XXX Log?  */
+	  goto cleanup;
+	}
+
+      /* XXX Should we be able to send in different lengths here?  */
+      amx->ame_alen = amx->ame_klen = hashlen;
+#if 0
+      /* I have reason to believe Shared-SADB won't work at all in KLIPS.  */
+      amx->ame_ooowin
+	= conf_get_str ("General", "Shared-SADB") ? 0 : iproto->replay_window;
+#else
+      amx->ame_ooowin = iproto->replay_window;
+#endif
+      amx->ame_replayp = amx->ame_ooowin > 0;
+      memcpy (amx->ame_key, iproto->keymat[incoming], hashlen);
+      break;
+
+    default:
+      /* XXX Log?  */
+      goto cleanup;
+    }
+
+  emsg->em_msglen = len;
+  emsg->em_type = EMT_SETSPI;
+  memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi);
+  emsg->em_flags = incoming ? EMT_INBOUND : 0;
+
+  /*
+   * XXX Addresses has to be thought through.  Assumes IPv4.
+   */
+  sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+  sa->transport->vtbl->get_src (sa->transport, &src, &srclen);
+  emsg->em_dst
+    = ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr;
+
+  /*
+   * Klips does not know about expirations, thus we need to do them inside
+   * isakmpd.
+   */
+  if (sa->seconds)
+    if (sa_setup_expirations (sa))
+      goto cleanup;
+
+  LOG_DBG ((LOG_SYSDEP, 10, "klips_set_spi: proto %d dst %s SPI 0x%x",
+	    emsg->em_proto, inet_ntoa (emsg->em_dst), htonl (emsg->em_spi)));
+  if (klips_write (emsg))
+    goto cleanup;
+  free (emsg);
+
+  /* If we are tunneling we have to setup an IP in IP tunnel too.  */
+  if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL)
+    {
+      len = EMT_SETSPI_FLEN + EMT_IPE4_ULEN;
+      emsg = calloc (1, len);
+      if (!emsg)
+	goto cleanup;
+
+      emsg->em_proto = IPPROTO_IPIP;
+      emsg->em_msglen = len;
+      emsg->em_type = EMT_SETSPI;
+      /*
+       * XXX Code in Pluto suggests this is not possible, but that we have
+       * to have a unique SPI for the IP4 SA.
+       */
+      memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi);
+      emsg->em_flags = 0;
+      emsg->em_alg = XF_IP4;
+
+      ip4x = (struct ipe4_xdata *)emsg->em_dat;
+      ip4x->i4_dst = emsg->em_dst
+	= ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr;
+      ip4x->i4_src
+	= ((struct sockaddr_in *)(incoming ? dst : src))->sin_addr;
+
+      LOG_DBG ((LOG_SYSDEP, 10, "klips_set_spi: proto %d dst %s SPI 0x%x",
+		emsg->em_proto, inet_ntoa (emsg->em_dst),
+		htonl (emsg->em_spi)));
+      if (klips_write (emsg))
+	goto cleanup;
+      free (emsg);
+
+      /*
+       * Grouping the IP-in-IP SA with the IPSec one means we must be careful
+       * in klips_group_spis so that we'll remove duplicate IP-in-IP SAs
+       * and get everything grouped in the right order.
+       *
+       * XXX Could we not share code with klips_group_spis here?
+       */
+      emsg = calloc (1, EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN);
+      if (!emsg)
+	goto cleanup;
+
+      emsg->em_msglen = EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN;
+      emsg->em_type = EMT_GRPSPIS;
+
+      memcpy (&emsg->em_rel[0].emr_spi, proto->spi[incoming],
+	      sizeof emsg->em_rel[0].emr_spi);
+      memcpy (&emsg->em_rel[1].emr_spi, proto->spi[incoming],
+	      sizeof emsg->em_rel[1].emr_spi);
+      emsg->em_rel[0].emr_dst = emsg->em_rel[1].emr_dst
+	= ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr;
+
+      emsg->em_rel[0].emr_proto = IPPROTO_IPIP;
+      /* XXX What if IPCOMP etc. comes along?  */
+      emsg->em_rel[1].emr_proto
+	= proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH;
+
+      if (klips_write (emsg))
+	goto cleanup;
+      free (emsg);
+    }
+
+  LOG_DBG ((LOG_SYSDEP, 50, "klips_set_spi: done"));
+
+  return 0;
+
+ cleanup:
+  /* XXX Cleanup the potential SAs we have setup.  */
+  if (emsg)
+    free (emsg);
+  return -1;
+}
+ 
+/*
+ * Delete the IPSec SA represented by the INCOMING direction in protocol PROTO
+ * of the IKE security association SA.
+ */
+int
+klips_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  struct encap_msghdr *emsg = 0;
+  struct sockaddr *dst;
+  int dstlen;
+  struct ipsec_proto *iproto = proto->data;
+
+  emsg = calloc (1, EMT_SETSPI_FLEN);
+  if (!emsg)
+    return -1;
+
+  emsg->em_msglen = EMT_SETSPI_FLEN;
+  emsg->em_type = EMT_DELSPI;
+
+  memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi);
+  if (incoming)
+    sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+  else
+    sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+  emsg->em_dst = ((struct sockaddr_in *)dst)->sin_addr;
+  /* XXX What if IPCOMP etc. comes along?  */
+  emsg->em_proto
+    = (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ? IPPROTO_IPIP
+       : proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH);
+
+  if (klips_write (emsg))
+    goto cleanup;
+  free (emsg);
+
+  LOG_DBG ((LOG_SYSDEP, 50, "klips_delete_spi: done"));
+
+  return 0;
+
+ cleanup:
+  if (emsg)
+    free (emsg);
+  return -1;
+}
+
+int
+klips_hex_decode (char *src, u_char *dst, int dstsize)
+{
+  char *p, *pe;
+  u_char *q, *qe, ch, cl;
+
+  pe = src + strlen (src);
+  qe = dst + dstsize;
+
+  for (p = src, q = dst; p < pe && q < qe && isxdigit ((int)*p); p += 2)
+    {
+      ch = tolower (p[0]);
+      cl = tolower (p[1]);
+       
+      if ((ch >= '0') && (ch <= '9'))
+	ch -= '0';
+      else if ((ch >= 'a') && (ch <= 'f'))
+	ch -= 'a' - 10;
+      else
+	return -1;
+
+      if ((cl >= '0') && (cl <= '9'))
+	cl -= '0';
+      else if ((cl >= 'a') && (cl <= 'f'))
+	cl -= 'a' - 10;
+      else
+	return -1;
+
+      *q++ = (ch << 4) | cl;
+    }
+  
+  return (int)(q - dst);
+}
+
+/* Consult kernel routing table for next-hop lookup. From dugsong@monkey.org */
+u_long
+klips_route_get (u_long dst)
+{
+  FILE *f;
+  char buf[BUFSIZ];
+  char ifbuf[16], netbuf[128], gatebuf[128], maskbuf[128];
+  int i, iflags, refcnt, use, metric, mss, win, irtt;
+  u_long ret, gate, net, mask;
+
+  if ((f = fopen (PROC_ROUTE_FILE, "r")) == NULL)
+    return dst;
+
+  ret = dst;
+
+  while (fgets (buf, sizeof buf, f) != NULL)
+    {
+      i = sscanf (buf, PROC_ROUTE_FMT, ifbuf, netbuf, gatebuf, &iflags,
+		  &refcnt, &use, &metric, maskbuf, &mss, &win, &irtt);
+      if (i < 10 || !(iflags & RTF_UP))
+	continue;
+
+      klips_hex_decode (netbuf, (u_char *)&net, sizeof net);
+      klips_hex_decode (gatebuf, (u_char *)&gate, sizeof gate);
+      klips_hex_decode (maskbuf, (u_char *)&mask, sizeof mask);
+      
+      net = htonl (net);
+      gate = htonl (gate);
+      mask = htonl (mask);
+
+      if ((dst & mask) == net)
+	{
+	  if (gate != INADDR_ANY)
+	    ret = gate;
+	  break;
+	}
+    }
+
+  fclose (f);
+  return ret;
+}
+
+/* Enable a flow given a SA.  */
+int
+klips_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+  struct ipsec_sa *isa = sa->data;
+  struct sockaddr *dst;
+  int dstlen;
+  struct proto *proto = TAILQ_FIRST (&sa->protos);
+  struct ipsec_proto *iproto = proto->data;
+  struct encap_msghdr emsg;
+  int s = -1;
+  struct rtentry rt;
+
+  sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+
+  /* XXX Is this needed?  */
+  memset (&emsg, '\0', sizeof emsg);
+
+  emsg.em_msglen = sizeof emsg;
+  emsg.em_type = EMT_RPLACEROUTE;
+
+  memcpy (&emsg.em_erspi, proto->spi[0], sizeof emsg.em_erspi);
+  emsg.em_erdst = ((struct sockaddr_in *)dst)->sin_addr;
+
+  LOG_DBG ((LOG_SYSDEP, 50, "klips_enable_sa: src %x %x dst %x %x",
+	    ntohl (isa->src_net), ntohl (isa->src_mask), ntohl (isa->dst_net),
+	    ntohl (isa->dst_mask)));
+
+  /* XXX Magic constant from Pluto (26 = AF_ISDN in BSD).  */
+  emsg.em_eaddr.sen_family = emsg.em_emask.sen_family = 26;
+  emsg.em_eaddr.sen_type = SENT_IP4;
+  /* XXX Magic constant from Pluto.  */
+  emsg.em_emask.sen_type = 255;
+  emsg.em_eaddr.sen_len = emsg.em_emask.sen_len
+    = sizeof (struct sockaddr_encap);
+
+  emsg.em_eaddr.sen_ip_src.s_addr = isa->src_net;
+  emsg.em_emask.sen_ip_src.s_addr = isa->src_mask;
+  emsg.em_eaddr.sen_ip_dst.s_addr = isa->dst_net;
+  emsg.em_emask.sen_ip_dst.s_addr = isa->dst_mask;
+
+  /* XXX What if IPCOMP etc. comes along?  */
+  emsg.em_erproto
+    = (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ? IPPROTO_IPIP
+       : proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH);
+
+  if (klips_write (&emsg))
+    {
+      emsg.em_type = EMT_SETEROUTE;
+      if (klips_write (&emsg))
+	goto cleanup;
+    }
+
+  s = socket (PF_INET, SOCK_DGRAM, AF_UNSPEC);
+  if (s == -1)
+    {
+      log_error ("klips_enable_sa: "
+		 "socket(PF_INET, SOCK_DGRAM, AF_UNSPEC) failed");
+      goto cleanup;
+    }
+
+  memset (&rt, '\0', sizeof rt);
+  rt.rt_dst.sa_family = AF_INET;
+  ((struct sockaddr_in *)&rt.rt_dst)->sin_addr.s_addr = isa->dst_net;
+  rt.rt_genmask.sa_family = AF_INET;
+  ((struct sockaddr_in *)&rt.rt_genmask)->sin_addr.s_addr = isa->dst_mask;
+  rt.rt_gateway.sa_family = AF_INET;
+
+  ((struct sockaddr_in *)&rt.rt_gateway)->sin_addr.s_addr
+    = klips_route_get (emsg.em_erdst.s_addr);
+
+  rt.rt_flags = RTF_UP | RTF_GATEWAY;
+  /* XXX What if we have multiple interfaces?  */
+  rt.rt_dev = "ipsec0";
+
+  if (ioctl (s, SIOCDELRT, &rt) == -1 && errno != ESRCH)
+    {
+      log_error ("klips_enable_sa: ioctl (%d, SIOCDELRT, %p) failed", s, &rt);
+      goto cleanup;
+    }
+
+  if (ioctl (s, SIOCADDRT, &rt) == -1)
+    {
+      log_error ("klips_enable_sa: ioctl (%d, SIOCADDRT, %p) failed", s, &rt);
+      goto cleanup;
+    }
+
+  close (s);
+  return 0;
+
+ cleanup:
+  if (s != -1)
+    close (s);
+  return -1;
+}
+
+static void
+klips_stayalive (struct exchange *exchange, void *vconn, int fail)
+{
+  char *conn = vconn;
+  struct sa *sa;
+
+  /* XXX What if it is phase 1?  */
+  sa = sa_lookup_by_name (conn, 2);
+  if (sa)
+    sa->flags |= SA_FLAG_STAYALIVE;
+}
+
+/* Establish the connection in VCONN and set the stayalive flag for it.  */
+void
+klips_connection_check (char *conn)
+{
+  if (!sa_lookup_by_name (conn, 2))
+    {
+      LOG_DBG ((LOG_SYSDEP, 70, "klips_connection_check: SA for %s missing",
+		conn));
+      exchange_establish (conn, klips_stayalive, conn);
+    }
+  else
+    LOG_DBG ((LOG_SYSDEP, 70, "klips_connection_check: SA for %s exists",
+	      conn));
+}
diff --git a/sbin/isakmpd/sysdep/linux/klips.h b/sbin/isakmpd/sysdep/linux/klips.h
new file mode 100644
index 00000000000..fdc1fcbe369
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/klips.h
@@ -0,0 +1,56 @@
+/*	$Id: klips.h,v 1.1 2001/01/26 11:34:04 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _KLIPS_H_
+#define _KLIPS_H_
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+struct proto;
+struct sa;
+struct sockaddr;
+
+extern void klips_connection_check (char *);
+extern int klips_delete_spi (struct sa *, struct proto *, int);
+extern int klips_enable_sa (struct sa *, struct sa *);
+extern u_int8_t *klips_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
+				struct sockaddr *, int);
+extern int klips_group_spis (struct sa *, struct proto *, struct proto *,
+			     int);
+extern int klips_open (void);
+extern int klips_set_spi (struct sa *, struct proto *, int);
+
+#endif /* _KLIPS_H_ */
diff --git a/sbin/isakmpd/sysdep/linux/sys/queue.h b/sbin/isakmpd/sysdep/linux/sys/queue.h
new file mode 100644
index 00000000000..6af6f7418bd
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/sys/queue.h
@@ -0,0 +1,337 @@
+/*	$OpenBSD: queue.h,v 1.3 2001/01/26 11:34:05 niklas Exp $	*/
+/*	$NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $	*/
+
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)queue.h	8.5 (Berkeley) 8/20/94
+ */
+
+#ifndef	_SYS_QUEUE_H_
+#define	_SYS_QUEUE_H_
+
+#ifndef NULL
+#define NULL ((void *)0)
+#endif
+
+/*
+ * This file defines four types of data structures: lists, simple queues,
+ * tail queues, and circular queues.
+ *
+ * A list is headed by a single forward pointer (or an array of forward
+ * pointers for a hash table header). The elements are doubly linked
+ * so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before
+ * or after an existing element or at the head of the list. A list
+ * may only be traversed in the forward direction.
+ *
+ * A simple queue is headed by a pair of pointers, one the head of the
+ * list and the other to the tail of the list. The elements are singly
+ * linked to save space, so only elements can only be removed from the
+ * head of the list. New elements can be added to the list before or after
+ * an existing element, at the head of the list, or at the end of the
+ * list. A simple queue may only be traversed in the forward direction.
+ *
+ * A tail queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before or
+ * after an existing element, at the head of the list, or at the end of
+ * the list. A tail queue may be traversed in either direction.
+ *
+ * A circle queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before or after
+ * an existing element, at the head of the list, or at the end of the list.
+ * A circle queue may be traversed in either direction, but has a more
+ * complex end of list detection.
+ *
+ * For details on the use of these macros, see the queue(3) manual page.
+ */
+
+/*
+ * List definitions.
+ */
+#define LIST_HEAD(name, type)						\
+struct name {								\
+	struct type *lh_first;	/* first element */			\
+} 
+
+#define LIST_ENTRY(type)						\
+struct {								\
+	struct type *le_next;	/* next element */			\
+	struct type **le_prev;	/* address of previous next element */	\
+}
+
+#define	LIST_FIRST(head)		((head)->lh_first)
+#define	LIST_NEXT(elm, field)		((elm)->field.le_next)
+#define	LIST_END(head)			NULL
+
+/*
+ * List functions.
+ */
+#define	LIST_INIT(head) do {						\
+	(head)->lh_first = NULL;					\
+} while (0)
+
+#define LIST_INSERT_AFTER(listelm, elm, field) do {			\
+	if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)	\
+		(listelm)->field.le_next->field.le_prev =		\
+		    &(elm)->field.le_next;				\
+	(listelm)->field.le_next = (elm);				\
+	(elm)->field.le_prev = &(listelm)->field.le_next;		\
+} while (0)
+
+#define	LIST_INSERT_BEFORE(listelm, elm, field) do {			\
+	(elm)->field.le_prev = (listelm)->field.le_prev;		\
+	(elm)->field.le_next = (listelm);				\
+	*(listelm)->field.le_prev = (elm);				\
+	(listelm)->field.le_prev = &(elm)->field.le_next;		\
+} while (0)
+
+#define LIST_INSERT_HEAD(head, elm, field) do {				\
+	if (((elm)->field.le_next = (head)->lh_first) != NULL)		\
+		(head)->lh_first->field.le_prev = &(elm)->field.le_next;\
+	(head)->lh_first = (elm);					\
+	(elm)->field.le_prev = &(head)->lh_first;			\
+} while (0)
+
+#define LIST_REMOVE(elm, field) do {					\
+	if ((elm)->field.le_next != NULL)				\
+		(elm)->field.le_next->field.le_prev = 			\
+		    (elm)->field.le_prev;				\
+	*(elm)->field.le_prev = (elm)->field.le_next;			\
+} while (0)
+
+/*
+ * Simple queue definitions.
+ */
+#define SIMPLEQ_HEAD(name, type)					\
+struct name {								\
+	struct type *sqh_first;	/* first element */			\
+	struct type **sqh_last;	/* addr of last next element */		\
+}
+
+#define SIMPLEQ_ENTRY(type)						\
+struct {								\
+	struct type *sqe_next;	/* next element */			\
+}
+
+/*
+ * Simple queue functions.
+ */
+#define	SIMPLEQ_INIT(head) do {						\
+	(head)->sqh_first = NULL;					\
+	(head)->sqh_last = &(head)->sqh_first;				\
+} while (0)
+
+#define SIMPLEQ_INSERT_HEAD(head, elm, field) do {			\
+	if (((elm)->field.sqe_next = (head)->sqh_first) == NULL)	\
+		(head)->sqh_last = &(elm)->field.sqe_next;		\
+	(head)->sqh_first = (elm);					\
+} while (0)
+
+#define SIMPLEQ_INSERT_TAIL(head, elm, field) do {			\
+	(elm)->field.sqe_next = NULL;					\
+	*(head)->sqh_last = (elm);					\
+	(head)->sqh_last = &(elm)->field.sqe_next;			\
+} while (0)
+
+#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
+	if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\
+		(head)->sqh_last = &(elm)->field.sqe_next;		\
+	(listelm)->field.sqe_next = (elm);				\
+} while (0)
+
+#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do {			\
+	if (((head)->sqh_first = (elm)->field.sqe_next) == NULL)	\
+		(head)->sqh_last = &(head)->sqh_first;			\
+} while (0)
+
+/*
+ * Tail queue definitions.
+ */
+#define TAILQ_HEAD(name, type)						\
+struct name {								\
+	struct type *tqh_first;	/* first element */			\
+	struct type **tqh_last;	/* addr of last next element */		\
+}
+
+#define TAILQ_ENTRY(type)						\
+struct {								\
+	struct type *tqe_next;	/* next element */			\
+	struct type **tqe_prev;	/* address of previous next element */	\
+}
+
+
+#define	TAILQ_FIRST(head)		((head)->tqh_first)
+#define	TAILQ_NEXT(elm, field)		((elm)->field.tqe_next)
+#define	TAILQ_END(head)			NULL
+#define TAILQ_LAST(head, headname) \
+	(*(((struct headname *)((head)->tqh_last))->tqh_last))
+#define TAILQ_PREV(elm, headname, field) \
+	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
+
+/*
+ * Tail queue functions.
+ */
+#define	TAILQ_INIT(head) do {						\
+	(head)->tqh_first = NULL;					\
+	(head)->tqh_last = &(head)->tqh_first;				\
+} while (0)
+
+#define TAILQ_INSERT_HEAD(head, elm, field) do {			\
+	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
+		(head)->tqh_first->field.tqe_prev =			\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(head)->tqh_first = (elm);					\
+	(elm)->field.tqe_prev = &(head)->tqh_first;			\
+} while (0)
+
+#define TAILQ_INSERT_TAIL(head, elm, field) do {			\
+	(elm)->field.tqe_next = NULL;					\
+	(elm)->field.tqe_prev = (head)->tqh_last;			\
+	*(head)->tqh_last = (elm);					\
+	(head)->tqh_last = &(elm)->field.tqe_next;			\
+} while (0)
+
+#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
+	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(listelm)->field.tqe_next = (elm);				\
+	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
+} while (0)
+
+#define	TAILQ_INSERT_BEFORE(listelm, elm, field) do {			\
+	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
+	(elm)->field.tqe_next = (listelm);				\
+	*(listelm)->field.tqe_prev = (elm);				\
+	(listelm)->field.tqe_prev = &(elm)->field.tqe_next;		\
+} while (0)
+
+#define TAILQ_REMOVE(head, elm, field) do {				\
+	if (((elm)->field.tqe_next) != NULL)				\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    (elm)->field.tqe_prev;				\
+	else								\
+		(head)->tqh_last = (elm)->field.tqe_prev;		\
+	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
+} while (0)
+
+/*
+ * Circular queue definitions.
+ */
+#define CIRCLEQ_HEAD(name, type)					\
+struct name {								\
+	struct type *cqh_first;		/* first element */		\
+	struct type *cqh_last;		/* last element */		\
+}
+
+#define CIRCLEQ_ENTRY(type)						\
+struct {								\
+	struct type *cqe_next;		/* next element */		\
+	struct type *cqe_prev;		/* previous element */		\
+}
+
+#define	CIRCLEQ_FIRST(head)		((head)->cqh_first)
+#define	CIRCLEQ_LAST(head)		((head)->cqh_last)
+#define	CIRCLEQ_END(head)		((void *)(head))
+#define	CIRCLEQ_NEXT(elm, field)	((elm)->field.cqe_next)
+#define	CIRCLEQ_PREV(elm, field)	((elm)->field.cqe_prev)
+
+/*
+ * Circular queue functions.
+ */
+#define	CIRCLEQ_INIT(head) do {						\
+	(head)->cqh_first = (void *)(head);				\
+	(head)->cqh_last = (void *)(head);				\
+} while (0)
+
+#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
+	(elm)->field.cqe_next = (listelm)->field.cqe_next;		\
+	(elm)->field.cqe_prev = (listelm);				\
+	if ((listelm)->field.cqe_next == (void *)(head))		\
+		(head)->cqh_last = (elm);				\
+	else								\
+		(listelm)->field.cqe_next->field.cqe_prev = (elm);	\
+	(listelm)->field.cqe_next = (elm);				\
+} while (0)
+
+#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do {		\
+	(elm)->field.cqe_next = (listelm);				\
+	(elm)->field.cqe_prev = (listelm)->field.cqe_prev;		\
+	if ((listelm)->field.cqe_prev == (void *)(head))		\
+		(head)->cqh_first = (elm);				\
+	else								\
+		(listelm)->field.cqe_prev->field.cqe_next = (elm);	\
+	(listelm)->field.cqe_prev = (elm);				\
+} while (0)
+
+#define CIRCLEQ_INSERT_HEAD(head, elm, field) do {			\
+	(elm)->field.cqe_next = (head)->cqh_first;			\
+	(elm)->field.cqe_prev = (void *)(head);				\
+	if ((head)->cqh_last == (void *)(head))				\
+		(head)->cqh_last = (elm);				\
+	else								\
+		(head)->cqh_first->field.cqe_prev = (elm);		\
+	(head)->cqh_first = (elm);					\
+} while (0)
+
+#define CIRCLEQ_INSERT_TAIL(head, elm, field) do {			\
+	(elm)->field.cqe_next = (void *)(head);				\
+	(elm)->field.cqe_prev = (head)->cqh_last;			\
+	if ((head)->cqh_first == (void *)(head))			\
+		(head)->cqh_first = (elm);				\
+	else								\
+		(head)->cqh_last->field.cqe_next = (elm);		\
+	(head)->cqh_last = (elm);					\
+} while (0)
+
+#define	CIRCLEQ_REMOVE(head, elm, field) do {				\
+	if ((elm)->field.cqe_next == (void *)(head))			\
+		(head)->cqh_last = (elm)->field.cqe_prev;		\
+	else								\
+		(elm)->field.cqe_next->field.cqe_prev =			\
+		    (elm)->field.cqe_prev;				\
+	if ((elm)->field.cqe_prev == (void *)(head))			\
+		(head)->cqh_first = (elm)->field.cqe_next;		\
+	else								\
+		(elm)->field.cqe_prev->field.cqe_next =			\
+		    (elm)->field.cqe_next;				\
+} while (0)
+#endif	/* !_SYS_QUEUE_H_ */
diff --git a/sbin/isakmpd/sysdep/linux/sysdep-os.h b/sbin/isakmpd/sysdep/linux/sysdep-os.h
new file mode 100644
index 00000000000..4d5362e0d2f
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/sysdep-os.h
@@ -0,0 +1,51 @@
+/*	$Id: sysdep-os.h,v 1.3 2001/01/26 11:34:04 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SYSDEP_OS_H_
+#define _SYSDEP_OS_H_
+
+typedef u_int16_t in_port_t;
+typedef u_int32_t in_addr_t;
+
+#if 0
+/*
+ * Why -D__USE_GNU does not work in order to get this from stdio.h beats me.
+ */
+extern int asprintf __P((char **, const char *, ...));
+#endif
+
+#define DL_LAZY RTLD_LAZY
+
+#endif /* _SYSDEP_OS_H_ */
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
new file mode 100644
index 00000000000..d96d6d86a10
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -0,0 +1,165 @@
+/*	$Id: sysdep.c,v 1.3 2001/01/26 11:34:04 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <md5.h>
+#include <unistd.h>
+
+#include "sysdep.h"
+
+#ifdef NEED_SYSDEP_APP
+#include "app.h"
+#include "conf.h"
+#include "ipsec.h"
+#include "klips.h"
+#endif NEED_SYSDEP_APP
+#include "log.h"
+#include "sysdep.h"
+
+extern char *__progname;
+
+u_int32_t
+sysdep_random ()
+{
+  u_int32_t rndval;
+  u_char sig[16];
+  MD5_CTX ctx;
+  int fd, i;
+  struct {
+    struct timeval tv;
+    u_int rnd[(128 - sizeof (struct timeval)) / sizeof (u_int)];
+  } rdat;
+
+  fd = open ("/dev/urandom", O_RDONLY);
+  if (fd != -1)
+    {
+      read (fd, rdat.rnd, sizeof(rdat.rnd));
+      close (fd);
+    }
+  MD5Init (&ctx);
+  MD5Update (&ctx, (char *)&rdat, sizeof(rdat));
+  MD5Final (sig, &ctx);
+
+  rndval = 0;	
+  for (i = 0; i < 4; i++)
+    {
+      u_int32_t *tmp = (u_int32_t *)&sig[i * 4];
+      rndval ^= *tmp;
+    }
+		 
+  return rndval; 
+}
+
+char *
+sysdep_progname ()
+{
+  return __progname;
+}
+
+/* As regress/ use this file I protect the sysdep_app_* stuff like this.  */
+#ifdef NEED_SYSDEP_APP
+int
+sysdep_app_open ()
+{
+  return klips_open ();
+}
+
+void
+sysdep_app_handler (int fd)
+{
+}
+
+/* Check that the connection named NAME is active, or else make it active.  */
+void
+sysdep_connection_check (char *name)
+{
+  klips_connection_check (name);
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN.  Stash the SPI size in SZ.
+ */
+u_int8_t *
+sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+		      int srclen, struct sockaddr *dst, int dstlen)
+{
+  if (app_none)
+    {
+      *sz = IPSEC_SPI_SIZE;
+      /* XXX should be random instead I think.  */
+      return strdup ("\x12\x34\x56\x78");
+    }
+
+  return klips_get_spi (sz, proto, src, srclen, dst, dstlen);
+}
+
+int
+sysdep_cleartext (int fd)
+{
+  return 0;
+}
+
+int
+sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  return klips_delete_spi (sa, proto, incoming);
+}
+
+int
+sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+  return klips_enable_sa (sa, isakmp_sa);
+}
+
+int
+sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1,
+			 struct proto *proto2, int incoming)
+{
+  return klips_group_spis (sa, proto1, proto2, incoming);
+}
+
+int
+sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  return klips_set_spi (sa, proto, incoming);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/netbsd/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/netbsd/GNUmakefile.sysdep
new file mode 100644
index 00000000000..ed85b505b62
--- /dev/null
+++ b/sbin/isakmpd/sysdep/netbsd/GNUmakefile.sysdep
@@ -0,0 +1,66 @@
+#	$Id: GNUmakefile.sysdep,v 1.1 2001/01/26 11:34:06 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+# Copyright (c) 2000 Håkan Olsson.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+LIBGMP:=	/usr/pkg/lib/libgmp.a
+LIBCRYPTO:=	/usr/lib/libcrypto.a
+
+LIBSYSDEPDIR:=	${.CURDIR}/sysdep/common/libsysdep
+LIBSYSDEP:=	${LIBSYSDEPDIR}/libsysdep.a
+
+LDADD+=		${LIBGMP} ${LIBSYSDEP}
+DPADD+=		${LIBGMP} ${LIBSYSDEP}
+
+FEATURES=	debug tripledes blowfish cast ec aggressive
+# Not yet
+#FEATURES+=	policy x509
+
+CFLAGS+=	-DNO_RSA -DNO_RC5 -DNO_IDEA \
+		-I${.CURDIR}/sysdep/common -I/usr/include/openssl \
+		-I/usr/include/machine -I/usr/pkg/include
+
+IPSEC_SRCS=	pf_key_v2.c
+IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
+
+USE_LIBCRYPTO=	defined
+#HAVE_DLOPEN=	defined
+
+#
+# hack libsysdep.a dependency
+#
+${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
+		@cd ${LIBSYSDEPDIR} && \
+		    ${MAKE} --no-print-directory ${MAKEFLAGS} \
+			CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
+
+depend: ${LIBSYSDEPDIR}/.depend
+
+ifeq ($(findstring clean, $(MAKECMDGOALS)), clean)
+SUBDIR+=	sysdep/common/libsysdep
+MAKEFLAGS+=	--no-print-directory
+endif
diff --git a/sbin/isakmpd/sysdep/netbsd/Makefile.sysdep b/sbin/isakmpd/sysdep/netbsd/Makefile.sysdep
new file mode 100644
index 00000000000..abb13f1d74b
--- /dev/null
+++ b/sbin/isakmpd/sysdep/netbsd/Makefile.sysdep
@@ -0,0 +1,82 @@
+#	$Id: Makefile.sysdep,v 1.1 2001/01/26 11:34:06 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+# Copyright (c) 2000 H\xe5kan Olsson.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Override default features
+FEATURES=	tripledes blowfish cast ec aggressive debug
+# Not yet
+#FEATURES+=	policy x509
+
+LIBGMP=		/usr/pkg/lib/libgmp.a
+LIBCRYPTO=	/usr/lib/libcrypto.a
+LIBSYSDEPDIR=	${.CURDIR}/sysdep/common/libsysdep
+
+LDADD+=		${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a -lipsec
+DPADD+=		${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a ${LIBIPSEC}
+
+CFLAGS+=	-DNO_RSA -DNO_IDEA -DNO_RC5 \
+		-I${.CURDIR}/sysdep/common
+.if exists(/usr/pkg/include/openssl/rsa.h)
+CFLAGS+=	-I/usr/pkg/include/openssl
+.elif  exists(/usr/include/openssl/rsa.h)
+CFLAGS+=	-I/usr/include -I/usr/include/openssl
+.endif
+# mandatory for gmp
+CFLAGS+=	-I/usr/pkg/include
+LDADD+=		-L/usr/pkg/lib
+
+IPSEC_SRCS=	pf_key_v2.c
+IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
+
+USE_LIBCRYPTO=	defined
+USE_GMP=	defined
+
+# This is a hack in order to make sure libsysdep is built before the
+# linkstage of isakmpd.  As a side effect the link is always done even if
+# not necessary.  Well, I just don't care.
+GENERATED+=	sysdep-target
+sysdep-target:
+		cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS}
+
+.if make(clean) || make(cleandir)
+SUBDIR+=	sysdep/common/libsysdep
+.endif
+
+# Kludge around bug in /usr/share/mk/bsd.subdir.mk
+NO_REGRESS=	defined
+
+obj:
+	mkdir obj
+
+beforedepend:
+	rm -f ssl
+.if exists(/usr/pkg/include/openssl/rsa.h)
+	ln -sf /usr/pkg/include/openssl ssl
+.elif  exists(/usr/include/openssl/rsa.h)
+	ln -sf /usr/include/openssl ssl
+.endif
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep-os.h b/sbin/isakmpd/sysdep/netbsd/sysdep-os.h
new file mode 100644
index 00000000000..1690da4a166
--- /dev/null
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep-os.h
@@ -0,0 +1,38 @@
+/*	$Id: sysdep-os.h,v 1.1 2001/01/26 11:34:06 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ * Copyright (c) 2000 H\xe5kan Olsson.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYSDEP_OS_H_
+
+#define _SYSDEP_OS_H_
+
+#define KAME
+
+#include <netinet6/ipsec.h>
+
+#endif /* _SYSDEP_OS_H_ */
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep.c b/sbin/isakmpd/sysdep/netbsd/sysdep.c
new file mode 100644
index 00000000000..c1bf23dde14
--- /dev/null
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep.c
@@ -0,0 +1,194 @@
+/*	$Id: sysdep.c,v 1.1 2001/01/26 11:34:06 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ * Copyright (c) 2000 H\xe5kan Olsson.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sysdep.h"
+
+#include "util.h"
+
+#ifdef NEED_SYSDEP_APP
+#include "app.h"
+#include "conf.h"
+#include "ipsec.h"
+
+#ifdef USE_PF_KEY_V2
+#include "pf_key_v2.h"
+#define KEY_API(x) pf_key_v2_##x
+#else
+#include <net/encap.h>
+#include "pf_encap.h"
+#define KEY_API(x) pf_encap_##x
+#endif
+
+#endif NEED_SYSDEP_APP
+#include "log.h"
+
+extern char *__progname;
+
+/*
+ * An as strong as possible random number generator, reverting to a
+ * deterministic pseudo-random one if regrand is set.
+ */
+u_int32_t
+sysdep_random ()
+{
+  return random();
+}
+
+/* Return the basename of the command used to invoke us.  */
+char *
+sysdep_progname ()
+{
+  return __progname;
+}
+
+/* As regress/ use this file I protect the sysdep_app_* stuff like this.  */
+#ifdef NEED_SYSDEP_APP
+/*
+ * Prepare the application we negotiate SAs for (i.e. the IPsec stack)
+ * for communication.  We return a file descriptor useable to select(2) on.
+ */
+int
+sysdep_app_open ()
+{
+  return KEY_API(open) ();
+}
+
+/*
+ * When select(2) has noticed our application needs attendance, this is what
+ * gets called.  FD is the file descriptor causing the alarm.
+ */
+void
+sysdep_app_handler (int fd)
+{
+  KEY_API (handler) (fd);
+}
+
+/* Check that the connection named NAME is active, or else make it active.  */
+void
+sysdep_connection_check (char *name)
+{
+  KEY_API (connection_check) (name);
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN.  Stash the SPI size in SZ.
+ */
+u_int8_t *
+sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+		      int srclen, struct sockaddr *dst, int dstlen)
+{
+  if (app_none)
+    {
+      *sz = IPSEC_SPI_SIZE;
+      /* XXX should be random instead I think.  */
+      return strdup ("\x12\x34\x56\x78");
+    }
+  return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+}
+
+/* Force communication on socket FD to go in the clear.  */
+int
+sysdep_cleartext (int fd)
+{
+  char *buf;
+  char *policy[] = { "in bypass", "out bypass", NULL };
+  char **p;
+
+  if (app_none)
+    return 0;
+
+  /*
+   * Need to bypass system security policy, so I can send and
+   * receive key management datagrams in the clear.
+   */
+
+  for (p = policy; p && *p; p++)
+    {
+      buf = ipsec_set_policy (*p, strlen(*p));
+      if (buf == NULL)
+	{
+	  log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror());
+	  return -1;
+	}
+
+      if (setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf,
+		       ipsec_get_policylen(buf)) < 0)
+	{
+	  log_error ("sysdep_cleartext: "
+		     "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
+		     fd);
+	  return -1;
+	}
+      free(buf);
+    }
+
+  return 0;
+}
+
+int
+sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (delete_spi) (sa, proto, incoming);
+}
+
+int
+sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (enable_sa) (sa, isakmp_sa);
+}
+
+int
+sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1,
+			 struct proto *proto2, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (group_spis) (sa, proto1, proto2, incoming);
+}
+
+int
+sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (set_spi) (sa, proto, incoming);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/openbsd-encap/GNUmakefile.sysdep
new file mode 100644
index 00000000000..27a2ec0f8d3
--- /dev/null
+++ b/sbin/isakmpd/sysdep/openbsd-encap/GNUmakefile.sysdep
@@ -0,0 +1,60 @@
+#	$Id: GNUmakefile.sysdep,v 1.1 2001/01/26 11:34:07 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# Compile-time configuration of otherwise optional features
+FEATURES=	tripledes blowfish cast policy x509 ec aggressive debug
+
+LIBGMP:=	/usr/lib/libgmp.a
+LIBDES:=	/usr/lib/libdes.a
+
+LDADD+=		-lgmp
+DPADD+=		${LIBGMP}
+
+IPSEC_SRCS=	pf_encap.c
+
+# XXX This test does not work as MACHINE_ARCH does not get defined by GNU make.
+# Furthermore these defines should not happen for neither mips, powerpc nor vax
+# just like alpha.
+#ifneq (${MACHINE_ARCH},alpha)
+#HAVE_DLOPEN=	defined
+#CFLAGS+=	-DSYMBOL_PREFIX='"_"'
+#endif
+
+USE_LIBCRYPTO=	defined
+
+ifndef USE_LIBCRYPTO
+DESLIB=		-ldes
+DESLIBDEP=	${LIBDES}
+endif
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/Makefile.sysdep b/sbin/isakmpd/sysdep/openbsd-encap/Makefile.sysdep
new file mode 100644
index 00000000000..b40a349f729
--- /dev/null
+++ b/sbin/isakmpd/sysdep/openbsd-encap/Makefile.sysdep
@@ -0,0 +1,57 @@
+#	$Id: Makefile.sysdep,v 1.1 2001/01/26 11:34:08 niklas Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+FEATURES+=	gmp
+
+IPSEC_SRCS=	pf_encap.c
+
+# Some OpenBSD systems do not provide dlopen(3).
+.if ${MACHINE_ARCH} != "alpha" && ${MACHINE_ARCH} != "mips" && ${MACHINE_ARCH} != "powerpc" && ${MACHINE_ARCH} != "vax"
+HAVE_DLOPEN=	defined
+CFLAGS+=	-DSYMBOL_PREFIX='"_"'
+.endif
+
+#USE_LIBCRYPTO=	defined
+#USE_KEYNOTE=	defined
+
+.ifndef USE_LIBCRYPTO
+DESLIB=		-ldes
+DESLIBDEP=	${LIBDES}
+
+# The apps/ and regress/ subdirs are broken in the openbsd-encap environment
+# unless libcrypto is available (and even then they are not tested).
+SUBDIR:=	${SUBDIR:Napps}
+NO_REGRESS=	defined
+.endif
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep-os.h b/sbin/isakmpd/sysdep/openbsd-encap/sysdep-os.h
new file mode 100644
index 00000000000..da5b6d4ed84
--- /dev/null
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep-os.h
@@ -0,0 +1,42 @@
+/*	$Id: sysdep-os.h,v 1.1 2001/01/26 11:34:08 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SYSDEP_OS_H_
+#define _SYSDEP_OS_H_
+
+/* We need socklen_t.  */
+typedef u_int32_t socklen_t;
+
+#endif /* _SYSDEP_OS_H_ */
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
new file mode 100644
index 00000000000..1a1a1fa4832
--- /dev/null
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
@@ -0,0 +1,204 @@
+/*	$Id: sysdep.c,v 1.1 2001/01/26 11:34:08 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sysdep.h"
+
+#include "util.h"
+
+#ifdef NEED_SYSDEP_APP
+#include "app.h"
+#include "conf.h"
+#include "ipsec.h"
+
+#ifdef USE_PF_KEY_V2
+#include "pf_key_v2.h"
+#define KEY_API(x) pf_key_v2_##x
+#else
+#include <net/encap.h>
+#include "pf_encap.h"
+#define KEY_API(x) pf_encap_##x
+#endif
+
+#endif NEED_SYSDEP_APP
+#include "log.h"
+
+extern char *__progname;
+
+/*
+ * An as strong as possible random number generator, reverting to a
+ * deterministic pseudo-random one if regrand is set.
+ */
+u_int32_t
+sysdep_random ()
+{
+  if (!regrand)
+    return arc4random ();
+  else
+    return random();
+}
+
+/* Return the basename of the command used to invoke us.  */
+char *
+sysdep_progname ()
+{
+  return __progname;
+}
+
+/* As regress/ use this file I protect the sysdep_app_* stuff like this.  */
+#ifdef NEED_SYSDEP_APP
+/*
+ * Prepare the application we negotiate SAs for (i.e. the IPsec stack)
+ * for communication.  We return a file descriptor useable to select(2) on.
+ */
+int
+sysdep_app_open ()
+{
+  return KEY_API(open) ();
+}
+
+/*
+ * When select(2) has noticed our application needs attendance, this is what
+ * gets called.  FD is the file descriptor causing the alarm.
+ */
+void
+sysdep_app_handler (int fd)
+{
+  KEY_API (handler) (fd);
+}
+
+/* Check that the connection named NAME is active, or else make it active.  */
+void
+sysdep_connection_check (char *name)
+{
+  KEY_API (connection_check) (name);
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN.  Stash the SPI size in SZ.
+ */
+u_int8_t *
+sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+		      int srclen, struct sockaddr *dst, int dstlen)
+{
+  if (app_none)
+    {
+      *sz = IPSEC_SPI_SIZE;
+      /* XXX should be random instead I think.  */
+      return strdup ("\x12\x34\x56\x78");
+    }
+  return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+}
+
+/* Force communication on socket FD to go in the clear.  */
+int
+sysdep_cleartext (int fd)
+{
+  int level;
+
+  if (app_none)
+    return 0;
+
+  /*
+   * Need to bypass system security policy, so I can send and
+   * receive key management datagrams in the clear.
+   */
+  level = IPSEC_LEVEL_BYPASS;
+  if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
+      == -1)
+    {
+      log_error ("sysdep_cleartext: "
+		 "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
+      return -1;
+    }
+  if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
+		  sizeof level) == -1)
+    {
+      log_error ("sysdep_cleartext: "
+		 "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
+		 "failed", fd);
+      return -1;
+    }
+  if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
+		  sizeof level) == -1)
+    {
+      log_error("sysdep_cleartext: "
+		"setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
+		 "failed", fd);
+      return -1;
+    }
+  return 0;
+}
+
+int
+sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (delete_spi) (sa, proto, incoming);
+}
+
+int
+sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (enable_sa) (sa, isakmp_sa);
+}
+
+int
+sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1,
+			 struct proto *proto2, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (group_spis) (sa, proto1, proto2, incoming);
+}
+
+int
+sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+  if (app_none)
+    return 0;
+  return KEY_API (set_spi) (sa, proto, incoming);
+}
+#endif
diff --git a/sbin/isakmpd/sysdep/openbsd/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/openbsd/GNUmakefile.sysdep
new file mode 100644
index 00000000000..629c9d896f3
--- /dev/null
+++ b/sbin/isakmpd/sysdep/openbsd/GNUmakefile.sysdep
@@ -0,0 +1,67 @@
+#	$Id: GNUmakefile.sysdep,v 1.1 2001/01/26 11:34:07 niklas Exp $
+
+#
+# Copyright (c) 1999 Håkan Olsson.  All rights reserved.
+# Copyright (c) 1999, 2000 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+
+LIBGMP:=	/usr/lib/libgmp.a
+LIBCRYPTO:=	/usr/lib/libcrypto.a
+
+IPSEC_SRCS=	pf_key_v2.c
+IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
+
+CFLAGS+=	-DHAVE_GETNAMEINFO
+
+# XXX This test does not work as MACHINE_ARCH does not get defined by GNU make.
+# Furthermore these defines should not happen for neither mips, powerpc nor vax
+# just like alpha.
+ifneq (${MACHINE_ARCH},alpha)
+HAVE_DLOPEN=	defined
+CFLAGS+=	-DSYMBOL_PREFIX='"_"'
+endif
+
+USE_LIBCRYPTO=	defined
+ifneq (${MACHINE_ARCH},alpha)
+ifneq (${MACHINE_ARCH},vax)
+ifneq (${MACHINE_ARCH},m88k)
+SRCS+=		keynote_compat.c
+endif
+endif
+endif
+USE_KEYNOTE=	defined
+
+ifndef USE_LIBCRYPTO
+DESLIB=		-ldes
+DESLIBDEP=	${LIBDES}
+endif