upgrade libipsec to the latest.

- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy are now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly
itojun 2000-01-31 14:15:30 +00:00
parent 2a29f83468
commit e5e6464767
11 changed files with 1463 additions and 1852 deletions


@ -1,4 +1,4 @@
# $NetBSD: shl.elf,v 1.14 1999/11/23 11:20:29 blymn Exp $ # $NetBSD: shl.elf,v 1.15 2000/01/31 14:15:34 itojun Exp $
./usr/lib/libamu.so.1 ./usr/lib/libamu.so.1
./usr/lib/libbfd.so.3 ./usr/lib/libbfd.so.3
./usr/lib/libbz2.so.0 ./usr/lib/libbz2.so.0
@ -8,7 +8,7 @@
./usr/lib/libedit.so.2 ./usr/lib/libedit.so.2
./usr/lib/libg2c.so.0 ./usr/lib/libg2c.so.0
./usr/lib/libgnumalloc.so.0 ./usr/lib/libgnumalloc.so.0
./usr/lib/libipsec.so.0 ./usr/lib/libipsec.so.1
./usr/lib/libkvm.so.5 ./usr/lib/libkvm.so.5
./usr/lib/libm.so.0 ./usr/lib/libm.so.0
./usr/lib/libmenu.so.0 ./usr/lib/libmenu.so.0


@ -1,4 +1,4 @@
# $NetBSD: shl.mi,v 1.52 2000/01/28 17:40:41 itojun Exp $ # $NetBSD: shl.mi,v 1.53 2000/01/31 14:15:34 itojun Exp $
./usr/lib/libamu.so.1.1 ./usr/lib/libamu.so.1.1
./usr/lib/libbfd.so.3.0 ./usr/lib/libbfd.so.3.0
./usr/lib/libbz2.so.0.0 ./usr/lib/libbz2.so.0.0
@ -8,7 +8,7 @@
./usr/lib/libedit.so.2.3 ./usr/lib/libedit.so.2.3
./usr/lib/libg2c.so.0.0 ./usr/lib/libg2c.so.0.0
./usr/lib/libgnumalloc.so.0.0 ./usr/lib/libgnumalloc.so.0.0
./usr/lib/libipsec.so.0.0 ./usr/lib/libipsec.so.1.0
./usr/lib/libkvm.so.5.0 ./usr/lib/libkvm.so.5.0
./usr/lib/libm.so.0.1 ./usr/lib/libm.so.0.1
./usr/lib/libmenu.so.0.1 ./usr/lib/libmenu.so.0.1


@ -1,17 +1,24 @@
# $NetBSD: Makefile,v 1.2 1999/07/03 06:59:28 itojun Exp $ # $NetBSD: Makefile,v 1.3 2000/01/31 14:15:30 itojun Exp $
LIB= ipsec LIB= ipsec
#CFLAGS+=-g CFLAGS+=-g
CPPFLAGS+=-DIPSEC_DEBUG CPPFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6 -I. -DYY_NO_UNPUT
CPPFLAGS+=-DIPSEC
CPPFLAGS+=-DINET6
.PATH: ${.CURDIR}/../../sys/netkey .PATH: ${.CURDIR}/../../sys/netkey
SRCS= pfkey.c pfkey_dump.c SRCS= pfkey.c pfkey_dump.c
SRCS+= ipsec_policy.c ipsec_strerror.c key_debug.c SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
SRCS+= ipsec_get_policylen.c ipsec_dump_policy.c
SRCS+= key_debug.c
LPREFIX+=__libyy
YPREFIX+=__libyy
YHEADER=1
#LFLAGS+= -olex.yy.c
MAN= ipsec_set_policy.3 ipsec_strerror.3 MAN= ipsec_set_policy.3 ipsec_strerror.3
MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \ MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
ipsec_set_policy.3 ipsec_dump_policy.3 ipsec_set_policy.3 ipsec_dump_policy.3
CLEANFILES+= y.tab.h
.include <bsd.lib.mk> .include <bsd.lib.mk>
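Review bot: `CFLAGS+=-g` is now enabled unconditionally where it was previously commented out (`#CFLAGS+=-g`), so the installed libipsec.so.1 will always carry debug information regardless of the build's own debug settings. If this was switched on while bringing up the yacc/lex parser it should go back to `#CFLAGS+=-g`, or be guarded by the build's existing debug knob rather than forced in the library Makefile. The `-DIPSEC_DEBUG` define is likewise unconditional, which presumably enables extra diagnostic output in a release build; confirm that is intended.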


@ -1,667 +0,0 @@
/* $NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if 0
static char *rcsid = "@(#) ipsec_policy.c KAME Revision: 1.1.4.8";
#else
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $");
#endif
#endif
/*
* The following requests are accepted:
* protocol parsed as protocol/default/
* protocol/level/proxy
* protocol/ parsed as protocol/default/
* protocol/level parsed as protocol/level/
* protocol/level/ parsed as protocol/level/
* protocol/proxy parsed as protocol/default/proxy
* protocol//proxy parsed as protocol/default/proxy
* protocol// parsed as protocol/default/
* You can concatenate these requests with either ' ' or '\n'.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <assert.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netkey/keyv2.h>
#include <netkey/key_var.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <strings.h>
#include <errno.h>
#include "ipsec_strerror.h"
/* order must be the same */
static char *tokens[] = {
"discard", "none", "ipsec", "entrust", "bypass",
"esp", "ah", "ipcomp", "default", "use", "require", "/", NULL
};
enum token {
t_invalid = -1, t_discard, t_none, t_ipsec, t_entrust, t_bypass,
t_esp, t_ah, t_ipcomp, t_default, t_use, t_require, t_slash, t_omit,
};
static int values[] = {
IPSEC_POLICY_DISCARD, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC,
IPSEC_POLICY_ENTRUST, IPSEC_POLICY_BYPASS,
IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPCOMP,
IPSEC_LEVEL_DEFAULT, IPSEC_LEVEL_USE, IPSEC_LEVEL_REQUIRE, 0, 0,
};
struct pbuf {
char *buf;
int buflen; /* size of the buffer */
int off; /* current offset */
};
/* XXX duplicated def */
static char *ipsp_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static enum token gettoken(char *p);
static char *skiptoken(char *p, enum token t);
static char *skipspaces(char *p);
static char *parse_request(struct pbuf *pbuf, char *p);
static char *parse_policy(struct pbuf *pbuf, char *p);
static char *get_sockaddr(char *host, struct sockaddr *addr);
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
struct sockaddr *proxy);
static int parse_main(struct pbuf *pbuf, char *policy);
static enum token gettoken(char *p)
{
int i;
int l;
assert(p);
for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
if (tokens[i] == NULL)
continue;
l = strlen(tokens[i]);
if (strncmp(p, tokens[i], l) != 0)
continue;
/* slash alone is okay as token */
if (i == t_slash)
return i;
/* other ones are words, so needs proper termination */
if (isspace(p[l]) || p[l] == '/' || p[l] == '\0')
return i;
}
return t_invalid;
}
static char *skiptoken(char *p, enum token t)
{
assert(p);
assert(tokens[t] != NULL);
if (gettoken(p) != t)
return NULL;
return p + strlen(tokens[t]);
}
static char *skipspaces(char *p)
{
assert(p);
while (p && isspace(*p))
p++;
return p;
}
static char *parse_request(struct pbuf *pbuf, char *p)
{
enum token t;
int i;
enum token ts[3]; /* set of tokens */
struct sockaddr_storage proxy;
int isproxy;
assert(p);
assert(pbuf);
i = 0;
/*
* here, we accept sequence like:
* [token slash]* token
* and decode that into ts[].
*/
for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++)
ts[i] = t_invalid;
i = 0;
while (i < sizeof(ts)/sizeof(ts[0])) {
/* get a token */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_invalid:
/*
* this may be a proxy.
* this shouldn't be a termination.
*/
if (*p != '\0')
goto breakbreak;
goto parseerror;
case t_esp:
case t_ah:
case t_ipcomp:
case t_default:
case t_use:
case t_require:
/*
* protocol or level - just keep it into ts[],
* we'll care about protocol/level ordering afterwards
*/
ts[i++] = t;
p = skiptoken(p, t);
break;
case t_slash:
/*
* the user did not specify the token - don't advance
* the pointer.
*/
ts[i++] = t_omit;
break;
default:
/* bzz, you are wrong */
goto parseerror;
}
/* get a slash */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_invalid:
/* this may be a termination. */
if (*p == '\0')
goto breakbreak;
goto parseerror;
case t_esp:
case t_ah:
case t_ipcomp:
/* protocol - we've hit the next request */
goto breakbreak;
case t_slash:
p = skiptoken(p, t);
break;
default:
/* bzz, you are wrong */
return NULL;
}
}
breakbreak:
/* alright, we've got the tokens. */
switch (i) {
case 0:
ipsec_errcode = EIPSEC_NO_PROTO;
return NULL; /* no token? naa, go away */
case 1:
case 2:
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp)) {
ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
if (i == 1) {
i++;
ts[1] = t_default;
}
if (ts[1] == t_omit)
ts[1] = t_default;
if (!(ts[1] == t_default || ts[1] == t_use
|| ts[1] == t_require)) {
ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
break;
default:
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
return NULL;
}
/* here, we should be having 2 tokens */
assert(i == 2);
/* we may have a proxy here */
isproxy = 0;
if (*p != '\0' && gettoken(p) == t_invalid) {
p = get_sockaddr(p, (struct sockaddr *)&proxy);
if (p == NULL) {
/* get_sockaddr updates ipsec_errcode */
return NULL;
}
isproxy++;
p = skipspaces(p);
}
if (parse_setreq(pbuf, values[ts[0]], values[ts[1]],
isproxy ? (struct sockaddr *)&proxy : NULL) < 0) {
/* parse_setreq updates ipsec_errcode */
return NULL;
}
return p;
parseerror:
ipsec_errcode = EIPSEC_NO_ERROR; /*sentinel*/
switch (i) {
case 0:
ipsec_errcode = EIPSEC_NO_PROTO;
break;
case 1:
case 2:
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp))
ipsec_errcode = EIPSEC_INVAL_PROTO;
if (i == 1)
break;
if (!(ts[1] == t_default || ts[1] == t_use
|| ts[1] == t_require)) {
ipsec_errcode = EIPSEC_INVAL_LEVEL;
}
break;
}
if (ipsec_errcode == EIPSEC_NO_ERROR)
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
return NULL;
}
static char *parse_policy(struct pbuf *pbuf, char *p)
{
enum token t;
int len;
struct sadb_x_policy *policy;
assert(p);
assert(pbuf);
ipsec_errcode = EIPSEC_NO_ERROR;
/* get the token */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_discard:
case t_none:
case t_ipsec:
case t_entrust:
case t_bypass:
p = skiptoken(p, t);
break;
default:
/* bzz, you're wrong */
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
/* construct policy structure */
len = PFKEY_ALIGN8(sizeof(*policy));
policy = NULL;
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
policy = (struct sadb_x_policy *)&pbuf->buf[pbuf->off];
memset(policy, 0, sizeof(*policy));
policy->sadb_x_policy_len = PFKEY_UNIT64(len);
/* update later */
policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
policy->sadb_x_policy_type = values[t];
}
pbuf->off += len;
/* alright, go to the next step */
while (p && *p)
p = parse_request(pbuf, p);
/* ipsec policy needs request */
if (t == t_ipsec && pbuf->off == len) {
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
/* update length */
if (policy)
policy->sadb_x_policy_len = PFKEY_UNIT64(pbuf->off);
return p;
}
static char *get_sockaddr(char *host, struct sockaddr *addr)
{
struct sockaddr *saddr = NULL;
struct addrinfo hints, *res;
char *serv = NULL;
int error;
char *p, c;
/* find the next delimiter */
p = host;
while (p && *p && !isspace(*p) && *p != '/')
p++;
if (p == host)
return NULL;
c = *p;
*p = '\0';
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
if ((error = getaddrinfo(host, serv, &hints, &res)) != 0) {
ipsec_set_strerror(gai_strerror(error));
*p = c;
return NULL;
}
if (res->ai_addr == NULL) {
ipsec_set_strerror(gai_strerror(error));
*p = c;
return NULL;
}
#if 0
if (res->ai_next) {
printf("getaddrinfo(%s): "
"resolved to multiple address, taking the first one",
host);
}
#endif
if ((saddr = malloc(res->ai_addr->sa_len)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
*p = c;
return NULL;
}
memcpy(addr, res->ai_addr, res->ai_addr->sa_len);
freeaddrinfo(res);
ipsec_errcode = EIPSEC_NO_ERROR;
*p = c;
return p;
}
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
struct sockaddr *proxy)
{
struct sadb_x_ipsecrequest *req;
int start;
int len;
assert(pbuf);
start = pbuf->off;
len = PFKEY_ALIGN8(sizeof(*req));
req = NULL;
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
req = (struct sadb_x_ipsecrequest *)&pbuf->buf[pbuf->off];
memset(req, 0, sizeof(*req));
req->sadb_x_ipsecrequest_len = len; /* updated later */
req->sadb_x_ipsecrequest_proto = proto;
req->sadb_x_ipsecrequest_mode =
(proxy == NULL ? IPSEC_MODE_TRANSPORT
: IPSEC_MODE_TUNNEL);
req->sadb_x_ipsecrequest_level = level;
}
pbuf->off += len;
if (proxy) {
len = PFKEY_ALIGN8(proxy->sa_len);
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
memset(&pbuf->buf[pbuf->off], 0, len);
memcpy(&pbuf->buf[pbuf->off], proxy, proxy->sa_len);
}
if (req)
req->sadb_x_ipsecrequest_len += len;
pbuf->off += len;
}
return 0;
}
static int parse_main(struct pbuf *pbuf, char *policy)
{
char *p;
ipsec_errcode = EIPSEC_NO_ERROR;
if (policy == NULL) {
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
p = parse_policy(pbuf, policy);
if (!p) {
/* ipsec_errcode updated somewhere inside */
return -1;
}
p = skipspaces(p);
if (*p != '\0') {
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* %%% */
int ipsec_get_policylen(char *policy)
{
struct pbuf pbuf;
memset(&pbuf, 0, sizeof(pbuf));
if (parse_main(&pbuf, policy) < 0)
return -1;
ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf.off;
}
int ipsec_set_policy(char *buf, int len, char *policy)
{
struct pbuf pbuf;
memset(&pbuf, 0, sizeof(pbuf));
pbuf.buf = buf;
pbuf.buflen = len;
if (parse_main(&pbuf, policy) < 0)
return -1;
ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf.off;
}
/*
* policy is sadb_x_policy buffer.
* Must call free() later.
* When delimiter == NULL, alternatively ' '(space) is applied.
*/
char *ipsec_dump_policy(char *policy, char *delimiter)
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
int xtlen, buflen;
char *buf;
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
/* set delimiter */
if (delimiter == NULL)
delimiter = " ";
switch (xpl->sadb_x_policy_type) {
case IPSEC_POLICY_DISCARD:
case IPSEC_POLICY_NONE:
case IPSEC_POLICY_IPSEC:
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_ENTRUST:
break;
default:
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
buflen = strlen(ipsp_strs[xpl->sadb_x_policy_type]) + 1;
if ((buf = malloc(buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
strcpy(buf, ipsp_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
/* count length of buffer for use */
/* XXX non-seriously */
while (xtlen > 0) {
buflen += 20;
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
buflen += 50;
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
/* validity check */
if (xtlen < 0) {
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
if ((buf = realloc(buf, buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
while (xtlen > 0) {
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
strcat(buf, delimiter);
strcat(buf, "esp");
break;
case IPPROTO_AH:
strcat(buf, delimiter);
strcat(buf, "ah");
break;
case IPPROTO_IPCOMP:
strcat(buf, delimiter);
strcat(buf, "ipcomp");
break;
default:
ipsec_errcode = EIPSEC_INVAL_PROTO;
free(buf);
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
strcat(buf, "/default");
break;
case IPSEC_LEVEL_USE:
strcat(buf, "/use");
break;
case IPSEC_LEVEL_REQUIRE:
strcat(buf, "/require");
break;
default:
ipsec_errcode = EIPSEC_INVAL_LEVEL;
free(buf);
return NULL;
}
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) {
char tmp[100]; /* XXX */
struct sockaddr *saddr =
(struct sockaddr *)((caddr_t)xisr + sizeof(*xisr));
#if 1
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
tmp, sizeof(tmp));
#else
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
#endif
strcat(buf, "/");
strcat(buf, tmp);
}
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}


@ -25,8 +25,8 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $NetBSD: ipsec_set_policy.3,v 1.5 1999/12/21 14:17:18 itojun Exp $ .\" $NetBSD: ipsec_set_policy.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_set_policy.3,v 1.1.2.6 1999/07/01 06:54:58 sakane Exp .\" KAME Id: ipsec_set_policy.3,v 1.8 2000/01/27 17:59:12 itojun Exp
.\" .\"
.Dd May 5, 1998 .Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3 .Dt IPSEC_SET_POLICY 3
@ -43,10 +43,10 @@
.\" .\"
.Sh SYNOPSIS .Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h> .Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int .Ft int
.Fn ipsec_set_policy "char *buf" "int len" "char *policy" .Fn ipsec_get_policylen "char *buf"
.Ft int
.Fn ipsec_get_policylen "char *policy"
.Ft "char *" .Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim" .Fn ipsec_dump_policy "char *buf" "char *delim"
.\" .\"
@ -58,21 +58,18 @@ and/or
.Li struct sadb_x_ipsecrequest .Li struct sadb_x_ipsecrequest
from human-readable policy specification. from human-readable policy specification.
policy specification must be given as C string policy specification must be given as C string
.Fa policy ,
and the resulting structure will be generated at the buffer pointed to by
.Fa buf ,
length
.Fa len .
.Pp
To obtain the required buffer size beforehand, use
.Fn ipsec_get_policylen
with the same
.Fa policy .Fa policy
argument. and length
.Fa len
of
.Fa policy .
.Fn ipsec_set_policy
will return the buffer of IPsec policy specification structure.
.Pp
You may want the length of the generated buffer such when calling
.Xr setsockopt 2 .
.Fn ipsec_get_policylen .Fn ipsec_get_policylen
will return the required buffer size, will return the length.
and you may want to allocate buffer dynamically for use with
.Fn ipsec_set_policy .
.Pp .Pp
.Fn ipsec_dump_policy .Fn ipsec_dump_policy
converts IPsec policy structure into readable form. converts IPsec policy structure into readable form.
@ -95,51 +92,99 @@ returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using It is caller's responsibility to reclaim the region, by using
.Xr free 3 . .Xr free 3 .
.Pp .Pp
.\"
.Fa policy .Fa policy
is formatted as either of the following: is formatted as either of the following:
.Bl -tag -width "discard" .Bl -tag -width "discard"
.It Li discard .It Ar direction Li entrust
.Li discard .Ar direction
means the packet matching indexes will be discarded. must be
.It Li none .Li in
.Li none or
means IPsec will not be performed on the matching packets .Li out .
.Ar direction
specifies which direction the policy needs to be applied.
.Li entrust
means to consult to SPD defined by
.Xr setkey 8 .
.It Ar direction Li bypass
.Li bypass
means to be bypassed the IPsec processing.
.Po .Po
packet will be transmitted in clear packet will be transmitted in clear
.Pc . .Pc .
.It Xo Li ipsec This is for privileged socket.
.Ar protocol .It Xo
.Op Ar /level .Ar direction
.Op Ar /peer .Li ipsec
.Op ... .Ar request ...
.Xc .Xc
.Li ipsec .Li ipsec
means that the matching packets are subject to IPsec processing. means that the matching packets are subject to IPsec processing.
.Li ipsec .Li ipsec
can be followed by multiple set of can be followed by one or more
.Do .Ar request
string, which is formatted as below:
.Bl -tag -width "discard"
.It Xo
.Ar protocol .Ar protocol
.Li /
.Ar mode
.Li /
.Ar src
.Li -
.Ar dst
.Op Ar /level .Op Ar /level
.Op Ar /peer .Xc
.Dc
arguments.
.Ar protocol .Ar protocol
is either is either
.Li ah , .Li ah ,
.Li esp .Li esp
or or
.Li ipcomp . .Li ipcomp .
.Pp
.Ar mode
is either
.Li transport
or
.Li tunnel .
.Pp
.Ar src
and
.Ar dst
specifies IPsec endpoint.
.Ar src
always means
.Dq sending node
and
.Ar dst
always means
.Dq receiving node .
Therefore, when
.Ar direction
is
.Li in ,
.Ar dst
is this node
and
.Ar src
is the other node
.Pq peer .
.Pp
.Ar level .Ar level
must be set to one of the following: must be set to one of the following:
.Li default , use .Li default , use , require
or or
.Li require . .Li unique .
.Li default .Li default
means that the kernel should consult the system default policy means that the kernel should consult the system default policy
defined by defined by
.Xr sysctl 8 , .Xr sysctl 8 ,
such as such as
.Li net.inet.ipsec.esp_trans_deflev . .Li net.inet.ipsec.esp_trans_deflev .
See
.Xr ipsec 4
regarding the system default.
.Li use .Li use
means that a relevant SA can be used when available, means that a relevant SA can be used when available,
since the kernel may perform IPsec operation against packets when possible. since the kernel may perform IPsec operation against packets when possible.
@ -150,14 +195,24 @@ or encrypted
.Li require .Li require
means that a relevant SA is required, means that a relevant SA is required,
since the kernel must perform IPsec operation against packets. since the kernel must perform IPsec operation against packets.
.Ar peer .Li unique
is an IPv4 or IPv6 address string, and it will be used as is the same as
a hint when IPsec system configures IPsec tunnel mode SA by using .Li require ,
key management protocol. but adds the restriction that the SA for outbound traffic is used
.Pp only for this policy.
If the string is kept unambiguous, You may need the identifier in order to relate the policy and the SA
when you define the SA by manual keying.
You can put the decimal number as the identifier after
.Li unique
like
.Li unique : number .
.Li number
must be between 1 and 32767 .
If the
.Ar request
string is kept unambiguous,
.Ar level .Ar level
and slashes surrounding and slash prior to
.Ar level .Ar level
can be omitted. can be omitted.
However, it is encouraged to specify them explicitly However, it is encouraged to specify them explicitly
@ -167,19 +222,31 @@ If
is omitted, it will be interpreted as is omitted, it will be interpreted as
.Li default . .Li default .
.El .El
.El
.Pp .Pp
Here are several examples: Note that there is a bit difference of specification from
.Xr setkey 8 .
In specification by
.Xr setkey 8 ,
both entrust and bypass are not used. Refer to
.Xr setkey 8
for detail.
.Pp
Here are several examples
.Pq long lines are wrapped for readability :
.Bd -literal -offset indent .Bd -literal -offset indent
discard in discard
ipsec esp/require out ipsec esp/transport/10.1.1.1-10.1.1.2/require
ipsec ah/use/10.1.1.1 in ipsec ah/transport/10.1.1.2-10.1.1.1/require
ipsec esp/use ah/require out ipsec esp/transport/10.1.1.2-10.1.1.1/use
ipsec ipcomp/use esp/use ah/require ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
.Ed .Ed
.\" .\"
.Sh RETURN VALUES .Sh RETURN VALUES
.Fn ipsec_set_policy .Fn ipsec_set_policy
returns with 0 on success, negative value on errors. returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
.Fn ipsec_get_policylen .Fn ipsec_get_policylen
returns with positive value returns with positive value
.Pq meaning the buffer size .Pq meaning the buffer size
@ -192,6 +259,7 @@ on errors.
.\" .\"
.Sh SEE ALSO .Sh SEE ALSO
.Xr ipsec_strerror 3 , .Xr ipsec_strerror 3 ,
.Xr ispec 4 ,
.Xr setkey 8 .Xr setkey 8
.\" .\"
.Sh HISTORY .Sh HISTORY


@ -25,8 +25,8 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $NetBSD: ipsec_strerror.3,v 1.5 1999/12/21 14:17:18 itojun Exp $ .\" $NetBSD: ipsec_strerror.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_strerror.3,v 1.1.2.1 1999/05/06 09:26:43 itojun Exp .\" KAME Id: ipsec_strerror.3,v 1.4 2000/01/27 17:59:13 itojun Exp
.\" .\"
.Dd May 6, 1998 .Dd May 6, 1998
.Dt IPSEC_STRERROR 3 .Dt IPSEC_STRERROR 3
@ -42,7 +42,7 @@
.Sh SYNOPSIS .Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h> .Fd #include <netinet6/ipsec.h>
.Ft "char *" .Ft "char *"
.Fn ipsec_strerror "int code" .Fn ipsec_strerror
.\" .\"
.Sh DESCRIPTION .Sh DESCRIPTION
.Pa netinet6/ipsec.h .Pa netinet6/ipsec.h
@ -54,6 +54,19 @@ which is used to pass error code from IPsec policy manipulation library
to user program. to user program.
.Fn ipsec_strerror .Fn ipsec_strerror
can be used to obtain error message string for the error code. can be used to obtain error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
Since
.Fn ipsec_strerror
uses
.Xr strerror 3
as underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would make the return value from
.Fn ipsec_strerror
invalid, or overwritten.
.\" .\"
.Sh RETURN VALUES .Sh RETURN VALUES
.Fn ipsec_strerror .Fn ipsec_strerror


@ -1,4 +1,4 @@
/* $NetBSD: ipsec_strerror.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */ /* $NetBSD: ipsec_strerror.c,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,7 +46,9 @@ static char *ipsec_errlist[] = {
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/ "Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
"Invalid version", /*EIPSEC_INVAL_VERSION*/ "Invalid version", /*EIPSEC_INVAL_VERSION*/
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/ "Invalid security policy", /*EIPSEC_INVAL_POLICY*/
"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/ "Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/ "Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/ "Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/ "Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
@ -55,6 +57,7 @@ static char *ipsec_errlist[] = {
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/ "Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/ "Invalid address family", /*EIPSEC_INVAL_FAMILY*/
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/ "Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
"Invalid direciton", /*EIPSEC_INVAL_DIR*/
"SPI range violation", /*EIPSEC_INVAL_SPI*/ "SPI range violation", /*EIPSEC_INVAL_SPI*/
"No protocol specified", /*EIPSEC_NO_PROTO*/ "No protocol specified", /*EIPSEC_NO_PROTO*/
"No algorithm specified", /*EIPSEC_NO_ALGS*/ "No algorithm specified", /*EIPSEC_NO_ALGS*/
@ -62,6 +65,7 @@ static char *ipsec_errlist[] = {
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/ "Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/ "Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/ "Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
NULL, /*EIPSEC_SYSTEM_ERROR*/ NULL, /*EIPSEC_SYSTEM_ERROR*/
"Unknown error", /*EIPSEC_MAX*/ "Unknown error", /*EIPSEC_MAX*/
}; };
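Review bot: The new table entry `"Invalid direciton", /*EIPSEC_INVAL_DIR*/` misspells "direction" in a string that ipsec_strerror() hands back to user programs; it should read `"Invalid direction", /*EIPSEC_INVAL_DIR*/`. The same misspelling is in the comment on the new `#define EIPSEC_INVAL_DIR 17` line in ipsec_strerror.h. Since ipsec_errlist is indexed by the error code, the three insertions here (INVAL_ADDRESS, INVAL_MODE, INVAL_DIR, FEW_ARGUMENTS) do line up with the renumbered constants in the header, so the table and the codes stay in step.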


@ -1,4 +1,4 @@
/* $NetBSD: ipsec_strerror.h,v 1.3 1999/07/04 01:36:13 itojun Exp $ */ /* $NetBSD: ipsec_strerror.h,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -30,7 +30,7 @@
*/ */
extern int ipsec_errcode; extern int ipsec_errcode;
extern void ipsec_set_strerror(char *str); extern void ipsec_set_strerror __P((char *));
#define EIPSEC_NO_ERROR 0 /*success*/ #define EIPSEC_NO_ERROR 0 /*success*/
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/ #define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
@ -38,21 +38,25 @@ extern void ipsec_set_strerror(char *str);
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/ #define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/ #define EIPSEC_INVAL_VERSION 4 /*invalid version*/
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/ #define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
#define EIPSEC_INVAL_PROTO 6 /*invalid ipsec protocol*/ #define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
#define EIPSEC_INVAL_LEVEL 7 /*invalid ipsec level*/ #define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_SATYPE 8 /*invalid SA type*/ #define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
#define EIPSEC_INVAL_MSGTYPE 9 /*invalid message type*/ #define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
#define EIPSEC_INVAL_EXTTYPE 10 /*invalid extension type*/ #define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
#define EIPSEC_INVAL_ALGS 11 /*Invalid algorithm type*/ #define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
#define EIPSEC_INVAL_KEYLEN 12 /*invalid key length*/ #define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
#define EIPSEC_INVAL_FAMILY 13 /*invalid address family*/ #define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
#define EIPSEC_INVAL_PREFIXLEN 14 /*SPI range violation*/ #define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
#define EIPSEC_INVAL_SPI 15 /*invalid prefixlen*/ #define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
#define EIPSEC_NO_PROTO 16 /*no protocol specified*/ #define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
#define EIPSEC_NO_ALGS 17 /*No algorithm specified*/ #define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
#define EIPSEC_NO_BUFS 18 /*no buffers available*/ #define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
#define EIPSEC_DO_GET_SUPP_LIST 19 /*must get supported algorithm first*/ #define EIPSEC_NO_PROTO 19 /*no protocol specified*/
#define EIPSEC_PROTO_MISMATCH 20 /*protocol mismatch*/ #define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
#define EIPSEC_FAMILY_MISMATCH 21 /*family mismatch*/ #define EIPSEC_NO_BUFS 21 /*no buffers available*/
#define EIPSEC_SYSTEM_ERROR 22 /*system error*/ #define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
#define EIPSEC_MAX 23 /*unknown error*/ #define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
#define EIPSEC_MAX 27 /*unknown error*/
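Review bot: The renumbered `#define EIPSEC_INVAL_PREFIXLEN 16` and `#define EIPSEC_INVAL_SPI 18` lines keep the pre-existing swapped trailing comments (`/*SPI range violation*/` on PREFIXLEN and `/*invalid prefixlen*/` on SPI), which contradict the corresponding strings in ipsec_errlist. Since both lines are rewritten by this change anyway, the two comments should be exchanged so the header documents the codes correctly. Every code from 6 upward has a new value, so any consumer compiled against the old header would map errors to the wrong string; the shlib major bump in this commit covers that, but it is worth stating in the header comment.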



@ -1,4 +1,4 @@
/* $NetBSD: pfkey_dump.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */ /* $NetBSD: pfkey_dump.c,v 1.4 2000/01/31 14:15:32 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -38,6 +38,7 @@
#include <netkey/key_debug.h> #include <netkey/key_debug.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <netinet6/ipsec.h>
#ifdef INET6 #ifdef INET6
#include <netinet6/in6.h> #include <netinet6/in6.h>
#endif #endif
@ -52,7 +53,7 @@
#include "ipsec_strerror.h" #include "ipsec_strerror.h"
#define GETMSGSTR(str, num) \ #define GETMSGSTR(str, num) \
{ \ do { \
if (sizeof((str)[0]) == 0 \ if (sizeof((str)[0]) == 0 \
|| num >= sizeof(str)/sizeof((str)[0])) \ || num >= sizeof(str)/sizeof((str)[0])) \
printf("%d ", (num)); \ printf("%d ", (num)); \
@ -60,14 +61,15 @@
printf("%d ", (num)); \ printf("%d ", (num)); \
else \ else \
printf("%s ", (str)[(num)]); \ printf("%s ", (str)[(num)]); \
} } while (0)
#define GETAF(p) \ #define GETAF(p) \
(((struct sockaddr *)(p))->sa_family) (((struct sockaddr *)(p))->sa_family)
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port); static char *_str_ipaddr __P((u_int family, caddr_t addr));
static char *_str_time(time_t t); static char *_str_prefport __P((u_int family, u_int pref, u_int port));
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str); static char *_str_time __P((time_t t));
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
/* /*
* Must to be re-written about following strings. * Must to be re-written about following strings.
@ -85,21 +87,27 @@ static char *_str_satype[] = {
"ipcomp", "ipcomp",
}; };
static char *_str_upper[] = { static char *_str_mode[] = {
"any", "icmp", "", "", "", "any",
"", "tcp", "", "", "", "transport",
"", "", "", "", "", "tunnel",
"", "", "udp", "", "",
"", "", "", "", "",
"", "", "", "", "",
}; };
#if 0 static char *_str_upper[] = {
static char *_str_base[] = { /*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
"new", "", "tcp", "", "egp", "",
"old", /*10*/ "", "", "", "", "",
"", "", "udp", "", "",
/*20*/ "", "", "idp", "", "",
"", "", "", "", "tp",
/*30*/ "", "", "", "", "",
"", "", "", "", "",
/*40*/ "", "ip6", "", "rt6", "frag6",
"", "rsvp", "gre", "", "",
/*50*/ "esp", "ah", "", "", "",
"", "", "", "icmp6", "none",
/*60*/ "dst6",
}; };
#endif
static char *_str_state[] = { static char *_str_state[] = {
"larval", "larval",
@ -134,16 +142,12 @@ static char *_str_alg_comp[] = {
"lzs", "lzs",
}; };
static char *_str_dir[] = {
"outbound",
"inbound",
"bi-direction",
};
/* /*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb(). * dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/ */
void pfkey_sadump(struct sadb_msg *m) void
pfkey_sadump(m)
struct sadb_msg *m;
{ {
caddr_t mhp[SADB_EXT_MAX + 1]; caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa; struct sadb_sa *m_sa;
@ -154,7 +158,11 @@ void pfkey_sadump(struct sadb_msg *m)
struct sadb_sens *m_sens; struct sadb_sens *m_sens;
/* check pfkey message. */ /* check pfkey message. */
if (pfkey_check(m, mhp)) { if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror()); printf("%s\n", ipsec_strerror());
return; return;
} }
@ -169,7 +177,7 @@ void pfkey_sadump(struct sadb_msg *m)
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH]; m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT]; m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC]; m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC]; m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY]; m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
/* source address */ /* source address */
@ -178,10 +186,7 @@ void pfkey_sadump(struct sadb_msg *m)
return; return;
} }
printf("%s ", printf("%s ",
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)), _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
/* destination address */ /* destination address */
if (m_daddr == NULL) { if (m_daddr == NULL) {
@ -189,42 +194,25 @@ void pfkey_sadump(struct sadb_msg *m)
return; return;
} }
printf("%s ", printf("%s ",
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)), _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
/* upper layer protocol */
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
/* proxy address */
if (m_paddr != NULL) {
int prefix = _INALENBYAF(GETAF((caddr_t)m_paddr + sizeof(*m_paddr))) << 3;
printf("%s",
_str_addr(GETAF((caddr_t)m_paddr + sizeof(*m_paddr)),
_INADDRBYSA((caddr_t)m_paddr + sizeof(*m_paddr)),
prefix,
0));
}
printf("\n");
/* SA type */ /* SA type */
if (m_sa == NULL) { if (m_sa == NULL) {
printf("no SA extension.\n"); printf("no SA extension.\n");
return; return;
} }
printf("\t"); printf("\n\t");
GETMSGSTR(_str_satype, m->sadb_msg_satype); GETMSGSTR(_str_satype, m->sadb_msg_satype);
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n", printf("mode=");
GETMSGSTR(_str_mode, m->sadb_msg_mode);
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi), (u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi), (u_int32_t)ntohl(m_sa->sadb_sa_spi),
m_sa->sadb_sa_replay, (u_int32_t)m->sadb_msg_reqid,
m_sa->sadb_sa_flags); (u_int32_t)m->sadb_msg_reqid);
/* encryption key */ /* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) { if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
@ -249,8 +237,13 @@ void pfkey_sadump(struct sadb_msg *m)
printf("\n"); printf("\n");
} }
/* replay windoe size & flags */
printf("\treplay=%u flags=0x%08x ",
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
/* state */ /* state */
printf("\tstate="); printf("state=");
GETMSGSTR(_str_state, m_sa->sadb_sa_state); GETMSGSTR(_str_state, m_sa->sadb_sa_state);
printf("seq=%lu pid=%lu\n", printf("seq=%lu pid=%lu\n",
@ -299,24 +292,26 @@ void pfkey_sadump(struct sadb_msg *m)
0 : m_lfts->sadb_lifetime_allocations)); 0 : m_lfts->sadb_lifetime_allocations));
} }
{ /* XXX TEST */ /* XXX DEBUG */
char *x = (char *)&m->sadb_msg_reserved; printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
printf("\tdir=");
GETMSGSTR(_str_dir, (int)x[0]);
printf("refcnt=%d\n", (int)x[1]);
}
return; return;
} }
void pfkey_spdump(struct sadb_msg *m) void
pfkey_spdump(m)
struct sadb_msg *m;
{ {
caddr_t mhp[SADB_EXT_MAX + 1]; caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr; struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl; struct sadb_x_policy *m_xpl;
/* check pfkey message. */ /* check pfkey message. */
if (pfkey_check(m, mhp)) { if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror()); printf("%s\n", ipsec_strerror());
return; return;
} }
@ -330,24 +325,31 @@ void pfkey_spdump(struct sadb_msg *m)
printf("no ADDRESS_SRC extension.\n"); printf("no ADDRESS_SRC extension.\n");
return; return;
} }
printf("%s ", printf("%s%s ",
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)), _str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)), _str_prefport(GETAF(m_saddr + 1),
m_saddr->sadb_address_prefixlen, m_saddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr)))); _INPORTBYSA(m_saddr + 1)));
/* destination address */ /* destination address */
if (m_daddr == NULL) { if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n"); printf("no ADDRESS_DST extension.\n");
return; return;
} }
printf("%s ", printf("%s%s ",
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)), _str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)), _str_prefport(GETAF(m_daddr + 1),
m_daddr->sadb_address_prefixlen, m_daddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr)))); _INPORTBYSA(m_daddr + 1)));
/* upper layer protocol */ /* upper layer protocol */
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
printf("any");
else
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto); GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
/* policy */ /* policy */
@ -369,37 +371,65 @@ void pfkey_spdump(struct sadb_msg *m)
(u_long)m->sadb_msg_seq, (u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid); (u_long)m->sadb_msg_pid);
{ /* TEST */ /* XXX TEST */
char *x = (char *)&m->sadb_msg_reserved; printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
printf("\tdir=");
GETMSGSTR(_str_dir, (int)x[0]);
printf("refcnt=%d\n", (int)x[1]);
}
return; return;
} }
/* /*
* set "ip address/prefix[port number]" to buffer. * set "ipaddress" to buffer.
*/ */
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port) static char *
_str_ipaddr(family, addr)
u_int family;
caddr_t addr;
{ {
static char buf[128]; static char buf[128];
char pbuf[128]; char addrbuf[128];
if (addr == NULL) if (addr == NULL)
return ""; return "";
inet_ntop(family, addr, pbuf, sizeof(pbuf)); inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
snprintf(buf, sizeof(buf), "%s", addrbuf);
return buf;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
_str_prefport(family, pref, port)
u_int family, pref, port;
{
static char buf[128];
char prefbuf[10];
char portbuf[10];
if (pref == (_INALENBYAF(family) << 3))
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
snprintf(buf, sizeof(buf), "%s/%u[%u]", pbuf, pref, ntohs(port));
return buf; return buf;
} }
/* /*
* set "Mon Day Time Year" to buffer * set "Mon Day Time Year" to buffer
*/ */
static char *_str_time(time_t t) static char *
_str_time(t)
time_t t;
{ {
static char buf[128]; static char buf[128];
@ -417,7 +447,10 @@ static char *_str_time(time_t t)
return(buf); return(buf);
} }
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str) static void
_str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{ {
double y; double y;
char *unit; char *unit;
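Review bot: In the new `_str_ipaddr` (hunk `@ -369,37 +371,65 @@`) the return value of `inet_ntop` is discarded, so when `family` taken from the kernel's sadb_address payload is not AF_INET/AF_INET6 the call fails, `addrbuf` stays uninitialized, and the following `snprintf` copies stack garbage into the static `buf` that `pfkey_sadump`/`pfkey_spdump` then print; the old `_str_addr` had the same gap, but the function is rewritten here so it is worth closing. Make the failure explicit, e.g. `if (inet_ntop(family, addr, addrbuf, sizeof(addrbuf)) == NULL) return "";` (or return a fixed `"?"` marker so a bad family is visible in the dump). While the `GETMSGSTR` macro is being touched for the `do { } while (0)` wrapper, the bound check still uses an unparenthesized `num` — `|| (num) >= sizeof(str)/sizeof((str)[0])` — which matters if a caller ever passes a compound expression. Both `_str_ipaddr` and `_str_prefport` lie entirely inside the hunk; `_str_lifetime_byte` continues past its end.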


@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.1 1999/07/01 20:15:29 itojun Exp $ # $NetBSD: shlib_version,v 1.2 2000/01/31 14:15:32 itojun Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing # Remember to update distrib/sets/lists/base/shl.* when changing
# #
major=0 major=1
minor=0 minor=0