]> git.saurik.com Git - apple/ipsec.git/blobdiff - ipsec-tools/racoon/oakley.c
ipsec-317.220.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / oakley.c
index eefa0fb135cb5a78621b4964ed6bfaeec2f21a35..24bdba8a0afdbaa4931bd1e7b1c3a8a308f3bbe6 100644 (file)
@@ -60,9 +60,6 @@
 #  include <time.h>
 # endif
 #endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
 
 #include "var.h"
 #include "misc.h"
@@ -78,8 +75,6 @@
 #include "isakmp_cfg.h" 
 #endif                
 #include "oakley.h"
-#include "admin.h"
-#include "privsep.h"
 #include "localconf.h"
 #include "policy.h"
 #include "handler.h"
 #if HAVE_OPENDIR
 #include "open_dir.h"
 #endif
-#include "dnssec.h"
 #include "sockmisc.h"
 #include "strnames.h"
 #include "gcmalloc.h"
-#ifdef HAVE_OPENSSL
-#include "rsalist.h"
-#endif
 #include <CoreFoundation/CoreFoundation.h>
 #include "remoteconf.h"
 #include "vpn_control.h"
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
 #endif
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
 #include "vpn_control_var.h"
+#include "extern.h"
 
 #define OUTBOUND_SA    0
 #define INBOUND_SA     1
@@ -155,35 +144,19 @@ struct dhgroup dh_modp6144;
 struct dhgroup dh_modp8192;
 
 
-static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
-static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
-static int get_cert_fromlocal __P((struct ph1handle *, int));
-#ifdef HAVE_OPENSSL
-static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
-#endif
-static int oakley_check_certid __P((struct ph1handle *iph1, int));
-static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus));
-static int check_typeofcertname __P((int, int));
-static cert_t *save_certbuf __P((struct isakmp_gen *));
+static int oakley_check_dh_pub (vchar_t *, vchar_t **);
+static int oakley_compute_keymat_x (phase2_handle_t *, int, int);
+static int get_cert_fromlocal (phase1_handle_t *, int);
+static int oakley_check_certid (phase1_handle_t *iph1);
+static int oakley_check_certid_1 (vchar_t *, int, int, void*, cert_status_t *certStatus);
 #ifdef HAVE_OPENSSL
-static cert_t *save_certx509 __P((X509 *));
+static int check_typeofcertname (int, int);
 #endif
-static int oakley_padlen __P((int, int));
-
-static int base64toCFData(vchar_t *, CFDataRef*);
-static cert_t *oakley_appendcert_to_certchain(cert_t *, cert_t *);
+static cert_t *save_certbuf (struct isakmp_gen *);
+static int oakley_padlen (int, int);
 
-static void oakley_cert_prettyprint (vchar_t *cert)
-{
-       char *p = NULL;
-#ifdef HAVE_OPENSSL
-       p = eay_get_x509text(cert);
-#else
-       /* add new cert dump code here */
-#endif
-       plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
-       racoon_free(p);
-}
+static int base64toCFData (vchar_t *, CFDataRef*);
+static cert_t *oakley_appendcert_to_certchain (cert_t *, cert_t *);
 
 int
 oakley_get_defaultlifetime()
@@ -216,17 +189,12 @@ oakley_dhinit()
 }
 
 void
-oakley_dhgrp_free(dhgrp)
-       struct dhgroup *dhgrp;
+oakley_dhgrp_free(struct dhgroup *dhgrp)
 {
-       if (dhgrp->prime)
-               vfree(dhgrp->prime);
-       if (dhgrp->curve_a)
-               vfree(dhgrp->curve_a);
-       if (dhgrp->curve_b)
-               vfree(dhgrp->curve_b);
-       if (dhgrp->order)
-               vfree(dhgrp->order);
+    VPTRINIT(dhgrp->prime);
+    VPTRINIT(dhgrp->curve_a);
+    VPTRINIT(dhgrp->curve_b);
+    VPTRINIT(dhgrp->order);
        racoon_free(dhgrp);
 }
 
@@ -237,8 +205,7 @@ oakley_dhgrp_free(dhgrp)
  * performed, prepending zero bits to the value if necessary.
  */
 static int
-oakley_check_dh_pub(prime, pub0)
-       vchar_t *prime, **pub0;
+oakley_check_dh_pub(vchar_t *prime, vchar_t **pub0)
 {
        vchar_t *tmp;
        vchar_t *pub = *pub0;
@@ -248,7 +215,7 @@ oakley_check_dh_pub(prime, pub0)
 
        if (prime->l < pub->l) {
                /* what should i do ? */
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid public information was generated.\n");
                return -1;
        }
@@ -256,7 +223,7 @@ oakley_check_dh_pub(prime, pub0)
        /* prime->l > pub->l */
        tmp = vmalloc(prime->l);
        if (tmp == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get DH buffer.\n");
                return -1;
        }
@@ -281,7 +248,7 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t
        struct timeval start, end;
 #endif
        if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get DH buffer.\n");
                return -1;
        }
@@ -292,37 +259,36 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub, vchar_t *priv, vchar_t
        switch (dh->type) {
        case OAKLEY_ATTR_GRP_TYPE_MODP:
                if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "failed to compute dh value.\n");
                        return -1;
                }
                break;
        case OAKLEY_ATTR_GRP_TYPE_ECP:
        case OAKLEY_ATTR_GRP_TYPE_EC2N:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "dh type %d isn't supported.\n", dh->type);
                return -1;
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid dh type %d.\n", dh->type);
                return -1;
        }
 
 #ifdef ENABLE_STATS
        gettimeofday(&end, NULL);
-       syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+       plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__,
                s_attr_isakmp_group(dh->type), dh->prime->l << 3,
                timedelta(&start, &end));
 #endif
 
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
-       plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
+       plog(ASL_LEVEL_DEBUG, "compute DH's shared.\n");
 
        return 0;
 }
 #else
 int
-oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext dhC)
+oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize, vchar_t **gxy, SecDHContext *dhC)
 {
        
        vchar_t *computed_key = NULL;
@@ -334,42 +300,47 @@ oakley_dh_compute(const struct dhgroup *dh, vchar_t *pub_p, size_t publicKeySize
        gettimeofday(&start, NULL);
 #endif
        
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH result.\n");
+       plog(ASL_LEVEL_DEBUG, "compute DH result.\n");
 
-       maxKeyLen = SecDHGetMaxKeyLength(dhC);
+       maxKeyLen = SecDHGetMaxKeyLength(*dhC);
        computed_key = vmalloc(maxKeyLen);
        if (computed_key == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+               plog(ASL_LEVEL_ERR, "memory error.\n");
                goto fail;
        }
        computed_keylen = computed_key->l;
-       if (SecDHComputeKey(dhC, pub_p->v + (maxKeyLen - publicKeySize), publicKeySize, 
-                                               computed_key->v, &computed_keylen)) {
-               plog(LLV_ERROR, LOCATION, NULL, "failed to compute dh value.\n");
+       if (SecDHComputeKey(*dhC, (uint8_t*)pub_p->v + (maxKeyLen - publicKeySize), publicKeySize,
+                                               (uint8_t*)computed_key->v, &computed_keylen)) {
+               plog(ASL_LEVEL_ERR, "failed to compute dh value.\n");
                goto fail;
        }
        
 #ifdef ENABLE_STATS
        gettimeofday(&end, NULL);
-       syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+       plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__,
                   s_attr_isakmp_group(dh->type), dh->prime->l << 3,
                   timedelta(&start, &end));
 #endif
        
        *gxy = vmalloc(maxKeyLen);
        if (*gxy == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+               plog(ASL_LEVEL_ERR, "memory error.\n");
                goto fail;
        }
        memcpy((*gxy)->v + (maxKeyLen - computed_keylen), computed_key->v, computed_keylen);
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
-       plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
-       SecDHDestroy(dhC);
+       plog(ASL_LEVEL_DEBUG, "compute DH's shared.\n");
+       if (*dhC) {
+               SecDHDestroy(*dhC);
+               *dhC = NULL;
+       }
        vfree(computed_key);
        return 0;
        
 fail:
-       SecDHDestroy(dhC);
+       if (*dhC) {
+               SecDHDestroy(*dhC);
+               *dhC = NULL;
+       }
        vfree(*gxy);
        vfree(computed_key);
        return -1;
@@ -384,9 +355,7 @@ fail:
  */
 #ifdef HAVE_OPENSSL
 int
-oakley_dh_generate(dh, pub, priv)
-       const struct dhgroup *dh;
-       vchar_t **pub, **priv;
+oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, vchar_t **priv)
 {
 #ifdef ENABLE_STATS
        struct timeval start, end;
@@ -395,7 +364,7 @@ oakley_dh_generate(dh, pub, priv)
        switch (dh->type) {
        case OAKLEY_ATTR_GRP_TYPE_MODP:
                if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "failed to compute dh value.\n");
                        return -1;
                }
@@ -403,18 +372,18 @@ oakley_dh_generate(dh, pub, priv)
 
        case OAKLEY_ATTR_GRP_TYPE_ECP:
        case OAKLEY_ATTR_GRP_TYPE_EC2N:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "dh type %d isn't supported.\n", dh->type);
                return -1;
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid dh type %d.\n", dh->type);
                return -1;
        }
 
 #ifdef ENABLE_STATS
        gettimeofday(&end, NULL);
-       syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+       plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__,
                s_attr_isakmp_group(dh->type), dh->prime->l << 3,
                timedelta(&start, &end));
 #endif
@@ -422,10 +391,8 @@ oakley_dh_generate(dh, pub, priv)
        if (oakley_check_dh_pub(dh->prime, pub) != 0)
                return -1;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
-       plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
-       plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
+       plog(ASL_LEVEL_DEBUG, "compute DH's private.\n");
+       plog(ASL_LEVEL_DEBUG, "compute DH's public.\n");
 
        return 0;
 }
@@ -441,34 +408,31 @@ oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySiz
        gettimeofday(&start, NULL);
 #endif
                
-       plog(LLV_DEBUG, LOCATION, NULL, "generate DH key pair.\n");
+       plog(ASL_LEVEL_DEBUG, "generate DH key pair.\n");
        *pub = NULL;
        switch (dh->type) {
                case OAKLEY_ATTR_GRP_TYPE_MODP:
-                       if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) {
-                               plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n");
-                               goto fail;
-                       }       
-                       if (SecDHCreate(dh->desc, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) {
-                               plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n");
+#define SECDH_MODP_GENERATOR 2
+                       if (SecDHCreate(SECDH_MODP_GENERATOR, (uint8_t*)dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) {
+                               plog(ASL_LEVEL_ERR, "failed to create dh context.\n");
                                goto fail;
                        }
                        maxKeyLen = SecDHGetMaxKeyLength(*dhC);
                        public = vmalloc(maxKeyLen);
                        *publicKeySize = public->l;
                        if (public == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+                               plog(ASL_LEVEL_ERR, "memory error.\n");
                                goto fail;
                        }
-                       if (SecDHGenerateKeypair(*dhC, public->v, publicKeySize)) {
-                               plog(LLV_ERROR, LOCATION, NULL, "failed to generate dh key pair.\n");
+                       if (SecDHGenerateKeypair(*dhC, (uint8_t*)public->v, publicKeySize)) {
+                               plog(ASL_LEVEL_ERR, "failed to generate dh key pair.\n");
                                goto fail;
                        }
-                       plog(LLV_DEBUG, LOCATION, NULL, "got DH key pair.\n");
+                       plog(ASL_LEVEL_DEBUG, "got DH key pair.\n");
                        
                        *pub = vmalloc(maxKeyLen);
                        if (*pub == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
+                               plog(ASL_LEVEL_ERR, "memory error.\n");
                                goto fail;
                        }                       
                        /* copy and fill with leading zeros */
@@ -477,36 +441,37 @@ oakley_dh_generate(const struct dhgroup *dh, vchar_t **pub, size_t *publicKeySiz
                        
                case OAKLEY_ATTR_GRP_TYPE_ECP:
                case OAKLEY_ATTR_GRP_TYPE_EC2N:
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "dh type %d isn't supported.\n", dh->type);
                        goto fail;
                default:
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "invalid dh type %d.\n", dh->type);
                        goto fail;
        }
        
 #ifdef ENABLE_STATS
        gettimeofday(&end, NULL);
-       syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
+       plog(ASL_LEVEL_NOTICE, "%s(%s%d): %8.6f", __func__,
                   s_attr_isakmp_group(dh->type), dh->prime->l << 3,
                   timedelta(&start, &end));
 #endif
        
        if (oakley_check_dh_pub(dh->prime, pub) != 0) {
-               plog(LLV_DEBUG, LOCATION, NULL, "failed DH public key size check.\n");
+               plog(ASL_LEVEL_DEBUG, "failed DH public key size check.\n");
                goto fail;
        }
        
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
-       plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
-       plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
+       //plogdump(ASL_LEVEL_DEBUG, (*pub)->v, (*pub)->l, "compute DH's public.\n");
        
        vfree(public);
        return 0;
        
 fail:
-       SecDHDestroy(*dhC);
+       if (*dhC) {
+               SecDHDestroy(*dhC);
+               *dhC = NULL;
+       }
        vfree(*pub);
        vfree(public);
        return -1;
@@ -518,9 +483,7 @@ fail:
  * copy pre-defined dhgroup values.
  */
 int
-oakley_setdhgroup(group, dhgrp)
-       int group;
-       struct dhgroup **dhgrp;
+oakley_setdhgroup(int group, struct dhgroup **dhgrp)
 {
        struct dhgroup *g;
 
@@ -528,21 +491,21 @@ oakley_setdhgroup(group, dhgrp)
 
        g = alg_oakley_dhdef_group(group);
        if (g == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid DH parameter grp=%d.\n", group);
                return -1;
        }
 
        if (!g->type || !g->prime || !g->gen1) {
                /* unsuported */
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "unsupported DH parameters grp=%d.\n", group);
                return -1;
        }
 
        *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
        if (*dhgrp == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get DH buffer.\n");
                return 0;
        }
@@ -563,25 +526,26 @@ oakley_setdhgroup(group, dhgrp)
  * modify oakley_compute_keymat() accordingly.
  */
 vchar_t *
-oakley_prf(key, buf, iph1)
-       vchar_t *key, *buf;
-       struct ph1handle *iph1;
+oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1)
 {
        vchar_t *res = NULL;
-       int type;
+       int type = OAKLEY_ATTR_HASH_ALG_MD5;
 
        if (iph1->approval == NULL) {
-               /*
-                * it's before negotiating hash algorithm.
-                * We use md5 as default.
-                */
-               type = OAKLEY_ATTR_HASH_ALG_MD5;
+               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+                       /*
+                        * it's before negotiating hash algorithm.
+                        * We use md5 as default.
+                        */
+                       type = OAKLEY_ATTR_HASH_ALG_MD5;
+               }
        } else
-               type = iph1->approval->hashtype;
-
-       res = alg_oakley_hmacdef_one(type, key, buf);
+    {
+        type = iph1->approval->hashtype;
+    }
+    res = alg_oakley_hmacdef_one(type, key, buf);
        if (res == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid hmac algorithm %d.\n", type);
                return NULL;
        }
@@ -593,25 +557,28 @@ oakley_prf(key, buf, iph1)
  * hash
  */
 vchar_t *
-oakley_hash(buf, iph1)
-       vchar_t *buf;
-       struct ph1handle *iph1;
+oakley_hash(vchar_t *buf, phase1_handle_t *iph1)
 {
        vchar_t *res = NULL;
-       int type;
+       int type = OAKLEY_ATTR_HASH_ALG_MD5;
 
        if (iph1->approval == NULL) {
-               /*
-                * it's before negotiating hash algorithm.
-                * We use md5 as default.
-                */
-               type = OAKLEY_ATTR_HASH_ALG_MD5;
-       } else
-               type = iph1->approval->hashtype;
+               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+                       /*
+                        * it's before negotiating hash algorithm.
+                        * We use md5 as default.
+                        */
+                       type = OAKLEY_ATTR_HASH_ALG_MD5;
+               }
+       } else {
+        if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+            type = iph1->approval->hashtype;
+        }
+    }
 
        res = alg_oakley_hashdef_one(type, buf);
        if (res == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid hash algorithm %d.\n", type);
                return NULL;
        }
@@ -624,9 +591,7 @@ oakley_hash(buf, iph1)
  *   see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
  */
 int
-oakley_compute_keymat(iph2, side)
-       struct ph2handle *iph2;
-       int side;
+oakley_compute_keymat(phase2_handle_t *iph2, int side)
 {
        int error = -1;
 
@@ -636,7 +601,7 @@ oakley_compute_keymat(iph2, side)
                if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
                                                          iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
 #else
-               if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, iph2->dhC) < 0)
+               if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub_p, iph2->publicKeySize, &iph2->dhgxy, &iph2->dhC) < 0)
 #endif
                        goto end;
        }
@@ -646,7 +611,7 @@ oakley_compute_keymat(iph2, side)
         || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
                goto end;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
+       plog(ASL_LEVEL_DEBUG, "KEYMAT computed.\n");
 
        error = 0;
 
@@ -664,10 +629,7 @@ end:
  * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
  */
 static int
-oakley_compute_keymat_x(iph2, side, sa_dir)
-       struct ph2handle *iph2;
-       int side;
-       int sa_dir;
+oakley_compute_keymat_x(phase2_handle_t *iph2, int side, int sa_dir)
 {
        vchar_t *buf = NULL, *res = NULL, *bp;
        char *p;
@@ -688,7 +650,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                + iph2->nonce_p->l);
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get keymat buffer.\n");
                goto end;
        }
@@ -718,8 +680,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                p += bp->l;
 
                /* compute IV */
-               plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
-               plogdump(LLV_DEBUG, buf->v, buf->l);
+               //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "KEYMAT compute with\n");
 
                /* res = K1 */
                res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
@@ -751,16 +712,16 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                default:
                        break;
                }
-               plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
+               plog(ASL_LEVEL_DEBUG, "encklen=%d authklen=%d\n",
                        encklen, authklen);
 
                dupkeymat = (encklen + authklen) / 8 / res->l;
                dupkeymat += 2; /* safety mergin */
                if (dupkeymat < 3)
                        dupkeymat = 3;
-               plog(LLV_DEBUG, LOCATION, NULL,
-                       "generating %zu bits of key (dupkeymat=%d)\n",
-                       dupkeymat * 8 * res->l, dupkeymat);
+               //plog(ASL_LEVEL_DEBUG,
+               //      "generating %zu bits of key (dupkeymat=%d)\n",
+               //      dupkeymat * 8 * res->l, dupkeymat);
                if (0 < --dupkeymat) {
                        vchar_t *prev = res;    /* K(n-1) */
                        vchar_t *seed = NULL;   /* seed for Kn */
@@ -776,13 +737,13 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                         *   K3 = prf(SKEYID_d, K2 | src)
                         *   Kn = prf(SKEYID_d, K(n-1) | src)
                         */
-                       plog(LLV_DEBUG, LOCATION, NULL,
-                               "generating K1...K%d for KEYMAT.\n",
-                               dupkeymat + 1);
+                       //plog(ASL_LEVEL_DEBUG,
+                       //      "generating K1...K%d for KEYMAT.\n",
+                       //      dupkeymat + 1);
 
                        seed = vmalloc(prev->l + buf->l);
                        if (seed == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "failed to get keymat buffer.\n");
                                if (prev && prev != res)
                                        vfree(prev);
@@ -798,7 +759,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                                this = oakley_prf(iph2->ph1->skeyid_d, seed,
                                                        iph2->ph1);
                                if (!this) {
-                                       plog(LLV_ERROR, LOCATION, NULL,
+                                       plog(ASL_LEVEL_ERR, 
                                                "oakley_prf memory overflow\n");
                                        if (prev && prev != res)
                                                vfree(prev);
@@ -816,7 +777,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                                        prev = res;
 
                                if (res == NULL) {
-                                       plog(LLV_ERROR, LOCATION, NULL,
+                                       plog(ASL_LEVEL_ERR, 
                                                "failed to get keymat buffer.\n");
                                        if (prev && prev != res)
                                                vfree(prev);
@@ -837,7 +798,7 @@ oakley_compute_keymat_x(iph2, side, sa_dir)
                        vfree(seed);
                }
 
-               plogdump(LLV_DEBUG, res->v, res->l);
+               //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "");
 
                if (sa_dir == INBOUND_SA)
                        pr->keymat = res;
@@ -870,69 +831,13 @@ end:
        return error;
 }
 
-#if notyet
-/*
- * NOTE: Must terminate by NULL.
- */
-vchar_t *
-oakley_compute_hashx(struct ph1handle *iph1, ...)
-{
-       vchar_t *buf, *res;
-       vchar_t *s;
-       caddr_t p;
-       int len;
-
-       va_list ap;
-
-       /* get buffer length */
-       va_start(ap, iph1);
-       len = 0;
-        while ((s = va_arg(ap, vchar_t *)) != NULL) {
-               len += s->l
-        }
-       va_end(ap);
-
-       buf = vmalloc(len);
-       if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get hash buffer\n");
-               return NULL;
-       }
-
-       /* set buffer */
-       va_start(ap, iph1);
-       p = buf->v;
-        while ((s = va_arg(ap, char *)) != NULL) {
-               memcpy(p, s->v, s->l);
-               p += s->l;
-       }
-       va_end(ap);
-
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
-
-       /* compute HASH */
-       res = oakley_prf(iph1->skeyid_a, buf, iph1);
-       vfree(buf);
-       if (res == NULL)
-               return NULL;
-
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
-       plogdump(LLV_DEBUG, res->v, res->l);
-
-       return res;
-}
-#endif
 
 /*
  * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
  *   see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
  */
 vchar_t *
-oakley_compute_hash3(iph1, msgid, body)
-       struct ph1handle *iph1;
-       u_int32_t msgid;
-       vchar_t *body;
+oakley_compute_hash3(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body)
 {
        vchar_t *buf = 0, *res = 0;
        int len;
@@ -942,7 +847,7 @@ oakley_compute_hash3(iph1, msgid, body)
        len = 1 + sizeof(u_int32_t) + body->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_NOTICE,
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -953,9 +858,6 @@ oakley_compute_hash3(iph1, msgid, body)
 
        memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
-
        /* compute HASH */
        res = oakley_prf(iph1->skeyid_a, buf, iph1);
        if (res == NULL)
@@ -963,8 +865,7 @@ oakley_compute_hash3(iph1, msgid, body)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
-       plogdump(LLV_DEBUG, res->v, res->l);
+       //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH computed:\n");
 
 end:
        if (buf != NULL)
@@ -983,10 +884,7 @@ end:
  *             prf(SKEYID_a, M-ID | N/D)
  */
 vchar_t *
-oakley_compute_hash1(iph1, msgid, body)
-       struct ph1handle *iph1;
-       u_int32_t msgid;
-       vchar_t *body;
+oakley_compute_hash1(phase1_handle_t *iph1, u_int32_t msgid, vchar_t *body)
 {
        vchar_t *buf = NULL, *res = NULL;
        char *p;
@@ -997,7 +895,7 @@ oakley_compute_hash1(iph1, msgid, body)
        len = sizeof(u_int32_t) + body->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_NOTICE,
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -1009,9 +907,6 @@ oakley_compute_hash1(iph1, msgid, body)
 
        memcpy(p, body->v, body->l);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
-
        /* compute HASH */
        res = oakley_prf(iph1->skeyid_a, buf, iph1);
        if (res == NULL)
@@ -1019,8 +914,7 @@ oakley_compute_hash1(iph1, msgid, body)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
-       plogdump(LLV_DEBUG, res->v, res->l);
+       //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH computed:\n");
 
 end:
        if (buf != NULL)
@@ -1036,17 +930,12 @@ end:
  * for gssapi, also include all GSS tokens, and call gss_wrap on the result
  */
 vchar_t *
-oakley_ph1hash_common(iph1, sw)
-       struct ph1handle *iph1;
-       int sw;
+oakley_ph1hash_common(phase1_handle_t *iph1, int sw)
 {
        vchar_t *buf = NULL, *res = NULL, *bp;
        char *p, *bp2;
        int len, bl;
        int error = -1;
-#ifdef HAVE_GSSAPI
-       vchar_t *gsstokens = NULL;
-#endif
 
        /* create buffer */
        len = iph1->dhpub->l
@@ -1055,25 +944,9 @@ oakley_ph1hash_common(iph1, sw)
                + iph1->sa->l
                + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
 
-#ifdef HAVE_GSSAPI
-       if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
-               if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
-                       bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
-                       len += bp->l;
-               }
-               if (sw == GENERATE)
-                       gssapi_get_itokens(iph1, &gsstokens);
-               else
-                       gssapi_get_rtokens(iph1, &gsstokens);
-               if (gsstokens == NULL)
-                       return NULL;
-               len += gsstokens->l;
-       }
-#endif
-
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -1116,21 +989,6 @@ oakley_ph1hash_common(iph1, sw)
        memcpy(p, bp->v, bp->l);
        p += bp->l;
 
-#ifdef HAVE_GSSAPI
-       if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
-               if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
-                       bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
-                       memcpy(p, bp->v, bp->l);
-                       p += bp->l;
-               }
-               memcpy(p, gsstokens->v, gsstokens->l);
-               p += gsstokens->l;
-       }
-#endif
-
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
-
        /* compute HASH */
        res = oakley_prf(iph1->skeyid, buf, iph1);
        if (res == NULL)
@@ -1138,17 +996,9 @@ oakley_ph1hash_common(iph1, sw)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
-               iph1->side == INITIATOR ? "init" : "resp");
-       plogdump(LLV_DEBUG, res->v, res->l);
-
 end:
        if (buf != NULL)
                vfree(buf);
-#ifdef HAVE_GSSAPI
-       if (gsstokens != NULL)
-               vfree(gsstokens);
-#endif
        return res;
 }
 
@@ -1160,9 +1010,7 @@ end:
  *   HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
  */
 vchar_t *
-oakley_ph1hash_base_i(iph1, sw)
-       struct ph1handle *iph1;
-       int sw;
+oakley_ph1hash_base_i(phase1_handle_t *iph1, int sw)
 {
        vchar_t *buf = NULL, *res = NULL, *bp;
        vchar_t *hashkey = NULL;
@@ -1173,7 +1021,7 @@ oakley_ph1hash_base_i(iph1, sw)
 
        /* sanity check */
        if (iph1->etype != ISAKMP_ETYPE_BASE) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid etype for this hash function\n");
                return NULL;
        }
@@ -1191,32 +1039,24 @@ oakley_ph1hash_base_i(iph1, sw)
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
 #endif
                if (iph1->skeyid == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
+                       plog(ASL_LEVEL_ERR, "no SKEYID found.\n");
                        return NULL;
                }
                hashkey = iph1->skeyid;
                break;
 
-       case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
        case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef HAVE_GSSAPI
-       case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-#endif
 #ifdef ENABLE_HYBRID
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
 #endif
                /* make hash for seed */
                len = iph1->nonce->l + iph1->nonce_p->l;
                buf = vmalloc(len);
                if (buf == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "failed to get hash buffer\n");
                        goto end;
                }
@@ -1240,7 +1080,7 @@ oakley_ph1hash_base_i(iph1, sw)
                break;
 
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "not supported authentication method %d\n",
                        iph1->approval->authmethod);
                return NULL;
@@ -1253,7 +1093,7 @@ oakley_ph1hash_base_i(iph1, sw)
                + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -1275,8 +1115,7 @@ oakley_ph1hash_base_i(iph1, sw)
        memcpy(p, bp->v, bp->l);
        p += bp->l;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
+       //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "HASH_I with:\n");
 
        /* compute HASH */
        res = oakley_prf(hashkey, buf, iph1);
@@ -1285,8 +1124,7 @@ oakley_ph1hash_base_i(iph1, sw)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
-       plogdump(LLV_DEBUG, res->v, res->l);
+       //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH_I computed:\n");
 
 end:
        if (hash != NULL)
@@ -1302,9 +1140,7 @@ end:
  * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
  */
 vchar_t *
-oakley_ph1hash_base_r(iph1, sw)
-       struct ph1handle *iph1;
-       int sw;
+oakley_ph1hash_base_r(phase1_handle_t *iph1, int sw)
 {
        vchar_t *buf = NULL, *res = NULL, *bp;
        vchar_t *hash = NULL;
@@ -1314,28 +1150,23 @@ oakley_ph1hash_base_r(iph1, sw)
 
        /* sanity check */
        if (iph1->etype != ISAKMP_ETYPE_BASE) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid etype for this hash function\n");
                return NULL;
        }
 
        switch(AUTHMETHOD(iph1)) {
-       case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
        case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
        case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
 #endif
                break;
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "not supported authentication method %d\n",
                        iph1->approval->authmethod);
                return NULL;
@@ -1346,7 +1177,7 @@ oakley_ph1hash_base_r(iph1, sw)
        len = iph1->nonce->l + iph1->nonce_p->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -1374,7 +1205,7 @@ oakley_ph1hash_base_r(iph1, sw)
                + (sw == GENERATE ? iph1->id_p->l : iph1->id->l);
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get hash buffer\n");
                goto end;
        }
@@ -1401,8 +1232,7 @@ oakley_ph1hash_base_r(iph1, sw)
        memcpy(p, bp->v, bp->l);
        p += bp->l;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
+       //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "HASH_R with:\n");
 
        /* compute HASH */
        res = oakley_prf(hash, buf, iph1);
@@ -1411,8 +1241,7 @@ oakley_ph1hash_base_r(iph1, sw)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
-       plogdump(LLV_DEBUG, res->v, res->l);
+       //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "HASH_R computed:\n");
 
 end:
        if (buf != NULL)
@@ -1424,15 +1253,21 @@ end:
 
 #if HAVE_OPENDIR
 static int
-oakley_verify_userid(iph1)
-       struct ph1handle *iph1;
+oakley_verify_userid(phase1_handle_t *iph1)
 {
        cert_t  *p;
        vchar_t *user_id;
        int      user_id_found = 0;
+#ifndef HAVE_OPENSSL
+       SecCertificateRef certificate;
+       CFArrayRef commonNames;
+       CFIndex i, l;
+       CFStringRef name;
+#endif /* HAVE_OPENSSL */
 
        for (p = iph1->cert_p; p; p = p->chain) {
-               user_id = eay_get_x509_common_name(&p->cert);
+#ifdef HAVE_OPENSSL
+               user_id = eay_get_x509_common_name(&p->cert); //%%%%%%%% fix this
                if (user_id) {
                        user_id_found = 1;
                        // the following functions will check if user_id == 0
@@ -1442,61 +1277,57 @@ oakley_verify_userid(iph1)
                        }
                        vfree(user_id);
                }
+#else /* HAVE_OPENSSL */
+               certificate = crypto_cssm_x509cert_CreateSecCertificateRef(&p->cert);
+               if (certificate == NULL) {
+                       plog(ASL_LEVEL_ERR,
+                                "ovuid failed to get SecCertificateRef\n");
+                       continue;
+               }
+
+               commonNames = SecCertificateCopyCommonNames(certificate);
+               if (commonNames == NULL) {
+                       plog(ASL_LEVEL_ERR,
+                                "ovuid failed to get commonNames\n");
+                       CFRelease(certificate);
+                       continue;
+               }
+
+               l = CFArrayGetCount(commonNames);
+               for (i = 0; i < l; i++) {
+                       name = CFArrayGetValueAtIndex(commonNames, i);
+                       user_id = vmalloc(CFStringGetMaximumSizeForEncoding(CFStringGetLength(name),
+                                                                                                                               kCFStringEncodingUTF8) + 1);
+                       if (user_id) {
+                               if (CFStringGetCString(name, user_id->v, user_id->l,
+                                                                               kCFStringEncodingUTF8)) {
+                                       user_id_found = 1;
+                                       // the following functions will check if user_id == 0
+                                       if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group)) {
+                                               vfree(user_id);
+                                               CFRelease(certificate);
+                                               CFRelease(commonNames);
+                                               return 0;
+                                       }
+                               }
+                               vfree(user_id);
+                       }
+               }
+               CFRelease(certificate);
+               CFRelease(commonNames);
+#endif /* HAVE_OPENSSL */
        }
        if (user_id_found) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                         "the peer is not authorized for access.\n");
        } else {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                         "the peer is not authorized for access - user ID not found.\n");
        }
        return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
 }
 #endif /* HAVE_OPENDIR */
 
-#ifdef HAVE_OPENSSL
-static int
-oakley_verify_x509sign(certchain, my_hash, my_sig)
-       cert_t *certchain;
-       vchar_t *my_hash;
-       vchar_t *my_sig;
-{
-       cert_t *p;
-       int     result = -1;
-
-       for (p = certchain; p; p = p->chain) {
-               if ((result = eay_check_x509sign(my_hash,
-                                                                                my_sig,
-                                                                                &p->cert)) == 0) {
-                       break;
-               }
-       }
-       return result;
-}
-#endif
-#ifdef HAVE_OPENSSL
-static int
-oakley_check_x509cert(certchain, capath, cafile, local)
-       cert_t *certchain;
-       char   *capath;
-       char   *cafile;
-       int     local;
-{
-       cert_t *p;
-       int     result = 0;
-
-       for (p = certchain; p; p = p->chain) {
-               if ((result = eay_check_x509cert(&p->cert,
-                                                                                capath, 
-                                                                                cafile,
-                                                                                local))) {
-                       break;
-               }
-       }
-       return result;
-}
-#endif /* HAVE_OPENSSL */
-
 /*
  * compute each authentication method in phase 1.
  * OUT:
@@ -1506,20 +1337,14 @@ oakley_check_x509cert(certchain, capath, cafile, local)
  *             the value is notification type.
  */
 int
-oakley_validate_auth(iph1)
-       struct ph1handle *iph1;
+oakley_validate_auth(phase1_handle_t *iph1)
 {
        vchar_t *my_hash = NULL;
        int result;
-#ifdef HAVE_GSSAPI
-       vchar_t *gsshash = NULL;
-#endif
 #ifdef ENABLE_STATS
        struct timeval start, end;
 #endif
-#if TARGET_OS_EMBEDDED
-       SecKeyRef publicKeyRef;
-#endif
+       SecKeyRef publicKeyRef = NULL;
 
 #ifdef ENABLE_STATS
        gettimeofday(&start, NULL);
@@ -1536,7 +1361,7 @@ oakley_validate_auth(iph1)
                char *r_hash;
 
                if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
-                       plog(LLV_ERROR, LOCATION, iph1->remote,
+                       plog(ASL_LEVEL_ERR,
                                "few isakmp message received.\n");
                        return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
                }
@@ -1544,7 +1369,7 @@ oakley_validate_auth(iph1)
                if (AUTHMETHOD(iph1) == FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I &&
                    ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0))
                {
-                       plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
+                       plog(ASL_LEVEL_ERR, "No SIG was passed, "
                            "hybrid auth is enabled, "
                            "but peer is no Xauth compliant\n");
                        return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
@@ -1553,25 +1378,26 @@ oakley_validate_auth(iph1)
 #endif
                r_hash = (caddr_t)(iph1->pl_hash + 1);
 
-               plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n");
-               plogdump(LLV_DEBUG, r_hash,
-                       ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash));
+               //plogdump(ASL_LEVEL_DEBUG, r_hash,
+               //      ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash), "HASH received:\n");
 
-               switch (iph1->etype) {
-               case ISAKMP_ETYPE_IDENT:
-               case ISAKMP_ETYPE_AGG:
-                       my_hash = oakley_ph1hash_common(iph1, VALIDATE);
-                       break;
-               case ISAKMP_ETYPE_BASE:
-                       if (iph1->side == INITIATOR)
+               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+                       switch (iph1->etype) {
+                       case ISAKMP_ETYPE_IDENT:
+                       case ISAKMP_ETYPE_AGG:
                                my_hash = oakley_ph1hash_common(iph1, VALIDATE);
-                       else
-                               my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
-                       break;
-               default:
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "invalid etype %d\n", iph1->etype);
-                       return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
+                               break;
+                       case ISAKMP_ETYPE_BASE:
+                               if (iph1->side == INITIATOR)
+                                       my_hash = oakley_ph1hash_common(iph1, VALIDATE);
+                               else
+                                       my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
+                               break;
+                       default:
+                               plog(ASL_LEVEL_ERR, 
+                                        "invalid etype %d\n", iph1->etype);
+                               return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
+                       }
                }
                if (my_hash == NULL)
                        return ISAKMP_INTERNAL_ERROR;
@@ -1580,22 +1406,18 @@ oakley_validate_auth(iph1)
                vfree(my_hash);
 
                if (result) {
-                       plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
+                       plog(ASL_LEVEL_ERR, "HASH mismatched\n");
                        return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
                }
 
-               plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
+               plog(ASL_LEVEL_DEBUG, "HASH for PSK validated.\n");
            }
                break;
-       case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
        case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
 #endif
            {
                int error = 0;
@@ -1603,78 +1425,29 @@ oakley_validate_auth(iph1)
 
                /* validation */
                if (iph1->id_p == NULL) {
-                       plog(LLV_ERROR, LOCATION, iph1->remote,
+                       plog(ASL_LEVEL_ERR,
                                "no ID payload was passed.\n");
                        return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
                }
                if (iph1->sig_p == NULL) {
-                       plog(LLV_ERROR, LOCATION, iph1->remote,
+                       plog(ASL_LEVEL_ERR,
                                "no SIG payload was passed.\n");
                        return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
                }
 
-               plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n");
-               plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l);
+               plog(ASL_LEVEL_DEBUG, "SIGN passed\n");
 
                /* get peer's cert */
                switch (iph1->rmconf->getcert_method) {
                case ISAKMP_GETCERT_PAYLOAD:
                        if (iph1->cert_p == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "no peer's CERT payload found.\n");
                                return ISAKMP_INTERNAL_ERROR;
                        }
                        break;
-#ifdef HAVE_OPENSSL
-               case ISAKMP_GETCERT_LOCALFILE:
-                       switch (iph1->rmconf->certtype) {
-                               case ISAKMP_CERT_X509SIGN:
-                                       if (iph1->rmconf->peerscertfile == NULL) {
-                                               plog(LLV_ERROR, LOCATION, NULL,
-                                                       "no peer's CERT file found.\n");
-                                               return ISAKMP_INTERNAL_ERROR;
-                                       }
-
-                                       /* don't use cached cert */
-                                       if (iph1->cert_p != NULL) {
-                                               oakley_delcert(iph1->cert_p);
-                                               iph1->cert_p = NULL;
-                                       }
-
-                                       error = get_cert_fromlocal(iph1, 0);
-                                       break;
-
-                               case ISAKMP_CERT_PLAINRSA:
-                                       error = get_plainrsa_fromlocal(iph1, 0);
-                                       break;
-                       }
-                       if (error)
-                               return ISAKMP_INTERNAL_ERROR;
-                       break;
-#endif
-               case ISAKMP_GETCERT_DNS:
-                       if (iph1->rmconf->peerscertfile != NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
-                                       "why peer's CERT file is defined "
-                                       "though getcert method is dns ?\n");
-                               return ISAKMP_INTERNAL_ERROR;
-                       }
-
-                       /* don't use cached cert */
-                       if (iph1->cert_p != NULL) {
-                               oakley_delcert(iph1->cert_p);
-                               iph1->cert_p = NULL;
-                       }
-
-                       iph1->cert_p = dnssec_getcert(iph1->id_p);
-                       if (iph1->cert_p == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
-                                       "no CERT RR found.\n");
-                               return ISAKMP_INTERNAL_ERROR;
-                       }
-                       break;
                default:
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "invalid getcert_mothod: %d\n",
                                iph1->rmconf->getcert_method);
                        return ISAKMP_INTERNAL_ERROR;
@@ -1682,17 +1455,8 @@ oakley_validate_auth(iph1)
 
                /* compare ID payload and certificate name */
                if (iph1->rmconf->verify_cert &&
-                   (error = oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)) != 0)
-                       return error;
-
-               /* check configured peers identifier against cert IDs                           */
-               /* allows checking of specified ID against multiple ids in the cert */
-               /* such as multiple domain names                                                                        */
-#if !TARGET_OS_EMBEDDED
-               if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER &&
-                       (error = oakley_check_certid(iph1, CERT_CHECKID_FROM_RMCONFIG)) != 0)
+                   (error = oakley_check_certid(iph1)) != 0)
                        return error;
-#endif
 
 #if HAVE_OPENDIR
                /* check cert common name against Open Directory authentication group */
@@ -1710,7 +1474,6 @@ oakley_validate_auth(iph1)
 #ifdef ENABLE_HYBRID
                        switch (AUTHMETHOD(iph1)) {
                        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-                       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
                                certtype = iph1->cert_p->type;
                                break;
                        default:
@@ -1719,8 +1482,6 @@ oakley_validate_auth(iph1)
 #endif
                        switch (certtype) {
                        case ISAKMP_CERT_X509SIGN:
-
-#if TARGET_OS_EMBEDDED
                        {
                                /* use ID from remote configuration */  
                                /* check each ID in list                        */
@@ -1732,9 +1493,9 @@ oakley_validate_auth(iph1)
                                if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
                                        id_spec = genlist_next(iph1->rmconf->idvl_p, &gpb);     /* expect only one id */                                                
                                        if (id_spec->idtype == IDTYPE_ADDRESS) {
-                                               switch (((struct sockaddr *)(id_spec->id->v))->sa_family) {                                                     
+                                               switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) {
                                                        case AF_INET:
-                                                               peers_id = inet_ntoa(((struct sockaddr_in *)(id_spec->id->v))->sin_addr);
+                                                               peers_id = inet_ntoa((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr);
                                                                hostname = CFStringCreateWithCString(NULL, peers_id, kCFStringEncodingUTF8);
                                                                break;
 #ifdef INET6
@@ -1743,7 +1504,7 @@ oakley_validate_auth(iph1)
                                                                break;
 #endif
                                                        default:
-                                                               plog(LLV_ERROR, LOCATION, NULL,
+                                                               plog(ASL_LEVEL_ERR, 
                                                                        "unknown address type for peers identifier.\n");
                                                                return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
                                                                break;
@@ -1755,63 +1516,40 @@ oakley_validate_auth(iph1)
                                if (hostname)
                                        CFRelease(hostname);
                        }
-                       
-#else /* TARGET_OS_EMBEDDED */
-                               if (iph1->rmconf->cert_verification == VERIFICATION_MODULE_SEC_FRAMEWORK)
-                                       error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1),
-                                                                                                          iph1->cert_p,
-                                                                                                          NULL);
-                               else 
-                               {
-                                       char path[MAXPATHLEN];
-                                       char *ca;
-
-                                       if (iph1->rmconf->cacertfile != NULL) {
-                                               getpathname(path, sizeof(path), 
-                                               LC_PATHTYPE_CERT, 
-                                               iph1->rmconf->cacertfile);
-                                               ca = path;
-                                       } else {
-                                               ca = NULL;
-                                       }
-
-                                       error = oakley_check_x509cert(iph1->cert_p,
-                                                                                                 lcconf->pathinfo[LC_PATHTYPE_CERT], 
-                                                                                                 ca, 0);
-                               }
-#endif /* TARGET_OS_EMBEDDED */
-                               break;
+            break;
                        
                        default:
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "no supported certtype %d\n", certtype);
                                return ISAKMP_INTERNAL_ERROR;
                        }
                        if (error != 0) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "the peer's certificate is not verified.\n");
                                return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
                        }
                }
 
-               plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n");
+               plog(ASL_LEVEL_DEBUG, "CERT validated\n");
 
-               /* compute hash */
-               switch (iph1->etype) {
-               case ISAKMP_ETYPE_IDENT:
-               case ISAKMP_ETYPE_AGG:
-                       my_hash = oakley_ph1hash_common(iph1, VALIDATE);
-                       break;
-               case ISAKMP_ETYPE_BASE:
-                       if (iph1->side == INITIATOR)
-                               my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
-                       else
-                               my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
-                       break;
-               default:
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "invalid etype %d\n", iph1->etype);
-                       return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
+               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+                       /* compute hash */
+                       switch (iph1->etype) {
+                       case ISAKMP_ETYPE_IDENT:
+                       case ISAKMP_ETYPE_AGG:
+                               my_hash = oakley_ph1hash_common(iph1, VALIDATE);
+                               break;
+                       case ISAKMP_ETYPE_BASE:
+                               if (iph1->side == INITIATOR)
+                                       my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
+                               else
+                                       my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
+                               break;
+                       default:
+                               plog(ASL_LEVEL_ERR, 
+                                        "invalid etype %d\n", iph1->etype);
+                               return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
+                       }
                }
                if (my_hash == NULL)
                        return ISAKMP_INTERNAL_ERROR;
@@ -1821,7 +1559,6 @@ oakley_validate_auth(iph1)
 #ifdef ENABLE_HYBRID
                switch (AUTHMETHOD(iph1)) {
                case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-               case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
                        certtype = iph1->cert_p->type;
                        break;
                default:
@@ -1830,102 +1567,52 @@ oakley_validate_auth(iph1)
 #endif
                /* check signature */
                switch (certtype) {
-               case ISAKMP_CERT_X509SIGN:
-               case ISAKMP_CERT_DNS:
-#if TARGET_OS_EMBEDDED
-                       error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p);
-                       if (error)      
-                               plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error));
-                               
-                       CFRelease(publicKeyRef);                                
-#else
-                       error = oakley_verify_x509sign(iph1->cert_p, my_hash, iph1->sig_p);
-#endif
-                       break;
-#ifdef HAVE_OPENSSL
-               case ISAKMP_CERT_PLAINRSA:
-                       iph1->rsa_p = rsa_try_check_rsasign(my_hash,
-                                       iph1->sig_p, iph1->rsa_candidates);
-                       error = iph1->rsa_p ? 0 : -1;
-
-                       break;
-#endif
-               default:
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "no supported certtype %d\n",
-                               certtype);
-                       vfree(my_hash);
-                       return ISAKMP_INTERNAL_ERROR;
+                       case ISAKMP_CERT_X509SIGN:
+                               if (publicKeyRef == NULL) {
+                                       plog(ASL_LEVEL_ERR, "@@@@@@ publicKeyRef is NULL\n");
+                               }
+                               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+                                       error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, FALSE);
+                               }
+                               if (error) {
+                                       plog(ASL_LEVEL_ERR, "error verifying signature %s\n", GetSecurityErrorString(error));
+                               }
+                                       
+                               CFRelease(publicKeyRef);                                
+                               break;
+                       default:
+                               plog(ASL_LEVEL_ERR, 
+                                       "no supported certtype %d\n",
+                                       certtype);
+                               vfree(my_hash);
+                               return ISAKMP_INTERNAL_ERROR;
                }
 
                vfree(my_hash);
                if (error != 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "Invalid SIG.\n");
                        return ISAKMP_NTYPE_INVALID_SIGNATURE;
                }
-               plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n");
+               plog(ASL_LEVEL_DEBUG, "SIG authenticated\n");
            }
                break;
 #ifdef ENABLE_HYBRID
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
            {
                if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
-                       plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
+                       plog(ASL_LEVEL_ERR, "No SIG was passed, "
                            "hybrid auth is enabled, "
                            "but peer is no Xauth compliant\n");
                        return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
                        break;
                }
-               plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, "
+               plog(ASL_LEVEL_NOTICE, "No SIG was passed, "
                    "but hybrid auth is enabled\n");
 
                return 0;
                break;
            }
-#endif
-#ifdef HAVE_GSSAPI
-       case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-               /* check if we're not into XAUTH_PSKEY_I instead */
-#ifdef ENABLE_HYBRID
-               if (iph1->rmconf->xauth)
-                       break;
-#endif
-               switch (iph1->etype) {
-               case ISAKMP_ETYPE_IDENT:
-               case ISAKMP_ETYPE_AGG:
-                       my_hash = oakley_ph1hash_common(iph1, VALIDATE);
-                       break;
-               default:
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "invalid etype %d\n", iph1->etype);
-                       return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
-               }
-
-               if (my_hash == NULL) {
-                       if (gssapi_more_tokens(iph1))
-                               return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
-                       else
-                               return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
-               }
-
-               gsshash = gssapi_unwraphash(iph1);
-               if (gsshash == NULL) {
-                       vfree(my_hash);
-                       return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
-               }
-
-               result = memcmp(my_hash->v, gsshash->v, my_hash->l);
-               vfree(my_hash);
-               vfree(gsshash);
-
-               if (result) {
-                       plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
-                       return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
-               }
-               plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n");
-               break;
 #endif
        case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
        case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
@@ -1936,23 +1623,23 @@ oakley_validate_auth(iph1)
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
 #endif
                if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
-                       plog(LLV_ERROR, LOCATION, iph1->remote,
+                       plog(ASL_LEVEL_ERR,
                                "few isakmp message received.\n");
                        return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
                }
-               plog(LLV_ERROR, LOCATION, iph1->remote,
+               plog(ASL_LEVEL_ERR,
                        "not supported authmethod type %s\n",
                        s_oakley_attr_method(iph1->approval->authmethod));
                return ISAKMP_INTERNAL_ERROR;
        default:
-               plog(LLV_ERROR, LOCATION, iph1->remote,
+               plog(ASL_LEVEL_ERR,
                        "invalid authmethod %d why ?\n",
                        iph1->approval->authmethod);
                return ISAKMP_INTERNAL_ERROR;
        }
 #ifdef ENABLE_STATS
        gettimeofday(&end, NULL);
-       syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__,
+       plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", __func__,
                s_oakley_attr_method(iph1->approval->authmethod),
                timedelta(&start, &end));
 #endif
@@ -1975,29 +1662,23 @@ oakley_find_status_in_certchain (cert_t *certchain, cert_status_t certStatus)
 
 static
 int
-oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1,
-                                                                                                          int               notify_initiator)
+oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, int notify_initiator)
 {
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
        int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
        int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
        if (premature || expired) {
-               u_int32_t address;
                u_int32_t fail_reason;
 
-               if (iph1->remote->sa_family == AF_INET)
-                       address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
-               else
-                       address = 0;
                if (premature) {
                        fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE;
                } else {
                        fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED;
                }
-               vpncontrol_notify_ike_failed(fail_reason, notify_initiator, address, 0, NULL);
+               vpncontrol_notify_ike_failed(fail_reason, notify_initiator, iph1_get_remote_v4_address(iph1), 0, NULL);
                return -1;
        }
-#endif /* TARGET_OS_EMBEDDED */
+#endif /* HAVE_OPENSSL */
        return 0;
 }
 
@@ -2005,11 +1686,9 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (struct ph1handle *iph1,
  * NOTE: include certificate type.
  */
 int
-oakley_getmycert(iph1)
-       struct ph1handle *iph1;
+oakley_getmycert(phase1_handle_t *iph1)
 {
        int     err;
-       u_int32_t address;
        
        switch (iph1->rmconf->certtype) {
                case ISAKMP_CERT_X509SIGN:
@@ -2021,14 +1700,8 @@ oakley_getmycert(iph1)
                                }
                        }
                        return err;
-#ifdef HAVE_OPENSSL
-               case ISAKMP_CERT_PLAINRSA:
-                       if (iph1->rsa)
-                               return 0;
-                       return get_plainrsa_fromlocal(iph1, 1);
-#endif
                default:
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                             "Unknown certtype #%d\n",
                             iph1->rmconf->certtype);
                        return -1;
@@ -2043,26 +1716,19 @@ oakley_getmycert(iph1)
  *     my == 0 peer's cert.
  */
 static int
-get_cert_fromlocal(iph1, my)
-       struct ph1handle *iph1;
-       int my;
+get_cert_fromlocal(phase1_handle_t *iph1, int my)
 {
-       char path[MAXPATHLEN];
        vchar_t *cert = NULL;
        cert_t **certpl;
-       char *certfile;
        int error = -1;
        cert_status_t status = CERT_STATUS_OK;
 
-       if (my) {
-               certfile = iph1->rmconf->mycertfile;
+       if (my)
                certpl = &iph1->cert;
-       } else {
-               certfile = iph1->rmconf->peerscertfile;
+       else
                certpl = &iph1->cert_p;
-       }
-       if (!certfile && iph1->rmconf->identity_in_keychain == 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n");
+       if (iph1->rmconf->identity_in_keychain == 0) {
+               plog(ASL_LEVEL_ERR, "no CERT defined.\n");
                return 0;
        }
 
@@ -2074,29 +1740,19 @@ get_cert_fromlocal(iph1, my)
                        if (iph1->rmconf->keychainCertRef == NULL || base64toCFData(iph1->rmconf->keychainCertRef, &dataRef))
                                goto end;
                        cert = crypto_cssm_get_x509cert(dataRef, &status);
-                       plog(LLV_DEBUG, LOCATION, NULL, "done with chking cert status %d\n",status);
+                       plog(ASL_LEVEL_DEBUG, "done with chking cert status %d\n",status);
                        CFRelease(dataRef);
                        break;
                } // else fall thru
-#ifdef HAVE_OPENSSL
-       case ISAKMP_CERT_DNS:
-               /* make public file name */
-               getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile);
-               cert = eay_get_x509cert(path);
-               if (cert) {
-                       oakley_cert_prettyprint(cert);
-               };
-               break;
-#endif
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "not supported certtype %d\n",
                        iph1->rmconf->certtype);
                goto end;
        }
 
        if (!cert) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get %s CERT.\n",
                        my ? "my" : "peers");
                goto end;
@@ -2104,13 +1760,13 @@ get_cert_fromlocal(iph1, my)
 
        *certpl = oakley_newcert();
        if (!*certpl) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get cert buffer.\n");
                goto end;
        }
        (*certpl)->pl = vmalloc(cert->l + 1);
        if ((*certpl)->pl == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get cert buffer\n");
                oakley_delcert(*certpl);
                *certpl = NULL;
@@ -2123,9 +1779,7 @@ get_cert_fromlocal(iph1, my)
        (*certpl)->cert.v = (*certpl)->pl->v + 1;
        (*certpl)->cert.l = (*certpl)->pl->l - 1;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
-       plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l);
-       oakley_cert_prettyprint(cert);
+       plog(ASL_LEVEL_DEBUG, "created CERT payload\n");
                
        error = 0;
 
@@ -2136,66 +1790,11 @@ end:
        return error;
 }
 
-#ifdef HAVE_OPENSSL
-static int
-get_plainrsa_fromlocal(iph1, my)
-       struct ph1handle *iph1;
-       int my;
-{
-       char path[MAXPATHLEN];
-       vchar_t *cert = NULL;
-       char *certfile;
-       int error = -1;
-
-       iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
-       if (!iph1->rsa_candidates || 
-           rsa_list_count(iph1->rsa_candidates) == 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "%s RSA key not found for %s\n",
-                       my ? "Private" : "Public",
-                       saddr2str_fromto("%s <-> %s", 
-                       iph1->local, iph1->remote));
-               goto end;
-       }
-
-       if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "More than one (=%lu) private "
-                       "PlainRSA key found for %s\n",
-                       rsa_list_count(iph1->rsa_candidates),
-                       saddr2str_fromto("%s <-> %s", 
-                       iph1->local, iph1->remote));
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "This may have unpredictable results, "
-                       "i.e. wrong key could be used!\n");
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "Consider using only one single private "
-                       "key for all peers...\n");
-       }
-       if (my) {
-               iph1->rsa = ((struct rsa_key *)
-                   genlist_next(iph1->rsa_candidates, NULL))->rsa;
-
-               genlist_free(iph1->rsa_candidates, NULL);
-               iph1->rsa_candidates = NULL;
-
-               if (iph1->rsa == NULL)
-                       goto end;
-       }
-
-       error = 0;
-
-end:
-       return error;
-}
-#endif
 
 /* get signature */
 int
-oakley_getsign(iph1)
-       struct ph1handle *iph1;
+oakley_getsign(phase1_handle_t *iph1)
 {
-       char path[MAXPATHLEN];
        vchar_t *privkey = NULL;
        int error = -1;
 
@@ -2211,46 +1810,19 @@ oakley_getsign(iph1)
                        CFRelease(dataRef);
                        break;
                } // else fall thru
-#ifdef HAVE_OPENSSL
-       case ISAKMP_CERT_DNS:
-               if (iph1->rmconf->myprivfile == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
-                       goto end;
-               }
-
-               /* make private file name */
-               getpathname(path, sizeof(path),
-                       LC_PATHTYPE_CERT,
-                       iph1->rmconf->myprivfile);
-               privkey = privsep_eay_get_pkcs1privkey(path);
-               if (privkey == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "failed to get private key.\n");
-                       goto end;
-               }
-               plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
-               plogdump(LLV_DEBUG2, privkey->v, privkey->l);
-
-               iph1->sig = eay_get_x509sign(iph1->hash, privkey);
-               break;
-       case ISAKMP_CERT_PLAINRSA:
-               iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
-               break;
-#endif
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                     "Unknown certtype #%d\n",
                     iph1->rmconf->certtype);
                goto end;
        }
 
        if (iph1->sig == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n");
+               plog(ASL_LEVEL_ERR, "failed to sign.\n");
                goto end;
        }
 
-       plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n");
-       plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->sig->v, iph1->sig->l, "SIGN computed:\n");
 
        error = 0;
 
@@ -2262,12 +1834,11 @@ end:
 }
 
 void
-oakley_verify_certid(iph1)
-struct ph1handle *iph1;
+oakley_verify_certid(phase1_handle_t *iph1)
 {
        if (iph1->rmconf->verify_cert &&
-               oakley_check_certid(iph1, CERT_CHECKID_FROM_PEER)){
-               plog(LLV_DEBUG, LOCATION, NULL,
+               oakley_check_certid(iph1)){
+               plog(ASL_LEVEL_DEBUG, 
                         "Discarding CERT: does not match ID:\n");
                oakley_delcert(iph1->cert_p);
                iph1->cert_p = NULL;
@@ -2275,11 +1846,7 @@ struct ph1handle *iph1;
 }
 
 static int
-oakley_check_certid_in_certchain(certchain, idtype, idlen, id)
-       cert_t *certchain;
-       int idtype;
-       int idlen;
-       void *id;
+oakley_check_certid_in_certchain(cert_t *certchain, int idtype, int idlen, void *id)
 {
        cert_t *p;
 
@@ -2292,8 +1859,7 @@ oakley_check_certid_in_certchain(certchain, idtype, idlen, id)
 }
 
 cert_t *
-oakley_get_peer_cert_from_certchain(iph1)
-       struct ph1handle * iph1;
+oakley_get_peer_cert_from_certchain(phase1_handle_t * iph1)
 {
        cert_t               *p;
        struct ipsecdoi_id_b *id_b;
@@ -2301,7 +1867,7 @@ oakley_get_peer_cert_from_certchain(iph1)
        void                 *peers_id;
 
        if (!iph1->id_p || !iph1->cert_p) {
-               plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
+               plog(ASL_LEVEL_ERR, "no ID nor CERT found.\n");
                return NULL;
        }
        if (!iph1->cert_p->chain) {
@@ -2309,7 +1875,7 @@ oakley_get_peer_cert_from_certchain(iph1)
                return iph1->cert_p;
        }
 
-       id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+       id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
        peers_id = id_b + 1;
        idlen = iph1->id_p->l - sizeof(*id_b);
        for (p = iph1->cert_p; p; p = p->chain) {
@@ -2324,189 +1890,109 @@ oakley_get_peer_cert_from_certchain(iph1)
  * compare certificate name and ID value.
  */
 static int
-oakley_check_certid(iph1, which_id)
-       struct ph1handle *iph1;
-       int which_id;
+oakley_check_certid(phase1_handle_t *iph1)
 {
        struct ipsecdoi_id_b *id_b;
        int idlen;
        u_int8_t doi_type = 255;
        void *peers_id = NULL;
-       struct genlist_entry *gpb = NULL;
 
-       if (which_id == CERT_CHECKID_FROM_PEER) {
-               /* use ID from peer */
-               if (iph1->id_p == NULL || iph1->cert_p == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-               }
-               id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
-               doi_type = id_b->type;
-               peers_id = id_b + 1;
-               idlen = iph1->id_p->l - sizeof(*id_b);
-               
-               return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id);
+    /* use ID from peer */
+    if (iph1->id_p == NULL || iph1->cert_p == NULL) {
+        plog(ASL_LEVEL_ERR, "no ID nor CERT found.\n");
+        return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+    }
+    id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
+    doi_type = id_b->type;
+    peers_id = id_b + 1;
+    idlen = iph1->id_p->l - sizeof(*id_b);
+    
+    return oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id);
 
-       } else {
-               /* use ID from remote configuration */  
-               /* check each ID in list                        */
-               struct idspec *id_spec;
-               
-               for (id_spec = genlist_next (iph1->rmconf->idvl_p, &gpb); id_spec; id_spec = genlist_next (0, &gpb)) {
-                       
-                       if (id_spec->idtype == IDTYPE_ADDRESS) {
-                               switch (((struct sockaddr *)(id_spec->id->v))->sa_family) {                                                     
-                                       case AF_INET:
-                                               doi_type = IPSECDOI_ID_IPV4_ADDR;
-                                               idlen = sizeof(struct in_addr);
-                                               peers_id = &(((struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr);
-                                               break;
-       #ifdef INET6
-                                       case AF_INET6:
-                                               doi_type = IPSECDOI_ID_IPV6_ADDR;
-                                               idlen = sizeof(struct in6_addr);
-                                               peers_id = &(((struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr);
-                                               break;
-       #endif
-                                       default:
-                                               plog(LLV_ERROR, LOCATION, NULL,
-                                                       "unknown address type for peers identifier.\n");
-                                               return ISAKMP_NTYPE_AUTHENTICATION_FAILED;
-                                               break;
-                               }
-                               
-                       } else {
-                               doi_type = idtype2doi(id_spec->idtype);
-                               peers_id = id_spec->id->v;
-                               idlen = id_spec->id->l;
-                       }
-                       if (oakley_check_certid_in_certchain(iph1->cert_p, doi_type, idlen, peers_id) == 0)
-                               return 0;
-               }
-               return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-       }
 }
-  
+
 static int
-oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
-       vchar_t *cert;
-       int idtype;
-       int idlen;
-       void *id;
-       cert_status_t *certStatus;
+oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_status_t *certStatus)
 {
 
-       vchar_t *name = NULL;
-       char *altname = NULL;
-       int type, len;
-       int error;
+       int len = 0;
+       int error = 0;
 
+#ifdef HAVE_OPENSSL
+    int type;
+       char *altname = NULL;
+#endif
+    
        switch (idtype) {
        case IPSECDOI_ID_DER_ASN1_DN:
-#if TARGET_OS_EMBEDDED
        {
-               SecCertificateRef certificate;
-               CFDataRef subject;
-               UInt8* namePtr;
-               
-               certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+        CFDataRef subject;
+        SecCertificateRef certificate;
+               UInt8* namePtr = NULL;
+
+               certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
                if (certificate == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "failed to get SecCertificateRef\n");
+                       plog(ASL_LEVEL_ERR,
+                                "failed to get SecCertificateRef\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID;
                        }
-                       return ISAKMP_NTYPE_INVALID_CERTIFICATE;                        
-               }
-               subject = SecCertificateCopySubjectSequence(certificate);
-               if (subject == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n");
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
-                       }
-                       CFRelease(certificate);
-                       return ISAKMP_NTYPE_INVALID_CERTIFICATE;
-               }
-               len = CFDataGetLength(subject);
-               namePtr = CFDataGetBytePtr(subject);
-               if (idlen != len) {
-                       plog(LLV_ERROR, LOCATION, NULL, "Invalid ID length in phase 1.\n");
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
-                       }
-                       CFRelease(subject);
-                       CFRelease(certificate);
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-               }
-               error = memcmp(id, namePtr, idlen);
-               if (error != 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                                "ID mismatched with subjectName.\n");
-                       plog(LLV_ERROR, LOCATION, NULL,
-                                "subjectName (type %s):\n",
-                                s_ipsecdoi_ident(idtype));
-                       plogdump(LLV_ERROR, namePtr, len);
-                       plog(LLV_ERROR, LOCATION, NULL,
-                                "ID:\n");
-                       plogdump(LLV_ERROR, id, idlen);
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
-                       }
-                       CFRelease(certificate);
-                       CFRelease(subject);
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-               }
-       }
-#else
-               name = eay_get_x509asn1subjectname(cert);
-               if (!name) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "failed to get subjectName\n");
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
-                       }
                        return ISAKMP_NTYPE_INVALID_CERTIFICATE;
-               }
-               if (idlen != name->l) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "Invalid ID length in phase 1.\n");
-                       vfree(name);
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
-                       }
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-               }
-               error = memcmp(id, name->v, idlen);
-               if (error != 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "ID mismatched with subjectName.\n");
-                       plog(LLV_ERROR, LOCATION, NULL,
-                                "subjectName (type %s):\n",
-                                s_ipsecdoi_ident(idtype));
-                       plogdump(LLV_ERROR, name->v, name->l);
-                       plog(LLV_ERROR, LOCATION, NULL,
-                                "ID:\n");
-                       plogdump(LLV_ERROR, id, idlen);
-                       vfree(name);
-                       if (certStatus && !*certStatus) {
-                               *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+               }        
+        subject = crypto_cssm_CopySubjectSequence(certificate);
+        if (subject == NULL) {
+            plog(ASL_LEVEL_ERR, "failed to get certificate subjectName\n");
+            if (certStatus && !*certStatus) {
+                *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+            }
+            error = ISAKMP_NTYPE_INVALID_CERTIFICATE;
+        } else {
+            len = CFDataGetLength(subject);
+            namePtr = (UInt8*)CFDataGetBytePtr(subject);
+            if (namePtr) {
+                if (idlen != len || memcmp(id, namePtr, idlen)) {
+                    plog(ASL_LEVEL_ERR, "ID mismatched with certificate subjectName\n");
+                    error =ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+                }
+            } else {
+                plog(ASL_LEVEL_ERR, "no certificate subjectName found\n");
+                error = ISAKMP_NTYPE_INVALID_CERTIFICATE;
+            }
+        }
+        if (error) {
+            plog(ASL_LEVEL_ERR,
+                 "ID mismatched with certificate subjectName\n");
+                       if (namePtr != NULL) {
+                               plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
+                                                s_ipsecdoi_ident(idtype));
+                       } else {
+                               plog(ASL_LEVEL_ERR, "subjectName (type %s):\n", s_ipsecdoi_ident(idtype));
                        }
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-               }
-               vfree(name);
-#endif
-               return 0;
+            plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
+            if (certStatus && !*certStatus) {
+                *certStatus = CERT_STATUS_INVALID_SUBJNAME;
+            }
+        }
+        CFRelease(certificate);
+        if (subject != NULL) {
+            CFRelease(subject);
+        }
+        return 0;
+    }
+    break;
 
        case IPSECDOI_ID_IPV4_ADDR:                     
        case IPSECDOI_ID_IPV6_ADDR:
        {
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
                CFIndex pos, count;
                SecCertificateRef certificate;
                CFArrayRef addresses;
-       
-               certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+#define ADDRESS_BUF_SIZE    64
+        
+               certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
                if (certificate == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to get SecCertificateRef\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID;
@@ -2515,7 +2001,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                }
                addresses = SecCertificateCopyIPAddresses(certificate);
                if (addresses == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "failed to get subjectName\n");
+                       plog(ASL_LEVEL_ERR, "failed to get subjectName\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
                        }
@@ -2534,17 +2020,19 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        addressLen = CFStringGetLength(address);
                        if (addressLen == 0)
                                continue;
-                       addressBuf = racoon_malloc(addressLen + 1);
+                       addressBuf = racoon_malloc(ADDRESS_BUF_SIZE);
                        if (addressBuf == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL, "out of memory\n");
+                               plog(ASL_LEVEL_ERR, "out of memory\n");
+                CFRelease(addresses);
+                CFRelease(certificate);
                                return -1;
                        }
-                       if (CFStringGetCString(address, addressBuf, addressLen + 1, kCFStringEncodingUTF8) == TRUE) {
+                       if (CFStringGetCString(address, addressBuf, ADDRESS_BUF_SIZE, kCFStringEncodingUTF8) == TRUE) {
                                result = inet_pton(idtype == IPSECDOI_ID_IPV4_ADDR ? AF_INET : AF_INET6, addressBuf, numAddress);
                                racoon_free(addressBuf);
                                if (result == 0)
                                        continue;       // wrong type or invalid address
-                               if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) {          // found a match ?
+                               if (!memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) {         // found a match ?
                                        CFRelease(addresses);
                                        CFRelease(certificate);
                                        return 0;
@@ -2552,11 +2040,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        } else
                                racoon_free(addressBuf);
                }
-               plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n");
+               plog(ASL_LEVEL_ERR, 
                         "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
-               plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
-               plogdump(LLV_ERROR, id, idlen);
+               plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
                CFRelease(addresses);
                CFRelease(certificate);         
                if (certStatus && !*certStatus) {
@@ -2573,16 +2060,16 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                
                int pos;
                
-               if (idtype == IPSECDOI_ID_IPV4_ADDR && idlen != sizeof(struct in_addr)
-                       || idtype == IPSECDOI_ID_IPV6_ADDR && idlen != sizeof(struct in6_addr)) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+               if ((idtype == IPSECDOI_ID_IPV4_ADDR && idlen != sizeof(struct in_addr))
+                       || (idtype == IPSECDOI_ID_IPV6_ADDR && idlen != sizeof(struct in6_addr))) {
+                       plog(ASL_LEVEL_ERR, 
                                        "invalid address length passed.\n");
                        return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
                }
 
                for (pos = 1; ; pos++) {
                        if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) !=0) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "failed to get subjectAltName\n");
                                if (certStatus && !*certStatus) {
                                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2592,7 +2079,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
 
                        /* it's the end condition of the loop. */
                        if (!altname) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                         "invalid subjectAltName\n");
                                if (certStatus && !*certStatus) {
                                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2627,13 +2114,11 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
 #endif
                        else {
                                /* invalid IP address length in certificate - bad or bogus certificate */
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "invalid IP address in certificate.\n");
-                               plog(LLV_ERROR, LOCATION, NULL,
-                                        "subjectAltName (expected type %s, got type %s):\n",
-                                        s_ipsecdoi_ident(idtype),
-                                        s_ipsecdoi_ident(type));
-                               plogdump(LLV_ERROR, altname, len);
+                               plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n",
+                                                s_ipsecdoi_ident(idtype),
+                                                s_ipsecdoi_ident(type));
                                racoon_free(altname);
                                altname = NULL;
                                if (certStatus && !*certStatus) {
@@ -2650,25 +2135,21 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        return 0;
                }               
                /* failed to find a match */
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                         "ID mismatched with subjectAltName.\n");
-               plog(LLV_ERROR, LOCATION, NULL,
-                        "subjectAltName (expected type %s, got type %s):\n",
-                        s_ipsecdoi_ident(idtype),
-                        s_ipsecdoi_ident(type));
-               plogdump(LLV_ERROR, altname, len);
-               plog(LLV_ERROR, LOCATION, NULL,
-                        "ID:\n");
-               plogdump(LLV_ERROR, id, idlen);
+               plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n",
+                                s_ipsecdoi_ident(idtype),
+                                s_ipsecdoi_ident(type));
+               plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
                racoon_free(altname);
                if (certStatus && !*certStatus)
                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
                return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
                
-#endif /* TARGET_OS_EMBEDDED */        
+#endif /* HAVE_OPENSSL */
        }
 
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
        case IPSECDOI_ID_FQDN:
        {
                CFIndex pos, count;
@@ -2676,9 +2157,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                CFArrayRef names;
                CFStringRef name, ID;
                
-               certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+               certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
                if (certificate == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to get SecCertificateRef\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID;
@@ -2687,7 +2168,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                }
                names = SecCertificateCopyDNSNames(certificate);
                if (names == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to get subjectName\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2696,12 +2177,12 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        return ISAKMP_NTYPE_INVALID_CERTIFICATE;
                }
                count = CFArrayGetCount(names);         
-               ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8);
+               ID = CFStringCreateWithBytes(kCFAllocatorDefault, id, idlen, kCFStringEncodingUTF8, FALSE);
                if (ID== NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL, "memory error\n");
+                       plog(ASL_LEVEL_ERR, "memory error\n");
                        CFRelease(names);
                        CFRelease(certificate);
-                       
+                       return 0;
                }
                for (pos = 0; pos < count; pos++) {
                        name = CFArrayGetValueAtIndex(names, pos);
@@ -2712,11 +2193,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                                return 0;
                        }
                }
-               plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n");
+               plog(ASL_LEVEL_ERR, 
                         "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
-               plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
-               plogdump(LLV_ERROR, id, idlen);
+               plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
                CFRelease(ID);
                CFRelease(names);
                CFRelease(certificate);         
@@ -2734,9 +2214,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                CFArrayRef names;
                CFStringRef name, ID;
                
-               certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
+               certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
                if (certificate == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to get SecCertificateRef\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID;
@@ -2745,7 +2225,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                }
                names = SecCertificateCopyRFC822Names(certificate);
                if (names == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to get subjectName\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2754,9 +2234,9 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        return ISAKMP_NTYPE_INVALID_CERTIFICATE;
                }
                count = CFArrayGetCount(names);
-               ID = CFStringCreateWithCString(NULL, id, kCFStringEncodingUTF8);
+               ID = CFStringCreateWithBytes(kCFAllocatorDefault, id, idlen, kCFStringEncodingUTF8, FALSE);
                if (ID == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "memory error\n");
                        if (certStatus && !*certStatus) {
                                *certStatus = CERT_STATUS_INVALID;
@@ -2774,11 +2254,10 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                                return 0;
                        }
                }
-               plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n");
+               plog(ASL_LEVEL_ERR, 
                         "subjectAltName (expected type %s):\n", s_ipsecdoi_ident(idtype));
-               plog(LLV_ERROR, LOCATION, NULL, "ID:\n");
-               plogdump(LLV_ERROR, id, idlen);
+               plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
                CFRelease(ID);
                CFRelease(names);
                CFRelease(certificate);         
@@ -2795,7 +2274,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
 
                for (pos = 1; ; pos++) {
                        if (eay_get_x509subjectaltname(cert, &altname, &type, pos, &len) != 0) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "failed to get subjectAltName\n");
                                if (certStatus && !*certStatus) {
                                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2805,7 +2284,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
 
                        /* it's the end condition of the loop. */
                        if (!altname) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                         "invalid subjectAltName\n");
                                if (certStatus && !*certStatus) {
                                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2832,15 +2311,15 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
                        racoon_free(altname);
                        return 0;
                }
-               plog(LLV_ERROR, LOCATION, NULL, "ID mismatched with subjectAltName.\n");
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, "ID mismatched with subjectAltName.\n");
+               plog(ASL_LEVEL_ERR, 
                         "subjectAltName (expected type %s, got type %s):\n",
                         s_ipsecdoi_ident(idtype),
                         s_ipsecdoi_ident(type));
-               plogdump(LLV_ERROR, altname, len);
-               plog(LLV_ERROR, LOCATION, NULL,
-                        "ID:\n");
-               plogdump(LLV_ERROR, id, idlen);
+               plogdump(ASL_LEVEL_ERR, altname, len, "subjectAltName (expected type %s, got type %s):\n",
+                                s_ipsecdoi_ident(idtype),
+                                s_ipsecdoi_ident(type));
+               plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
                racoon_free(altname);
                if (certStatus && !*certStatus)
                        *certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
@@ -2848,7 +2327,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
        }
 #endif                 
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Impropper ID type passed: %s.\n",
                        s_ipsecdoi_ident(idtype));
                return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
@@ -2857,8 +2336,7 @@ oakley_check_certid_1(cert, idtype, idlen, id, certStatus)
 }
 #ifdef HAVE_OPENSSL
 static int
-check_typeofcertname(doi, genid)
-       int doi, genid;
+check_typeofcertname(int doi, int genid)
 {
        switch (doi) {
        case IPSECDOI_ID_IPV4_ADDR:
@@ -2892,162 +2370,49 @@ check_typeofcertname(doi, genid)
  * save certificate including certificate type.
  */
 int
-oakley_savecert(iph1, gen)
-       struct ph1handle *iph1;
-       struct isakmp_gen *gen;
+oakley_savecert(phase1_handle_t *iph1, struct isakmp_gen *gen)
 {
        cert_t **c;
        u_int8_t type;
-#ifdef HAVE_OPENSSL
-       STACK_OF(X509) *certs=NULL;
-       PKCS7 *p7;
-#endif
        type = *(u_int8_t *)(gen + 1) & 0xff;
 
        switch (type) {
-       case ISAKMP_CERT_DNS:
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "CERT payload is unnecessary in DNSSEC. "
-                       "ignore this CERT payload.\n");
-               return 0;
-       case ISAKMP_CERT_PKCS7:
-       case ISAKMP_CERT_PGP:
        case ISAKMP_CERT_X509SIGN:
-       case ISAKMP_CERT_KERBEROS:
-       case ISAKMP_CERT_SPKI:
                c = &iph1->cert_p;
                break;
-       case ISAKMP_CERT_CRL:
-               c = &iph1->crl_p;
-               break;
-       case ISAKMP_CERT_X509KE:
-       case ISAKMP_CERT_X509ATTR:
-       case ISAKMP_CERT_ARL:
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "No supported such CERT type %d\n", type);
-               return -1;
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Invalid CERT type %d\n", type);
                return -1;
        }
 
        if (*c) {
-               plog(LLV_WARNING, LOCATION, NULL,
+               plog(ASL_LEVEL_WARNING, 
                        "preexisting CERT payload... chaining.\n");
        }
-#ifdef HAVE_OPENSSL
-       if (type == ISAKMP_CERT_PKCS7) {
-               u_char *bp;
-               int i;
-
-               /* Skip the header */
-               bp = (u_char *)(gen + 1);
-               /* And the first byte is the certificate type, 
-                * we know that already
-                */
-               bp++;
-               p7 = d2i_PKCS7(NULL, (void *)&bp, 
-                   ntohs(gen->len) - sizeof(*gen) - 1);
-
-               if (!p7) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                            "Failed to parse PKCS#7 CERT.\n");
-                       return -1;
-               }
-
-               /* Copied this from the openssl pkcs7 application;
-                * there"s little by way of documentation for any of
-                * it. I can only presume it"s correct.
-                */
-               
-               i = OBJ_obj2nid(p7->type);
-               switch (i) {
-               case NID_pkcs7_signed:
-                       certs=p7->d.sign->cert;
-                       break;
-               case NID_pkcs7_signedAndEnveloped:
-                       certs=p7->d.signed_and_enveloped->cert;
-                       break;
-               default:
-                        break;
-               }
-
-               if (!certs) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                            "CERT PKCS#7 bundle contains no certs.\n");
-                       PKCS7_free(p7);
-                       return -1;
-               }
-
-               for (i = 0; i < sk_X509_num(certs); i++) {
-                       int len;
-                       u_char *bp;
-                       cert_t *new;
-                       X509 *cert = sk_X509_value(certs,i);
 
-                       plog(LLV_DEBUG, LOCATION, NULL, 
-                            "Trying PKCS#7 cert %d.\n", i);
-
-                       /* We'll just try each cert in turn */
-                       new = save_certx509(cert);
-                       if (!new) {
-                               plog(LLV_ERROR, LOCATION, NULL,
-                                    "Failed to get CERT buffer.\n");
-                               continue;
-                       }
-                       *c = oakley_appendcert_to_certchain(*c, new);
-                       plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
-                       plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
-                       oakley_cert_prettyprint(&new->cert);
-               }
-               PKCS7_free(p7);
-
-       } else 
-#endif 
-       {
-               cert_t *new;
-               new = save_certbuf(gen);
-               if (!new) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                            "Failed to get CERT buffer.\n");
-                       return -1;
-               }
+    cert_t *new;
+    new = save_certbuf(gen);
+    if (!new) {
+        plog(ASL_LEVEL_ERR, 
+             "Failed to get CERT buffer.\n");
+        return -1;
+    }
 
-               switch (new->type) {
-               case ISAKMP_CERT_DNS:
-                       plog(LLV_WARNING, LOCATION, NULL,
-                            "CERT payload is unnecessary in DNSSEC. "
-                            "ignore it.\n");
-                       return 0;
-               case ISAKMP_CERT_PGP:
-               case ISAKMP_CERT_X509SIGN:
-               case ISAKMP_CERT_KERBEROS:
-               case ISAKMP_CERT_SPKI:
-                       /* Ignore cert if it doesn't match identity
-                        * XXX If verify cert is disabled, we still just take
-                        * the first certificate....
-                        */
-                       *c = oakley_appendcert_to_certchain(*c, new);
-                       plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
-                       plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
-                       oakley_cert_prettyprint(&new->cert);
-                       break;
-               case ISAKMP_CERT_CRL:
-                       *c = oakley_appendcert_to_certchain(*c, new);
-                       plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
-                       plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
-                       oakley_cert_prettyprint(&new->cert);
-                       break;
-               case ISAKMP_CERT_X509KE:
-               case ISAKMP_CERT_X509ATTR:
-               case ISAKMP_CERT_ARL:
-               default:
-                       /* XXX */
-                       oakley_delcert(new);
-                       return 0;
-               }
-       }
+    switch (new->type) {
+    case ISAKMP_CERT_X509SIGN:
+        /* Ignore cert if it doesn't match identity
+         * XXX If verify cert is disabled, we still just take
+         * the first certificate....
+         */
+        *c = oakley_appendcert_to_certchain(*c, new);
+        plog(ASL_LEVEL_DEBUG, "CERT saved:\n");
+        break;
+    default:
+        /* XXX */
+        oakley_delcert(new);
+        return 0;
+    }
        
        return 0;
 }
@@ -3056,9 +2421,7 @@ oakley_savecert(iph1, gen)
  * save certificate including certificate type.
  */
 int
-oakley_savecr(iph1, gen)
-       struct ph1handle *iph1;
-       struct isakmp_gen *gen;
+oakley_savecr(phase1_handle_t *iph1, struct isakmp_gen *gen)
 {
        cert_t **c;
        u_int8_t type;
@@ -3067,69 +2430,52 @@ oakley_savecr(iph1, gen)
        type = *(u_int8_t *)(gen + 1) & 0xff;
 
        switch (type) {
-       case ISAKMP_CERT_DNS:
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "CERT payload is unnecessary in DNSSEC\n");
-               /*FALLTHRU*/
-       case ISAKMP_CERT_PKCS7:
-       case ISAKMP_CERT_PGP:
        case ISAKMP_CERT_X509SIGN:
-       case ISAKMP_CERT_KERBEROS:
-       case ISAKMP_CERT_SPKI:
                if (iph1->cr_p) {
                        oakley_delcert(iph1->cr_p);
                        iph1->cr_p = NULL;
                }
                c = &iph1->cr_p;
                break;
-       case ISAKMP_CERT_X509KE:
-       case ISAKMP_CERT_X509ATTR:
-       case ISAKMP_CERT_ARL:
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "No supported such CR type %d\n", type);
-               return -1;
-       case ISAKMP_CERT_CRL:
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Invalid CR type %d\n", type);
                return -1;
        }
 
        new = save_certbuf(gen);
        if (!new) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Failed to get CR buffer.\n");
                return -1;
        }
        *c = oakley_appendcert_to_certchain(*c, new);
-       plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n");
-       plogdump(LLV_DEBUG, new->cert.v, new->cert.l);
+       plog(ASL_LEVEL_DEBUG, "CR saved\n");
 
        return 0;
 }
 
 static cert_t *
-save_certbuf(gen)
-       struct isakmp_gen *gen;
+save_certbuf(struct isakmp_gen *gen)
 {
        cert_t *new;
 
        if(ntohs(gen->len) <= sizeof(*gen)){
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                         "Len is too small !!.\n");
                return NULL;
        }
 
        new = oakley_newcert();
        if (!new) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Failed to get CERT buffer.\n");
                return NULL;
        }
 
        new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen));
        if (new->pl == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "Failed to copy CERT from packet.\n");
                oakley_delcert(new);
                new = NULL;
@@ -3143,41 +2489,6 @@ save_certbuf(gen)
        return new;
 }
 
-#ifdef HAVE_OPENSSL
-static cert_t *
-save_certx509(cert)
-       X509 *cert;
-{
-       cert_t *new;
-        int len;
-        u_char *bp;
-
-       new = oakley_newcert();
-       if (!new) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "Failed to get CERT buffer.\n");
-               return NULL;
-       }
-
-        len = i2d_X509(cert, NULL);
-       new->pl = vmalloc(len);
-       if (new->pl == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "Failed to copy CERT from packet.\n");
-               oakley_delcert(new);
-               new = NULL;
-               return NULL;
-       }
-        bp = (u_char *) new->pl->v;
-        len = i2d_X509(cert, &bp);
-       new->type = ISAKMP_CERT_X509SIGN;
-       new->cert.v = new->pl->v;
-       new->cert.l = new->pl->l;
-
-       return new;
-}
-#endif
-
 /*
  * get my CR.
  * NOTE: No Certificate Authority field is included to CR payload at the
@@ -3186,28 +2497,27 @@ save_certx509(cert)
  * if there is no specific certificate authority requested.
  */
 vchar_t *
-oakley_getcr(iph1)
-       struct ph1handle *iph1;
+oakley_getcr(phase1_handle_t *iph1)
 {
        vchar_t *buf;
 
        buf = vmalloc(1);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get cr buffer\n");
                return NULL;
        }
        if(iph1->rmconf->certtype == ISAKMP_CERT_NONE) {
                buf->v[0] = iph1->rmconf->cacerttype;
-               plog(LLV_DEBUG, LOCATION, NULL, "create my CR: NONE, using %s instead\n",
+               plog(ASL_LEVEL_DEBUG, "create my CR: NONE, using %s instead\n",
                s_isakmp_certtype(iph1->rmconf->cacerttype));
        } else {
                buf->v[0] = iph1->rmconf->certtype;
-               plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n",
+               plog(ASL_LEVEL_DEBUG, "create my CR: %s\n",
                s_isakmp_certtype(iph1->rmconf->certtype));
        }
-       if (buf->l > 1)
-               plogdump(LLV_DEBUG, buf->v, buf->l);
+       //if (buf->l > 1)
+       //      plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "");
 
        return buf;
 }
@@ -3216,18 +2526,17 @@ oakley_getcr(iph1)
  * check peer's CR.
  */
 int
-oakley_checkcr(iph1)
-       struct ph1handle *iph1;
+oakley_checkcr(phase1_handle_t *iph1)
 {
        if (iph1->cr_p == NULL)
                return 0;
 
-       plog(LLV_DEBUG, LOCATION, iph1->remote,
+       plog(ASL_LEVEL_DEBUG,
                "peer transmitted CR: %s\n",
                s_isakmp_certtype(iph1->cr_p->type));
 
        if (iph1->cr_p->type != iph1->rmconf->certtype) {
-               plog(LLV_ERROR, LOCATION, iph1->remote,
+               plog(ASL_LEVEL_ERR,
                        "such a cert type isn't supported: %d\n",
                        (char)iph1->cr_p->type);
                return -1;
@@ -3240,19 +2549,14 @@ oakley_checkcr(iph1)
  * check to need CR payload.
  */
 int
-oakley_needcr(type)
-       int type;
+oakley_needcr(int type)
 {
        switch (type) {
-       case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
        case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
 #endif
                return 1;
        default:
@@ -3261,6 +2565,62 @@ oakley_needcr(type)
        /*NOTREACHED*/
 }
 
+vchar_t *
+oakley_getpskall(phase1_handle_t *iph1)
+{
+       vchar_t *secret = NULL;
+
+       if (iph1->rmconf->shared_secret) {
+               
+               switch (iph1->rmconf->secrettype) {
+                       case SECRETTYPE_KEY:
+                               /* in psk file - use KEY from remote configuration to locate it */
+                               secret = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1);
+                               break;
+#if HAVE_KEYCHAIN
+                       case SECRETTYPE_KEYCHAIN:
+                               /* in the system keychain */
+                               secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, NULL);
+                               break;
+                       case SECRETTYPE_KEYCHAIN_BY_ID:
+                               /* in the system keychain - use peer id */
+                               secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p);
+                               break;
+#endif // HAVE_KEYCHAIN
+                       case SECRETTYPE_USE:
+                               /* in the remote configuration */
+                       default:
+                               /* rmconf->shared_secret is a string and contains a NULL character that must be removed */
+                               secret = vmalloc(iph1->rmconf->shared_secret->l - 1);
+                               if (secret == NULL) {
+                                       plog(ASL_LEVEL_ERR, "memory error.\n");
+                                       goto end;
+                               }
+                               memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l);
+               }
+       } else if (iph1->etype != ISAKMP_ETYPE_IDENT) {
+               secret = getpskbyname(iph1->id_p);
+               if (!secret) {
+                       if (iph1->rmconf->verify_identifier) {
+                               plog(ASL_LEVEL_ERR, "couldn't find pskey by peer's ID.\n");
+                               goto end;
+                       }
+               }
+       }
+       if (!secret) {
+               plog(ASL_LEVEL_NOTICE, "try to get pskey by the peer's address.\n");
+               secret = getpskbyaddr(iph1->remote);
+               if (!secret) {
+                       plog(ASL_LEVEL_ERR,
+                            "couldn't find the pskey by address %s.\n",
+                            saddrwop2str((struct sockaddr *)iph1->remote));
+               }
+       }
+
+end:
+       return secret;
+}
+
 /*
  * compute SKEYID
  * see seciton 5. Exchanges in RFC 2409
@@ -3269,175 +2629,114 @@ oakley_needcr(type)
  * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R)
  */
 int
-oakley_skeyid(iph1)
-       struct ph1handle *iph1;
+oakley_skeyid(phase1_handle_t *iph1)
 {
-       vchar_t *buf = NULL, *bp;
+    vchar_t *key = NULL;
+       vchar_t *buf = NULL;
+    vchar_t *bp;
        char *p;
        int len;
        int error = -1;
-
+       
        /* SKEYID */
        switch (AUTHMETHOD(iph1)) {
-       case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
+        case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
 #ifdef ENABLE_HYBRID
-       case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
-       if (iph1->rmconf->shared_secret) {
-
-                       switch (iph1->rmconf->secrettype) {
-                               case SECRETTYPE_KEY:
-                                       /* in psk file - use KEY from remote configuration to locate it */
-                                       iph1->authstr = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1);
-                                       break;
-#if HAVE_KEYCHAIN
-                               case SECRETTYPE_KEYCHAIN:
-                                       /* in the system keychain */
-                                       iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, NULL);
-                                       break;
-                               case SECRETTYPE_KEYCHAIN_BY_ID:
-                                       /* in the system keychain - use peer id */
-                                       iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p);
-                                       break;
-#endif HAVE_KEYCHAIN
-                               case SECRETTYPE_USE:
-                                       /* in the remote configuration */
-                               default:
-                                       /* rmconf->shared_secret is a string and contains a NULL character that must be removed */
-                                       iph1->authstr = vmalloc(iph1->rmconf->shared_secret->l - 1);
-                                       if (iph1->authstr == NULL) {
-                                               plog(LLV_ERROR, LOCATION, NULL, "memory error.\n");
-                                               break;
-                                       }
-                                       memcpy(iph1->authstr->v, iph1->rmconf->shared_secret->v, iph1->authstr->l);
-                       }
-               }
-               else
-               if (iph1->etype != ISAKMP_ETYPE_IDENT) {
-                       iph1->authstr = getpskbyname(iph1->id_p);
-                       if (iph1->authstr == NULL) {
-                               if (iph1->rmconf->verify_identifier) {
-                                       plog(LLV_ERROR, LOCATION, iph1->remote,
-                                               "couldn't find the pskey.\n");
-                                       goto end;
-                               }
-                               plog(LLV_NOTIFY, LOCATION, iph1->remote,
-                                       "couldn't find the proper pskey, "
-                                       "try to get one by the peer's address.\n");
-                       }
-               }
-               if (iph1->authstr == NULL) {
-                       /*
-                        * If the exchange type is the main mode or if it's
-                        * failed to get the psk by ID, racoon try to get
-                        * the psk by remote IP address.
-                        * It may be nonsense.
-                        */
-                       iph1->authstr = getpskbyaddr(iph1->remote);
-                       if (iph1->authstr == NULL) {
-                               plog(LLV_ERROR, LOCATION, iph1->remote,
-                                       "couldn't find the pskey for %s.\n",
-                                       saddrwop2str(iph1->remote));
-                               goto end;
-                       }
-               }
-               plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
-               /* should be secret PSK */
-               plog(LLV_DEBUG2, LOCATION, NULL, "psk: ");
-               plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l);
-
-               len = iph1->nonce->l + iph1->nonce_p->l;
-               buf = vmalloc(len);
-               if (buf == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "failed to get skeyid buffer\n");
-                       goto end;
-               }
-               p = buf->v;
-
-               bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
-               plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: ");
-               plogdump(LLV_DEBUG, bp->v, bp->l);
-               memcpy(p, bp->v, bp->l);
-               p += bp->l;
-
-               bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
-               plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: ");
-               plogdump(LLV_DEBUG, bp->v, bp->l);
-               memcpy(p, bp->v, bp->l);
-               p += bp->l;
-
-               iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1);
-               if (iph1->skeyid == NULL)
-                       goto end;
-               break;
-
-       case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-       case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+        case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+#endif
+            key = oakley_getpskall(iph1);
+            if (key == NULL) {
+                plog(ASL_LEVEL_ERR,
+                     "couldn't find the pskey for %s.\n",
+                     saddrwop2str((struct sockaddr *)iph1->remote));
+                goto end;
+            }
+            plog(ASL_LEVEL_DEBUG, "the psk found.\n");
+            /* should be secret PSK */
+            plogdump(ASL_LEVEL_DEBUG, key->v, key->l, "psk: ");
+            
+            len = iph1->nonce->l + iph1->nonce_p->l;
+            buf = vmalloc(len);
+            if (buf == NULL) {
+                plog(ASL_LEVEL_ERR,
+                     "failed to get skeyid buffer\n");
+                goto end;
+            }
+            p = buf->v;
+            
+            bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
+            //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce 1: ");
+            memcpy(p, bp->v, bp->l);
+            p += bp->l;
+            
+            bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
+            //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce 2: ");
+            memcpy(p, bp->v, bp->l);
+            p += bp->l;
+            
+            iph1->skeyid = oakley_prf(key, buf, iph1);
+            
+            if (iph1->skeyid == NULL)
+                goto end;
+            break;
+            
+        case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-       case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
-#ifdef HAVE_GSSAPI
-       case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-#endif
-               len = iph1->nonce->l + iph1->nonce_p->l;
-               buf = vmalloc(len);
-               if (buf == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "failed to get nonce buffer\n");
-                       goto end;
-               }
-               p = buf->v;
-
-               bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
-               plog(LLV_DEBUG, LOCATION, NULL, "nonce1: ");
-               plogdump(LLV_DEBUG, bp->v, bp->l);
-               memcpy(p, bp->v, bp->l);
-               p += bp->l;
-
-               bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
-               plog(LLV_DEBUG, LOCATION, NULL, "nonce2: ");
-               plogdump(LLV_DEBUG, bp->v, bp->l);
-               memcpy(p, bp->v, bp->l);
-               p += bp->l;
-
-               iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
-               if (iph1->skeyid == NULL)
-                       goto end;
-               break;
-       case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
-       case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
+        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
+        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
+#endif
+            len = iph1->nonce->l + iph1->nonce_p->l;
+            buf = vmalloc(len);
+            if (buf == NULL) {
+                plog(ASL_LEVEL_ERR,
+                     "failed to get nonce buffer\n");
+                goto end;
+            }
+            p = buf->v;
+            
+            bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
+            //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce1: ");
+            memcpy(p, bp->v, bp->l);
+            p += bp->l;
+            
+            bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
+            //plogdump(ASL_LEVEL_DEBUG, bp->v, bp->l, "nonce2: ");
+            memcpy(p, bp->v, bp->l);
+            p += bp->l;
+            
+            iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
+            if (iph1->skeyid == NULL)
+                goto end;
+            break;
+        case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
+        case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
 #ifdef ENABLE_HYBRID
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
-       case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
-               plog(LLV_WARNING, LOCATION, NULL,
-                       "not supported authentication method %s\n",
-                       s_oakley_attr_method(iph1->approval->authmethod));
-               goto end;
-       default:
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid authentication method %d\n",
-                       iph1->approval->authmethod);
-               goto end;
-       }
-
-       plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n");
-       plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l);
-
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
+        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
+#endif
+            plog(ASL_LEVEL_WARNING, 
+                 "not supported authentication method %s\n",
+                 s_oakley_attr_method(iph1->approval->authmethod));
+            goto end;
+        default:
+            plog(ASL_LEVEL_ERR, 
+                 "invalid authentication method %d\n",
+                 iph1->approval->authmethod);
+            goto end;
+       }
+    
+       //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid->v, iph1->skeyid->l, "IKEv1 SKEYID computed:\n");
+    
        error = 0;
-
+    
 end:
+    if (key != NULL)
+        vfree(key);
        if (buf != NULL)
                vfree(buf);
        return error;
@@ -3445,14 +2744,9 @@ end:
 
 /*
  * compute SKEYID_[dae]
- * see seciton 5. Exchanges in RFC 2409
- * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
- * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
- * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
  */
 int
-oakley_skeyid_dae(iph1)
-       struct ph1handle *iph1;
+oakley_skeyid_dae(phase1_handle_t *iph1)
 {
        vchar_t *buf = NULL;
        char *p;
@@ -3460,16 +2754,22 @@ oakley_skeyid_dae(iph1)
        int error = -1;
 
        if (iph1->skeyid == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
+               plog(ASL_LEVEL_ERR, "no SKEYID found.\n");
                goto end;
        }
-
+       
+       /*
+        * see seciton 5. Exchanges in RFC 2409
+        * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
+        * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
+        * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
+        */
        /* SKEYID D */
        /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
        len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get skeyid buffer\n");
                goto end;
        }
@@ -3489,15 +2789,14 @@ oakley_skeyid_dae(iph1)
        vfree(buf);
        buf = NULL;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n");
-       plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l, "SKEYID_d computed:\n");
 
        /* SKEYID A */
        /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
        len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get skeyid buffer\n");
                goto end;
        }
@@ -3518,15 +2817,14 @@ oakley_skeyid_dae(iph1)
        vfree(buf);
        buf = NULL;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n");
-       plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l, "SKEYID_a computed:\n");
 
        /* SKEYID E */
        /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
        len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get skeyid buffer\n");
                goto end;
        }
@@ -3547,8 +2845,7 @@ oakley_skeyid_dae(iph1)
        vfree(buf);
        buf = NULL;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n");
-       plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l, "SKEYID_e computed:\n");
 
        error = 0;
 
@@ -3563,8 +2860,7 @@ end:
  * see Appendix B.
  */
 int
-oakley_compute_enckey(iph1)
-       struct ph1handle *iph1;
+oakley_compute_enckey(phase1_handle_t *iph1)
 {
        u_int keylen, prflen;
        int error = -1;
@@ -3573,7 +2869,7 @@ oakley_compute_enckey(iph1)
        keylen = alg_oakley_encdef_keylen(iph1->approval->enctype,
                                        iph1->approval->encklen);
        if (keylen == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid encryption algoritym %d, "
                        "or invalid key length %d.\n",
                        iph1->approval->enctype,
@@ -3582,7 +2878,7 @@ oakley_compute_enckey(iph1)
        }
        iph1->key = vmalloc(keylen >> 3);
        if (iph1->key == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get key buffer\n");
                goto end;
        }
@@ -3590,7 +2886,7 @@ oakley_compute_enckey(iph1)
        /* set prf length */
        prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
        if (prflen == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "invalid hash type %d.\n", iph1->approval->hashtype);
                goto end;
        }
@@ -3616,13 +2912,13 @@ oakley_compute_enckey(iph1)
                 *      K2 = prf(SKEYID_e, K1)
                 *      K3 = prf(SKEYID_e, K2)
                 */
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_DEBUG, 
                        "len(SKEYID_e) < len(Ka) (%zu < %zu), "
                        "generating long key (Ka = K1 | K2 | ...)\n",
                        iph1->skeyid_e->l, iph1->key->l);
 
                if ((buf = vmalloc(prflen >> 3)) == 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                "failed to get key buffer\n");
                        goto end;
                }
@@ -3641,11 +2937,11 @@ oakley_compute_enckey(iph1)
                                vfree(buf);
                                goto end;
                        }
-                       plog(LLV_DEBUG, LOCATION, NULL,
+                       plog(ASL_LEVEL_DEBUG, 
                                "compute intermediate encryption key K%d\n",
                                subkey);
-                       plogdump(LLV_DEBUG, buf->v, buf->l);
-                       plogdump(LLV_DEBUG, res->v, res->l);
+                       //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "");
+                       //plogdump(ASL_LEVEL_DEBUG, res->v, res->l, "");
 
                        cplen = (res->l < ep - p) ? res->l : ep - p;
                        memcpy(p, res->v, cplen);
@@ -3653,7 +2949,7 @@ oakley_compute_enckey(iph1)
 
                        buf->l = prflen >> 3;   /* to cancel K1 speciality */
                        if (res->l != buf->l) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "internal error: res->l=%zu buf->l=%zu\n",
                                        res->l, buf->l);
                                vfree(res);
@@ -3673,24 +2969,8 @@ oakley_compute_enckey(iph1)
         * draft-ietf-ipsec-ike-01.txt Appendix B.
         * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3.
         */
-#if 0
-       /* weakkey check */
-       if (iph1->approval->enctype > ARRAYLEN(oakley_encdef)
-        || oakley_encdef[iph1->approval->enctype].weakkey == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "encryption algoritym %d isn't supported.\n",
-                       iph1->approval->enctype);
-               goto end;
-       }
-       if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "weakkey was generated.\n");
-               goto end;
-       }
-#endif
 
-       plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n");
-       plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "final encryption key computed:\n");
 
        error = 0;
 
@@ -3700,13 +2980,13 @@ end:
 
 /* allocated new buffer for CERT */
 cert_t *
-oakley_newcert()
+oakley_newcert(void)
 {
        cert_t *new;
 
        new = racoon_calloc(1, sizeof(*new));
        if (new == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get cert's buffer\n");
                return NULL;
        }
@@ -3719,8 +2999,7 @@ oakley_newcert()
 
 /* delete buffer for CERT */
 void
-oakley_delcert_1(cert)
-       cert_t *cert;
+oakley_delcert_1(cert_t *cert)
 {
        if (!cert)
                return;
@@ -3731,8 +3010,7 @@ oakley_delcert_1(cert)
 
 /* delete buffer for CERT */
 void
-oakley_delcert(cert)
-       cert_t *cert;
+oakley_delcert(cert_t *cert)
 {
        cert_t *p, *to_delete;
 
@@ -3748,9 +3026,7 @@ oakley_delcert(cert)
 
 /* delete buffer for CERT */
 static cert_t *
-oakley_appendcert_to_certchain(certchain, new)
-       cert_t *certchain;
-       cert_t *new;
+oakley_appendcert_to_certchain(cert_t *certchain, cert_t *new)
 {
        cert_t *p;
 
@@ -3772,8 +3048,7 @@ oakley_appendcert_to_certchain(certchain, new)
  * see 4.1 Phase 1 state in draft-ietf-ipsec-ike.
  */
 int
-oakley_newiv(iph1)
-       struct ph1handle *iph1;
+oakley_newiv(phase1_handle_t *iph1)
 {
        struct isakmp_ivm *newivm = NULL;
        vchar_t *buf = NULL, *bp;
@@ -3784,8 +3059,8 @@ oakley_newiv(iph1)
        len = iph1->dhpub->l + iph1->dhpub_p->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get iv buffer\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get IV buffer\n");
                return -1;
        }
 
@@ -3802,8 +3077,8 @@ oakley_newiv(iph1)
        /* allocate IVm */
        newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
        if (newivm == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get iv buffer\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get IV buffer\n");
                vfree(buf);
                return -1;
        }
@@ -3819,8 +3094,8 @@ oakley_newiv(iph1)
        /* adjust length of iv */
        newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
        if (newivm->iv->l == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid encryption algoriym %d.\n",
+               plog(ASL_LEVEL_ERR, 
+                       "Invalid encryption algorithm %d.\n",
                        iph1->approval->enctype);
                vfree(buf);
                oakley_delivm(newivm);
@@ -3829,7 +3104,7 @@ oakley_newiv(iph1)
 
        /* create buffer to save iv */
        if ((newivm->ive = vdup(newivm->iv)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "vdup (%s)\n", strerror(errno));
                vfree(buf);
                oakley_delivm(newivm);
@@ -3838,8 +3113,7 @@ oakley_newiv(iph1)
 
        vfree(buf);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n");
-       plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
+       //plogdump(ASL_LEVEL_DEBUG, newivm->iv->v, newivm->iv->l, "IV computed:\n");
 
        if (iph1->ivm != NULL)
                oakley_delivm(iph1->ivm);
@@ -3859,9 +3133,7 @@ oakley_newiv(iph1)
  * see 4.2 Phase 2 state in draft-ietf-ipsec-ike.
  */
 struct isakmp_ivm *
-oakley_newiv2(iph1, msgid)
-       struct ph1handle *iph1;
-       u_int32_t msgid;
+oakley_newiv2(phase1_handle_t *iph1, u_int32_t msgid)
 {
        struct isakmp_ivm *newivm = NULL;
        vchar_t *buf = NULL;
@@ -3873,8 +3145,8 @@ oakley_newiv2(iph1, msgid)
        len = iph1->ivm->iv->l + sizeof(msgid_t);
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get iv buffer\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get IV buffer\n");
                goto end;
        }
 
@@ -3885,15 +3157,14 @@ oakley_newiv2(iph1, msgid)
 
        memcpy(p, &msgid, sizeof(msgid));
 
-       plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n");
-       plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
+       plog(ASL_LEVEL_DEBUG, "Compute IV for Phase 2\n");
+       //plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "Phase 1 last IV:\n");
 
        /* allocate IVm */
        newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
        if (newivm == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get iv buffer\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get IV buffer\n");
                goto end;
        }
 
@@ -3904,22 +3175,21 @@ oakley_newiv2(iph1, msgid)
        /* adjust length of iv */
        newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
        if (newivm->iv->l == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid encryption algoriym %d.\n",
+               plog(ASL_LEVEL_ERR, 
+                       "Invalid encryption algorithm %d.\n",
                        iph1->approval->enctype);
                goto end;
        }
 
        /* create buffer to save new iv */
        if ((newivm->ive = vdup(newivm->iv)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno));
+               plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno));
                goto end;
        }
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n");
-       plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
+       //plogdump(ASL_LEVEL_DEBUG, newivm->iv->v, newivm->iv->l, "Phase 2 IV computed:\n");
 
 end:
        if (error && newivm != NULL){
@@ -3932,8 +3202,7 @@ end:
 }
 
 void
-oakley_delivm(ivm)
-       struct isakmp_ivm *ivm;
+oakley_delivm(struct isakmp_ivm *ivm)
 {
        if (ivm == NULL)
                return;
@@ -3943,7 +3212,7 @@ oakley_delivm(ivm)
        if (ivm->ive != NULL)
                vfree(ivm->ive);
        racoon_free(ivm);
-       plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n");
+       plog(ASL_LEVEL_DEBUG, "IV freed\n");
 
        return;
 }
@@ -3953,9 +3222,7 @@ oakley_delivm(ivm)
  *   save new iv and old iv.
  */
 vchar_t *
-oakley_do_decrypt(iph1, msg, ivdp, ivep)
-       struct ph1handle *iph1;
-       vchar_t *msg, *ivdp, *ivep;
+oakley_do_ikev1_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *ivep)
 {
        vchar_t *buf = NULL, *new = NULL;
        char *pl;
@@ -3964,12 +3231,12 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep)
        int blen;
        int error = -1;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n");
+       plog(ASL_LEVEL_DEBUG, "Begin decryption.\n");
 
        blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
        if (blen == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid encryption algoriym %d.\n",
+               plog(ASL_LEVEL_ERR, 
+                       "Invalid encryption algorithm %d.\n",
                        iph1->approval->enctype);
                goto end;
        }
@@ -3978,9 +3245,7 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep)
        memset(ivep->v, 0, ivep->l);
        memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen);
 
-       plog(LLV_DEBUG, LOCATION, NULL,
-               "IV was saved for next processing:\n");
-       plogdump(LLV_DEBUG, ivep->v, ivep->l);
+       plogdump(ASL_LEVEL_DEBUG, ivep->v, ivep->l, "IV was saved for next processing:\n");
 
        pl = msg->v + sizeof(struct isakmp);
 
@@ -3989,8 +3254,8 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep)
        /* create buffer */
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get buffer to decrypt.\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get buffer to decrypt.\n");
                goto end;
        }
        memcpy(buf->v, pl, len);
@@ -3999,52 +3264,44 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep)
        new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
                                        buf, iph1->key, ivdp);
        if (new == NULL || new->v == NULL || new->l == 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "decryption %d failed.\n", iph1->approval->enctype);
+               plog(ASL_LEVEL_ERR, 
+                       "Decryption %d failed.\n", iph1->approval->enctype);
                goto end;
        }
-       plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
-       plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "with key:\n");
 
        vfree(buf);
        buf = NULL;
        if (new == NULL)
                goto end;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n");
-       plogdump(LLV_DEBUG, ivdp->v, ivdp->l);
-
-       plog(LLV_DEBUG, LOCATION, NULL,
-               "decrypted payload, but not trimed.\n");
-       plogdump(LLV_DEBUG, new->v, new->l);
+       plog(ASL_LEVEL_DEBUG, "decrypted payload by IV:\n");
 
        /* get padding length */
        if (lcconf->pad_excltail)
                padlen = new->v[new->l - 1] + 1;
        else
                padlen = new->v[new->l - 1];
-       plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen);
+       plog(ASL_LEVEL_DEBUG, "padding len=%u\n", padlen);
 
        /* trim padding */
        if (lcconf->pad_strict) {
                if (padlen > new->l) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "invalid padding len=%u, buflen=%zu.\n",
-                               padlen, new->l);
-                       plogdump(LLV_ERROR, new->v, new->l);
+                       plog(ASL_LEVEL_ERR, "invalid padding len=%u, buflen=%zu.\n",
+                                        padlen, new->l);
                        goto end;
                }
                new->l -= padlen;
-               plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n");
+               plog(ASL_LEVEL_DEBUG, "trimmed padding\n");
        } else {
-               plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n");
+               plog(ASL_LEVEL_DEBUG, "skip to trim padding.\n");
        }
 
        /* create new buffer */
        len = sizeof(struct isakmp) + new->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get buffer to decrypt.\n");
                goto end;
        }
@@ -4052,8 +3309,7 @@ oakley_do_decrypt(iph1, msg, ivdp, ivep)
        memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
        ((struct isakmp *)buf->v)->len = htonl(buf->l);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n");
-       plogdump(LLV_DEBUG, buf->v, buf->l);
+       plog(ASL_LEVEL_DEBUG, "decrypted.\n");
 
 #ifdef HAVE_PRINT_ISAKMP_C
        isakmp_printpacket(buf, iph1->remote, iph1->local, 1);
@@ -4072,13 +3328,25 @@ end:
        return buf;
 }
 
+/*
+ * decrypt packet.
+ */
+vchar_t *
+oakley_do_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *ivep)
+{
+       if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+               return(oakley_do_ikev1_decrypt(iph1, msg, ivdp, ivep));
+       }
+       
+       plog(ASL_LEVEL_ERR, "Failed to decrypt invalid IKE version");
+       return NULL;
+}
+
 /*
  * encrypt packet.
  */
 vchar_t *
-oakley_do_encrypt(iph1, msg, ivep, ivp)
-       struct ph1handle *iph1;
-       vchar_t *msg, *ivep, *ivp;
+oakley_do_ikev1_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *ivp)
 {
        vchar_t *buf = 0, *new = 0;
        char *pl;
@@ -4087,13 +3355,13 @@ oakley_do_encrypt(iph1, msg, ivep, ivp)
        int blen;
        int error = -1;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n");
+       plog(ASL_LEVEL_DEBUG, "Begin encryption.\n");
 
        /* set cbc block length */
        blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
        if (blen == -1) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid encryption algoriym %d.\n",
+               plog(ASL_LEVEL_ERR, 
+                       "Invalid encryption algorithm %d.\n",
                        iph1->approval->enctype);
                goto end;
        }
@@ -4103,13 +3371,13 @@ oakley_do_encrypt(iph1, msg, ivep, ivp)
 
        /* add padding */
        padlen = oakley_padlen(len, blen);
-       plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen);
+       plog(ASL_LEVEL_DEBUG, "pad length = %u\n", padlen);
 
        /* create buffer */
        buf = vmalloc(len + padlen);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get buffer to encrypt.\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get buffer to encrypt.\n");
                goto end;
        }
         if (padlen) {
@@ -4128,40 +3396,37 @@ oakley_do_encrypt(iph1, msg, ivep, ivp)
        else
                buf->v[len + padlen - 1] = padlen;
 
-       plogdump(LLV_DEBUG, buf->v, buf->l);
+       plogdump(ASL_LEVEL_DEBUG, buf->v, buf->l, "About to encrypt %d bytes", buf->l);
 
        /* do encrypt */
        new = alg_oakley_encdef_encrypt(iph1->approval->enctype,
                                        buf, iph1->key, ivep);
        if (new == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "encryption %d failed.\n", iph1->approval->enctype);
+               plog(ASL_LEVEL_ERR, 
+                       "Encryption %d failed.\n", iph1->approval->enctype);
                goto end;
        }
-       plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
-       plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
+       //plogdump(ASL_LEVEL_DEBUG, iph1->key->v, iph1->key->l, "with key:\n");
 
        vfree(buf);
        buf = NULL;
        if (new == NULL)
                goto end;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n");
-       plogdump(LLV_DEBUG, ivep->v, ivep->l);
+       //plogdump(ASL_LEVEL_DEBUG, ivep->v, ivep->l, "encrypted payload by IV:\n");
 
        /* save IV for next */
        memset(ivp->v, 0, ivp->l);
        memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n");
-       plogdump(LLV_DEBUG, ivp->v, ivp->l);
+       //plogdump(ASL_LEVEL_DEBUG, ivp->v, ivp->l, "save IV for next:\n");
 
        /* create new buffer */
        len = sizeof(struct isakmp) + new->l;
        buf = vmalloc(len);
        if (buf == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "failed to get buffer to encrypt.\n");
+               plog(ASL_LEVEL_ERR, 
+                       "Failed to get buffer to encrypt.\n");
                goto end;
        }
        memcpy(buf->v, msg->v, sizeof(struct isakmp));
@@ -4170,7 +3435,7 @@ oakley_do_encrypt(iph1, msg, ivep, ivp)
 
        error = 0;
 
-       plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n");
+       plog(ASL_LEVEL_DEBUG, "Encrypted.\n");
 
 end:
        if (error && buf != NULL) {
@@ -4183,14 +3448,27 @@ end:
        return buf;
 }
 
+/*
+ * encrypt packet.
+ */
+vchar_t *
+oakley_do_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *ivp)
+{
+       if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
+               return(oakley_do_ikev1_encrypt(iph1, msg, ivep, ivp));          
+       }
+
+       plog(ASL_LEVEL_ERR, "Failed to encrypt invalid IKE version");
+       return NULL;
+}
+
 /* culculate padding length */
 static int
-oakley_padlen(len, base)
-       int len, base;
+oakley_padlen(int len, int base)
 {
        int padlen;
 
-       padlen = base - len % base;
+       padlen = base - (len % base);
 
        if (lcconf->pad_randomlen)
                padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) *
@@ -4239,7 +3517,7 @@ static int base64toCFData(vchar_t *textin, CFDataRef *dataRef)
     int                numeq = 0;
     int                acc = 0;
     int                cntr = 0;
-    uint8_t            *textcur = textin->v;
+    uint8_t            *textcur = (__typeof__(textcur))textin->v;
     int                        len = textin->l;
     int                i;