author | LaMont Jones <lamont@debian.org> | 2009-11-16 19:27:50 -0600 |
---|---|---|
committer | LaMont Jones <lamont@debian.org> | 2009-11-16 19:27:50 -0600 |
commit | b2492ab7a9f3eb7cc37ac3f1fd6b173979ffd2b0 (patch) | |
tree | fc0c9fa247bf1225f696e772dfe76d110ded5463 /contrib | |
parent | e3246fedd37d119c2bf6efb28d7492b3a595373a (diff) | |
download | bind9-b2492ab7a9f3eb7cc37ac3f1fd6b173979ffd2b0.tar.gz |
9.7.0b1
Diffstat (limited to 'contrib')
138 files changed, 12069 insertions, 22435 deletions
diff --git a/contrib/pkcs11-keygen/PEM_write_pubkey.c b/contrib/pkcs11-keygen/PEM_write_pubkey.c
deleted file mode 100644
index 65def632..00000000
--- a/contrib/pkcs11-keygen/PEM_write_pubkey.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* OpenSSL tool
- *
- * usage: PEM_write_pubkey -e engine -p pin -k keyname -f filename
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/engine.h>
-#include <openssl/conf.h>
-#include <unistd.h>
-#include <errno.h>
-
-extern int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
-
-int
-main(int argc, char *argv[])
-{
- ENGINE *e;
- EVP_PKEY *pub_key;
- FILE *fp;
- char *engine = NULL;
- char *pin = NULL;
- char *keyname = NULL;
- char *filename = NULL;
- int c, errflg = 0;
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":e:p:k:f:")) != -1) {
- switch (c) {
- case 'e':
- engine = optarg;
- break;
- case 'p':
- pin = optarg;
- break;
- case 'k':
- keyname = optarg;
- break;
- case 'f':
- filename = optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!engine) || (!filename) || (!keyname)) {
- fprintf(stderr,
- "usage: PEM_write_pubkey -e engine [-p pin] "
- "-k keyname -f filename\n");
- exit(1);
- }
-
- /* Load the config file */
- OPENSSL_config(NULL);
-
- /* Register engine */
- e = ENGINE_by_id(engine);
- if (!e) {
- /* the engine isn't available */
- printf("The engine isn't available\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- /* Send PIN to engine */
- if (pin && !ENGINE_ctrl_cmd_string(e, "PIN", pin, 0)){
- printf("Error sending PIN to engine\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- if (!ENGINE_init(e)) {
- /* the engine couldn't initialise, release 'e' */
- printf("The engine couldn't initialise\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- if (!ENGINE_register_RSA(e)){
- /* This should only happen when 'e' can't initialise, but the previous
- * statement suggests it did. */
- printf("This should not happen\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
- /* Load public key */
- pub_key = ENGINE_load_public_key(e, keyname, NULL, NULL);
- if (pub_key == NULL) {
- /* No public key */
- printf("Error loading public key\n");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- /* write public key to file in PEM format */
- fp = fopen(filename, "w");
- if (fp == NULL) {
- printf("Error opening output file.\n");
- ENGINE_free(e);
- exit(1);
- }
-
- if (!PEM_write_PUBKEY(fp, pub_key)) {
- /* Error writing public key */
- printf("Error writing public key");
- ERR_print_errors_fp(stderr);
- ENGINE_free(e);
- exit(1);
- }
-
- fclose(fp);
- exit(0);
-}
diff --git a/contrib/pkcs11-keygen/PKCS11-NOTES b/contrib/pkcs11-keygen/PKCS11-NOTES
deleted file mode 100644
index 2d07e9f2..00000000
--- a/contrib/pkcs11-keygen/PKCS11-NOTES
+++ /dev/null
@@ -1,94 +0,0 @@
-
- BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
-and some improvements, including user friendly PIN management. You may also
-use the original engine code.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token. Known to work on Linux and Windows 2003 server so
-should work on most operating systems. For AEP Keyper or any device used
-only for its protected key store, please switch to the sign-only engine.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
- define: PKCS11_SO_PATH
- default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
- define: PKCS11_MODULE_PATH
- default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
-a operating system which is not Solaris.)
-
-Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
-are functional.
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
- openssl_conf = openssl_def
- - at any place these sections:
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = put__your__pin__value__here
-
-Slot management
-
-The engine tries to use the first best slot but it is recommended
-to simply use the slot 0 (usual default, meta-slot on Solaris).
-
-Sign-only engine
-
-openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
-a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
-has only the useful functions (i.e., signature with a RSA private
-key in the device protected key store and key loading).
-
-This engine should be used with a device which provides mainly
-a protected store and no acceleration. AEP Keyper is an example
-of such a device (BTW with the fully capable engine, key export
-must be enabled on this device and this configuration is not yet
-supported).
-
-Original engine
-
-If you are using the original engine and getpassphrase() is not defined, add:
-#define getpassphrase(x) getpass(x)
-in openssl.../crypto/engine/hw_pk11_pub.c
-
-Notes
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
-Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
-The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
diff --git a/contrib/pkcs11-keygen/README b/contrib/pkcs11-keygen/README
index 718208f0..caac9824 100644
--- a/contrib/pkcs11-keygen/README
+++ b/contrib/pkcs11-keygen/README
@@ -1,20 +1 @@
-This is a set of utilities that when used together create rsa keys in
-a PKCS11 keystore. The keys will have a label of "zone,zsk|ksk,xxx" and
-an id of the keytag in hex.
-
-Run genkey.sh to generate a new key and call the other programs in turn.
-Run writekey.sh to load key to the key store from Kxxx.{key,private}.
-Run genkey, dnssec-keyfromlabel and optionally set_key_id when you have
-no perl or no Net::DNS::SEC perl module.
-
-genkey[.c] uses PKCS11 calls to generate keys.
-PEM_write_pubkey[.c] uses OpenSSL to write a public key from the key store
- into a file in PEM format.
-keyconv.pl uses Net::DNS::SEC to calculate the key tag and to write out
- a DNSKEY RR into a file.
-set_key_id[.c] uses PKCS11 to set to the key id == keytag in the key store.
-readkey[.c] and writekey[.c] extracts and loads a key from/to the key store.
-keydump.pl uses Net::DNS::SEC to get the key from a Kxxx.private file and
- write it into a file in PEM format.
-
-listobjs and destroyobjs browse the key store, prints or destroys objects.
+Moved to ${top}/bin/pkcs11
diff --git a/contrib/pkcs11-keygen/destroyobj.c b/contrib/pkcs11-keygen/destroyobj.c
deleted file mode 100644
index e7068e4d..00000000
--- a/contrib/pkcs11-keygen/destroyobj.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- char *label = NULL;
- int error = 0;
- int id = 0, i = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = {
- {CKA_ID, &attr_id, sizeof(attr_id)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
- switch (c) {
- case 's':
- slot = atoi(optarg);
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if (errflg || ((!id) && (!label))) {
- fprintf(stderr,
- "usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
- exit(1);
- }
- if (id) {
- printf("id %i\n", id);
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label) {
- printf("label %s\n", label);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjectsInit(hSession, search_template,
- ((id != 0) || (label != NULL)) ? 1 : 0);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_ATTRIBUTE attr_template[] = {
- {CKA_CLASS, &oclass, sizeof(oclass)},
- {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
- {CKA_ID, idbuf, sizeof(idbuf)}
- };
- int j, len;
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
- error = 1;
- goto exit_search;
- }
- len = attr_template[2].ulValueLen;
- printf("object[%d]: class %d label '%s' id[%u] ",
- i, oclass, labelbuf, attr_template[2].ulValueLen);
- if (len > 4)
- len = 4;
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (attr_template[2].ulValueLen > len)
- printf("...\n");
- else
- printf("\n");
- }
-
- /* give a chance to kill this */
- printf("sleeping 5 seconds...\n");
- sleep(5);
-
- for (i = 0; i < ulObjectCount; i++) {
- rv = C_DestroyObject(hSession, akey[i]);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
- error = 1;
- }
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
diff --git a/contrib/pkcs11-keygen/genkey.c b/contrib/pkcs11-keygen/genkey.c
deleted file mode 100644
index 45a9e3cd..00000000
--- a/contrib/pkcs11-keygen/genkey.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/* genkey - pkcs11 rsa key generator
- *
- * create RSASHA1 key in the keystore of an SCA6000
- * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts
- * it into a zone file.
- *
- * usage:
- * genkey [-P] [-s slot] -b keysize -l label [-p pin]
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_MECHANISM genmech;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_ULONG modulusbits = 0;
- CK_CHAR *label = NULL;
- CK_OBJECT_HANDLE privatekey, publickey;
- CK_BYTE public_exponent[3];
- int error = 0;
- int i = 0;
- int c, errflg = 0;
- int hide = 1;
- CK_ULONG ulObjectCount;
- /* Set search template */
- CK_ATTRIBUTE search_template[] = {
- {CKA_LABEL, NULL_PTR, 0}
- };
- CK_ATTRIBUTE publickey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof (truevalue)},
- {CKA_TOKEN, &truevalue, sizeof (truevalue)},
- {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
- {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
- };
- CK_ATTRIBUTE privatekey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_SIGN, &truevalue, sizeof (truevalue)},
- {CKA_TOKEN, &truevalue, sizeof (truevalue)},
- {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
- {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
- {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
- switch (c) {
- case 'P':
- hide = 0;
- break;
- case 's':
- slot = atoi(optarg);
- break;
- case 'b':
- modulusbits = atoi(optarg);
- break;
- case 'l':
- label = (CK_CHAR *)optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if ((errflg) || (!modulusbits) || (!label)) {
- fprintf(stderr,
- "usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
- exit(2);
- }
-
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen((char *)label);
- publickey_template[0].pValue = label;
- publickey_template[0].ulValueLen = strlen((char *)label);
- privatekey_template[0].pValue = label;
- privatekey_template[0].ulValueLen = strlen((char *)label);
-
- /* Set public exponent to 65537 */
- public_exponent[0] = 0x01;
- public_exponent[1] = 0x00;
- public_exponent[2] = 0x01;
-
- /* Set up mechanism for generating key pair */
- genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
- genmech.pParameter = NULL_PTR;
- genmech.ulParameterLen = 0;
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- /* check if a key with the same id already exists */
- rv = C_FindObjectsInit(hSession, search_template, 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
- if (ulObjectCount != 0) {
- fprintf(stderr, "Key already exists.\n");
- error = 1;
- goto exit_search;
- }
-
- /* Set attributes if the key is not to be hidden */
- if (!hide) {
- privatekey_template[4].pValue = &falsevalue;
- privatekey_template[5].pValue = &truevalue;
- }
-
- /* Generate Key pair for signing/verifying */
- rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
- (sizeof (publickey_template) /
- sizeof (CK_ATTRIBUTE)),
- privatekey_template,
- (sizeof (privatekey_template) /
- sizeof (CK_ATTRIBUTE)),
- &publickey, &privatekey);
-
- if (rv != CKR_OK) {
- fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
diff --git a/contrib/pkcs11-keygen/genkey.sh b/contrib/pkcs11-keygen/genkey.sh
deleted file mode 100755
index f5bf1468..00000000
--- a/contrib/pkcs11-keygen/genkey.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/bash
-
-usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path"
-tmp_file=/tmp/cur_key.$$
-while getopts ":z:x:p:t:k:b:e:f" opt; do
- case $opt in
- z ) zone=$OPTARG ;;
- x ) ext=$OPTARG ;;
- p ) pin=$OPTARG ;;
- t ) id=$OPTARG ;;
- f ) flag="ksk" ;;
- e ) engine=$OPTARG ;;
- b ) bits=$OPTARG ;;
- k ) key_path=$OPTARG ;;
- \? ) echo $usage
- exit 1 ;;
- esac
-done
-shift $(($OPTIND -1))
-
-if [ ! "$zone" -o ! "$ext" -o ! "$pin" -o ! "$engine" -o ! "$bits" -o ! "$key_path" ] ; then
- echo $usage
- exit 1
-fi
-
-if [ "$flag" ] ; then
- label="$zone,$flag,$ext"
-else
- label="$zone,zsk,$ext"
-fi
-
-# for testing
-mypath=.
-
-echo "Generating key"
-$mypath/genkey -b $bits -l $label -p $pin
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Exporting public key"
-$mypath/PEM_write_pubkey -e $engine -p $pin -k pkcs11:$label -f $tmp_file
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Generating DNSKEY RR"
-if [ "$flag" ] ; then
- keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
-else
- keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone`
-fi
-
-if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi
-
-echo "Set key id"
-$mypath/set_key_id -l $label -n $keytag -p $pin
-
-rm $tmp_file
diff --git a/contrib/pkcs11-keygen/keyconv.pl b/contrib/pkcs11-keygen/keyconv.pl
deleted file mode 100755
index c68124c8..00000000
--- a/contrib/pkcs11-keygen/keyconv.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Crypt::OpenSSL::RSA;
-use Getopt::Std;
-use MIME::Base64;
-use Net::DNS;
-use Net::DNS::SEC;
-
-my %option;
-getopts('a:e:i:l:p:hk',\%option);
-
-die "usage: keyconv.pl [-a alg] [-k (to indicate KSK)] -e engine -l label [-p (path to store key)] -i filename domainname\n" if $option{h} || (not defined $option{i}) || (not defined $option{e}) || (not defined $option{l});
-
-# The default path is local.
-$option{p} || ($option{p}="./");
-
-# The default algorithm is 5.
-$option{a} || ($option{a}=5);
-
-$option{k} || ($option{k}=0);
-
-# The algorithm is either 5 or 133.
-$option{a}==5 || $option{a}==133 || die "algorithm must be 5 or 133\n";
-
-# standard flags (value is 256) plus optionally the KSK flag.
-my $flags=(256 + $option{k});
-
-open(PFILE, $option{i});
- my @fc = <PFILE>;
-close(PFILE);
-
-my $rsa = Crypt::OpenSSL::RSA->new_public_key(join "", @fc);
-
-my ($m,$e)= $rsa->get_key_parameters;
-
-(my $l=pack("Cn",0,length($e->to_bin))) =~ s/^\000{2}//;
-
-my $rrkey=$l.$e->to_bin.$m->to_bin;
-my $keystr = $ARGV[0]. ". IN DNSKEY $flags 3 $option{a} ".encode_base64($rrkey,"");
-my $keyrr = Net::DNS::RR->new($keystr);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".key");
-print PFILE $ARGV[0], ". IN DNSKEY $flags 3 $option{a} ",encode_base64($rrkey,"")."\n";
-close(PFILE);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".private");
-print PFILE "Private-key-format: v1.2\n";
-print PFILE "Algorithm: ", $option{a}, " (RSASHA1)\n";
-print PFILE "Modulus: ".encode_base64($m->to_bin,"")."\n";
-print PFILE "PublicExponent: ".encode_base64($e->to_bin,"")."\n";
-my $engine="";
-$engine=encode_base64($option{e}."\0","");
-print PFILE "Engine: ", $engine, "\n";
-my $label="";
-$option{k}==0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-$option{k}!=0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-print PFILE "Label: ", $label, "\n";
-close(PFILE);
-
-print $keyrr->keytag;
diff --git a/contrib/pkcs11-keygen/keydump.pl b/contrib/pkcs11-keygen/keydump.pl
deleted file mode 100755
index acbb00c3..00000000
--- a/contrib/pkcs11-keygen/keydump.pl
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Getopt::Std;
-use Crypt::OpenSSL::RSA;
-use Net::DNS::SEC;
-
-my %option;
-getopts('k:p:o:h',\%option);
-
-$option{h} || (not defined $option{k}) || (not defined $option{p}) || (not defined $option{o}) && die "usage: keydump.pl -k Kxxx.key -p Kxxx.priv -o pem\n";
-
-my $rsa = Net::DNS::SEC::Private->new($option{p});
-
-open(PFILE, "> $option{o}");
-print PFILE $rsa->dump_rsa_private_der;
-close(PFILE);
-
-open(KFILE, "< $option{k}");
-my @fc = <KFILE>;
-close(KFILE);
-
-my $keyrr = Net::DNS::RR->new(join "", @fc);
-
-print $keyrr->flags;
-
diff --git a/contrib/pkcs11-keygen/listobjs.c b/contrib/pkcs11-keygen/listobjs.c
deleted file mode 100644
index 3fb6eaa8..00000000
--- a/contrib/pkcs11-keygen/listobjs.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <opencryptoki/pkcs11.h>
-
-int
-main(int argc, char *argv[])
-{
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_BYTE attr_id[2];
- CK_OBJECT_HANDLE akey[50];
- char *label = NULL;
- int error = 0, public = 0, all = 0;
- int i = 0, id = 0;
- int c, errflg = 0;
- CK_ULONG ulObjectCount;
- CK_ATTRIBUTE search_template[] = {
- {CKA_ID, &attr_id, sizeof(attr_id)}
- };
- extern char *optarg;
- extern int optopt;
-
- while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
- switch (c) {
- case 'P':
- public = 1;
- break;
- case 's':
- slot = atoi(optarg);
- break;
- case 'i':
- id = atoi(optarg);
- id &= 0xffff;
- break;
- case 'l':
- label = optarg;
- break;
- case 'p':
- pin = (CK_UTF8CHAR *)optarg;
- break;
- case ':':
- fprintf(stderr, "Option -%c requires an operand\n", optopt);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
- errflg++;
- }
- }
- if (errflg) {
- fprintf(stderr,
- "usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
- exit(1);
- }
- if ((!id) && (!label))
- all = 1;
- if (slot)
- printf("slot %d\n", slot);
- if (id) {
- printf("id %i\n", id);
- attr_id[0] = (id >> 8) & 0xff;
- attr_id[1] = id & 0xff;
- } else if (label) {
- printf("label %s\n", label);
- search_template[0].type = CKA_LABEL;
- search_template[0].pValue = label;
- search_template[0].ulValueLen = strlen(label);
- }
-
- /* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_program;
- }
-
- /* Login to the Token (Keystore) */
- if (!public) {
- if (!pin)
-#ifndef HAVE_GETPASS
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
- pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
- }
-
- rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_session;
- }
-
- ulObjectCount = 1;
- while (ulObjectCount) {
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
- error = 1;
- goto exit_search;
- }
-
- for (i = 0; i < ulObjectCount; i++) {
- CK_OBJECT_CLASS oclass = 0;
- CK_BYTE labelbuf[64 + 1];
- CK_BYTE idbuf[64];
- CK_ATTRIBUTE attr_template[] = {
- {CKA_CLASS, &oclass, sizeof(oclass)},
- {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
- {CKA_ID, idbuf, sizeof(idbuf)}
- };
- int j, len;
-
- memset(labelbuf, 0, sizeof(labelbuf));
- memset(idbuf, 0, sizeof(idbuf));
-
- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
- if (rv = CKR_BUFFER_TOO_SMALL)
- fprintf(stderr, "%d too small: %u %u %u\n", i,
- attr_template[0].ulValueLen,
- attr_template[1].ulValueLen,
- attr_template[2].ulValueLen);
- error = 1;
- continue;
- }
-
- len = attr_template[2].ulValueLen;
- printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
- i, akey[i], oclass,
- attr_template[1].ulValueLen, labelbuf,
- attr_template[2].ulValueLen);
- if (len == 2) {
- id = (idbuf[0] << 8) & 0xff00;
- id |= idbuf[1] & 0xff;
- printf("%i\n", id);
- } else {
- if (len > 8)
- len = 8;
- for (j = 0; j < len; j++)
- printf("%02x", idbuf[j]);
- if (attr_template[2].ulValueLen > len)
- printf("...\n");
- else
- printf("\n");
- }
- }
- }
-
- exit_search:
- rv = C_FindObjectsFinal(hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
- error = 1;
- }
-
- exit_session:
- (void) C_CloseSession(hSession);
-
- exit_program:
- (void) C_Finalize(NULL_PTR);
-
- exit(error);
-}
diff --git a/contrib/pkcs11-keygen/opencryptoki/apiclient.h b/contrib/pkcs11-keygen/opencryptoki/apiclient.h
deleted file mode 100644
index f825b89d..00000000
--- a/contrib/pkcs11-keygen/opencryptoki/apiclient.h
+++ /dev/null
@@ -1,481 +0,0 @@ -/* - * $Header: /proj/cvs/prod/bind9/contrib/pkcs11-keygen/opencryptoki/apiclient.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $ - */ - - -/* - Common Public License Version 0.5 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF - THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, - REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES - RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - - 1. DEFINITIONS - - "Contribution" means: - a) in the case of the initial Contributor, the - initial code and documentation distributed under - this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - - where such changes and/or additions to the Program - originate from and are distributed by that - particular Contributor. A Contribution 'originates' - from a Contributor if it was added to the Program - by such Contributor itself or anyone acting on such - Contributor's behalf. Contributions do not include - additions to the Program which: (i) are separate - modules of software distributed in conjunction with - the Program under their own license agreement, and - (ii) are not derivative works of the Program. - - - "Contributor" means any person or entity that distributes - the Program. - - "Licensed Patents " mean patent claims licensable by a - Contributor which are necessarily infringed by the use or - sale of its Contribution alone or when combined with the - Program. - - "Program" means the Contributions distributed in - accordance with this Agreement. - - "Recipient" means anyone who receives the Program under - this Agreement, including all Contributors. - - 2. 
GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare derivative works of, - publicly display, publicly perform, distribute and - sublicense the Contribution of such Contributor, if - any, and such derivative works, in source code and - object code form. - - b) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, - offer to sell, import and otherwise transfer the - Contribution of such Contributor, if any, in source - code and object code form. This patent license - shall apply to the combination of the Contribution - and the Program if, at the time the Contribution is - added by the Contributor, such addition of the - Contribution causes such combination to be covered - by the Licensed Patents. The patent license shall - not apply to any other combinations which include - the Contribution. No hardware per se is licensed - hereunder. - - c) Recipient understands that although each - Contributor grants the licenses to its - Contributions set forth herein, no assurances are - provided by any Contributor that the Program does - not infringe the patent or other intellectual - property rights of any other entity. Each - Contributor disclaims any liability to Recipient - for claims brought by any other entity based on - infringement of intellectual property rights or - otherwise. As a condition to exercising the rights - and licenses granted hereunder, each Recipient - hereby assumes sole responsibility to secure any - other intellectual property rights needed, if any. - - For example, if a third party patent license is - required to allow Recipient to distribute the - Program, it is Recipient's responsibility to - acquire that license before distributing the - Program. 
- - d) Each Contributor represents that to its - knowledge it has sufficient copyright rights in its - Contribution, if any, to grant the copyright - license set forth in this Agreement. - - 3. REQUIREMENTS - - A Contributor may choose to distribute the Program in - object code form under its own license agreement, provided - that: - a) it complies with the terms and conditions of - this Agreement; and - - b) its license agreement: - i) effectively disclaims on behalf of all - Contributors all warranties and conditions, express - and implied, including warranties or conditions of - title and non-infringement, and implied warranties - or conditions of merchantability and fitness for a - particular purpose; - - ii) effectively excludes on behalf of all - Contributors all liability for damages, including - direct, indirect, special, incidental and - consequential damages, such as lost profits; - - iii) states that any provisions which differ from - this Agreement are offered by that Contributor - alone and not by any other party; and - - iv) states that source code for the Program is - available from such Contributor, and informs - licensees how to obtain it in a reasonable manner - on or through a medium customarily used for - software exchange. - - When the Program is made available in source code form: - a) it must be made available under this Agreement; - and - b) a copy of this Agreement must be included with - each copy of the Program. - - Contributors may not remove or alter any copyright notices - contained within the Program. - - Each Contributor must identify itself as the originator of - its Contribution, if any, in a manner that reasonably - allows subsequent Recipients to identify the originator of - the Contribution. - - - 4. COMMERCIAL DISTRIBUTION - - Commercial distributors of software may accept certain - responsibilities with respect to end users, business - partners and the like. 
While this license is intended to - facilitate the commercial use of the Program, the - Contributor who includes the Program in a commercial - product offering should do so in a manner which does not - create potential liability for other Contributors. - Therefore, if a Contributor includes the Program in a - commercial product offering, such Contributor ("Commercial - Contributor") hereby agrees to defend and indemnify every - other Contributor ("Indemnified Contributor") against any - losses, damages and costs (collectively "Losses") arising - from claims, lawsuits and other legal actions brought by a - third party against the Indemnified Contributor to the - extent caused by the acts or omissions of such Commercial - Contributor in connection with its distribution of the - Program in a commercial product offering. The obligations - in this section do not apply to any claims or Losses - relating to any actual or alleged intellectual property - infringement. In order to qualify, an Indemnified - Contributor must: a) promptly notify the Commercial - Contributor in writing of such claim, and b) allow the - Commercial Contributor to control, and cooperate with the - Commercial Contributor in, the defense and any related - settlement negotiations. The Indemnified Contributor may - participate in any such claim at its own expense. - - - For example, a Contributor might include the Program in a - commercial product offering, Product X. That Contributor - is then a Commercial Contributor. If that Commercial - Contributor then makes performance claims, or offers - warranties related to Product X, those performance claims - and warranties are such Commercial Contributor's - responsibility alone. 
Under this section, the Commercial - Contributor would have to defend claims against the other - Contributors related to those performance claims and - warranties, and if a court requires any other Contributor - to pay any damages as a result, the Commercial Contributor - must pay those damages. - - - 5. NO WARRANTY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE - PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR - IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR - CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR - FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely - responsible for determining the appropriateness of using - and distributing the Program and assumes all risks - associated with its exercise of rights under this - Agreement, including but not limited to the risks and - costs of program errors, compliance with applicable laws, - damage to or loss of data, programs or equipment, and - unavailability or interruption of operations. - - 6. DISCLAIMER OF LIABILITY - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER - RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION - LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE - OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGES. - - 7. 
GENERAL - - If any provision of this Agreement is invalid or - unenforceable under applicable law, it shall not affect - the validity or enforceability of the remainder of the - terms of this Agreement, and without further action by the - parties hereto, such provision shall be reformed to the - minimum extent necessary to make such provision valid and - enforceable. - - - If Recipient institutes patent litigation against a - Contributor with respect to a patent applicable to - software (including a cross-claim or counterclaim in a - lawsuit), then any patent licenses granted by that - Contributor to such Recipient under this Agreement shall - terminate as of the date such litigation is filed. In - addition, If Recipient institutes patent litigation - against any entity (including a cross-claim or - counterclaim in a lawsuit) alleging that the Program - itself (excluding combinations of the Program with other - software or hardware) infringes such Recipient's - patent(s), then such Recipient's rights granted under - Section 2(b) shall terminate as of the date such - litigation is filed. - - All Recipient's rights under this Agreement shall - terminate if it fails to comply with any of the material - terms or conditions of this Agreement and does not cure - such failure in a reasonable period of time after becoming - aware of such noncompliance. If all Recipient's rights - under this Agreement terminate, Recipient agrees to cease - use and distribution of the Program as soon as reasonably - practicable. However, Recipient's obligations under this - Agreement and any licenses granted by Recipient relating - to the Program shall continue and survive. - - Everyone is permitted to copy and distribute copies of - this Agreement, but in order to avoid inconsistency the - Agreement is copyrighted and may only be modified in the - following manner. The Agreement Steward reserves the right - to publish new versions (including revisions) of this - Agreement from time to time. 
No one other than the - Agreement Steward has the right to modify this Agreement. - - IBM is the initial Agreement Steward. IBM may assign the - responsibility to serve as the Agreement Steward to a - suitable separate entity. Each new version of the - Agreement will be given a distinguishing version number. - The Program (including Contributions) may always be - distributed subject to the version of the Agreement under - which it was received. In addition, after a new version of - the Agreement is published, Contributor may elect to - distribute the Program (including its Contributions) under - the new version. Except as expressly stated in Sections - 2(a) and 2(b) above, Recipient receives no rights or - licenses to the intellectual property of any Contributor - under this Agreement, whether expressly, by implication, - estoppel or otherwise. All rights in the Program not - expressly granted under this Agreement are reserved. - - - This Agreement is governed by the laws of the State of New - York and the intellectual property laws of the United - States of America. No party to this Agreement will bring a - legal action under this Agreement more than one year after - the cause of action arose. Each party waives its rights to - a jury trial in any resulting litigation. - - - -*/ - -/* (C) COPYRIGHT International Business Machines Corp. 
2001 */ - - -#ifndef _APICLIENT_H -#define _APICLIENT_H - - -#include "pkcs11types.h" - - - -#define VERSION_MAJOR 2 // Version 2 of the PKCS library -#define VERSION_MINOR 01 // minor revision .10 of PKCS11 - -#ifdef __cplusplus -extern "C" -{ -#endif - -CK_RV C_CancelFunction ( CK_SESSION_HANDLE ); - -CK_RV C_CloseAllSessions ( CK_SLOT_ID ); - -CK_RV C_CloseSession ( CK_SESSION_HANDLE ); - -CK_RV C_CopyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_CreateObject ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR ); - -CK_RV C_Decrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DecryptDigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DecryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DecryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_DecryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DecryptVerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DeriveKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_DestroyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_Digest ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DigestEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DigestFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DigestInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR ); - -CK_RV C_DigestKey ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_DigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_Encrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_EncryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR 
); - -CK_RV C_EncryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_EncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_Finalize ( CK_VOID_PTR ); - -CK_RV C_FindObjects ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, - CK_ULONG_PTR ); - -CK_RV C_FindObjectsFinal ( CK_SESSION_HANDLE ); - -CK_RV C_FindObjectsInit ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_GenerateKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, - CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_GenerateKeyPair ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, - CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_GenerateRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_GetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_GetFunctionList ( CK_FUNCTION_LIST_PTR_PTR ); - -CK_RV C_GetFunctionStatus ( CK_SESSION_HANDLE ); - -CK_RV C_GetInfo ( CK_INFO_PTR ); - -CK_RV C_GetMechanismInfo ( CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR ); - -CK_RV C_GetMechanismList ( CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR ); - -CK_RV C_GetObjectSize ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR ); - -CK_RV C_GetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_GetSessionInfo ( CK_SESSION_HANDLE, CK_SESSION_INFO_PTR ); - -CK_RV C_GetSlotInfo ( CK_SLOT_ID, CK_SLOT_INFO_PTR ); - -CK_RV C_GetSlotList ( CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR ); - -CK_RV C_GetTokenInfo ( CK_SLOT_ID, CK_TOKEN_INFO_PTR ); - -CK_RV C_Initialize ( CK_VOID_PTR ); - -CK_RV C_InitPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_InitToken ( CK_SLOT_ID, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR ); - -CK_RV C_Login ( CK_SESSION_HANDLE, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_Logout ( CK_SESSION_HANDLE ); - -CK_RV C_OpenSession ( CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, - 
CK_SESSION_HANDLE_PTR ); - -CK_RV C_SeedRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_SetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_SetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_SetPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_Sign ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_SignEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_SignFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_SignInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_SignRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_SignRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_SignUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_UnwrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR ); - -CK_RV C_Verify ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_VerifyFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_VerifyInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_VerifyRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_VerifyRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_VerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_WaitForSlotEvent ( CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR ); - -CK_RV C_WrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -#ifdef __cplusplus -} -#endif - -#endif // _APICLIENT_H - - 
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
deleted file mode 100644
index bf1fe59f..00000000
--- a/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
+++ /dev/null
@@ -1,297 +0,0 @@ -/* - Common Public License Version 0.5 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF - THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, - REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES - RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - - 1. DEFINITIONS - - "Contribution" means: - a) in the case of the initial Contributor, the - initial code and documentation distributed under - this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - - where such changes and/or additions to the Program - originate from and are distributed by that - particular Contributor. A Contribution 'originates' - from a Contributor if it was added to the Program - by such Contributor itself or anyone acting on such - Contributor's behalf. Contributions do not include - additions to the Program which: (i) are separate - modules of software distributed in conjunction with - the Program under their own license agreement, and - (ii) are not derivative works of the Program. - - - "Contributor" means any person or entity that distributes - the Program. - - "Licensed Patents " mean patent claims licensable by a - Contributor which are necessarily infringed by the use or - sale of its Contribution alone or when combined with the - Program. - - "Program" means the Contributions distributed in - accordance with this Agreement. - - "Recipient" means anyone who receives the Program under - this Agreement, including all Contributors. - - 2. GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare derivative works of, - publicly display, publicly perform, distribute and - sublicense the Contribution of such Contributor, if - any, and such derivative works, in source code and - object code form. 
- - b) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, - offer to sell, import and otherwise transfer the - Contribution of such Contributor, if any, in source - code and object code form. This patent license - shall apply to the combination of the Contribution - and the Program if, at the time the Contribution is - added by the Contributor, such addition of the - Contribution causes such combination to be covered - by the Licensed Patents. The patent license shall - not apply to any other combinations which include - the Contribution. No hardware per se is licensed - hereunder. - - c) Recipient understands that although each - Contributor grants the licenses to its - Contributions set forth herein, no assurances are - provided by any Contributor that the Program does - not infringe the patent or other intellectual - property rights of any other entity. Each - Contributor disclaims any liability to Recipient - for claims brought by any other entity based on - infringement of intellectual property rights or - otherwise. As a condition to exercising the rights - and licenses granted hereunder, each Recipient - hereby assumes sole responsibility to secure any - other intellectual property rights needed, if any. - - For example, if a third party patent license is - required to allow Recipient to distribute the - Program, it is Recipient's responsibility to - acquire that license before distributing the - Program. - - d) Each Contributor represents that to its - knowledge it has sufficient copyright rights in its - Contribution, if any, to grant the copyright - license set forth in this Agreement. - - 3. 
REQUIREMENTS - - A Contributor may choose to distribute the Program in - object code form under its own license agreement, provided - that: - a) it complies with the terms and conditions of - this Agreement; and - - b) its license agreement: - i) effectively disclaims on behalf of all - Contributors all warranties and conditions, express - and implied, including warranties or conditions of - title and non-infringement, and implied warranties - or conditions of merchantability and fitness for a - particular purpose; - - ii) effectively excludes on behalf of all - Contributors all liability for damages, including - direct, indirect, special, incidental and - consequential damages, such as lost profits; - - iii) states that any provisions which differ from - this Agreement are offered by that Contributor - alone and not by any other party; and - - iv) states that source code for the Program is - available from such Contributor, and informs - licensees how to obtain it in a reasonable manner - on or through a medium customarily used for - software exchange. - - When the Program is made available in source code form: - a) it must be made available under this Agreement; - and - b) a copy of this Agreement must be included with - each copy of the Program. - - Contributors may not remove or alter any copyright notices - contained within the Program. - - Each Contributor must identify itself as the originator of - its Contribution, if any, in a manner that reasonably - allows subsequent Recipients to identify the originator of - the Contribution. - - - 4. COMMERCIAL DISTRIBUTION - - Commercial distributors of software may accept certain - responsibilities with respect to end users, business - partners and the like. While this license is intended to - facilitate the commercial use of the Program, the - Contributor who includes the Program in a commercial - product offering should do so in a manner which does not - create potential liability for other Contributors. 
- Therefore, if a Contributor includes the Program in a - commercial product offering, such Contributor ("Commercial - Contributor") hereby agrees to defend and indemnify every - other Contributor ("Indemnified Contributor") against any - losses, damages and costs (collectively "Losses") arising - from claims, lawsuits and other legal actions brought by a - third party against the Indemnified Contributor to the - extent caused by the acts or omissions of such Commercial - Contributor in connection with its distribution of the - Program in a commercial product offering. The obligations - in this section do not apply to any claims or Losses - relating to any actual or alleged intellectual property - infringement. In order to qualify, an Indemnified - Contributor must: a) promptly notify the Commercial - Contributor in writing of such claim, and b) allow the - Commercial Contributor to control, and cooperate with the - Commercial Contributor in, the defense and any related - settlement negotiations. The Indemnified Contributor may - participate in any such claim at its own expense. - - - For example, a Contributor might include the Program in a - commercial product offering, Product X. That Contributor - is then a Commercial Contributor. If that Commercial - Contributor then makes performance claims, or offers - warranties related to Product X, those performance claims - and warranties are such Commercial Contributor's - responsibility alone. Under this section, the Commercial - Contributor would have to defend claims against the other - Contributors related to those performance claims and - warranties, and if a court requires any other Contributor - to pay any damages as a result, the Commercial Contributor - must pay those damages. - - - 5. 
NO WARRANTY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE - PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR - IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR - CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR - FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely - responsible for determining the appropriateness of using - and distributing the Program and assumes all risks - associated with its exercise of rights under this - Agreement, including but not limited to the risks and - costs of program errors, compliance with applicable laws, - damage to or loss of data, programs or equipment, and - unavailability or interruption of operations. - - 6. DISCLAIMER OF LIABILITY - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER - RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION - LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE - OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGES. - - 7. GENERAL - - If any provision of this Agreement is invalid or - unenforceable under applicable law, it shall not affect - the validity or enforceability of the remainder of the - terms of this Agreement, and without further action by the - parties hereto, such provision shall be reformed to the - minimum extent necessary to make such provision valid and - enforceable. 
- - - If Recipient institutes patent litigation against a - Contributor with respect to a patent applicable to - software (including a cross-claim or counterclaim in a - lawsuit), then any patent licenses granted by that - Contributor to such Recipient under this Agreement shall - terminate as of the date such litigation is filed. In - addition, If Recipient institutes patent litigation - against any entity (including a cross-claim or - counterclaim in a lawsuit) alleging that the Program - itself (excluding combinations of the Program with other - software or hardware) infringes such Recipient's - patent(s), then such Recipient's rights granted under - Section 2(b) shall terminate as of the date such - litigation is filed. - - All Recipient's rights under this Agreement shall - terminate if it fails to comply with any of the material - terms or conditions of this Agreement and does not cure - such failure in a reasonable period of time after becoming - aware of such noncompliance. If all Recipient's rights - under this Agreement terminate, Recipient agrees to cease - use and distribution of the Program as soon as reasonably - practicable. However, Recipient's obligations under this - Agreement and any licenses granted by Recipient relating - to the Program shall continue and survive. - - Everyone is permitted to copy and distribute copies of - this Agreement, but in order to avoid inconsistency the - Agreement is copyrighted and may only be modified in the - following manner. The Agreement Steward reserves the right - to publish new versions (including revisions) of this - Agreement from time to time. No one other than the - Agreement Steward has the right to modify this Agreement. - - IBM is the initial Agreement Steward. IBM may assign the - responsibility to serve as the Agreement Steward to a - suitable separate entity. Each new version of the - Agreement will be given a distinguishing version number. 
- The Program (including Contributions) may always be
- distributed subject to the version of the Agreement under
- which it was received. In addition, after a new version of
- the Agreement is published, Contributor may elect to
- distribute the Program (including its Contributions) under
- the new version. Except as expressly stated in Sections
- 2(a) and 2(b) above, Recipient receives no rights or
- licenses to the intellectual property of any Contributor
- under this Agreement, whether expressly, by implication,
- estoppel or otherwise. All rights in the Program not
- expressly granted under this Agreement are reserved.
-
-
- This Agreement is governed by the laws of the State of New
- York and the intellectual property laws of the United
- States of America. No party to this Agreement will bring a
- legal action under this Agreement more than one year after
- the cause of action arose. Each party waives its rights to
- a jury trial in any resulting litigation.
-
-
-
-*/
-
-/* (c) COPYRIGHT International Business Machines Corp. 2001 */
-
-#ifndef OPENCRYPTOKI_PKCS11_H
-#define OPENCRYPTOKI_PKCS11_H
-
-#include <opencryptoki/pkcs11types.h>
-#include <opencryptoki/apiclient.h>
-
-#endif
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
deleted file mode 100644
index 97a83a3d..00000000
--- a/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
+++ /dev/null
@@ -1,1865 +0,0 @@ -/* - * $Header: /proj/cvs/prod/bind9/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $ - */ - -/* - Common Public License Version 0.5 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF - THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, - REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES - RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - - 1. DEFINITIONS - - "Contribution" means: - a) in the case of the initial Contributor, the - initial code and documentation distributed under - this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - - where such changes and/or additions to the Program - originate from and are distributed by that - particular Contributor. A Contribution 'originates' - from a Contributor if it was added to the Program - by such Contributor itself or anyone acting on such - Contributor's behalf. Contributions do not include - additions to the Program which: (i) are separate - modules of software distributed in conjunction with - the Program under their own license agreement, and - (ii) are not derivative works of the Program. - - - "Contributor" means any person or entity that distributes - the Program. - - "Licensed Patents " mean patent claims licensable by a - Contributor which are necessarily infringed by the use or - sale of its Contribution alone or when combined with the - Program. - - "Program" means the Contributions distributed in - accordance with this Agreement. - - "Recipient" means anyone who receives the Program under - this Agreement, including all Contributors. - - 2. 
GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare derivative works of, - publicly display, publicly perform, distribute and - sublicense the Contribution of such Contributor, if - any, and such derivative works, in source code and - object code form. - - b) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, - offer to sell, import and otherwise transfer the - Contribution of such Contributor, if any, in source - code and object code form. This patent license - shall apply to the combination of the Contribution - and the Program if, at the time the Contribution is - added by the Contributor, such addition of the - Contribution causes such combination to be covered - by the Licensed Patents. The patent license shall - not apply to any other combinations which include - the Contribution. No hardware per se is licensed - hereunder. - - c) Recipient understands that although each - Contributor grants the licenses to its - Contributions set forth herein, no assurances are - provided by any Contributor that the Program does - not infringe the patent or other intellectual - property rights of any other entity. Each - Contributor disclaims any liability to Recipient - for claims brought by any other entity based on - infringement of intellectual property rights or - otherwise. As a condition to exercising the rights - and licenses granted hereunder, each Recipient - hereby assumes sole responsibility to secure any - other intellectual property rights needed, if any. - - For example, if a third party patent license is - required to allow Recipient to distribute the - Program, it is Recipient's responsibility to - acquire that license before distributing the - Program. 
- - d) Each Contributor represents that to its - knowledge it has sufficient copyright rights in its - Contribution, if any, to grant the copyright - license set forth in this Agreement. - - 3. REQUIREMENTS - - A Contributor may choose to distribute the Program in - object code form under its own license agreement, provided - that: - a) it complies with the terms and conditions of - this Agreement; and - - b) its license agreement: - i) effectively disclaims on behalf of all - Contributors all warranties and conditions, express - and implied, including warranties or conditions of - title and non-infringement, and implied warranties - or conditions of merchantability and fitness for a - particular purpose; - - ii) effectively excludes on behalf of all - Contributors all liability for damages, including - direct, indirect, special, incidental and - consequential damages, such as lost profits; - - iii) states that any provisions which differ from - this Agreement are offered by that Contributor - alone and not by any other party; and - - iv) states that source code for the Program is - available from such Contributor, and informs - licensees how to obtain it in a reasonable manner - on or through a medium customarily used for - software exchange. - - When the Program is made available in source code form: - a) it must be made available under this Agreement; - and - b) a copy of this Agreement must be included with - each copy of the Program. - - Contributors may not remove or alter any copyright notices - contained within the Program. - - Each Contributor must identify itself as the originator of - its Contribution, if any, in a manner that reasonably - allows subsequent Recipients to identify the originator of - the Contribution. - - - 4. COMMERCIAL DISTRIBUTION - - Commercial distributors of software may accept certain - responsibilities with respect to end users, business - partners and the like. 
While this license is intended to - facilitate the commercial use of the Program, the - Contributor who includes the Program in a commercial - product offering should do so in a manner which does not - create potential liability for other Contributors. - Therefore, if a Contributor includes the Program in a - commercial product offering, such Contributor ("Commercial - Contributor") hereby agrees to defend and indemnify every - other Contributor ("Indemnified Contributor") against any - losses, damages and costs (collectively "Losses") arising - from claims, lawsuits and other legal actions brought by a - third party against the Indemnified Contributor to the - extent caused by the acts or omissions of such Commercial - Contributor in connection with its distribution of the - Program in a commercial product offering. The obligations - in this section do not apply to any claims or Losses - relating to any actual or alleged intellectual property - infringement. In order to qualify, an Indemnified - Contributor must: a) promptly notify the Commercial - Contributor in writing of such claim, and b) allow the - Commercial Contributor to control, and cooperate with the - Commercial Contributor in, the defense and any related - settlement negotiations. The Indemnified Contributor may - participate in any such claim at its own expense. - - - For example, a Contributor might include the Program in a - commercial product offering, Product X. That Contributor - is then a Commercial Contributor. If that Commercial - Contributor then makes performance claims, or offers - warranties related to Product X, those performance claims - and warranties are such Commercial Contributor's - responsibility alone. 
Under this section, the Commercial - Contributor would have to defend claims against the other - Contributors related to those performance claims and - warranties, and if a court requires any other Contributor - to pay any damages as a result, the Commercial Contributor - must pay those damages. - - - 5. NO WARRANTY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE - PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR - IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR - CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR - FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely - responsible for determining the appropriateness of using - and distributing the Program and assumes all risks - associated with its exercise of rights under this - Agreement, including but not limited to the risks and - costs of program errors, compliance with applicable laws, - damage to or loss of data, programs or equipment, and - unavailability or interruption of operations. - - 6. DISCLAIMER OF LIABILITY - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER - RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION - LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE - OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGES. - - 7. 
GENERAL - - If any provision of this Agreement is invalid or - unenforceable under applicable law, it shall not affect - the validity or enforceability of the remainder of the - terms of this Agreement, and without further action by the - parties hereto, such provision shall be reformed to the - minimum extent necessary to make such provision valid and - enforceable. - - - If Recipient institutes patent litigation against a - Contributor with respect to a patent applicable to - software (including a cross-claim or counterclaim in a - lawsuit), then any patent licenses granted by that - Contributor to such Recipient under this Agreement shall - terminate as of the date such litigation is filed. In - addition, If Recipient institutes patent litigation - against any entity (including a cross-claim or - counterclaim in a lawsuit) alleging that the Program - itself (excluding combinations of the Program with other - software or hardware) infringes such Recipient's - patent(s), then such Recipient's rights granted under - Section 2(b) shall terminate as of the date such - litigation is filed. - - All Recipient's rights under this Agreement shall - terminate if it fails to comply with any of the material - terms or conditions of this Agreement and does not cure - such failure in a reasonable period of time after becoming - aware of such noncompliance. If all Recipient's rights - under this Agreement terminate, Recipient agrees to cease - use and distribution of the Program as soon as reasonably - practicable. However, Recipient's obligations under this - Agreement and any licenses granted by Recipient relating - to the Program shall continue and survive. - - Everyone is permitted to copy and distribute copies of - this Agreement, but in order to avoid inconsistency the - Agreement is copyrighted and may only be modified in the - following manner. The Agreement Steward reserves the right - to publish new versions (including revisions) of this - Agreement from time to time. 
No one other than the - Agreement Steward has the right to modify this Agreement. - - IBM is the initial Agreement Steward. IBM may assign the - responsibility to serve as the Agreement Steward to a - suitable separate entity. Each new version of the - Agreement will be given a distinguishing version number. - The Program (including Contributions) may always be - distributed subject to the version of the Agreement under - which it was received. In addition, after a new version of - the Agreement is published, Contributor may elect to - distribute the Program (including its Contributions) under - the new version. Except as expressly stated in Sections - 2(a) and 2(b) above, Recipient receives no rights or - licenses to the intellectual property of any Contributor - under this Agreement, whether expressly, by implication, - estoppel or otherwise. All rights in the Program not - expressly granted under this Agreement are reserved. - - - This Agreement is governed by the laws of the State of New - York and the intellectual property laws of the United - States of America. No party to this Agreement will bring a - legal action under this Agreement more than one year after - the cause of action arose. Each party waives its rights to - a jury trial in any resulting litigation. - - - -*/ - -/* (C) COPYRIGHT International Business Machines Corp. 2001 */ - - -//---------------------------------------------------------------------------- -// -// File: PKCS11Types.h -// -// -//---------------------------------------------------------------------------- - - -#ifndef _PKCS11TYPES_H_ -#define _PKCS11TYPES_H_ - - -#ifdef __cplusplus -extern "C" -{ -#endif - -#ifndef FALSE -#define FALSE 0 -#endif - -#ifndef TRUE -#define TRUE (!FALSE) -#endif - -// AIX Addition for 64Bit work. -// All types are 32bit types, therefore the longs have to be -// typedefed to be 32bit values. 
-typedef unsigned int uint_32; -typedef int int_32; - -#define CK_PTR * - -#define CK_CALLBACK_FUNCTION(returnType, name) \ - returnType (* name) - -#ifndef NULL_PTR - #define NULL_PTR ((void *) NULL) -#endif /* NULL_PTR */ - -/* an unsigned 8-bit value */ -typedef unsigned char CK_BYTE; - -/* an unsigned 8-bit character */ -typedef CK_BYTE CK_CHAR; - -/* an 8-bit UTF-8 character */ -typedef CK_BYTE CK_UTF8CHAR; - -/* a BYTE-sized Boolean flag */ -typedef CK_BYTE CK_BBOOL; - -/* an unsigned value, at least 32 bits long */ -typedef unsigned long int CK_ULONG; - -/* a signed value, the same size as a CK_ULONG */ -/* CK_LONG is new for v2.0 */ -typedef long int CK_LONG; - -/* at least 32 bits; each bit is a Boolean flag */ -typedef CK_ULONG CK_FLAGS; - - -/* some special values for certain CK_ULONG variables */ -#define CK_UNAVAILABLE_INFORMATION (~0UL) -#define CK_EFFECTIVELY_INFINITE 0 - - -typedef CK_BYTE CK_PTR CK_BYTE_PTR; -typedef CK_CHAR CK_PTR CK_CHAR_PTR; -typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; -typedef CK_ULONG CK_PTR CK_ULONG_PTR; -typedef void CK_PTR CK_VOID_PTR; - -/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ -typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; - - -/* The following value is always invalid if used as a session */ -/* handle or object handle */ -#define CK_INVALID_HANDLE 0 - - -typedef struct CK_VERSION { - CK_BYTE major; /* integer portion of version number */ - CK_BYTE minor; /* 1/100ths portion of version number */ -} CK_VERSION; - -typedef CK_VERSION CK_PTR CK_VERSION_PTR; - - -typedef struct CK_INFO { - CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ - CK_CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; /* must be zero */ - - /* libraryDescription and libraryVersion are new for v2.0 */ - CK_CHAR libraryDescription[32]; /* blank padded */ - CK_VERSION libraryVersion; /* version of library */ -} CK_INFO; - -typedef CK_INFO CK_PTR CK_INFO_PTR; - - -/* CK_NOTIFICATION enumerates the types of 
notifications that - * Cryptoki provides to an application */ -/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG - * for v2.0 */ -typedef CK_ULONG CK_NOTIFICATION; -#define CKN_SURRENDER 0 - - -typedef CK_ULONG CK_SLOT_ID; - -typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; - - -/* CK_SLOT_INFO provides information about a slot */ -typedef struct CK_SLOT_INFO { - CK_CHAR slotDescription[64]; /* blank padded */ - CK_CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; - - /* hardwareVersion and firmwareVersion are new for v2.0 */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ -} CK_SLOT_INFO; - -/* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ -#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */ -#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/ -#define CKF_HW_SLOT 0x00000004 /* hardware slot */ - -typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; - - -/* CK_TOKEN_INFO provides information about a token */ -typedef struct CK_TOKEN_INFO { - CK_CHAR label[32]; /* blank padded */ - CK_CHAR manufacturerID[32]; /* blank padded */ - CK_CHAR model[16]; /* blank padded */ - CK_CHAR serialNumber[16]; /* blank padded */ - CK_FLAGS flags; /* see below */ - - /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, - * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been - * changed from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG ulMaxSessionCount; /* max open sessions */ - CK_ULONG ulSessionCount; /* sess. now open */ - CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ - CK_ULONG ulRwSessionCount; /* R/W sess. 
now open */ - CK_ULONG ulMaxPinLen; /* in bytes */ - CK_ULONG ulMinPinLen; /* in bytes */ - CK_ULONG ulTotalPublicMemory; /* in bytes */ - CK_ULONG ulFreePublicMemory; /* in bytes */ - CK_ULONG ulTotalPrivateMemory; /* in bytes */ - CK_ULONG ulFreePrivateMemory; /* in bytes */ - - /* hardwareVersion, firmwareVersion, and time are new for - * v2.0 */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ - CK_CHAR utcTime[16]; /* time */ -} CK_TOKEN_INFO; - -/* The flags parameter is defined as follows: - * Bit Flag Mask Meaning - */ -#define CKF_RNG 0x00000001 /* has random # - * generator */ -#define CKF_WRITE_PROTECTED 0x00000002 /* token is - * write- - * protected */ -#define CKF_LOGIN_REQUIRED 0x00000004 /* user must - * login */ -#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's - * PIN is set */ - -/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, - * that means that *every* time the state of cryptographic - * operations of a session is successfully saved, all keys - * needed to continue those operations are stored in the state */ -#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 - -/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means - * that the token has some sort of clock. The time on that - * clock is returned in the token info structure */ -#define CKF_CLOCK_ON_TOKEN 0x00000040 - -/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is - * set, that means that there is some way for the user to login - * without sending a PIN through the Cryptoki library itself */ -#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 - -/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. 
If it is true, - * that means that a single session with the token can perform - * dual simultaneous cryptographic operations (digest and - * encrypt; decrypt and digest; sign and encrypt; and decrypt - * and sign) */ -#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 - -/* CKF_TOKEN_INITIALIZED is new for v2.11. If it is true, the - * token has been initialized using C_InitializeToken or an - * equivalent mechanism outside the scope of this standard. - * Calling C_InitializeToken when this flag is set will cause - * the token to be reinitialized. */ -#define CKF_TOKEN_INITIALIZED 0x00000400 - -/* CKF_SECONDARY_AUTHENTICATION is new for v2.11. If it is - * true, the token supports secondary authentication for private - * key objects. According to the 2.11 spec pg. 45, this flag - * is deprecated and this flags should never be true. */ -#define CKF_SECONDARY_AUTHENTICATION 0x00000800 - -/* CKF_USER_PIN_COUNT_LOW is new in v2.11. This flag is true - * is an incorrect user PIN has been entered at least once - * since the last successful authentication. */ -#define CKF_USER_PIN_COUNT_LOW 0x00010000 - -/* CKF_USER_PIN_FINAL_TRY is new in v2.11. This flag is true if - * supplying an incorrect user PIN will cause it to become - * locked. */ -#define CKF_USER_PIN_FINAL_TRY 0x00020000 - -/* CKF_USER_PIN_LOCKED is new in v2.11. This is true if the - * user PIN has been locked. User login to the token is not - * possible. */ -#define CKF_USER_PIN_LOCKED 0x00040000 - -/* CKF_USER_PIN_TO_BE_CHANGED is new in v2.11. This flag is - * true if the user PIN value is the default value set by - * token initialization of manufacturing, or the PIN has - * been expired by the card. */ -#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 - -/* CKF_SO_PIN_COUNT_LOW is new in v2.11. This flag is true if - * and incorrect SO login PIN has been entered at least once - * since the last successful authentication. */ -#define CKF_SO_PIN_COUNT_LOW 0x00100000 - -/* CKF_SO_PIN_FINAL_TRY is new in v2.11. 
This flag is true if - * supplying an incorrect SO PIN will cause it to become - * locked. */ -#define CKF_SO_PIN_FINAL_TRY 0x00200000 - -/* CKF_SO_PIN_LOCKED is new in v2.11. This flag is true if - * the SO PIN has been locked. User login to the token is not - * possible. */ -#define CKF_SO_PIN_LOCKED 0x00400000 - -/* CKF_SO_PIN_TO_BE_CHANGED is new in v2.11. This flag is true - * if the SO PIN calue is the default value set by token init- - * ialization of manufacturing, or the PIN has been expired by - * the card. */ -#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 - -#if 0 -/* IBM extended Token Info Flags - defined by Michael Hamann */ -/* These Flags are not part of PKCS#11 Version 2.01 */ - -/* This will be used to track the state of login retries */ -#define CKF_USER_PIN_COUNT_LOW 0x00010000 -#define CKF_USER_PIN_FINAL_TRY 0x00020000 -#define CKF_USER_PIN_LOCKED 0x00040000 -#define CKF_USER_PIN_MANUFACT_VALUE 0x00080000 - -#define CKF_SO_PIN_COUNT_LOW 0x00100000 -#define CKF_SO_PIN_FINAL_TRY 0x00200000 -#define CKF_SO_PIN_LOCKED 0x00400000 -#define CKF_SO_PIN_MANUFACT_VALUE 0x00800000 -#endif - -/* other IBM extended Token info Flags 05/29/99 */ -#define CKF_SO_PIN_DERIVED 0x01000000 // Sec Officer pin on card is derived from card id -#define CKF_SO_CARD 0x02000000 // Security Officer Card -/* End of IBM extented Token Info Flags */ - - -typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; - -/* CK_SESSION_HANDLE is a Cryptoki-assigned value that - * identifies a session */ -typedef CK_ULONG CK_SESSION_HANDLE; - -typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; - - -/* CK_USER_TYPE enumerates the types of Cryptoki users */ -/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_USER_TYPE; -/* Security Officer */ -#define CKU_SO 0 -/* Normal user */ -#define CKU_USER 1 - - -/* CK_STATE enumerates the session states */ -/* CK_STATE has been changed from an enum to a CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_STATE; 
-#define CKS_RO_PUBLIC_SESSION 0 -#define CKS_RO_USER_FUNCTIONS 1 -#define CKS_RW_PUBLIC_SESSION 2 -#define CKS_RW_USER_FUNCTIONS 3 -#define CKS_RW_SO_FUNCTIONS 4 - - -/* CK_SESSION_INFO provides information about a session */ -typedef struct CK_SESSION_INFO { - CK_SLOT_ID slotID; - CK_STATE state; - CK_FLAGS flags; /* see below */ - - /* ulDeviceError was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG ulDeviceError; /* device-dependent error code */ -} CK_SESSION_INFO; - -/* The flags are defined in the following table: - * Bit Flag Mask Meaning - */ -#define CKF_RW_SESSION 0x00000002 /* session is r/w */ -#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */ - -typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; - - -/* CK_OBJECT_HANDLE is a token-specific identifier for an - * object */ -typedef CK_ULONG CK_OBJECT_HANDLE; - -typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; - - -/* CK_OBJECT_CLASS is a value that identifies the classes (or - * types) of objects that Cryptoki recognizes. It is defined - * as follows: */ -/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_OBJECT_CLASS; - -/* The following classes of objects are defined: */ -#define CKO_DATA 0x00000000 -#define CKO_CERTIFICATE 0x00000001 -#define CKO_PUBLIC_KEY 0x00000002 -#define CKO_PRIVATE_KEY 0x00000003 -#define CKO_SECRET_KEY 0x00000004 -/* CKO_HW_FEATURE and CKO_DOMAIN_PARAMETERS are new for v2.11 */ -#define CKO_HW_FEATURE 0x00000005 -#define CKO_DOMAIN_PARAMETERS 0x00000006 -#define CKO_VENDOR_DEFINED 0x80000000 - -typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; - -/* CK_HW_FEATURE_TYPE is a value that identifies a hardware - * feature type of a device. This is new for v2.11. 
- */ -typedef CK_ULONG CK_HW_FEATURE_TYPE; - -/* The following hardware feature types are defined: */ -#define CKH_MONOTONIC_COUNTER 0x00000001 -#define CKH_CLOCK 0x00000002 -#define CKH_VENDOR_DEFINED 0x80000000 - - -/* CK_KEY_TYPE is a value that identifies a key type */ -/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */ -typedef CK_ULONG CK_KEY_TYPE; - -/* the following key types are defined: */ -#define CKK_RSA 0x00000000 -#define CKK_DSA 0x00000001 -#define CKK_DH 0x00000002 - -/* CKK_ECDSA and CKK_KEA are new for v2.0 */ -/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred */ -#define CKK_ECDSA 0x00000003 -#define CKK_EC 0x00000003 -#define CKK_X9_42_DH 0x00000004 -#define CKK_KEA 0x00000005 - -#define CKK_GENERIC_SECRET 0x00000010 -#define CKK_RC2 0x00000011 -#define CKK_RC4 0x00000012 -#define CKK_DES 0x00000013 -#define CKK_DES2 0x00000014 -#define CKK_DES3 0x00000015 - -/* all these key types are new for v2.0 */ -#define CKK_CAST 0x00000016 -#define CKK_CAST3 0x00000017 -/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred */ -#define CKK_CAST5 0x00000018 -#define CKK_CAST128 0x00000018 /* CAST128=CAST5 */ -#define CKK_RC5 0x00000019 -#define CKK_IDEA 0x0000001A -#define CKK_SKIPJACK 0x0000001B -#define CKK_BATON 0x0000001C -#define CKK_JUNIPER 0x0000001D -#define CKK_CDMF 0x0000001E -/* CKK_AES is new for v2.11 */ -#define CKK_AES 0x0000001F - -#define CKK_VENDOR_DEFINED 0x80000000 - - -/* CK_CERTIFICATE_TYPE is a value that identifies a certificate - * type */ -/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG - * for v2.0 */ -typedef CK_ULONG CK_CERTIFICATE_TYPE; - -/* The following certificate types are defined: */ -#define CKC_X_509 0x00000000 -/* CKC_X_509_ATTR_CERT is new for v2.11 */ -#define CKC_X_509_ATTR_CERT 0x00000001 -#define CKC_VENDOR_DEFINED 0x80000000 - - -/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute - * type */ -/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for - * 
v2.0 */ -typedef CK_ULONG CK_ATTRIBUTE_TYPE; - -/* The following attribute types are defined: */ -#define CKA_CLASS 0x00000000 -#define CKA_TOKEN 0x00000001 -#define CKA_PRIVATE 0x00000002 -#define CKA_LABEL 0x00000003 -#define CKA_APPLICATION 0x00000010 -#define CKA_VALUE 0x00000011 -/* CKA_OBJECT_ID is new for v2.11 */ -#define CKA_OBJECT_ID 0x00000012 -#define CKA_CERTIFICATE_TYPE 0x00000080 -#define CKA_ISSUER 0x00000081 -#define CKA_SERIAL_NUMBER 0x00000082 -/* CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES and CKA_TRUSTED - * are new for v2.11 */ -#define CKA_AC_ISSUER 0x00000083 -#define CKA_OWNER 0x00000084 -#define CKA_ATTR_TYPES 0x00000085 -#define CKA_TRUSTED 0x00000086 - -#define CKA_KEY_TYPE 0x00000100 -#define CKA_SUBJECT 0x00000101 -#define CKA_ID 0x00000102 -#define CKA_SENSITIVE 0x00000103 -#define CKA_ENCRYPT 0x00000104 -#define CKA_DECRYPT 0x00000105 -#define CKA_WRAP 0x00000106 -#define CKA_UNWRAP 0x00000107 -#define CKA_SIGN 0x00000108 -#define CKA_SIGN_RECOVER 0x00000109 -#define CKA_VERIFY 0x0000010A -#define CKA_VERIFY_RECOVER 0x0000010B -#define CKA_DERIVE 0x0000010C -#define CKA_START_DATE 0x00000110 -#define CKA_END_DATE 0x00000111 -#define CKA_MODULUS 0x00000120 -#define CKA_MODULUS_BITS 0x00000121 -#define CKA_PUBLIC_EXPONENT 0x00000122 -#define CKA_PRIVATE_EXPONENT 0x00000123 -#define CKA_PRIME_1 0x00000124 -#define CKA_PRIME_2 0x00000125 -#define CKA_EXPONENT_1 0x00000126 -#define CKA_EXPONENT_2 0x00000127 -#define CKA_COEFFICIENT 0x00000128 -#define CKA_PRIME 0x00000130 -#define CKA_SUBPRIME 0x00000131 -#define CKA_BASE 0x00000132 -/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ -#define CKA_PRIME_BITS 0x00000133 -#define CKA_SUBPRIME_BITS 0x00000134 - -#define CKA_VALUE_BITS 0x00000160 -#define CKA_VALUE_LEN 0x00000161 - -/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, - * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, - * and CKA_EC_POINT are new for v2.0 */ -#define CKA_EXTRACTABLE 0x00000162 -#define 
CKA_LOCAL 0x00000163 -#define CKA_NEVER_EXTRACTABLE 0x00000164 -#define CKA_ALWAYS_SENSITIVE 0x00000165 -/* CKA_KEY_GEN_MECHANISM is new for v2.11 */ -#define CKA_KEY_GEN_MECHANISM 0x00000166 -#define CKA_MODIFIABLE 0x00000170 -/* CKA_ECDSA_PARAMS is deprecated in v2.11, CKA_EC_PARAMS is preferred */ -#define CKA_ECDSA_PARAMS 0x00000180 -#define CKA_EC_PARAMS 0x00000180 -#define CKA_EC_POINT 0x00000181 -/* The following are new for v2.11 */ -#define CKA_SECONDARY_AUTH 0x00000200 -#define CKA_AUTH_PIN_FLAGS 0x00000201 -#define CKA_HW_FEATURE_TYPE 0x00000300 -#define CKA_RESET_ON_INIT 0x00000301 -#define CKA_HAS_RESET 0x00000302 - -#define CKA_VENDOR_DEFINED 0x80000000 - -/* For use in storing objects that have an encrypted or otherwise - * opaque attribute. Support has been added to use this attribute - * in key objects only. */ -#define CKA_IBM_OPAQUE CKA_VENDOR_DEFINED + 1 - - -/* CK_ATTRIBUTE is a structure that includes the type, length - * and value of an attribute */ -typedef struct CK_ATTRIBUTE { - CK_ATTRIBUTE_TYPE type; - CK_VOID_PTR pValue; - - /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG ulValueLen; /* in bytes */ -} CK_ATTRIBUTE; - -typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; - - -/* CK_DATE is a structure that defines a date */ -typedef struct CK_DATE{ - CK_CHAR year[4]; /* the year ("1900" - "9999") */ - CK_CHAR month[2]; /* the month ("01" - "12") */ - CK_CHAR day[2]; /* the day ("01" - "31") */ -} CK_DATE; - - -/* CK_MECHANISM_TYPE is a value that identifies a mechanism - * type */ -/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for - * v2.0 */ -typedef CK_ULONG CK_MECHANISM_TYPE; - -/* the following mechanism types are defined: */ -#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 -#define CKM_RSA_PKCS 0x00000001 -#define CKM_RSA_9796 0x00000002 -#define CKM_RSA_X_509 0x00000003 - -/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS - * are new for v2.0. 
They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS 0x00000004
-#define CKM_MD5_RSA_PKCS 0x00000005
-#define CKM_SHA1_RSA_PKCS 0x00000006
-/* The following are new for v2.11: */
-#define CKM_RIPEMD128_RSA_PKCS 0x00000007
-#define CKM_RIPEMD160_RSA_PKCS 0x00000008
-#define CKM_RSA_PKCS_OAEP 0x00000009
-#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
-#define CKM_RSA_X9_31 0x0000000B
-#define CKM_SHA1_RSA_X9_31 0x0000000C
-#define CKM_RSA_PKCS_PSS 0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
-
-#define CKM_DSA_KEY_PAIR_GEN 0x00000010
-#define CKM_DSA 0x00000011
-#define CKM_DSA_SHA1 0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
-#define CKM_DH_PKCS_DERIVE 0x00000021
-/* The following are new for v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
-#define CKM_X9_42_DH_DERIVE 0x00000031
-#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
-#define CKM_X9_42_MQV_DERIVE 0x00000033
-
-#define CKM_SHA256_RSA_PKCS 0x00000043
-
-#define CKM_RC2_KEY_GEN 0x00000100
-#define CKM_RC2_ECB 0x00000101
-#define CKM_RC2_CBC 0x00000102
-#define CKM_RC2_MAC 0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL 0x00000104
-#define CKM_RC2_CBC_PAD 0x00000105
-
-#define CKM_RC4_KEY_GEN 0x00000110
-#define CKM_RC4 0x00000111
-#define CKM_DES_KEY_GEN 0x00000120
-#define CKM_DES_ECB 0x00000121
-#define CKM_DES_CBC 0x00000122
-#define CKM_DES_MAC 0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL 0x00000124
-#define CKM_DES_CBC_PAD 0x00000125
-
-#define CKM_DES2_KEY_GEN 0x00000130
-#define CKM_DES3_KEY_GEN 0x00000131
-#define CKM_DES3_ECB 0x00000132
-#define CKM_DES3_CBC 0x00000133
-#define CKM_DES3_MAC 0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL 0x00000135
-#define CKM_DES3_CBC_PAD 0x00000136
-#define CKM_CDMF_KEY_GEN 0x00000140
-#define CKM_CDMF_ECB 0x00000141
-#define CKM_CDMF_CBC 0x00000142
-#define CKM_CDMF_MAC 0x00000143
-#define CKM_CDMF_MAC_GENERAL 0x00000144
-#define CKM_CDMF_CBC_PAD 0x00000145
-
-#define CKM_MD2 0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC 0x00000201
-#define CKM_MD2_HMAC_GENERAL 0x00000202
-
-#define CKM_MD5 0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC 0x00000211
-#define CKM_MD5_HMAC_GENERAL 0x00000212
-
-#define CKM_SHA_1 0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL 0x00000222
-
-/* The following are new for v2.11 */
-#define CKM_RIPEMD128 0x00000230
-#define CKM_RIPEMD128_HMAC 0x00000231
-#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
-#define CKM_RIPEMD160 0x00000240
-#define CKM_RIPEMD160_HMAC 0x00000241
-#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
-
-#define CKM_SHA256 0x00000250
-#define CKM_SHA256_HMAC 0x00000251
-#define CKM_SHA256_HMAC_GENERAL 0x00000252
-#define CKM_SHA384 0x00000260
-#define CKM_SHA384_HMAC 0x00000261
-#define CKM_SHA384_HMAC_GENERAL 0x00000262
-#define CKM_SHA512 0x00000270
-#define CKM_SHA512_HMAC 0x00000271
-#define CKM_SHA512_HMAC_GENERAL 0x00000272
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN 0x00000300
-#define CKM_CAST_ECB 0x00000301
-#define CKM_CAST_CBC 0x00000302
-#define CKM_CAST_MAC 0x00000303
-#define CKM_CAST_MAC_GENERAL 0x00000304
-#define CKM_CAST_CBC_PAD 0x00000305
-#define CKM_CAST3_KEY_GEN 0x00000310
-#define CKM_CAST3_ECB 0x00000311
-#define CKM_CAST3_CBC 0x00000312
-#define CKM_CAST3_MAC 0x00000313
-#define CKM_CAST3_MAC_GENERAL 0x00000314
-#define CKM_CAST3_CBC_PAD 0x00000315
-#define CKM_CAST5_KEY_GEN 0x00000320
-#define CKM_CAST128_KEY_GEN 0x00000320
-#define CKM_CAST5_ECB 0x00000321
-#define CKM_CAST128_ECB 0x00000321
-#define CKM_CAST5_CBC 0x00000322
-#define CKM_CAST128_CBC 0x00000322
-#define CKM_CAST5_MAC 0x00000323
-#define CKM_CAST128_MAC 0x00000323
-#define CKM_CAST5_MAC_GENERAL 0x00000324
-#define CKM_CAST128_MAC_GENERAL 0x00000324
-#define CKM_CAST5_CBC_PAD 0x00000325
-#define CKM_CAST128_CBC_PAD 0x00000325
-#define CKM_RC5_KEY_GEN 0x00000330
-#define CKM_RC5_ECB 0x00000331
-#define CKM_RC5_CBC 0x00000332
-#define CKM_RC5_MAC 0x00000333
-#define CKM_RC5_MAC_GENERAL 0x00000334
-#define CKM_RC5_CBC_PAD 0x00000335
-#define CKM_IDEA_KEY_GEN 0x00000340
-#define CKM_IDEA_ECB 0x00000341
-#define CKM_IDEA_CBC 0x00000342
-#define CKM_IDEA_MAC 0x00000343
-#define CKM_IDEA_MAC_GENERAL 0x00000344
-#define CKM_IDEA_CBC_PAD 0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
-#define CKM_XOR_BASE_AND_DATA 0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
-/* The following are new for v2.11 */
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
-#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
-#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
-#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
-#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
-
-#define CKM_SSL3_MD5_MAC 0x00000380
-#define CKM_SSL3_SHA1_MAC 0x00000381
-#define CKM_MD5_KEY_DERIVATION 0x00000390
-#define CKM_MD2_KEY_DERIVATION 0x00000391
-#define CKM_SHA1_KEY_DERIVATION 0x00000392
-#define CKM_SHA256_KEY_DERIVATION 0x00000393
-#define CKM_PBE_MD2_DES_CBC 0x000003A0
-#define CKM_PBE_MD5_DES_CBC 0x000003A1
-#define CKM_PBE_MD5_CAST_CBC 0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
-#define CKM_PBE_SHA1_RC4_128 0x000003A6
-#define CKM_PBE_SHA1_RC4_40 0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
-/* CKM_PKCS5_PBKD2 is new for v2.11 */
-#define CKM_PKCS5_PBKD2 0x000003B0
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
-#define CKM_KEY_WRAP_LYNKS 0x00000400
-#define CKM_KEY_WRAP_SET_OAEP 0x00000401
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN 0x00001000
-#define CKM_SKIPJACK_ECB64 0x00001001
-#define CKM_SKIPJACK_CBC64 0x00001002
-#define CKM_SKIPJACK_OFB64 0x00001003
-#define CKM_SKIPJACK_CFB64 0x00001004
-#define CKM_SKIPJACK_CFB32 0x00001005
-#define CKM_SKIPJACK_CFB16 0x00001006
-#define CKM_SKIPJACK_CFB8 0x00001007
-#define CKM_SKIPJACK_WRAP 0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
-#define CKM_SKIPJACK_RELAYX 0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN 0x00001010
-#define CKM_KEA_KEY_DERIVE 0x00001011
-#define CKM_FORTEZZA_TIMESTAMP 0x00001020
-#define CKM_BATON_KEY_GEN 0x00001030
-#define CKM_BATON_ECB128 0x00001031
-#define CKM_BATON_ECB96 0x00001032
-#define CKM_BATON_CBC128 0x00001033
-#define CKM_BATON_COUNTER 0x00001034
-#define CKM_BATON_SHUFFLE 0x00001035
-#define CKM_BATON_WRAP 0x00001036
-
-/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
- * CKM_EC_KEY_PAIR_GEN is preferred. */
-#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
-#define CKM_EC_KEY_PAIR_GEN 0x00001040
-#define CKM_ECDSA 0x00001041
-#define CKM_ECDSA_SHA1 0x00001042
-/* The following are new for v2.11 */
-#define CKM_ECDH1_DERIVE 0x00001050
-#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
-#define CKM_ECMQV_DERIVE 0x00001052
-
-#define CKM_JUNIPER_KEY_GEN 0x00001060
-#define CKM_JUNIPER_ECB128 0x00001061
-#define CKM_JUNIPER_CBC128 0x00001062
-#define CKM_JUNIPER_COUNTER 0x00001063
-#define CKM_JUNIPER_SHUFFLE 0x00001064
-#define CKM_JUNIPER_WRAP 0x00001065
-#define CKM_FASTHASH 0x00001070
-/* The following are new for v2.11 */
-#define CKM_AES_KEY_GEN 0x00001080
-#define CKM_AES_ECB 0x00001081
-#define CKM_AES_CBC 0x00001082
-#define CKM_AES_MAC 0x00001083
-#define CKM_AES_MAC_GENERAL 0x00001084
-#define CKM_AES_CBC_PAD 0x00001085
-#define CKM_DSA_PARAMETER_GEN 0x00002000
-#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
-#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
-
-#define CKM_VENDOR_DEFINED 0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism */
-typedef struct CK_MECHANISM {
- CK_MECHANISM_TYPE mechanism;
- CK_VOID_PTR pParameter;
-
- /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulParameterLen; /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
- CK_ULONG ulMinKeySize;
- CK_ULONG ulMaxKeySize;
- CK_FLAGS flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- * Bit Flag Mask Meaning */
-#define CKF_HW 0x00000001 /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0. They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT 0x00000100
-#define CKF_DECRYPT 0x00000200
-#define CKF_DIGEST 0x00000400
-#define CKF_SIGN 0x00000800
-#define CKF_SIGN_RECOVER 0x00001000
-#define CKF_VERIFY 0x00002000
-#define CKF_VERIFY_RECOVER 0x00004000
-#define CKF_GENERATE 0x00008000
-#define CKF_GENERATE_KEY_PAIR 0x00010000
-#define CKF_WRAP 0x00020000
-#define CKF_UNWRAP 0x00040000
-#define CKF_DERIVE 0x00080000
-/* The following are new for v2.11 */
-#define CKF_EC_F_P 0x00100000
-#define CKF_EC_F_2M 0x00200000
-#define CKF_EC_ECPARAMETERS 0x00400000
-#define CKF_EC_NAMEDCURVE 0x00800000
-#define CKF_EC_UNCOMPRESS 0x01000000
-#define CKF_EC_COMPRESS 0x02000000
-
-#define CKF_EXTENSION 0x80000000 /* FALSE for 2.01 */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG CK_RV;
-
-#define CKR_OK 0x00000000
-#define CKR_CANCEL 0x00000001
-#define CKR_HOST_MEMORY 0x00000002
-#define CKR_SLOT_ID_INVALID 0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR 0x00000005
-#define CKR_FUNCTION_FAILED 0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD 0x00000007
-#define CKR_NO_EVENT 0x00000008
-#define CKR_NEED_TO_CREATE_THREADS 0x00000009
-#define CKR_CANT_LOCK 0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
-#define CKR_DATA_INVALID 0x00000020
-#define CKR_DATA_LEN_RANGE 0x00000021
-#define CKR_DEVICE_ERROR 0x00000030
-#define CKR_DEVICE_MEMORY 0x00000031
-#define CKR_DEVICE_REMOVED 0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
-#define CKR_FUNCTION_CANCELED 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
-
-#define CKR_KEY_HANDLE_INVALID 0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE 0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED 0x00000064
-#define CKR_KEY_CHANGED 0x00000065
-#define CKR_KEY_NEEDED 0x00000066
-#define CKR_KEY_INDIGESTIBLE 0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
-#define CKR_KEY_NOT_WRAPPABLE 0x00000069
-#define CKR_KEY_UNEXTRACTABLE 0x0000006A
-
-#define CKR_MECHANISM_INVALID 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID 0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID 0x00000082
-#define CKR_OPERATION_ACTIVE 0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
-#define CKR_PIN_INCORRECT 0x000000A0
-#define CKR_PIN_INVALID 0x000000A1
-#define CKR_PIN_LEN_RANGE 0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED 0x000000A3
-#define CKR_PIN_LOCKED 0x000000A4
-
-#define CKR_SESSION_CLOSED 0x000000B0
-#define CKR_SESSION_COUNT 0x000000B1
-#define CKR_SESSION_HANDLE_INVALID 0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
-#define CKR_SESSION_READ_ONLY 0x000000B5
-#define CKR_SESSION_EXISTS 0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
-
-#define CKR_SIGNATURE_INVALID 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
-#define CKR_TOKEN_NOT_PRESENT 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
-#define CKR_USER_NOT_LOGGED_IN 0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
-#define CKR_USER_TYPE_INVALID 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
-#define CKR_USER_TOO_MANY_TYPES 0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID 0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG 0x00000121
-/* CKR_DOMAIN_PARAMS_INVALID is new for v2.11 */
-#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
-#define CKR_BUFFER_TOO_SMALL 0x00000150
-#define CKR_SAVED_STATE_INVALID 0x00000160
-#define CKR_INFORMATION_SENSITIVE 0x00000170
-#define CKR_STATE_UNSAVEABLE 0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
-#define CKR_MUTEX_BAD 0x000001A0
-#define CKR_MUTEX_NOT_LOCKED 0x000001A1
-
-#define CKR_VENDOR_DEFINED 0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
- CK_SESSION_HANDLE hSession, /* the session's handle */
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication /* passed to C_OpenSession */
-);
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
- CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
- CK_VOID_PTR pMutex /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-// SAB the mutex ones had pf infront previously..
-// The spec says otherwise.
-typedef struct CK_C_INITIALIZE_ARGS {
- CK_CREATEMUTEX CreateMutex;
- CK_DESTROYMUTEX DestroyMutex;
- CK_LOCKMUTEX LockMutex;
- CK_UNLOCKMUTEX UnlockMutex;
- CK_FLAGS flags;
- CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- * Bit Flag Mask Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK 0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK 1
-
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
- CK_BBOOL isSender;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pRandomB;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
- /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
-
- CK_BYTE iv[8]; /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
- CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_BYTE_PTR pIv; /* pointer to IV */
- CK_ULONG ulIvLen; /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
- CK_ULONG ulWordsize; /* wordsize in bits */
- CK_ULONG ulRounds; /* number of rounds */
- CK_ULONG ulMacLength; /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
- CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms. Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
- CK_ULONG ulPasswordLen;
- CK_BYTE_PTR pPassword;
- CK_ULONG ulPublicDataLen;
- CK_BYTE_PTR pPublicData;
- CK_ULONG ulPAndGLen;
- CK_ULONG ulQLen;
- CK_ULONG ulRandomLen;
- CK_BYTE_PTR pRandomA;
- CK_BYTE_PTR pPrimeP;
- CK_BYTE_PTR pBaseG;
- CK_BYTE_PTR pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
- CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
- CK_ULONG ulOldWrappedXLen;
- CK_BYTE_PTR pOldWrappedX;
- CK_ULONG ulOldPasswordLen;
- CK_BYTE_PTR pOldPassword;
- CK_ULONG ulOldPublicDataLen;
- CK_BYTE_PTR pOldPublicData;
- CK_ULONG ulOldRandomLen;
- CK_BYTE_PTR pOldRandomA;
- CK_ULONG ulNewPasswordLen;
- CK_BYTE_PTR pNewPassword;
- CK_ULONG ulNewPublicDataLen;
- CK_BYTE_PTR pNewPublicData;
- CK_ULONG ulNewRandomLen;
- CK_BYTE_PTR pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
- CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
- CK_CHAR_PTR pInitVector;
- CK_CHAR_PTR pPassword;
- CK_ULONG ulPasswordLen;
- CK_CHAR_PTR pSalt;
- CK_ULONG ulSaltLen;
- CK_ULONG ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
- CK_BYTE bBC; /* block contents byte */
- CK_BYTE_PTR pX; /* extra data */
- CK_ULONG ulXLen; /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
- CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
- CK_BYTE_PTR pClientRandom;
- CK_ULONG ulClientRandomLen;
- CK_BYTE_PTR pServerRandom;
- CK_ULONG ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
- CK_OBJECT_HANDLE hClientMacSecret;
- CK_OBJECT_HANDLE hServerMacSecret;
- CK_OBJECT_HANDLE hClientKey;
- CK_OBJECT_HANDLE hServerKey;
- CK_BYTE_PTR pIVClient;
- CK_BYTE_PTR pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
- CK_ULONG ulMacSizeInBits;
- CK_ULONG ulKeySizeInBits;
- CK_ULONG ulIVSizeInBits;
- CK_BBOOL bIsExport;
- CK_SSL3_RANDOM_DATA RandomInfo;
- CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
- CK_BYTE_PTR pData;
- CK_ULONG ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
- CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-typedef CK_RV (CK_PTR CK_C_Initialize)
- (CK_VOID_PTR pReserved);
-typedef CK_RV (CK_PTR CK_C_Finalize)
- (CK_VOID_PTR pReserved);
-typedef CK_RV (CK_PTR CK_C_Terminate)
- (void);
-typedef CK_RV (CK_PTR CK_C_GetInfo)
- (CK_INFO_PTR pInfo);
-typedef CK_RV (CK_PTR CK_C_GetFunctionList)
- (CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
-typedef CK_RV (CK_PTR CK_C_GetSlotList)
- (CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
- CK_ULONG_PTR pusCount);
-typedef CK_RV (CK_PTR CK_C_GetSlotInfo)
- (CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo);
-typedef CK_RV (CK_PTR CK_C_GetTokenInfo)
- (CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
-typedef CK_RV (CK_PTR CK_C_GetMechanismList)
- (CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList,
- CK_ULONG_PTR pusCount);
-typedef CK_RV (CK_PTR CK_C_GetMechanismInfo)
- (CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
- CK_MECHANISM_INFO_PTR pInfo);
-typedef CK_RV (CK_PTR CK_C_InitToken)
- (CK_SLOT_ID slotID, CK_CHAR_PTR pPin, CK_ULONG usPinLen,
- CK_CHAR_PTR pLabel);
-typedef CK_RV (CK_PTR CK_C_InitPIN)
- (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin,
- CK_ULONG usPinLen);
-typedef CK_RV (CK_PTR CK_C_SetPIN)
- (CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
- CK_ULONG usOldLen, CK_CHAR_PTR pNewPin,
- CK_ULONG usNewLen);
-typedef CK_RV (CK_PTR CK_C_OpenSession)
- (CK_SLOT_ID slotID, CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event, CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession);
-typedef CK_RV (CK_PTR CK_C_CloseSession)
- (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR CK_C_CloseAllSessions)
- (CK_SLOT_ID slotID);
-typedef CK_RV (CK_PTR CK_C_GetSessionInfo)
- (CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo);
-typedef CK_RV (CK_PTR CK_C_GetOperationState)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
- CK_ULONG_PTR pulOperationStateLen);
-typedef CK_RV (CK_PTR CK_C_SetOperationState)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
- CK_ULONG ulOperationStateLen,
- CK_OBJECT_HANDLE hEncryptionKey,
- CK_OBJECT_HANDLE hAuthenticationKey);
-typedef CK_RV (CK_PTR CK_C_Login)(CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType, CK_CHAR_PTR pPin,
- CK_ULONG usPinLen);
-typedef CK_RV (CK_PTR CK_C_Logout)(CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR CK_C_CreateObject)
- (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
-typedef CK_RV (CK_PTR CK_C_CopyObject)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phNewObject);
-typedef CK_RV (CK_PTR CK_C_DestroyObject)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
-typedef CK_RV(CK_PTR CK_C_GetObjectSize)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ULONG_PTR pusSize);
-typedef CK_RV(CK_PTR CK_C_GetAttributeValue)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-typedef CK_RV(CK_PTR CK_C_SetAttributeValue)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-typedef CK_RV (CK_PTR CK_C_FindObjectsInit)
- (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount);
-typedef CK_RV (CK_PTR CK_C_FindObjects)
- (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject, CK_ULONG usMaxObjectCount,
- CK_ULONG_PTR pusObjectCount);
-typedef CK_RV (CK_PTR CK_C_FindObjectsFinal)
- (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR CK_C_EncryptInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_Encrypt)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
- CK_ULONG_PTR pusEncryptedDataLen);
-typedef CK_RV (CK_PTR CK_C_EncryptUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pusEncryptedPartLen);
-typedef CK_RV (CK_PTR CK_C_EncryptFinal)
- (CK_SESSION_HANDLE hSession,
- CK_BYTE_PTR pLastEncryptedPart,
- CK_ULONG_PTR pusLastEncryptedPartLen);
-typedef CK_RV (CK_PTR CK_C_DecryptInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_Decrypt)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
- CK_ULONG usEncryptedDataLen, CK_BYTE_PTR pData,
- CK_ULONG_PTR pusDataLen);
-typedef CK_RV (CK_PTR CK_C_DecryptUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG usEncryptedPartLen, CK_BYTE_PTR pPart,
- CK_ULONG_PTR pusPartLen);
-typedef CK_RV (CK_PTR CK_C_DecryptFinal)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
- CK_ULONG_PTR pusLastPartLen);
-typedef CK_RV (CK_PTR CK_C_DigestInit)
- (CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism);
-typedef CK_RV (CK_PTR CK_C_Digest)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pusDigestLen);
-typedef CK_RV (CK_PTR CK_C_DigestUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR CK_C_DigestKey)
- (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_DigestFinal)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
- CK_ULONG_PTR pusDigestLen);
-typedef CK_RV (CK_PTR CK_C_SignInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_Sign)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR CK_C_SignUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR CK_C_SignFinal)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR CK_C_SignRecoverInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_SignRecover)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR CK_C_VerifyInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_Verify)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
- CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
- CK_ULONG usSignatureLen);
-typedef CK_RV (CK_PTR CK_C_VerifyUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR CK_C_VerifyFinal)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG usSignatureLen);
-typedef CK_RV (CK_PTR CK_C_VerifyRecoverInit)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR CK_C_VerifyRecover)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
- CK_ULONG usSignatureLen, CK_BYTE_PTR pData,
- CK_ULONG_PTR pusDataLen);
-typedef CK_RV (CK_PTR CK_C_DigestEncryptUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen);
-typedef CK_RV (CK_PTR CK_C_DecryptDigestUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen);
-typedef CK_RV (CK_PTR CK_C_SignEncryptUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
- CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG_PTR pulEncryptedPartLen);
-typedef CK_RV (CK_PTR CK_C_DecryptVerifyUpdate)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
- CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
- CK_ULONG_PTR pulPartLen);
-typedef CK_RV (CK_PTR CK_C_GenerateKey)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR CK_C_GenerateKeyPair)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey);
-typedef CK_RV (CK_PTR CK_C_WrapKey)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
- CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pusWrappedKeyLen);
-typedef CK_RV (CK_PTR CK_C_UnwrapKey)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey,
- CK_ULONG usWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR CK_C_DeriveKey)
- (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR CK_C_SeedRandom)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
- CK_ULONG usSeedLen);
-typedef CK_RV (CK_PTR CK_C_GenerateRandom)
- (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData,
- CK_ULONG usRandomLen);
-typedef CK_RV (CK_PTR CK_C_GetFunctionStatus)
- (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR CK_C_CancelFunction)
- (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR CK_Notify)
- (CK_SESSION_HANDLE hSession, CK_NOTIFICATION event,
- CK_VOID_PTR pApplication);
-typedef CK_RV (CK_PTR CK_C_WaitForSlotEvent)
- (CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
- CK_VOID_PTR pReserved);
-
-struct CK_FUNCTION_LIST {
- CK_VERSION version;
- CK_C_Initialize C_Initialize;
- CK_C_Finalize C_Finalize;
- CK_C_GetInfo C_GetInfo;
- CK_C_GetFunctionList C_GetFunctionList;
- CK_C_GetSlotList C_GetSlotList;
- CK_C_GetSlotInfo C_GetSlotInfo;
- CK_C_GetTokenInfo C_GetTokenInfo;
- CK_C_GetMechanismList C_GetMechanismList;
- CK_C_GetMechanismInfo C_GetMechanismInfo;
- CK_C_InitToken C_InitToken;
- CK_C_InitPIN C_InitPIN;
- CK_C_SetPIN C_SetPIN;
- CK_C_OpenSession C_OpenSession;
- CK_C_CloseSession C_CloseSession;
- CK_C_CloseAllSessions C_CloseAllSessions;
- CK_C_GetSessionInfo C_GetSessionInfo;
- CK_C_GetOperationState C_GetOperationState;
- CK_C_SetOperationState C_SetOperationState;
- CK_C_Login C_Login;
- CK_C_Logout C_Logout;
- CK_C_CreateObject C_CreateObject;
- CK_C_CopyObject C_CopyObject;
- CK_C_DestroyObject C_DestroyObject;
- CK_C_GetObjectSize C_GetObjectSize;
- CK_C_GetAttributeValue C_GetAttributeValue;
- CK_C_SetAttributeValue C_SetAttributeValue;
- CK_C_FindObjectsInit C_FindObjectsInit;
- CK_C_FindObjects C_FindObjects;
- CK_C_FindObjectsFinal C_FindObjectsFinal;
- CK_C_EncryptInit C_EncryptInit;
- CK_C_Encrypt C_Encrypt;
- CK_C_EncryptUpdate C_EncryptUpdate;
- CK_C_EncryptFinal C_EncryptFinal;
- CK_C_DecryptInit C_DecryptInit;
- CK_C_Decrypt C_Decrypt;
- CK_C_DecryptUpdate C_DecryptUpdate;
- CK_C_DecryptFinal C_DecryptFinal;
- CK_C_DigestInit C_DigestInit;
- CK_C_Digest C_Digest;
- CK_C_DigestUpdate C_DigestUpdate;
- CK_C_DigestKey C_DigestKey;
- CK_C_DigestFinal C_DigestFinal;
- CK_C_SignInit C_SignInit;
- CK_C_Sign C_Sign;
- CK_C_SignUpdate C_SignUpdate;
- CK_C_SignFinal C_SignFinal;
- CK_C_SignRecoverInit C_SignRecoverInit;
- CK_C_SignRecover C_SignRecover;
- CK_C_VerifyInit C_VerifyInit;
- CK_C_Verify C_Verify;
- CK_C_VerifyUpdate C_VerifyUpdate;
- CK_C_VerifyFinal C_VerifyFinal;
- CK_C_VerifyRecoverInit C_VerifyRecoverInit;
- CK_C_VerifyRecover C_VerifyRecover;
- CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
- CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
- CK_C_SignEncryptUpdate C_SignEncryptUpdate;
- CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
- CK_C_GenerateKey C_GenerateKey;
- CK_C_GenerateKeyPair C_GenerateKeyPair;
- CK_C_WrapKey C_WrapKey;
- CK_C_UnwrapKey C_UnwrapKey;
- CK_C_DeriveKey C_DeriveKey;
- CK_C_SeedRandom C_SeedRandom;
- CK_C_GenerateRandom C_GenerateRandom;
- CK_C_GetFunctionStatus C_GetFunctionStatus;
- CK_C_CancelFunction C_CancelFunction;
- CK_C_WaitForSlotEvent C_WaitForSlotEvent;
-};
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _PKCS11TYPES_H_
diff --git a/contrib/pkcs11-keygen/openssl-0.9.8i-patch b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
deleted file mode 100644
index 0ea5beec..00000000
--- a/contrib/pkcs11-keygen/openssl-0.9.8i-patch
+++ /dev/null
@@ -1,14000 +0,0 @@ -Index: openssl/Configure -diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5 ---- openssl/Configure:1.1.2.1 Fri Sep 12 14:47:00 2008 -+++ openssl/Configure Tue Dec 16 14:12:43 2008 -@@ -10,7 +10,7 @@ - - # see INSTALL for instructions. - --my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; -+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; - - # Options: - # -@@ -19,6 +19,9 @@ - # --prefix prefix for the OpenSSL include, lib and bin directories - # (Default: the OPENSSLDIR directory) - # -+# --pk11-libname PKCS#11 library name. -+# (Default: none) -+# - # --install_prefix Additional prefix for package builders (empty by - # default). This needn't be set in advance, you can - # just as well use "make INSTALL_PREFIX=/whatever install". -@@ -322,7 +325,7 @@ - "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - #### IA-32 targets... 
- "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", - #### - "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -@@ -573,6 +576,9 @@ - my $idx_ranlib = $idx++; - my $idx_arflags = $idx++; - -+# PKCS#11 engine patch -+my $pk11_libname=""; -+ - my $prefix=""; - my $openssldir=""; - my $exe_ext=""; -@@ -755,6 +761,10 @@ - { - $flags.=$_." "; - } -+ elsif (/^--pk11-libname=(.*)$/) -+ { -+ $pk11_libname=$1; -+ } - elsif (/^--prefix=(.*)$/) - { - $prefix=$1; -@@ -878,6 +888,13 @@ - exit 0; - } - -+if (! $pk11_libname) -+ { -+ print STDERR "You must set --pk11-libname for PKCS#11 library.\n"; -+ print STDERR "See README.pkcs11 for more information.\n"; -+ exit 1; -+ } -+ - if ($target =~ m/^CygWin32(-.*)$/) { - $target = "Cygwin".$1; - } -@@ -1006,6 +1023,8 @@ - if ($flags ne "") { $cflags="$flags$cflags"; } - else { $no_user_cflags=1; } - -+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags"; -+ - # Kerberos settings. The flavor must be provided from outside, either through - # the script "config" or manually. 
- if (!$no_krb5) -@@ -1348,6 +1367,7 @@ - s/^VERSION=.*/VERSION=$version/; - s/^MAJOR=.*/MAJOR=$major/; - s/^MINOR=.*/MINOR=$minor/; -+ s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/; - s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/; - s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; - s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; -Index: openssl/Makefile.org -diff -u openssl/Makefile.org:1.1.2.1 openssl/Makefile.org:1.2 ---- openssl/Makefile.org:1.1.2.1 Thu Apr 3 23:03:39 2008 -+++ openssl/Makefile.org Fri Aug 29 16:19:02 2008 -@@ -26,6 +26,9 @@ - INSTALL_PREFIX= - INSTALLTOP=/usr/local/ssl - -+# You must set this through --pk11-libname configure option. -+PK11_LIB_LOCATION= -+ - # Do not edit this manually. Use Configure --openssldir=DIR do change this! - OPENSSLDIR=/usr/local/ssl - -Index: openssl/README.pkcs11 -diff -u /dev/null openssl/README.pkcs11:1.4 ---- /dev/null Wed Sep 2 11:37:22 2009 -+++ openssl/README.pkcs11 Mon Dec 15 12:59:11 2008 -@@ -0,0 +1,218 @@ -+PKCS#11 engine support for OpenSSL 0.9.8i -+========================================= -+ -+[December 2, 2008] -+ -+Contents: -+ -+Overview -+Revisions of patch for 0.9.8 branch -+FAQs -+Feedback -+ -+Overview -+======== -+ -+This patch containing code available in OpenSolaris adds support for PKCS#11 -+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against -+OpenSSL 0.9.8i source code distribution as shipped by OpenSSL.Org. Your system -+must provide PKCS#11 backend otherwise the patch is useless. You provide the -+PKCS#11 library name during the build configuration phase, see below. -+ -+Patch can be applied like this: -+ -+ # NOTE: use gtar if on Solaris -+ tar xfzv openssl-0.9.8i.tar.gz -+ # now download the patch to the current directory -+ # ... 
-+ cd openssl-0.9.8i -+ # NOTE: use gpatch if on Solaris -+ patch -p1 < ../pkcs11_engine-0.9.8i.patch.2008-12-02 -+ -+It is designed to support pure acceleration for RSA, DSA, DH and all the -+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share -+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA. -+ -+According to the PKCS#11 providers installed on your machine, it can support -+following mechanisms: -+ -+ RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4, -+ AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, -+ AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, -+ SHA256, SHA384, SHA512 -+ -+Note that for AES counter mode the application must provide their own EVP -+functions since OpenSSL doesn't support counter mode through EVP yet. You may -+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an -+example of code that uses the PKCS#11 engine and deals with the fork-safety -+problem (see engine.c and packet.c files if interested). -+ -++------------------------------------------------------------------------------+ -+| NOTE: this patch version does NOT contain experimental code for accessing | -+| RSA keys stored in PKCS#11 key stores by reference. Some problems were found | -+| (thanks to all who wrote me!) and due to my ENOTIME problem I may address | -+| those issues in the next version of the patch that will have that code back, | -+| hopefully fixed. | -++------------------------------------------------------------------------------+ -+ -+You must provide the location of PKCS#11 library in your system to the -+configure script. You will be instructed to do that when you try to run the -+config script: -+ -+ $ ./config -+ Operating system: i86pc-whatever-solaris2 -+ Configuring for solaris-x86-cc -+ You must set --pk11-libname for PKCS#11 library. -+ See README.pkcs11 for more information. 
-+ -+Taking openCryptoki project on Linux AMD64 box as an example, you would run -+configure script like this: -+ -+ ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so -+ -+To check whether newly built openssl really supports PKCS#11 it's enough to run -+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the -+output. If you see no PKCS#11 engine support check that the built openssl binary -+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits. -+ -+This patch was tested on Solaris against PKCS#11 engine available from Solaris -+Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using -+PKCS#11 libraries from openCryptoki project (see openCryptoki website -+http://sourceforge.net/projects/opencryptoki for more information). Some Linux -+distributions even ship those libraries with the system. The patch should work -+on any system that is supported by OpenSSL itself and has functional PKCS#11 -+library. -+ -+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are -+copyrighted by RSA Security Inc., see pkcs11.h for more information. -+ -+Other added/modified code in this patch is copyrighted by Sun Microsystems, -+Inc. and is released under the OpenSSL license (see LICENSE file for more -+information). 
-+ -+Revisions of patch for 0.9.8 branch -+=================================== -+ -+2008-12-02 -+- fixed bugs and RFEs (most of the work done by Vladimir Kotal) -+ -+ 6723504 more granular locking in PKCS#11 engine -+ 6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true -+ 6710420 PKCS#11 engine source should be lint clean -+ 6747327 PKCS#11 engine atfork handlers need to be aware of guys who take -+ it seriously -+ 6746712 PKCS#11 engine source code should be cstyle clean -+ 6731380 return codes of several functions are not checked in the PKCS#11 -+ engine code -+ 6746735 PKCS#11 engine should use extended FILE space API -+ 6734038 Apache SSL web server using the pkcs11 engine fails to start if -+ meta slot is disabled -+ -+2008-08-01 -+- fixed bug -+ -+ 6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers -+ and digests -+ -+- Solaris specific code for slot selection made automatic -+ -+2008-07-29 -+- update the patch to OpenSSL 0.9.8h version -+- pkcs11t.h updated to the latest version: -+ -+ 6545665 make CKM_AES_CTR available to non-kernel users -+ -+- fixed bugs in the engine code: -+ -+ 6602801 PK11_SESSION cache has to employ reference counting scheme for -+ asymmetric key operations -+ 6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called -+ atomically -+ 6607307 pkcs#11 engine can't read RSA private keys -+ 6652362 pk11_RSA_finish() is cutting corners -+ 6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in -+ suboptimal way -+ 6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more -+ resilient to destroy failures -+ 6667273 OpenSSL engine should not use free() but OPENSSL_free() -+ 6670363 PKCS#11 engine fails to reuse existing symmetric keys -+ 6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine -+ 6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size -+ of big numbers leading to failures -+ 6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -+ 
-1 -+ 6706622 pk11_load_{pub,priv}key create corrupted RSA key references -+ 6707129 return values from BN_new() in pk11_DH_generate_key() are not -+ checked -+ 6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to -+ structure reuse -+ 6707782 OpenSSL PKCS#11 engine pretends to be aware of -+ OPENSSL_NO_{RSA,DSA,DH} -+ defines but fails miserably -+ 6709966 make check_new_*() to return values to indicate cache hit/miss -+ 6705200 pk11_dh struct initialization in PKCS#11 engine is missing -+ generate_params parameter -+ 6709513 PKCS#11 engine sets IV length even for ECB modes -+ 6728296 buffer length not initialized for C_(En|De)crypt_Final() in the -+ PKCS#11 engine -+ 6728871 PKCS#11 engine must reset global_session in pk11_finish() -+ -+- new features and enhancements: -+ -+ 6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512 -+ 6685012 OpenSSL pkcs#11 engine needs support for new cipher modes -+ 6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric -+ ciphers and digests -+ -+2007-10-15 -+- update for 0.9.8f version -+- update for "6607670 teach pkcs#11 engine how to use keys be reference" -+ -+2007-10-02 -+- draft for "6607670 teach pkcs#11 engine how to use keys be reference" -+- draft for "6607307 pkcs#11 engine can't read RSA private keys" -+ -+2007-09-26 -+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes -+ significant performance drop -+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine -+ -+2007-05-25 -+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers -+ -+2007-05-19 -+- initial patch for 0.9.8e using latest OpenSolaris code -+ -+FAQs -+==== -+ -+(1) my build failed on Linux distro with this error: -+ -+../libcrypto.a(hw_pk11.o): In function `pk11_library_init': -+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork' -+ -+ - don't use "no-threads" when configuring -+ - if you didn't then OpenSSL failed to create a threaded library 
by -+ default. You may manually edit Configure and try again. Look for the -+ architecture that Configure printed, for example: -+ -+Configured for linux-elf. -+ -+ - then edit Configure, find string "linux-elf" (inluding the quotes), -+ and add flags to support threads to the 4th column of the 2nd string. -+ If you build with GCC then adding "-pthread" should be enough. With -+ "linux-elf" as an example, you would add " -pthread" right after -+ "-D_REENTRANT", like this: -+ -+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:..... -+ -+ -+Feedback -+======== -+ -+Please send feedback to security-discuss@opensolaris.org. The patch was -+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris. -+ -+Latest version should be always available on http://blogs.sun.com/janp. -+ -Index: openssl/crypto/opensslconf.h -diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4 ---- openssl/crypto/opensslconf.h:1.1.2.1 Mon Sep 15 15:27:21 2008 -+++ openssl/crypto/opensslconf.h Mon Dec 15 13:00:52 2008 -@@ -36,6 +36,9 @@ - #endif - - #endif /* OPENSSL_DOING_MAKEDEPEND */ -+#ifndef OPENSSL_THREADS -+# define OPENSSL_THREADS -+#endif - #ifndef OPENSSL_NO_DYNAMIC_ENGINE - # define OPENSSL_NO_DYNAMIC_ENGINE - #endif -@@ -77,6 +80,8 @@ - # endif - #endif - -+#define OPENSSL_CPUID_OBJ -+ - /* crypto/opensslconf.h.in */ - - /* Generate 80386 code? */ -@@ -123,7 +128,7 @@ - * This enables code handling data aligned at natural CPU word - * boundary. See crypto/rc4/rc4_enc.c for further details. - */ --#undef RC4_CHUNK -+#define RC4_CHUNK unsigned long - #endif - #endif - -@@ -131,7 +136,7 @@ - /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). 
*/ - #ifndef DES_LONG --#define DES_LONG unsigned long -+#define DES_LONG unsigned int - #endif - #endif - -@@ -145,9 +150,9 @@ - /* The prime number generation stuff may not work when - * EIGHT_BIT but I don't care since I've only used this mode - * for debuging the bignum libraries */ --#undef SIXTY_FOUR_BIT_LONG -+#define SIXTY_FOUR_BIT_LONG - #undef SIXTY_FOUR_BIT --#define THIRTY_TWO_BIT -+#undef THIRTY_TWO_BIT - #undef SIXTEEN_BIT - #undef EIGHT_BIT - #endif -@@ -161,7 +166,7 @@ - - #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) - #define CONFIG_HEADER_BF_LOCL_H --#undef BF_PTR -+#define BF_PTR2 - #endif /* HEADER_BF_LOCL_H */ - - #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -@@ -191,7 +196,7 @@ - /* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ - #ifndef DES_UNROLL --#undef DES_UNROLL -+#define DES_UNROLL - #endif - - /* These default values were supplied by -Index: openssl/crypto/engine/Makefile -diff -u openssl/crypto/engine/Makefile:1.1.2.1 openssl/crypto/engine/Makefile:1.3 ---- openssl/crypto/engine/Makefile:1.1.2.1 Sun Sep 14 16:43:34 2008 -+++ openssl/crypto/engine/Makefile Wed Oct 15 21:03:29 2008 -@@ -21,12 +21,14 @@ - eng_table.c eng_pkey.c eng_fat.c eng_all.c \ - tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ - tb_cipher.c tb_digest.c \ -- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c -+ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \ -+ hw_pk11.c hw_pk11_pub.c - LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ - eng_table.o eng_pkey.o eng_fat.o eng_all.o \ - tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \ - tb_cipher.o tb_digest.o \ -- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o -+ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \ -+ hw_pk11.o hw_pk11_pub.o - - SRC= $(LIBSRC) - -@@ -279,6 +281,54 @@ - eng_table.o: 
../../include/openssl/symhacks.h ../../include/openssl/x509.h - eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h - eng_table.o: eng_table.c -+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h -+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h -+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h -+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h -+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c -+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11_pub.o: 
../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h -+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h -+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h -+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h -+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c - tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h - tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h - tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -Index: openssl/crypto/engine/cryptoki.h -diff -u /dev/null 
openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Wed Sep 2 11:37:23 2009 -+++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 -@@ -0,0 +1,103 @@ -+/* -+ * CDDL HEADER START -+ * -+ * The contents of this file are subject to the terms of the -+ * Common Development and Distribution License, Version 1.0 only -+ * (the "License"). You may not use this file except in compliance -+ * with the License. -+ * -+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE -+ * or http://www.opensolaris.org/os/licensing. -+ * See the License for the specific language governing permissions -+ * and limitations under the License. -+ * -+ * When distributing Covered Code, include this CDDL HEADER in each -+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE. -+ * If applicable, add the following below this CDDL HEADER, with the -+ * fields enclosed by brackets "[]" replaced with your own identifying -+ * information: Portions Copyright [yyyy] [name of copyright owner] -+ * -+ * CDDL HEADER END -+ */ -+/* -+ * Copyright 2003 Sun Microsystems, Inc. All rights reserved. -+ * Use is subject to license terms. 
-+ */ -+ -+#ifndef _CRYPTOKI_H -+#define _CRYPTOKI_H -+ -+/* ident "@(#)cryptoki.h 1.2 05/06/08 SMI" */ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+#ifndef CK_PTR -+#define CK_PTR * -+#endif -+ -+#ifndef CK_DEFINE_FUNCTION -+#define CK_DEFINE_FUNCTION(returnType, name) returnType name -+#endif -+ -+#ifndef CK_DECLARE_FUNCTION -+#define CK_DECLARE_FUNCTION(returnType, name) returnType name -+#endif -+ -+#ifndef CK_DECLARE_FUNCTION_POINTER -+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name) -+#endif -+ -+#ifndef CK_CALLBACK_FUNCTION -+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name) -+#endif -+ -+#ifndef NULL_PTR -+#include <unistd.h> /* For NULL */ -+#define NULL_PTR NULL -+#endif -+ -+/* -+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint -+ */ -+#ifndef CK_DISABLE_TRUE_FALSE -+#define CK_DISABLE_TRUE_FALSE -+#ifndef TRUE -+#define TRUE 1 -+#endif /* TRUE */ -+#ifndef FALSE -+#define FALSE 0 -+#endif /* FALSE */ -+#endif /* CK_DISABLE_TRUE_FALSE */ -+ -+#undef CK_PKCS11_FUNCTION_INFO -+ -+#include "pkcs11.h" -+ -+/* Solaris specific functions */ -+ -+#include <stdlib.h> -+ -+/* -+ * SUNW_C_GetMechSession will initialize the framework and do all -+ * the necessary PKCS#11 calls to create a session capable of -+ * providing operations on the requested mechanism -+ */ -+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech, -+ CK_SESSION_HANDLE_PTR hSession); -+ -+/* -+ * SUNW_C_KeyToObject will create a secret key object for the given -+ * mechanism from the rawkey data. 
-+ */ -+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len, -+ CK_OBJECT_HANDLE_PTR obj); -+ -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* _CRYPTOKI_H */ -Index: openssl/crypto/engine/eng_all.c -diff -u openssl/crypto/engine/eng_all.c:1.1.2.1 openssl/crypto/engine/eng_all.c:1.2 ---- openssl/crypto/engine/eng_all.c:1.1.2.1 Wed Jun 4 18:01:39 2008 -+++ openssl/crypto/engine/eng_all.c Wed Oct 15 15:39:48 2008 -@@ -110,6 +110,9 @@ - #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) - ENGINE_load_capi(); - #endif -+#ifndef OPENSSL_NO_HW_PKCS11 -+ ENGINE_load_pk11(); -+#endif - #endif - } - -Index: openssl/crypto/engine/engine.h -diff -u openssl/crypto/engine/engine.h:1.1.2.1 openssl/crypto/engine/engine.h:1.2 ---- openssl/crypto/engine/engine.h:1.1.2.1 Wed Jun 4 18:01:40 2008 -+++ openssl/crypto/engine/engine.h Wed Oct 15 15:39:48 2008 -@@ -337,6 +337,7 @@ - void ENGINE_load_ubsec(void); - #endif - void ENGINE_load_cryptodev(void); -+void ENGINE_load_pk11(void); - void ENGINE_load_padlock(void); - void ENGINE_load_builtin_engines(void); - #ifndef OPENSSL_NO_CAPIENG -Index: openssl/crypto/engine/hw_pk11-kp.c -diff -u /dev/null openssl/crypto/engine/hw_pk11-kp.c:1.20 ---- /dev/null Wed Sep 2 11:37:23 2009 -+++ openssl/crypto/engine/hw_pk11-kp.c Tue Sep 1 06:02:18 2009 -@@ -0,0 +1,1611 @@ -+/* -+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. -+ * Use is subject to license terms. -+ */ -+ -+/* crypto/engine/hw_pk11.c */ -+/* -+ * This product includes software developed by the OpenSSL Project for -+ * use in the OpenSSL Toolkit (http://www.openssl.org/). -+ * -+ * This project also referenced hw_pkcs11-0.9.7b.patch written by -+ * Afchine Madjlessi. -+ */ -+/* -+ * ==================================================================== -+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* Modified to keep only RNG and RSA Sign */ -+ -+#ifdef OPENSSL_NO_RSA -+#error RSA is disabled -+#endif -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <sys/types.h> -+ -+#include <openssl/e_os2.h> -+#include <openssl/crypto.h> -+#include <cryptlib.h> -+#include <openssl/engine.h> -+#include <openssl/dso.h> -+#include <openssl/err.h> -+#include <openssl/bn.h> -+#include <openssl/md5.h> -+#include <openssl/pem.h> -+#include <openssl/rsa.h> -+#include <openssl/rand.h> -+#include <openssl/objects.h> -+#include <openssl/x509.h> -+ -+#ifdef OPENSSL_SYS_WIN32 -+typedef int pid_t; -+#define getpid() GetCurrentProcessId() -+#define NOPTHREADS -+#ifndef NULL_PTR -+#define NULL_PTR NULL -+#endif -+#define CK_DEFINE_FUNCTION(returnType, name) \ -+ returnType __declspec(dllexport) name -+#define CK_DECLARE_FUNCTION(returnType, name) \ -+ returnType __declspec(dllimport) name -+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ returnType __declspec(dllimport) (* name) -+#else -+#include <signal.h> -+#include <unistd.h> -+#include <dlfcn.h> -+#endif -+ -+#ifndef NOPTHREADS -+#include <pthread.h> -+#endif -+ -+#ifndef 
OPENSSL_NO_HW -+#ifndef OPENSSL_NO_HW_PK11 -+ -+/* label for debug messages printed on stderr */ -+#define PK11_DBG "PKCS#11 ENGINE DEBUG" -+/* prints a lot of debug messages on stderr about slot selection process */ -+#undef DEBUG_SLOT_SELECTION -+ -+#ifndef OPENSSL_NO_DSA -+#define OPENSSL_NO_DSA -+#endif -+#ifndef OPENSSL_NO_DH -+#define OPENSSL_NO_DH -+#endif -+ -+#ifdef OPENSSL_SYS_WIN32 -+#pragma pack(push, cryptoki, 1) -+#include "cryptoki.h" -+#include "pkcs11.h" -+#pragma pack(pop, cryptoki) -+#else -+#include "cryptoki.h" -+#include "pkcs11.h" -+#endif -+#include "hw_pk11_err.c" -+ -+/* PKCS#11 session caches and their locks for all operation types */ -+static PK11_CACHE session_cache[OP_MAX]; -+ -+/* -+ * As stated in v2.20, 11.7 Object Management Function, in section for -+ * C_FindObjectsInit(), at most one search operation may be active at a given -+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be -+ * grouped together to form one atomic search operation. This is already -+ * ensured by the property of unique PKCS#11 session handle used for each -+ * PK11_SESSION object. -+ * -+ * This is however not the biggest concern - maintaining consistency of the -+ * underlying object store is more important. The same section of the spec also -+ * says that one thread can be in the middle of a search operation while another -+ * thread destroys the object matching the search template which would result in -+ * invalid handle returned from the search operation. -+ * -+ * Hence, the following locks are used for both protection of the object stores. -+ * They are also used for active list protection. 
-+ */ -+#ifndef NOPTHREADS -+pthread_mutex_t *find_lock[OP_MAX] = { NULL }; -+#endif -+ -+/* -+ * lists of asymmetric key handles which are active (referenced by at least one -+ * PK11_SESSION structure, either held by a thread or present in free_session -+ * list) for given algorithm type -+ */ -+PK11_active *active_list[OP_MAX] = { NULL }; -+ -+/* -+ * Create all secret key objects in a global session so that they are available -+ * to use for other sessions. These other sessions may be opened or closed -+ * without losing the secret key objects. -+ */ -+static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE; -+ -+/* ENGINE level stuff */ -+static int pk11_init(ENGINE *e); -+static int pk11_library_init(ENGINE *e); -+static int pk11_finish(ENGINE *e); -+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); -+static int pk11_destroy(ENGINE *e); -+ -+/* RAND stuff */ -+static void pk11_rand_seed(const void *buf, int num); -+static void pk11_rand_add(const void *buf, int num, double add_entropy); -+static void pk11_rand_cleanup(void); -+static int pk11_rand_bytes(unsigned char *buf, int num); -+static int pk11_rand_status(void); -+ -+/* These functions are also used in other files */ -+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype); -+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype); -+ -+/* active list manipulation functions used in this file */ -+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type); -+extern void pk11_free_active_list(PK11_OPTYPE type); -+ -+int pk11_destroy_rsa_key_objects(PK11_SESSION *session); -+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock); -+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock); -+ -+/* Local helper functions */ -+static int pk11_free_all_sessions(void); -+static int pk11_free_session_list(PK11_OPTYPE optype); -+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype); -+static int pk11_destroy_object(CK_SESSION_HANDLE 
session,
-+ CK_OBJECT_HANDLE oh);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#define TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type) \
-+ { \
-+ if (uselock) \
-+ LOCK_OBJSTORE(alg_type); \
-+ if (pk11_active_delete(obj_hdl, alg_type) == 1) \
-+ { \
-+ retval = pk11_destroy_object(sess_hdl, obj_hdl); \
-+ } \
-+ if (uselock) \
-+ UNLOCK_OBJSTORE(alg_type); \
-+ }
-+
-+#define TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type) \
-+ { \
-+ if (uselock) \
-+ LOCK_OBJSTORE(alg_type); \
-+ (void) pk11_active_delete(obj_hdl, alg_type); \
-+ if (uselock) \
-+ UNLOCK_OBJSTORE(alg_type); \
-+ }
-+
-+static CK_BBOOL pk11_have_rsa = CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH ENGINE_CMD_BASE
-+#define PK11_CMD_PIN (ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT (ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+ {
-+ {
-+ PK11_CMD_SO_PATH,
-+ "SO_PATH",
-+ "Specifies the path to the 'pkcs#11' shared library",
-+ ENGINE_CMD_FLAG_STRING
-+ },
-+ {
-+ PK11_CMD_PIN,
-+ "PIN",
-+ "Specifies the pin code",
-+ ENGINE_CMD_FLAG_STRING
-+ },
-+ {
-+ PK11_CMD_SLOT,
-+ "SLOT",
-+ "Specifies the slot (default is auto select)",
-+ ENGINE_CMD_FLAG_NUMERIC,
-+ },
-+ {0, NULL, NULL, 0}
-+ };
-+
-+
-+static RAND_METHOD pk11_random =
-+ {
-+ pk11_rand_seed,
-+ pk11_rand_bytes,
-+ pk11_rand_cleanup,
-+ pk11_rand_add,
-+ pk11_rand_bytes,
-+ pk11_rand_status
-+ };
-+
-+
-+/* Constants used when creating the ENGINE */
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name = "PKCS #11 engine support";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * These is the static string constant for the DSO file name and the function
-+ * symbol names to bind to.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+ {
-+#ifndef NOPTHREADS
-+ int type;
-+
-+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+ if (find_lock[OP_RSA] == NULL)
-+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
-+
-+ for (type = 0; type < OP_MAX; type++)
-+ {
-+ session_cache[type].lock =
-+ OPENSSL_malloc(sizeof (pthread_mutex_t));
-+ if (session_cache[type].lock == NULL)
-+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
-+ }
-+
-+ return (1);
-+
-+malloc_err:
-+ pk11_free_all_locks();
-+ PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+ return (0);
-+#else
-+ return (1);
-+#endif
-+ }
-+
-+static void pk11_free_all_locks(void)
-+ {
-+#ifndef NOPTHREADS
-+ int type;
-+
-+ if (find_lock[OP_RSA] != NULL)
-+ {
-+ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+ OPENSSL_free(find_lock[OP_RSA]);
-+ find_lock[OP_RSA] = NULL;
-+ }
-+
-+ for (type = 0; type < OP_MAX; type++)
-+ {
-+ if (session_cache[type].lock != NULL)
-+ {
-+ (void) pthread_mutex_destroy(session_cache[type].lock);
-+ OPENSSL_free(session_cache[type].lock);
-+ session_cache[type].lock = NULL;
-+ }
-+ }
-+#endif
-+ }
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+ {
-+ if (!pk11_library_initialized)
-+ if (!pk11_library_init(e))
-+ return (0);
-+
-+ if (!ENGINE_set_id(e, engine_pk11_id) ||
-+ !ENGINE_set_name(e, engine_pk11_name))
-+ return (0);
-+
-+ if (pk11_have_rsa == CK_TRUE)
-+ {
-+ if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+ !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+ !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+ return (0);
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ }
-+
-+ if (pk11_have_random)
-+ {
-+ if (!ENGINE_set_RAND(e, &pk11_random))
-+ return (0);
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ }
-+ if (!ENGINE_set_init_function(e, pk11_init) ||
-+ !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+ !ENGINE_set_finish_function(e, pk11_finish) ||
-+ !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+ !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+ return (0);
-+
-+ /* Ensure the pk11 error handling is set up */
-+ ERR_load_pk11_strings();
-+
-+ return (1);
-+ }
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef ENGINE_DYNAMIC_SUPPORT
-+static int bind_helper(ENGINE *e, const char *id)
-+ {
-+ if (id && (strcmp(id, engine_pk11_id) != 0))
-+ return (0);
-+
-+ if (!bind_pk11(e))
-+ return (0);
-+
-+ return (1);
-+ }
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+ {
-+ ENGINE *ret = ENGINE_new();
-+
-+ if (!ret)
-+ return (NULL);
-+
-+ if (!bind_pk11(ret))
-+ {
-+ ENGINE_free(ret);
-+ return (NULL);
-+ }
-+
-+ return (ret);
-+ }
-+
-+void
-+ENGINE_load_pk11(void)
-+ {
-+ ENGINE *e_pk11 = NULL;
-+
-+ /*
-+ * Do not use dynamic PKCS#11 library on Solaris due to
-+ * security reasons. We will link it in statically.
-+ */
-+ /* Attempt to load PKCS#11 library */
-+ if (!pk11_dso)
-+ pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+ if (pk11_dso == NULL)
-+ {
-+ PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+ return;
-+ }
-+
-+ e_pk11 = engine_pk11();
-+ if (!e_pk11)
-+ {
-+ DSO_free(pk11_dso);
-+ pk11_dso = NULL;
-+ return;
-+ }
-+
-+ /*
-+ * At this point, the pk11 shared library is either dynamically
-+ * loaded or statically linked in. So, initialize the pk11
-+ * library before calling ENGINE_set_default since the latter
-+ * needs cipher and digest algorithm information
-+ */
-+ if (!pk11_library_init(e_pk11))
-+ {
-+ DSO_free(pk11_dso);
-+ pk11_dso = NULL;
-+ ENGINE_free(e_pk11);
-+ return;
-+ }
-+
-+ ENGINE_add(e_pk11);
-+
-+ ENGINE_free(e_pk11);
-+ ERR_clear_error();
-+ }
-+#endif /* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+ {
-+ if (PK11_LIBNAME)
-+ return (PK11_LIBNAME);
-+
-+ return (def_PK11_LIBNAME);
-+ }
-+
-+static void free_PK11_LIBNAME(void)
-+ {
-+ if (PK11_LIBNAME)
-+ OPENSSL_free((void*)PK11_LIBNAME);
-+
-+ PK11_LIBNAME = NULL;
-+ }
-+
-+static long set_PK11_LIBNAME(const char *name)
-+ {
-+ free_PK11_LIBNAME();
-+
-+ return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ?
1 : 0);
-+ }
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+ {
-+#ifndef NOPTHREADS
-+ int i;
-+
-+ if (!pk11_library_initialized)
-+ return;
-+
-+ LOCK_OBJSTORE(OP_RSA);
-+ for (i = 0; i < OP_MAX; i++)
-+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
-+ }
-+#endif
-+ }
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+ {
-+#ifndef NOPTHREADS
-+ int i;
-+
-+ if (!pk11_library_initialized)
-+ return;
-+
-+ for (i = OP_MAX - 1; i >= 0; i--)
-+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
-+ }
-+ UNLOCK_OBJSTORE(OP_RSA);
-+#endif
-+ }
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+ {
-+#ifndef NOPTHREADS
-+ int i;
-+
-+ if (!pk11_library_initialized)
-+ return;
-+
-+ for (i = OP_MAX - 1; i >= 0; i--)
-+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
-+ }
-+ UNLOCK_OBJSTORE(OP_RSA);
-+#endif
-+ }
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+ return (pk11_library_init(e));
-+}
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+ {
-+ CK_C_GetFunctionList p;
-+ CK_RV rv = CKR_OK;
-+ CK_INFO info;
-+ int any_slot_found;
-+ int i;
-+#ifndef OPENSSL_SYS_WIN32
-+ struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+ /*
-+ * pk11_library_initialized is set to 0 in pk11_finish() which is called
-+ * from ENGINE_finish().
However, if there is still at least one
-+ * existing functional reference to the engine (see engine(3) for more
-+ * information), pk11_finish() is skipped. For example, this can happen
-+ * if an application forgets to clear one cipher context. In case of a
-+ * fork() when the application is finishing the engine so that it can be
-+ * reinitialized in the child, forgotten functional reference causes
-+ * pk11_library_initialized to stay 1. In that case we need the PID
-+ * check so that we properly initialize the engine again.
-+ */
-+ if (pk11_library_initialized)
-+ {
-+ if (pk11_pid == getpid())
-+ {
-+ return (1);
-+ }
-+ else
-+ {
-+ global_session = CK_INVALID_HANDLE;
-+ /*
-+ * free the locks first to prevent memory leak in case
-+ * the application calls fork() without finishing the
-+ * engine first.
-+ */
-+ pk11_free_all_locks();
-+ }
-+ }
-+
-+ if (pk11_dso == NULL)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ /* get the C_GetFunctionList function from the loaded library */
-+ p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+ PK11_GET_FUNCTION_LIST);
-+ if (!p)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ /* get the full function list from the loaded library */
-+ rv = p(&pFuncList);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+ goto err;
-+ }
-+
-+#ifndef OPENSSL_SYS_WIN32
-+ /* Not all PKCS#11 library are signal safe!
*/
-+
-+ (void) memset(&sigint_act, 0, sizeof(sigint_act));
-+ (void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+ (void) memset(&sighup_act, 0, sizeof(sighup_act));
-+ (void) sigaction(SIGINT, NULL, &sigint_act);
-+ (void) sigaction(SIGTERM, NULL, &sigterm_act);
-+ (void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+ rv = pFuncList->C_Initialize(NULL_PTR);
-+#ifndef OPENSSL_SYS_WIN32
-+ (void) sigaction(SIGINT, &sigint_act, NULL);
-+ (void) sigaction(SIGTERM, &sigterm_act, NULL);
-+ (void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_GetInfo(&info);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+ goto err;
-+ }
-+
-+ if (pk11_choose_slots(&any_slot_found) == 0)
-+ goto err;
-+
-+ /*
-+ * The library we use, set in def_PK11_LIBNAME, may not offer any
-+ * slot(s). In that case, we must not proceed but we must not return an
-+ * error. The reason is that applications that try to set up the PKCS#11
-+ * engine don't exit on error during the engine initialization just
-+ * because no slot was present.
-+ */
-+ if (any_slot_found == 0)
-+ return (1);
-+
-+ if (global_session == CK_INVALID_HANDLE)
-+ {
-+ /* Open the global_session for the new process */
-+ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &global_session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT,
-+ PK11_R_OPENSESSION, rv);
-+ goto err;
-+ }
-+ }
-+
-+ pk11_library_initialized = TRUE;
-+ pk11_pid = getpid();
-+ /*
-+ * if initialization of the locks fails pk11_init_all_locks()
-+ * will do the cleanup.
-+ */
-+ if (!pk11_init_all_locks())
-+ goto err;
-+ for (i = 0; i < OP_MAX; i++)
-+ session_cache[i].head = NULL;
-+ /*
-+ * initialize active lists. We only use active lists
-+ * for asymmetric ciphers.
-+ */
-+ for (i = 0; i < OP_MAX; i++)
-+ active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+ if (!pk11_atfork_initialized)
-+ {
-+ if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+ pk11_fork_child) != 0)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+ goto err;
-+ }
-+ pk11_atfork_initialized = TRUE;
-+ }
-+#endif
-+
-+ return (1);
-+
-+err:
-+ return (0);
-+ }
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+ {
-+ free_PK11_LIBNAME();
-+ ERR_unload_pk11_strings();
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+ return (1);
-+ }
-+
-+/*
-+ * Termination function to clean up the session, the token, and the pk11
-+ * library.
-+ */
-+/* ARGSUSED */
-+static int pk11_finish(ENGINE *e)
-+ {
-+ int i;
-+
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+
-+ if (pk11_dso == NULL)
-+ {
-+ PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+ goto err;
-+ }
-+
-+ OPENSSL_assert(pFuncList != NULL);
-+
-+ if (pk11_free_all_sessions() == 0)
-+ goto err;
-+
-+ /* free all active lists */
-+ for (i = 0; i < OP_MAX; i++)
-+ pk11_free_active_list(i);
-+
-+ pFuncList->C_CloseSession(global_session);
-+ global_session = CK_INVALID_HANDLE;
-+
-+ /*
-+ * Since we are part of a library (libcrypto.so), calling this function
-+ * may have side-effects.
-+ */
-+#if 0
-+ pFuncList->C_Finalize(NULL);
-+#endif
-+
-+ if (!DSO_free(pk11_dso))
-+ {
-+ PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+ pk11_dso = NULL;
-+ pFuncList = NULL;
-+ pk11_library_initialized = FALSE;
-+ pk11_pid = 0;
-+ /*
-+ * There is no way how to unregister atfork handlers (other than
-+ * unloading the library) so we just free the locks. For this reason
-+ * the atfork handlers check if the engine is initialized and bail out
-+ * immediately if not.
This is necessary in case a process finishes
-+ * the engine before calling fork().
-+ */
-+ pk11_free_all_locks();
-+
-+ return (1);
-+
-+err:
-+ return (0);
-+ }
-+
-+/* Standard engine interface function to set the dynamic library path */
-+/* ARGSUSED */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-+ {
-+ int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+ switch (cmd)
-+ {
-+ case PK11_CMD_SO_PATH:
-+ if (p == NULL)
-+ {
-+ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+ return (0);
-+ }
-+
-+ if (initialized)
-+ {
-+ PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+ return (0);
-+ }
-+
-+ return (set_PK11_LIBNAME((const char *)p));
-+ case PK11_CMD_PIN:
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+
-+ if (p == NULL)
-+ {
-+ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+ return (0);
-+ }
-+
-+ pk11_pin = BUF_strdup(p);
-+ if (pk11_pin == NULL)
-+ {
-+ PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+ return (0);
-+ }
-+ return (1);
-+ case PK11_CMD_SLOT:
-+ SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: slot set\n", PK11_DBG);
-+#endif
-+ return (1);
-+ default:
-+ break;
-+ }
-+
-+ PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+ return (0);
-+ }
-+
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static void pk11_rand_cleanup(void)
-+ {
-+ return;
-+ }
-+
-+/* ARGSUSED */
-+static void pk11_rand_add(const void *buf, int num, double add)
-+ {
-+ PK11_SESSION *sp;
-+
-+ if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+ return;
-+
-+ /*
-+ * Ignore any errors (e.g.
CKR_RANDOM_SEED_NOT_SUPPORTED) since
-+ * the calling functions do not care anyway
-+ */
-+ pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+ pk11_return_session(sp, OP_RAND);
-+
-+ return;
-+ }
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+ {
-+ pk11_rand_add(buf, num, 0);
-+ }
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+ {
-+ CK_RV rv;
-+ PK11_SESSION *sp;
-+
-+ if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+ return (0);
-+
-+ rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
-+ pk11_return_session(sp, OP_RAND);
-+ return (0);
-+ }
-+
-+ pk11_return_session(sp, OP_RAND);
-+ return (1);
-+ }
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static int pk11_rand_status(void)
-+ {
-+ return (1);
-+ }
-+
-+/* Free all BIGNUM structures from PK11_SESSION. */
-+static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ if (sp->opdata_rsa_n_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_n_num);
-+ sp->opdata_rsa_n_num = NULL;
-+ }
-+ if (sp->opdata_rsa_e_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_e_num);
-+ sp->opdata_rsa_e_num = NULL;
-+ }
-+ if (sp->opdata_rsa_d_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_d_num);
-+ sp->opdata_rsa_d_num = NULL;
-+ }
-+ break;
-+ default:
-+ break;
-+ }
-+ }
-+
-+/*
-+ * Get new PK11_SESSION structure ready for use. Every process must have
-+ * its own freelist of PK11_SESSION structures so handle fork() here
-+ * by destroying the old and creating new freelist.
-+ * The returned PK11_SESSION structure is disconnected from the freelist.
-+ */
-+PK11_SESSION *
-+pk11_get_session(PK11_OPTYPE optype)
-+ {
-+ PK11_SESSION *sp = NULL, *sp1, *freelist;
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock = NULL;
-+#endif
-+ CK_RV rv;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_GET_SESSION,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return (NULL);
-+ }
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ sp = freelist;
-+
-+ /*
-+ * If the free list is empty, allocate new unitialized (filled
-+ * with zeroes) PK11_SESSION structure otherwise return first
-+ * structure from the freelist.
-+ */
-+ if (sp == NULL)
-+ {
-+ if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
-+ {
-+ PK11err(PK11_F_GET_SESSION,
-+ PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ (void) memset(sp, 0, sizeof (PK11_SESSION));
-+ }
-+ else
-+ {
-+ freelist = sp->next;
-+ }
-+
-+ if (sp->pid != 0 && sp->pid != getpid())
-+ {
-+ /*
-+ * We are a new process and thus need to free any inherited
-+ * PK11_SESSION objects.
-+ */
-+ while ((sp1 = freelist) != NULL)
-+ {
-+ freelist = sp1->next;
-+ /*
-+ * NOTE: we do not want to call pk11_free_all_sessions()
-+ * here because it would close underlying PKCS#11
-+ * sessions and destroy all objects.
-+ */
-+ pk11_free_nums(sp1, optype);
-+ OPENSSL_free(sp1);
-+ }
-+
-+ /* we have to free the active list as well.
*/
-+ pk11_free_active_list(optype);
-+
-+ /* Initialize the process */
-+ rv = pFuncList->C_Initialize(NULL_PTR);
-+ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+ {
-+ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
-+ rv);
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ goto err;
-+ }
-+
-+ /*
-+ * Choose slot here since the slot table is different on this
-+ * process. If we are here then we must have found at least one
-+ * usable slot before so we don't need to check any_slot_found.
-+ * See pk11_library_init()'s usage of this function for more
-+ * information.
-+ */
-+ if (pk11_choose_slots(NULL) == 0)
-+ goto err;
-+
-+ /* Open the global_session for the new process */
-+ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &global_session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
-+ rv);
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ goto err;
-+ }
-+
-+ /* It is an inherited session and needs re-initialization. */
-+ if (pk11_setup_session(sp, optype) == 0)
-+ {
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ }
-+ }
-+ if (sp->pid == 0)
-+ {
-+ /* It is a new session and needs initialization.
*/
-+ if (pk11_setup_session(sp, optype) == 0)
-+ {
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ }
-+ }
-+
-+ /* set new head for the list of PK11_SESSION objects */
-+ session_cache[optype].head = freelist;
-+
-+err:
-+ if (sp != NULL)
-+ sp->next = NULL;
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (sp);
-+ }
-+
-+
-+void
-+pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock;
-+#endif
-+ PK11_SESSION *freelist;
-+
-+ if (sp == NULL || sp->pid != getpid())
-+ return;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_RETURN_SESSION,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return;
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ sp->next = freelist;
-+ session_cache[optype].head = sp;
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ }
-+
-+
-+/* Destroy all objects. This function is called when the engine is finished */
-+static int pk11_free_all_sessions()
-+ {
-+ int ret = 1;
-+ int type;
-+
-+ (void) pk11_destroy_rsa_key_objects(NULL);
-+
-+ /*
-+ * We try to release as much as we can but any error means that we will
-+ * return 0 on exit.
-+ */
-+ for (type = 0; type < OP_MAX; type++)
-+ {
-+ if (pk11_free_session_list(type) == 0)
-+ ret = 0;
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy session structures from the linked list specified. Free as many
-+ * sessions as possible but any failure in C_CloseSession() means that we
-+ * return an error on return.
-+ */
-+static int pk11_free_session_list(PK11_OPTYPE optype)
-+ {
-+ CK_RV rv;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *freelist = NULL;
-+ pid_t mypid = getpid();
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock;
-+#endif
-+ int ret = 1;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_FREE_ALL_SESSIONS,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return (0);
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ while ((sp = freelist) != NULL)
-+ {
-+ if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
-+ {
-+ rv = pFuncList->C_CloseSession(sp->session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
-+ PK11_R_CLOSESESSION, rv);
-+ ret = 0;
-+ }
-+ }
-+ freelist = sp->next;
-+ pk11_free_nums(sp, optype);
-+ OPENSSL_free(sp);
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ return (ret);
-+ }
-+
-+
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+ CK_RV rv;
-+ CK_SLOT_ID myslot;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ myslot = pubkey_SLOTID;
-+ break;
-+ case OP_RAND:
-+ myslot = rand_SLOTID;
-+ break;
-+ default:
-+ PK11err(PK11_F_SETUP_SESSION,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return (0);
-+ }
-+
-+ sp->session = CK_INVALID_HANDLE;
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &sp->session);
-+ if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
-+ {
-+ /*
-+ * We are probably a child process so force the
-+ *
reinitialize of the session
-+ */
-+ pk11_library_initialized = FALSE;
-+ if (!pk11_library_init(NULL))
-+ return (0);
-+ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &sp->session);
-+ }
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
-+ return (0);
-+ }
-+
-+ sp->pid = getpid();
-+
-+ if (optype == OP_RSA)
-+ {
-+ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_pub = NULL;
-+ sp->opdata_rsa_n_num = NULL;
-+ sp->opdata_rsa_e_num = NULL;
-+ sp->opdata_rsa_priv = NULL;
-+ sp->opdata_rsa_d_num = NULL;
-+ }
-+
-+ return (1);
-+ }
-+
-+/* Destroy RSA public key from single session. */
-+int
-+pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
-+ ret, uselock, OP_RSA);
-+ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_pub = NULL;
-+ if (sp->opdata_rsa_n_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_n_num);
-+ sp->opdata_rsa_n_num = NULL;
-+ }
-+ if (sp->opdata_rsa_e_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_e_num);
-+ sp->opdata_rsa_e_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/* Destroy RSA private key from single session. */
-+int
-+pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DELETE(sp->session,
-+ sp->opdata_rsa_priv_key,
-+ ret, uselock, OP_RSA);
-+ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_priv = NULL;
-+ if (sp->opdata_rsa_d_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_d_num);
-+ sp->opdata_rsa_d_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
-+ * objects in the free list.
-+ */
-+int
-+pk11_destroy_rsa_key_objects(PK11_SESSION *session)
-+ {
-+ int ret = 1;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *local_free_session;
-+ CK_BBOOL uselock = TRUE;
-+
-+ if (session != NULL)
-+ local_free_session = session;
-+ else
-+ {
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ local_free_session = session_cache[OP_RSA].head;
-+ uselock = FALSE;
-+ }
-+
-+ /*
-+ * go through the list of sessions and delete key objects
-+ */
-+ while ((sp = local_free_session) != NULL)
-+ {
-+ local_free_session = sp->next;
-+
-+ /*
-+ * Do not terminate list traversal if one of the
-+ * destroy operations fails.
-+ */
-+ if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ }
-+
-+#ifndef NOPTHREADS
-+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
-+#else
-+ if (session == NULL)
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (ret);
-+ }
-+
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
-+ {
-+ CK_RV rv;
-+ rv = pFuncList->C_DestroyObject(session, oh);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
-+ rv);
-+ return (0);
-+ }
-+
-+ return (1);
-+ }
-+
-+
-+/*
-+ * Public key mechanisms optionally supported
-+ *
-+ * CKM_RSA_X_509
-+ * CKM_RSA_PKCS
-+ *
-+ * The first slot that supports at least one of those mechanisms is chosen as a
-+ * public key slot.
-+ *
-+ * The output of this function is a set of global variables indicating which
-+ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
-+ * mechanisms, one for symmetric ciphers and one for digests.
Also, 3 global
-+ * variables carry information about which slot was chosen for (a) public key
-+ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
-+ */
-+static int
-+pk11_choose_slots(int *any_slot_found)
-+ {
-+ CK_SLOT_ID_PTR pSlotList = NULL_PTR;
-+ CK_ULONG ulSlotCount = 0;
-+ CK_MECHANISM_INFO mech_info;
-+ CK_TOKEN_INFO token_info;
-+ unsigned int i;
-+ CK_RV rv;
-+ CK_SLOT_ID best_slot_sofar = 0;
-+ CK_BBOOL found_candidate_slot = CK_FALSE;
-+ CK_SLOT_ID current_slot = 0;
-+
-+ /* let's initialize the output parameter */
-+ if (any_slot_found != NULL)
-+ *any_slot_found = 0;
-+
-+ /* Get slot list for memory allocation */
-+ rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
-+ return (0);
-+ }
-+
-+ /* it's not an error if we didn't find any providers */
-+ if (ulSlotCount == 0)
-+ {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ return (1);
-+ }
-+
-+ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
-+
-+ if (pSlotList == NULL)
-+ {
-+ PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
-+ return (0);
-+ }
-+
-+ /* Get the slot list for processing */
-+ rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
-+ OPENSSL_free(pSlotList);
-+ return (0);
-+ }
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
-+ fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
-+
-+ fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ for (i = 0; i < ulSlotCount; i++)
-+ {
-+ current_slot = pSlotList[i];
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ /*
Check if slot has random support. */
-+ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
-+ if (rv != CKR_OK)
-+ continue;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ if (token_info.flags & CKF_RNG)
-+ {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ pk11_have_random = CK_TRUE;
-+ rand_SLOTID = current_slot;
-+ break;
-+ }
-+ }
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ pubkey_SLOTID = pSlotList[0];
-+ for (i = 0; i < ulSlotCount; i++)
-+ {
-+ CK_BBOOL slot_has_rsa = CK_FALSE;
-+ current_slot = pSlotList[i];
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
-+ if (rv != CKR_OK)
-+ continue;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ /*
-+ * Check if this slot is capable of signing with CKM_RSA_PKCS.
-+ */
-+ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
-+ &mech_info);
-+
-+ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN)))
-+ {
-+ slot_has_rsa = CK_TRUE;
-+ }
-+
-+ if (!found_candidate_slot && slot_has_rsa)
-+ {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr,
-+ "%s: potential slot: %d\n", PK11_DBG, current_slot);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ best_slot_sofar = current_slot;
-+ pk11_have_rsa = slot_has_rsa;
-+ found_candidate_slot = CK_TRUE;
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr,
-+ "%s: setting found_candidate_slot to CK_TRUE\n",
-+ PK11_DBG);
-+ fprintf(stderr,
-+ "%s: best so far slot: %d\n", PK11_DBG,
-+ best_slot_sofar);
-+ }
-+ else
-+ {
-+ fprintf(stderr,
-+ "%s: no rsa\n", PK11_DBG);
-+ }
-+#else
-+ } /* if */
-+#endif /* DEBUG_SLOT_SELECTION */
-+ } /* for */
-+
-+ if (found_candidate_slot)
-+ {
-+ pubkey_SLOTID = best_slot_sofar;
-+ }
-+
-+ /*SLOTID = pSlotList[0];*/
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr,
-+ "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
-+ fprintf(stderr,
-+ "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
-+ fprintf(stderr,
-+ "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
-+ fprintf(stderr,
-+ "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ if (pSlotList != NULL)
-+ OPENSSL_free(pSlotList);
-+
-+ if (any_slot_found != NULL)
-+ *any_slot_found = 1;
-+ return (1);
-+ }
-+
-+#endif /* OPENSSL_NO_HW_PK11 */
-+#endif /* OPENSSL_NO_HW */
-Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11.c Fri Aug 28 06:31:09 2009
-@@ -0,0 +1,3916 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-+ * Use is subject to license terms.
-+ */ -+ -+/* crypto/engine/hw_pk11.c */ -+/* -+ * This product includes software developed by the OpenSSL Project for -+ * use in the OpenSSL Toolkit (http://www.openssl.org/). -+ * -+ * This project also referenced hw_pkcs11-0.9.7b.patch written by -+ * Afchine Madjlessi. -+ */ -+/* -+ * ==================================================================== -+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). 
-+ * -+ */ -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <sys/types.h> -+ -+#include <openssl/e_os2.h> -+#include <openssl/crypto.h> -+#include <cryptlib.h> -+#include <openssl/engine.h> -+#include <openssl/dso.h> -+#include <openssl/err.h> -+#include <openssl/bn.h> -+#include <openssl/md5.h> -+#include <openssl/pem.h> -+#ifndef OPENSSL_NO_RSA -+#include <openssl/rsa.h> -+#endif -+#ifndef OPENSSL_NO_DSA -+#include <openssl/dsa.h> -+#endif -+#ifndef OPENSSL_NO_DH -+#include <openssl/dh.h> -+#endif -+#include <openssl/rand.h> -+#include <openssl/objects.h> -+#include <openssl/x509.h> -+#include <openssl/aes.h> -+ -+#ifdef OPENSSL_SYS_WIN32 -+typedef int pid_t; -+#define getpid() GetCurrentProcessId() -+#define NOPTHREADS -+#ifndef NULL_PTR -+#define NULL_PTR NULL -+#endif -+#define CK_DEFINE_FUNCTION(returnType, name) \ -+ returnType __declspec(dllexport) name -+#define CK_DECLARE_FUNCTION(returnType, name) \ -+ returnType __declspec(dllimport) name -+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ returnType __declspec(dllimport) (* name) -+#else -+#include <signal.h> -+#include <unistd.h> -+#include <dlfcn.h> -+#endif -+ -+#ifndef NOPTHREADS -+#include <pthread.h> -+#endif -+ -+#ifndef OPENSSL_NO_HW -+#ifndef OPENSSL_NO_HW_PK11 -+ -+/* label for debug messages printed on stderr */ -+#define PK11_DBG "PKCS#11 ENGINE DEBUG" -+/* prints a lot of debug messages on stderr about slot selection process */ -+#undef DEBUG_SLOT_SELECTION -+/* -+ * Solaris specific code. See comment at check_hw_mechanisms() for more -+ * information. -+ */ -+#if defined (__SVR4) && defined (__sun) -+#undef SOLARIS_HW_SLOT_SELECTION -+#endif -+ -+/* -+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither -+ * there are official OIDs for mechanisms based on this mode. With our changes, -+ * an application can define its own EVP calls for AES counter mode and then -+ * it can make use of hardware acceleration through this engine. 
However, it's -+ * better if we keep AES CTR support code under ifdef's. -+ */ -+#define SOLARIS_AES_CTR -+ -+#ifdef OPENSSL_SYS_WIN32 -+#pragma pack(push, cryptoki, 1) -+#include "cryptoki.h" -+#include "pkcs11.h" -+#pragma pack(pop, cryptoki) -+#else -+#include "cryptoki.h" -+#include "pkcs11.h" -+#endif -+#include "hw_pk11_err.c" -+ -+#ifdef SOLARIS_AES_CTR -+/* -+ * NIDs for AES counter mode that will be defined during the engine -+ * initialization. -+ */ -+int NID_aes_128_ctr = NID_undef; -+int NID_aes_192_ctr = NID_undef; -+int NID_aes_256_ctr = NID_undef; -+#endif /* SOLARIS_AES_CTR */ -+ -+#ifdef SOLARIS_HW_SLOT_SELECTION -+/* -+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel -+ * library. See comment at check_hw_mechanisms() for more information. -+ */ -+int *hw_cnids; -+int *hw_dnids; -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ -+/* PKCS#11 session caches and their locks for all operation types */ -+static PK11_CACHE session_cache[OP_MAX]; -+ -+/* -+ * As stated in v2.20, 11.7 Object Management Function, in section for -+ * C_FindObjectsInit(), at most one search operation may be active at a given -+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be -+ * grouped together to form one atomic search operation. This is already -+ * ensured by the property of unique PKCS#11 session handle used for each -+ * PK11_SESSION object. -+ * -+ * This is however not the biggest concern - maintaining consistency of the -+ * underlying object store is more important. The same section of the spec also -+ * says that one thread can be in the middle of a search operation while another -+ * thread destroys the object matching the search template which would result in -+ * invalid handle returned from the search operation. -+ * -+ * Hence, the following locks are used for both protection of the object stores. -+ * They are also used for active list protection. 
-+ */ -+#ifndef NOPTHREADS -+pthread_mutex_t *find_lock[OP_MAX] = { NULL }; -+#endif -+ -+/* -+ * lists of asymmetric key handles which are active (referenced by at least one -+ * PK11_SESSION structure, either held by a thread or present in free_session -+ * list) for given algorithm type -+ */ -+PK11_active *active_list[OP_MAX] = { NULL }; -+ -+/* -+ * Create all secret key objects in a global session so that they are available -+ * to use for other sessions. These other sessions may be opened or closed -+ * without losing the secret key objects. -+ */ -+static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE; -+ -+/* ENGINE level stuff */ -+static int pk11_init(ENGINE *e); -+static int pk11_library_init(ENGINE *e); -+static int pk11_finish(ENGINE *e); -+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); -+static int pk11_destroy(ENGINE *e); -+ -+/* RAND stuff */ -+static void pk11_rand_seed(const void *buf, int num); -+static void pk11_rand_add(const void *buf, int num, double add_entropy); -+static void pk11_rand_cleanup(void); -+static int pk11_rand_bytes(unsigned char *buf, int num); -+static int pk11_rand_status(void); -+ -+/* These functions are also used in other files */ -+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype); -+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype); -+ -+/* active list manipulation functions used in this file */ -+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type); -+extern void pk11_free_active_list(PK11_OPTYPE type); -+ -+#ifndef OPENSSL_NO_RSA -+int pk11_destroy_rsa_key_objects(PK11_SESSION *session); -+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock); -+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock); -+#endif -+#ifndef OPENSSL_NO_DSA -+int pk11_destroy_dsa_key_objects(PK11_SESSION *session); -+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock); -+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL 
uselock); -+#endif -+#ifndef OPENSSL_NO_DH -+int pk11_destroy_dh_key_objects(PK11_SESSION *session); -+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock); -+#endif -+ -+/* Local helper functions */ -+static int pk11_free_all_sessions(void); -+static int pk11_free_session_list(PK11_OPTYPE optype); -+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype); -+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session); -+static int pk11_destroy_object(CK_SESSION_HANDLE session, -+ CK_OBJECT_HANDLE oh); -+static const char *get_PK11_LIBNAME(void); -+static void free_PK11_LIBNAME(void); -+static long set_PK11_LIBNAME(const char *name); -+ -+/* Symmetric cipher and digest support functions */ -+static int cipher_nid_to_pk11(int nid); -+#ifdef SOLARIS_AES_CTR -+static int pk11_add_NID(char *sn, char *ln); -+static int pk11_add_aes_ctr_NIDs(void); -+#endif /* SOLARIS_AES_CTR */ -+static int pk11_usable_ciphers(const int **nids); -+static int pk11_usable_digests(const int **nids); -+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc); -+static int pk11_cipher_final(PK11_SESSION *sp); -+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, unsigned int inl); -+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx); -+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -+ const int **nids, int nid); -+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest, -+ const int **nids, int nid); -+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp); -+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key, -+ int key_len); -+static int md_nid_to_pk11(int nid); -+static int pk11_digest_init(EVP_MD_CTX *ctx); -+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data, -+ size_t count); -+static int 
pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md); -+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from); -+static int pk11_digest_cleanup(EVP_MD_CTX *ctx); -+ -+static int pk11_choose_slots(int *any_slot_found); -+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist, -+ CK_SLOT_ID current_slot, int *current_slot_n_cipher, -+ int *local_cipher_nids); -+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist, -+ CK_SLOT_ID current_slot, int *current_slot_n_digest, -+ int *local_digest_nids); -+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id, -+ CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids, -+ int id); -+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, -+ CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids, -+ int id); -+ -+static int pk11_init_all_locks(void); -+static void pk11_free_all_locks(void); -+ -+#ifdef SOLARIS_HW_SLOT_SELECTION -+static int check_hw_mechanisms(void); -+static int nid_in_table(int nid, int *nid_table); -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ -+/* Index for the supported ciphers */ -+enum pk11_cipher_id { -+ PK11_DES_CBC, -+ PK11_DES3_CBC, -+ PK11_DES_ECB, -+ PK11_DES3_ECB, -+ PK11_RC4, -+ PK11_AES_128_CBC, -+ PK11_AES_192_CBC, -+ PK11_AES_256_CBC, -+ PK11_AES_128_ECB, -+ PK11_AES_192_ECB, -+ PK11_AES_256_ECB, -+ PK11_BLOWFISH_CBC, -+#ifdef SOLARIS_AES_CTR -+ PK11_AES_128_CTR, -+ PK11_AES_192_CTR, -+ PK11_AES_256_CTR, -+#endif /* SOLARIS_AES_CTR */ -+ PK11_CIPHER_MAX -+}; -+ -+/* Index for the supported digests */ -+enum pk11_digest_id { -+ PK11_MD5, -+ PK11_SHA1, -+ PK11_SHA224, -+ PK11_SHA256, -+ PK11_SHA384, -+ PK11_SHA512, -+ PK11_DIGEST_MAX -+}; -+ -+#define TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type) \ -+ { \ -+ if (uselock) \ -+ LOCK_OBJSTORE(alg_type); \ -+ if (pk11_active_delete(obj_hdl, alg_type) == 1) \ -+ { \ -+ retval = pk11_destroy_object(sess_hdl, obj_hdl); \ -+ } \ -+ if 
(uselock) \ -+ UNLOCK_OBJSTORE(alg_type); \ -+ } -+ -+#define TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type) \ -+ { \ -+ if (uselock) \ -+ LOCK_OBJSTORE(alg_type); \ -+ (void) pk11_active_delete(obj_hdl, alg_type); \ -+ if (uselock) \ -+ UNLOCK_OBJSTORE(alg_type); \ -+ } -+ -+static int cipher_nids[PK11_CIPHER_MAX]; -+static int digest_nids[PK11_DIGEST_MAX]; -+static int cipher_count = 0; -+static int digest_count = 0; -+static CK_BBOOL pk11_have_rsa = CK_FALSE; -+static CK_BBOOL pk11_have_recover = CK_FALSE; -+static CK_BBOOL pk11_have_dsa = CK_FALSE; -+static CK_BBOOL pk11_have_dh = CK_FALSE; -+static CK_BBOOL pk11_have_random = CK_FALSE; -+ -+typedef struct PK11_CIPHER_st -+ { -+ enum pk11_cipher_id id; -+ int nid; -+ int iv_len; -+ int key_len; -+ CK_KEY_TYPE key_type; -+ CK_MECHANISM_TYPE mech_type; -+ } PK11_CIPHER; -+ -+static PK11_CIPHER ciphers[] = -+ { -+ { PK11_DES_CBC, NID_des_cbc, 8, 8, -+ CKK_DES, CKM_DES_CBC, }, -+ { PK11_DES3_CBC, NID_des_ede3_cbc, 8, 24, -+ CKK_DES3, CKM_DES3_CBC, }, -+ { PK11_DES_ECB, NID_des_ecb, 0, 8, -+ CKK_DES, CKM_DES_ECB, }, -+ { PK11_DES3_ECB, NID_des_ede3_ecb, 0, 24, -+ CKK_DES3, CKM_DES3_ECB, }, -+ { PK11_RC4, NID_rc4, 0, 16, -+ CKK_RC4, CKM_RC4, }, -+ { PK11_AES_128_CBC, NID_aes_128_cbc, 16, 16, -+ CKK_AES, CKM_AES_CBC, }, -+ { PK11_AES_192_CBC, NID_aes_192_cbc, 16, 24, -+ CKK_AES, CKM_AES_CBC, }, -+ { PK11_AES_256_CBC, NID_aes_256_cbc, 16, 32, -+ CKK_AES, CKM_AES_CBC, }, -+ { PK11_AES_128_ECB, NID_aes_128_ecb, 0, 16, -+ CKK_AES, CKM_AES_ECB, }, -+ { PK11_AES_192_ECB, NID_aes_192_ecb, 0, 24, -+ CKK_AES, CKM_AES_ECB, }, -+ { PK11_AES_256_ECB, NID_aes_256_ecb, 0, 32, -+ CKK_AES, CKM_AES_ECB, }, -+ { PK11_BLOWFISH_CBC, NID_bf_cbc, 8, 16, -+ CKK_BLOWFISH, CKM_BLOWFISH_CBC, }, -+#ifdef SOLARIS_AES_CTR -+ /* we don't know the correct NIDs until the engine is initialized */ -+ { PK11_AES_128_CTR, NID_undef, 16, 16, -+ CKK_AES, CKM_AES_CTR, }, -+ { PK11_AES_192_CTR, NID_undef, 16, 24, -+ CKK_AES, CKM_AES_CTR, }, -+ 
{ PK11_AES_256_CTR, NID_undef, 16, 32, -+ CKK_AES, CKM_AES_CTR, }, -+#endif /* SOLARIS_AES_CTR */ -+ }; -+ -+typedef struct PK11_DIGEST_st -+ { -+ enum pk11_digest_id id; -+ int nid; -+ CK_MECHANISM_TYPE mech_type; -+ } PK11_DIGEST; -+ -+static PK11_DIGEST digests[] = -+ { -+ {PK11_MD5, NID_md5, CKM_MD5, }, -+ {PK11_SHA1, NID_sha1, CKM_SHA_1, }, -+ {PK11_SHA224, NID_sha224, CKM_SHA224, }, -+ {PK11_SHA256, NID_sha256, CKM_SHA256, }, -+ {PK11_SHA384, NID_sha384, CKM_SHA384, }, -+ {PK11_SHA512, NID_sha512, CKM_SHA512, }, -+ {0, NID_undef, 0xFFFF, }, -+ }; -+ -+/* -+ * Structure to be used for the cipher_data/md_data in -+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11 -+ * session in multiple cipher_update calls -+ */ -+typedef struct PK11_CIPHER_STATE_st -+ { -+ PK11_SESSION *sp; -+ } PK11_CIPHER_STATE; -+ -+ -+/* -+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets -+ * called when libcrypto requests a cipher NID. -+ * -+ * Note how the PK11_CIPHER_STATE is used here. -+ */ -+ -+/* DES CBC EVP */ -+static const EVP_CIPHER pk11_des_cbc = -+ { -+ NID_des_cbc, -+ 8, 8, 8, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+/* 3DES CBC EVP */ -+static const EVP_CIPHER pk11_3des_cbc = -+ { -+ NID_des_ede3_cbc, -+ 8, 24, 8, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+/* -+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and -+ * get_asn1_parameters fields are set to NULL. 
-+ */ -+static const EVP_CIPHER pk11_des_ecb = -+ { -+ NID_des_ecb, -+ 8, 8, 8, -+ EVP_CIPH_ECB_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_3des_ecb = -+ { -+ NID_des_ede3_ecb, -+ 8, 24, 8, -+ EVP_CIPH_ECB_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+ -+static const EVP_CIPHER pk11_aes_128_cbc = -+ { -+ NID_aes_128_cbc, -+ 16, 16, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_aes_192_cbc = -+ { -+ NID_aes_192_cbc, -+ 16, 24, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_aes_256_cbc = -+ { -+ NID_aes_256_cbc, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+/* -+ * ECB modes don't use IV so that's why set_asn1_parameters and -+ * get_asn1_parameters are set to NULL. 
-+ */ -+static const EVP_CIPHER pk11_aes_128_ecb = -+ { -+ NID_aes_128_ecb, -+ 16, 16, 0, -+ EVP_CIPH_ECB_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_aes_192_ecb = -+ { -+ NID_aes_192_ecb, -+ 16, 24, 0, -+ EVP_CIPH_ECB_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_aes_256_ecb = -+ { -+ NID_aes_256_ecb, -+ 16, 32, 0, -+ EVP_CIPH_ECB_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+#ifdef SOLARIS_AES_CTR -+/* -+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are -+ * created in pk11_library_init(). Note that the need to change these structures -+ * is the reason why we don't define them with the const keyword. -+ */ -+static EVP_CIPHER pk11_aes_128_ctr = -+ { -+ NID_undef, -+ 16, 16, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+static EVP_CIPHER pk11_aes_192_ctr = -+ { -+ NID_undef, -+ 16, 24, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+static EVP_CIPHER pk11_aes_256_ctr = -+ { -+ NID_undef, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+#endif /* SOLARIS_AES_CTR */ -+ -+static const EVP_CIPHER pk11_bf_cbc = -+ { -+ NID_bf_cbc, -+ 8, 16, 8, -+ EVP_CIPH_VARIABLE_LENGTH, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ 
pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+ }; -+ -+static const EVP_CIPHER pk11_rc4 = -+ { -+ NID_rc4, -+ 1, 16, 0, -+ EVP_CIPH_VARIABLE_LENGTH, -+ pk11_cipher_init, -+ pk11_cipher_do_cipher, -+ pk11_cipher_cleanup, -+ sizeof (PK11_CIPHER_STATE), -+ NULL, -+ NULL, -+ NULL -+ }; -+ -+static const EVP_MD pk11_md5 = -+ { -+ NID_md5, -+ NID_md5WithRSAEncryption, -+ MD5_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ MD5_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ -+static const EVP_MD pk11_sha1 = -+ { -+ NID_sha1, -+ NID_sha1WithRSAEncryption, -+ SHA_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ -+static const EVP_MD pk11_sha224 = -+ { -+ NID_sha224, -+ NID_sha224WithRSAEncryption, -+ SHA224_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ /* SHA-224 uses the same cblock size as SHA-256 */ -+ SHA256_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ -+static const EVP_MD pk11_sha256 = -+ { -+ NID_sha256, -+ NID_sha256WithRSAEncryption, -+ SHA256_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA256_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ -+static const EVP_MD pk11_sha384 = -+ { -+ NID_sha384, -+ NID_sha384WithRSAEncryption, -+ SHA384_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ /* SHA-384 uses the same cblock size as SHA-512 */ -+ SHA512_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ 
-+static const EVP_MD pk11_sha512 = -+ { -+ NID_sha512, -+ NID_sha512WithRSAEncryption, -+ SHA512_DIGEST_LENGTH, -+ 0, -+ pk11_digest_init, -+ pk11_digest_update, -+ pk11_digest_final, -+ pk11_digest_copy, -+ pk11_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA512_CBLOCK, -+ sizeof (PK11_CIPHER_STATE), -+ }; -+ -+/* -+ * Initialization function. Sets up various PKCS#11 library components. -+ * The definitions for control commands specific to this engine -+ */ -+#define PK11_CMD_SO_PATH ENGINE_CMD_BASE -+#define PK11_CMD_PIN (ENGINE_CMD_BASE+1) -+#define PK11_CMD_SLOT (ENGINE_CMD_BASE+2) -+static const ENGINE_CMD_DEFN pk11_cmd_defns[] = -+ { -+ { -+ PK11_CMD_SO_PATH, -+ "SO_PATH", -+ "Specifies the path to the 'pkcs#11' shared library", -+ ENGINE_CMD_FLAG_STRING -+ }, -+ { -+ PK11_CMD_PIN, -+ "PIN", -+ "Specifies the pin code", -+ ENGINE_CMD_FLAG_STRING -+ }, -+ { -+ PK11_CMD_SLOT, -+ "SLOT", -+ "Specifies the slot (default is auto select)", -+ ENGINE_CMD_FLAG_NUMERIC, -+ }, -+ {0, NULL, NULL, 0} -+ }; -+ -+ -+static RAND_METHOD pk11_random = -+ { -+ pk11_rand_seed, -+ pk11_rand_bytes, -+ pk11_rand_cleanup, -+ pk11_rand_add, -+ pk11_rand_bytes, -+ pk11_rand_status -+ }; -+ -+ -+/* Constants used when creating the ENGINE */ -+static const char *engine_pk11_id = "pkcs11"; -+static const char *engine_pk11_name = "PKCS #11 engine support"; -+ -+CK_FUNCTION_LIST_PTR pFuncList = NULL; -+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList"; -+ -+/* -+ * These is the static string constant for the DSO file name and the function -+ * symbol names to bind to. 
-+ */ -+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION; -+ -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; -+static CK_SLOT_ID pubkey_SLOTID = 0; -+static CK_SLOT_ID rand_SLOTID = 0; -+static CK_SLOT_ID SLOTID = 0; -+char *pk11_pin = NULL; -+static CK_BBOOL pk11_library_initialized = FALSE; -+static CK_BBOOL pk11_atfork_initialized = FALSE; -+static int pk11_pid = 0; -+ -+static DSO *pk11_dso = NULL; -+ -+/* allocate and initialize all locks used by the engine itself */ -+static int pk11_init_all_locks(void) -+ { -+#ifndef NOPTHREADS -+ int type; -+ -+#ifndef OPENSSL_NO_RSA -+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); -+ if (find_lock[OP_RSA] == NULL) -+ goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); -+#endif /* OPENSSL_NO_RSA */ -+ -+#ifndef OPENSSL_NO_DSA -+ find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); -+ if (find_lock[OP_DSA] == NULL) -+ goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL); -+#endif /* OPENSSL_NO_DSA */ -+ -+#ifndef OPENSSL_NO_DH -+ find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t)); -+ if (find_lock[OP_DH] == NULL) -+ goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DH], NULL); -+#endif /* OPENSSL_NO_DH */ -+ -+ for (type = 0; type < OP_MAX; type++) -+ { -+ session_cache[type].lock = -+ OPENSSL_malloc(sizeof (pthread_mutex_t)); -+ if (session_cache[type].lock == NULL) -+ goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); -+ } -+ -+ return (1); -+ -+malloc_err: -+ pk11_free_all_locks(); -+ PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE); -+ return (0); -+#else -+ return (1); -+#endif -+ } -+ -+static void pk11_free_all_locks(void) -+ { -+#ifndef NOPTHREADS -+ int type; -+ -+#ifndef OPENSSL_NO_RSA -+ if (find_lock[OP_RSA] != NULL) -+ { -+ (void) pthread_mutex_destroy(find_lock[OP_RSA]); -+ OPENSSL_free(find_lock[OP_RSA]); -+ find_lock[OP_RSA] = NULL; -+ } -+#endif /* OPENSSL_NO_RSA */ 
-+#ifndef OPENSSL_NO_DSA -+ if (find_lock[OP_DSA] != NULL) -+ { -+ (void) pthread_mutex_destroy(find_lock[OP_DSA]); -+ OPENSSL_free(find_lock[OP_DSA]); -+ find_lock[OP_DSA] = NULL; -+ } -+#endif /* OPENSSL_NO_DSA */ -+#ifndef OPENSSL_NO_DH -+ if (find_lock[OP_DH] != NULL) -+ { -+ (void) pthread_mutex_destroy(find_lock[OP_DH]); -+ OPENSSL_free(find_lock[OP_DH]); -+ find_lock[OP_DH] = NULL; -+ } -+#endif /* OPENSSL_NO_DH */ -+ -+ for (type = 0; type < OP_MAX; type++) -+ { -+ if (session_cache[type].lock != NULL) -+ { -+ (void) pthread_mutex_destroy(session_cache[type].lock); -+ OPENSSL_free(session_cache[type].lock); -+ session_cache[type].lock = NULL; -+ } -+ } -+#endif -+ } -+ -+/* -+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support. -+ */ -+static int bind_pk11(ENGINE *e) -+ { -+#ifndef OPENSSL_NO_RSA -+ const RSA_METHOD *rsa = NULL; -+ RSA_METHOD *pk11_rsa = PK11_RSA(); -+#endif /* OPENSSL_NO_RSA */ -+ if (!pk11_library_initialized) -+ if (!pk11_library_init(e)) -+ return (0); -+ -+ if (!ENGINE_set_id(e, engine_pk11_id) || -+ !ENGINE_set_name(e, engine_pk11_name) || -+ !ENGINE_set_ciphers(e, pk11_engine_ciphers) || -+ !ENGINE_set_digests(e, pk11_engine_digests)) -+ return (0); -+#ifndef OPENSSL_NO_RSA -+ if (pk11_have_rsa == CK_TRUE) -+ { -+ if (!ENGINE_set_RSA(e, PK11_RSA()) || -+ !ENGINE_set_load_privkey_function(e, pk11_load_privkey) || -+ !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey)) -+ return (0); -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: registered RSA\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ } -+#endif /* OPENSSL_NO_RSA */ -+#ifndef OPENSSL_NO_DSA -+ if (pk11_have_dsa == CK_TRUE) -+ { -+ if (!ENGINE_set_DSA(e, PK11_DSA())) -+ return (0); -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: registered DSA\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ } -+#endif /* OPENSSL_NO_DSA */ -+#ifndef OPENSSL_NO_DH -+ if (pk11_have_dh == CK_TRUE) -+ { -+ if (!ENGINE_set_DH(e, PK11_DH())) -+ 
return (0); -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: registered DH\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ } -+#endif /* OPENSSL_NO_DH */ -+ if (pk11_have_random) -+ { -+ if (!ENGINE_set_RAND(e, &pk11_random)) -+ return (0); -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: registered random\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ } -+ if (!ENGINE_set_init_function(e, pk11_init) || -+ !ENGINE_set_destroy_function(e, pk11_destroy) || -+ !ENGINE_set_finish_function(e, pk11_finish) || -+ !ENGINE_set_ctrl_function(e, pk11_ctrl) || -+ !ENGINE_set_cmd_defns(e, pk11_cmd_defns)) -+ return (0); -+ -+/* -+ * Apache calls OpenSSL function RSA_blinding_on() once during startup -+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp -+ * here, we wire it back to the OpenSSL software implementation. -+ * Since it is used only once, performance is not a concern. -+ */ -+#ifndef OPENSSL_NO_RSA -+ rsa = RSA_PKCS1_SSLeay(); -+ pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp; -+ pk11_rsa->bn_mod_exp = rsa->bn_mod_exp; -+ if (pk11_have_recover != CK_TRUE) -+ pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec; -+#endif /* OPENSSL_NO_RSA */ -+ -+ /* Ensure the pk11 error handling is set up */ -+ ERR_load_pk11_strings(); -+ -+ return (1); -+ } -+ -+/* Dynamic engine support is disabled at a higher level for Solaris */ -+#ifdef ENGINE_DYNAMIC_SUPPORT -+static int bind_helper(ENGINE *e, const char *id) -+ { -+ if (id && (strcmp(id, engine_pk11_id) != 0)) -+ return (0); -+ -+ if (!bind_pk11(e)) -+ return (0); -+ -+ return (1); -+ } -+ -+IMPLEMENT_DYNAMIC_CHECK_FN() -+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) -+ -+#else -+static ENGINE *engine_pk11(void) -+ { -+ ENGINE *ret = ENGINE_new(); -+ -+ if (!ret) -+ return (NULL); -+ -+ if (!bind_pk11(ret)) -+ { -+ ENGINE_free(ret); -+ return (NULL); -+ } -+ -+ return (ret); -+ } -+ -+void -+ENGINE_load_pk11(void) -+ { -+ ENGINE *e_pk11 = NULL; -+ -+ /* -+ * Do not use dynamic PKCS#11 library on Solaris due 
to -+ * security reasons. We will link it in statically. -+ */ -+ /* Attempt to load PKCS#11 library */ -+ if (!pk11_dso) -+ pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0); -+ -+ if (pk11_dso == NULL) -+ { -+ PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE); -+ return; -+ } -+ -+ e_pk11 = engine_pk11(); -+ if (!e_pk11) -+ { -+ DSO_free(pk11_dso); -+ pk11_dso = NULL; -+ return; -+ } -+ -+ /* -+ * At this point, the pk11 shared library is either dynamically -+ * loaded or statically linked in. So, initialize the pk11 -+ * library before calling ENGINE_set_default since the latter -+ * needs cipher and digest algorithm information -+ */ -+ if (!pk11_library_init(e_pk11)) -+ { -+ DSO_free(pk11_dso); -+ pk11_dso = NULL; -+ ENGINE_free(e_pk11); -+ return; -+ } -+ -+ ENGINE_add(e_pk11); -+ -+ ENGINE_free(e_pk11); -+ ERR_clear_error(); -+ } -+#endif /* ENGINE_DYNAMIC_SUPPORT */ -+ -+/* -+ * These are the static string constants for the DSO file name and -+ * the function symbol names to bind to. -+ */ -+static const char *PK11_LIBNAME = NULL; -+ -+static const char *get_PK11_LIBNAME(void) -+ { -+ if (PK11_LIBNAME) -+ return (PK11_LIBNAME); -+ -+ return (def_PK11_LIBNAME); -+ } -+ -+static void free_PK11_LIBNAME(void) -+ { -+ if (PK11_LIBNAME) -+ OPENSSL_free((void*)PK11_LIBNAME); -+ -+ PK11_LIBNAME = NULL; -+ } -+ -+static long set_PK11_LIBNAME(const char *name) -+ { -+ free_PK11_LIBNAME(); -+ -+ return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 
1 : 0); -+ } -+ -+/* acquire all engine specific mutexes before fork */ -+static void pk11_fork_prepare(void) -+ { -+#ifndef NOPTHREADS -+ int i; -+ -+ if (!pk11_library_initialized) -+ return; -+ -+ LOCK_OBJSTORE(OP_RSA); -+ LOCK_OBJSTORE(OP_DSA); -+ LOCK_OBJSTORE(OP_DH); -+ for (i = 0; i < OP_MAX; i++) -+ { -+ (void) pthread_mutex_lock(session_cache[i].lock); -+ } -+#endif -+ } -+ -+/* release all engine specific mutexes */ -+static void pk11_fork_parent(void) -+ { -+#ifndef NOPTHREADS -+ int i; -+ -+ if (!pk11_library_initialized) -+ return; -+ -+ for (i = OP_MAX - 1; i >= 0; i--) -+ { -+ (void) pthread_mutex_unlock(session_cache[i].lock); -+ } -+ UNLOCK_OBJSTORE(OP_DH); -+ UNLOCK_OBJSTORE(OP_DSA); -+ UNLOCK_OBJSTORE(OP_RSA); -+#endif -+ } -+ -+/* -+ * same situation as in parent - we need to unlock all locks to make them -+ * accessible to all threads. -+ */ -+static void pk11_fork_child(void) -+ { -+#ifndef NOPTHREADS -+ int i; -+ -+ if (!pk11_library_initialized) -+ return; -+ -+ for (i = OP_MAX - 1; i >= 0; i--) -+ { -+ (void) pthread_mutex_unlock(session_cache[i].lock); -+ } -+ UNLOCK_OBJSTORE(OP_DH); -+ UNLOCK_OBJSTORE(OP_DSA); -+ UNLOCK_OBJSTORE(OP_RSA); -+#endif -+ } -+ -+/* Initialization function for the pk11 engine */ -+static int pk11_init(ENGINE *e) -+{ -+ return (pk11_library_init(e)); -+} -+ -+/* -+ * Initialization function. Sets up various PKCS#11 library components. -+ * It selects a slot based on predefined critiera. In the process, it also -+ * count how many ciphers and digests to support. Since the cipher and -+ * digest information is needed when setting default engine, this function -+ * needs to be called before calling ENGINE_set_default. 
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+ {
-+ CK_C_GetFunctionList p;
-+ CK_RV rv = CKR_OK;
-+ CK_INFO info;
-+ CK_ULONG ul_state_len;
-+ int any_slot_found;
-+ int i;
-+#ifndef OPENSSL_SYS_WIN32
-+ struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+ /*
-+ * pk11_library_initialized is set to 0 in pk11_finish() which is called
-+ * from ENGINE_finish(). However, if there is still at least one
-+ * existing functional reference to the engine (see engine(3) for more
-+ * information), pk11_finish() is skipped. For example, this can happen
-+ * if an application forgets to clear one cipher context. In case of a
-+ * fork() when the application is finishing the engine so that it can be
-+ * reinitialized in the child, forgotten functional reference causes
-+ * pk11_library_initialized to stay 1. In that case we need the PID
-+ * check so that we properly initialize the engine again.
-+ */
-+ if (pk11_library_initialized)
-+ {
-+ if (pk11_pid == getpid())
-+ {
-+ return (1);
-+ }
-+ else
-+ {
-+ global_session = CK_INVALID_HANDLE;
-+ /*
-+ * free the locks first to prevent memory leak in case
-+ * the application calls fork() without finishing the
-+ * engine first.
-+ */
-+ pk11_free_all_locks();
-+ }
-+ }
-+
-+ if (pk11_dso == NULL)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+#ifdef SOLARIS_AES_CTR
-+ /*
-+ * We must do this before we start working with slots since we need all
-+ * NIDs there.
-+ */
-+ if (pk11_add_aes_ctr_NIDs() == 0)
-+ goto err;
-+#endif /* SOLARIS_AES_CTR */
-+
-+#ifdef SOLARIS_HW_SLOT_SELECTION
-+ if (check_hw_mechanisms() == 0)
-+ goto err;
-+#endif /* SOLARIS_HW_SLOT_SELECTION */
-+
-+ /* get the C_GetFunctionList function from the loaded library */
-+ p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+ PK11_GET_FUNCTION_LIST);
-+ if (!p)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ /* get the full function list from the loaded library */
-+ rv = p(&pFuncList);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+ goto err;
-+ }
-+
-+#ifndef OPENSSL_SYS_WIN32
-+ /* Not all PKCS#11 library are signal safe! */
-+
-+ (void) memset(&sigint_act, 0, sizeof(sigint_act));
-+ (void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+ (void) memset(&sighup_act, 0, sizeof(sighup_act));
-+ (void) sigaction(SIGINT, NULL, &sigint_act);
-+ (void) sigaction(SIGTERM, NULL, &sigterm_act);
-+ (void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+ rv = pFuncList->C_Initialize(NULL_PTR);
-+#ifndef OPENSSL_SYS_WIN32
-+ (void) sigaction(SIGINT, &sigint_act, NULL);
-+ (void) sigaction(SIGTERM, &sigterm_act, NULL);
-+ (void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_GetInfo(&info);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+ goto err;
-+ }
-+
-+ if (pk11_choose_slots(&any_slot_found) == 0)
-+ goto err;
-+
-+ /*
-+ * The library we use, set in def_PK11_LIBNAME, may not offer any
-+ * slot(s). In that case, we must not proceed but we must not return an
-+ * error. The reason is that applications that try to set up the PKCS#11
-+ * engine don't exit on error during the engine initialization just
-+ * because no slot was present.
-+ */
-+ if (any_slot_found == 0)
-+ return (1);
-+
-+ if (global_session == CK_INVALID_HANDLE)
-+ {
-+ /* Open the global_session for the new process */
-+ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &global_session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LIBRARY_INIT,
-+ PK11_R_OPENSESSION, rv);
-+ goto err;
-+ }
-+ }
-+
-+ /*
-+ * Disable digest if C_GetOperationState is not supported since
-+ * this function is required by OpenSSL digest copy function
-+ */
-+ /* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
-+ if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
-+ != CKR_OK) {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: C_GetOperationState() not supported, "
-+ "setting digest_count to 0\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ digest_count = 0;
-+ }
-+
-+ pk11_library_initialized = TRUE;
-+ pk11_pid = getpid();
-+ /*
-+ * if initialization of the locks fails pk11_init_all_locks()
-+ * will do the cleanup.
-+ */
-+ if (!pk11_init_all_locks())
-+ goto err;
-+ for (i = 0; i < OP_MAX; i++)
-+ session_cache[i].head = NULL;
-+ /*
-+ * initialize active lists. We only use active lists
-+ * for asymmetric ciphers.
-+ */
-+ for (i = 0; i < OP_MAX; i++)
-+ active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+ if (!pk11_atfork_initialized)
-+ {
-+ if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+ pk11_fork_child) != 0)
-+ {
-+ PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+ goto err;
-+ }
-+ pk11_atfork_initialized = TRUE;
-+ }
-+#endif
-+
-+ return (1);
-+
-+err:
-+ return (0);
-+ }
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+ {
-+ free_PK11_LIBNAME();
-+ ERR_unload_pk11_strings();
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+ return (1);
-+ }
-+
-+/*
-+ * Termination function to clean up the session, the token, and the pk11
-+ * library.
-+ */
-+/* ARGSUSED */
-+static int pk11_finish(ENGINE *e)
-+ {
-+ int i;
-+
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+
-+ if (pk11_dso == NULL)
-+ {
-+ PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+ goto err;
-+ }
-+
-+ OPENSSL_assert(pFuncList != NULL);
-+
-+ if (pk11_free_all_sessions() == 0)
-+ goto err;
-+
-+ /* free all active lists */
-+ for (i = 0; i < OP_MAX; i++)
-+ pk11_free_active_list(i);
-+
-+ pFuncList->C_CloseSession(global_session);
-+ global_session = CK_INVALID_HANDLE;
-+
-+ /*
-+ * Since we are part of a library (libcrypto.so), calling this function
-+ * may have side-effects.
-+ */
-+#if 0
-+ pFuncList->C_Finalize(NULL);
-+#endif
-+
-+ if (!DSO_free(pk11_dso))
-+ {
-+ PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+ pk11_dso = NULL;
-+ pFuncList = NULL;
-+ pk11_library_initialized = FALSE;
-+ pk11_pid = 0;
-+ /*
-+ * There is no way how to unregister atfork handlers (other than
-+ * unloading the library) so we just free the locks. For this reason
-+ * the atfork handlers check if the engine is initialized and bail out
-+ * immediately if not.
This is necessary in case a process finishes
-+ * the engine before calling fork().
-+ */
-+ pk11_free_all_locks();
-+
-+ return (1);
-+
-+err:
-+ return (0);
-+ }
-+
-+/* Standard engine interface function to set the dynamic library path */
-+/* ARGSUSED */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-+ {
-+ int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+ switch (cmd)
-+ {
-+ case PK11_CMD_SO_PATH:
-+ if (p == NULL)
-+ {
-+ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+ return (0);
-+ }
-+
-+ if (initialized)
-+ {
-+ PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+ return (0);
-+ }
-+
-+ return (set_PK11_LIBNAME((const char *)p));
-+ case PK11_CMD_PIN:
-+ if (pk11_pin) {
-+ memset(pk11_pin, 0, strlen(pk11_pin));
-+ OPENSSL_free((void*)pk11_pin);
-+ }
-+ pk11_pin = NULL;
-+
-+ if (p == NULL)
-+ {
-+ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+ return (0);
-+ }
-+
-+ pk11_pin = BUF_strdup(p);
-+ if (pk11_pin == NULL)
-+ {
-+ PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+ return (0);
-+ }
-+ return (1);
-+ case PK11_CMD_SLOT:
-+ SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: slot set\n", PK11_DBG);
-+#endif
-+ return (1);
-+ default:
-+ break;
-+ }
-+
-+ PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+ return (0);
-+ }
-+
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static void pk11_rand_cleanup(void)
-+ {
-+ return;
-+ }
-+
-+/* ARGSUSED */
-+static void pk11_rand_add(const void *buf, int num, double add)
-+ {
-+ PK11_SESSION *sp;
-+
-+ if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+ return;
-+
-+ /*
-+ * Ignore any errors (e.g.
CKR_RANDOM_SEED_NOT_SUPPORTED) since
-+ * the calling functions do not care anyway
-+ */
-+ pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+ pk11_return_session(sp, OP_RAND);
-+
-+ return;
-+ }
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+ {
-+ pk11_rand_add(buf, num, 0);
-+ }
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+ {
-+ CK_RV rv;
-+ PK11_SESSION *sp;
-+
-+ if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+ return (0);
-+
-+ rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
-+ pk11_return_session(sp, OP_RAND);
-+ return (0);
-+ }
-+
-+ pk11_return_session(sp, OP_RAND);
-+ return (1);
-+ }
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static int pk11_rand_status(void)
-+ {
-+ return (1);
-+ }
-+
-+/* Free all BIGNUM structures from PK11_SESSION. */
-+static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+ switch (optype)
-+ {
-+#ifndef OPENSSL_NO_RSA
-+ case OP_RSA:
-+ if (sp->opdata_rsa_n_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_n_num);
-+ sp->opdata_rsa_n_num = NULL;
-+ }
-+ if (sp->opdata_rsa_e_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_e_num);
-+ sp->opdata_rsa_e_num = NULL;
-+ }
-+ if (sp->opdata_rsa_d_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_d_num);
-+ sp->opdata_rsa_d_num = NULL;
-+ }
-+ break;
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+ case OP_DSA:
-+ if (sp->opdata_dsa_pub_num != NULL)
-+ {
-+ BN_free(sp->opdata_dsa_pub_num);
-+ sp->opdata_dsa_pub_num = NULL;
-+ }
-+ if (sp->opdata_dsa_priv_num != NULL)
-+ {
-+ BN_free(sp->opdata_dsa_priv_num);
-+ sp->opdata_dsa_priv_num = NULL;
-+ }
-+ break;
-+#endif
-+#ifndef OPENSSL_NO_DH
-+ case OP_DH:
-+ if (sp->opdata_dh_priv_num != NULL)
-+ {
-+ BN_free(sp->opdata_dh_priv_num);
-+ sp->opdata_dh_priv_num = NULL;
-+ }
-+ break;
-+#endif
-+ default:
-+ break;
-+ }
-+ }
-+
-+/*
-+ * Get new PK11_SESSION
structure ready for use. Every process must have
-+ * its own freelist of PK11_SESSION structures so handle fork() here
-+ * by destroying the old and creating new freelist.
-+ * The returned PK11_SESSION structure is disconnected from the freelist.
-+ */
-+PK11_SESSION *
-+pk11_get_session(PK11_OPTYPE optype)
-+ {
-+ PK11_SESSION *sp = NULL, *sp1, *freelist;
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock = NULL;
-+#endif
-+ CK_RV rv;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_GET_SESSION,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return (NULL);
-+ }
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ sp = freelist;
-+
-+ /*
-+ * If the free list is empty, allocate new unitialized (filled
-+ * with zeroes) PK11_SESSION structure otherwise return first
-+ * structure from the freelist.
-+ */
-+ if (sp == NULL)
-+ {
-+ if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
-+ {
-+ PK11err(PK11_F_GET_SESSION,
-+ PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ (void) memset(sp, 0, sizeof (PK11_SESSION));
-+ }
-+ else
-+ {
-+ freelist = sp->next;
-+ }
-+
-+ if (sp->pid != 0 && sp->pid != getpid())
-+ {
-+ /*
-+ * We are a new process and thus need to free any inherited
-+ * PK11_SESSION objects.
-+ */
-+ while ((sp1 = freelist) != NULL)
-+ {
-+ freelist = sp1->next;
-+ /*
-+ * NOTE: we do not want to call pk11_free_all_sessions()
-+ * here because it would close underlying PKCS#11
-+ * sessions and destroy all objects.
-+ */
-+ pk11_free_nums(sp1, optype);
-+ OPENSSL_free(sp1);
-+ }
-+
-+ /* we have to free the active list as well.
*/
-+ pk11_free_active_list(optype);
-+
-+ /* Initialize the process */
-+ rv = pFuncList->C_Initialize(NULL_PTR);
-+ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+ {
-+ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
-+ rv);
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ goto err;
-+ }
-+
-+ /*
-+ * Choose slot here since the slot table is different on this
-+ * process. If we are here then we must have found at least one
-+ * usable slot before so we don't need to check any_slot_found.
-+ * See pk11_library_init()'s usage of this function for more
-+ * information.
-+ */
-+#ifdef SOLARIS_HW_SLOT_SELECTION
-+ if (check_hw_mechanisms() == 0)
-+ goto err;
-+#endif /* SOLARIS_HW_SLOT_SELECTION */
-+ if (pk11_choose_slots(NULL) == 0)
-+ goto err;
-+
-+ /* Open the global_session for the new process */
-+ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &global_session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
-+ rv);
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ goto err;
-+ }
-+
-+ /* It is an inherited session and needs re-initialization. */
-+ if (pk11_setup_session(sp, optype) == 0)
-+ {
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ }
-+ }
-+ if (sp->pid == 0)
-+ {
-+ /* It is a new session and needs initialization.
*/
-+ if (pk11_setup_session(sp, optype) == 0)
-+ {
-+ OPENSSL_free(sp);
-+ sp = NULL;
-+ }
-+ }
-+
-+ /* set new head for the list of PK11_SESSION objects */
-+ session_cache[optype].head = freelist;
-+
-+err:
-+ if (sp != NULL)
-+ sp->next = NULL;
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (sp);
-+ }
-+
-+
-+void
-+pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock;
-+#endif
-+ PK11_SESSION *freelist;
-+
-+ if (sp == NULL || sp->pid != getpid())
-+ return;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_RETURN_SESSION,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return;
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ sp->next = freelist;
-+ session_cache[optype].head = sp;
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ }
-+
-+
-+/* Destroy all objects. This function is called when the engine is finished */
-+static int pk11_free_all_sessions()
-+ {
-+ int ret = 1;
-+ int type;
-+
-+#ifndef OPENSSL_NO_RSA
-+ (void) pk11_destroy_rsa_key_objects(NULL);
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+ (void) pk11_destroy_dsa_key_objects(NULL);
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+ (void) pk11_destroy_dh_key_objects(NULL);
-+#endif /* OPENSSL_NO_DH */
-+ (void) pk11_destroy_cipher_key_objects(NULL);
-+
-+ /*
-+ * We try to release as much as we can but any error means that we will
-+ * return 0 on exit.
-+ */
-+ for (type = 0; type < OP_MAX; type++)
-+ {
-+ if (pk11_free_session_list(type) == 0)
-+ ret = 0;
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy session structures from the linked list specified. Free as many
-+ * sessions as possible but any failure in C_CloseSession() means that we
-+ * return an error on return.
-+ */
-+static int pk11_free_session_list(PK11_OPTYPE optype)
-+ {
-+ CK_RV rv;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *freelist = NULL;
-+ pid_t mypid = getpid();
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *freelist_lock;
-+#endif
-+ int ret = 1;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ case OP_RAND:
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+#ifndef NOPTHREADS
-+ freelist_lock = session_cache[optype].lock;
-+#endif
-+ break;
-+ default:
-+ PK11err(PK11_F_FREE_ALL_SESSIONS,
-+ PK11_R_INVALID_OPERATION_TYPE);
-+ return (0);
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ freelist = session_cache[optype].head;
-+ while ((sp = freelist) != NULL)
-+ {
-+ if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
-+ {
-+ rv = pFuncList->C_CloseSession(sp->session);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
-+ PK11_R_CLOSESESSION, rv);
-+ ret = 0;
-+ }
-+ }
-+ freelist = sp->next;
-+ pk11_free_nums(sp, optype);
-+ OPENSSL_free(sp);
-+ }
-+
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
-+#else
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ return (ret);
-+ }
-+
-+
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+ {
-+ CK_RV rv;
-+ CK_SLOT_ID myslot;
-+
-+ switch (optype)
-+ {
-+ case OP_RSA:
-+ case OP_DSA:
-+ case OP_DH:
-+ myslot = pubkey_SLOTID;
-+ break;
-+ case OP_RAND:
-+ myslot = rand_SLOTID;
-+ break;
-+ case OP_DIGEST:
-+ case OP_CIPHER:
-+ myslot = SLOTID;
-+ break;
-+ default:
-+ PK11err(PK11_F_SETUP_SESSION,
-+
PK11_R_INVALID_OPERATION_TYPE);
-+ return (0);
-+ }
-+
-+ sp->session = CK_INVALID_HANDLE;
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &sp->session);
-+ if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
-+ {
-+ /*
-+ * We are probably a child process so force the
-+ * reinitialize of the session
-+ */
-+ pk11_library_initialized = FALSE;
-+ if (!pk11_library_init(NULL))
-+ return (0);
-+ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+ NULL_PTR, NULL_PTR, &sp->session);
-+ }
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
-+ return (0);
-+ }
-+
-+ sp->pid = getpid();
-+
-+ switch (optype)
-+ {
-+#ifndef OPENSSL_NO_RSA
-+ case OP_RSA:
-+ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_pub = NULL;
-+ sp->opdata_rsa_n_num = NULL;
-+ sp->opdata_rsa_e_num = NULL;
-+ sp->opdata_rsa_priv = NULL;
-+ sp->opdata_rsa_d_num = NULL;
-+ break;
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+ case OP_DSA:
-+ sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_dsa_pub = NULL;
-+ sp->opdata_dsa_pub_num = NULL;
-+ sp->opdata_dsa_priv = NULL;
-+ sp->opdata_dsa_priv_num = NULL;
-+ break;
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+ case OP_DH:
-+ sp->opdata_dh_key = CK_INVALID_HANDLE;
-+ sp->opdata_dh = NULL;
-+ sp->opdata_dh_priv_num = NULL;
-+ break;
-+#endif /* OPENSSL_NO_DH */
-+ case OP_CIPHER:
-+ sp->opdata_cipher_key = CK_INVALID_HANDLE;
-+ sp->opdata_encrypt = -1;
-+ break;
-+ default:
-+ break;
-+ }
-+
-+ return (1);
-+ }
-+
-+#ifndef OPENSSL_NO_RSA
-+/* Destroy RSA public key from single session.
*/
-+int
-+pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
-+ ret, uselock, OP_RSA);
-+ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_pub = NULL;
-+ if (sp->opdata_rsa_n_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_n_num);
-+ sp->opdata_rsa_n_num = NULL;
-+ }
-+ if (sp->opdata_rsa_e_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_e_num);
-+ sp->opdata_rsa_e_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/* Destroy RSA private key from single session. */
-+int
-+pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
-+ {
-+ if ((sp->opdata_rsa_priv->flags & RSA_FLAG_EXT_PKEY) != 0)
-+ {
-+ TRY_OBJ_DELETE(sp->session,
-+ sp->opdata_rsa_priv_key,
-+ ret, uselock, OP_RSA);
-+ }
-+ else
-+ {
-+ TRY_OBJ_DESTROY(sp->session,
-+ sp->opdata_rsa_priv_key,
-+ ret, uselock, OP_RSA);
-+ }
-+ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_rsa_priv = NULL;
-+ if (sp->opdata_rsa_d_num != NULL)
-+ {
-+ BN_free(sp->opdata_rsa_d_num);
-+ sp->opdata_rsa_d_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
-+ * objects in the free list.
-+ */
-+int
-+pk11_destroy_rsa_key_objects(PK11_SESSION *session)
-+ {
-+ int ret = 1;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *local_free_session;
-+ CK_BBOOL uselock = TRUE;
-+
-+ if (session != NULL)
-+ local_free_session = session;
-+ else
-+ {
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ local_free_session = session_cache[OP_RSA].head;
-+ uselock = FALSE;
-+ }
-+
-+ /*
-+ * go through the list of sessions and delete key objects
-+ */
-+ while ((sp = local_free_session) != NULL)
-+ {
-+ local_free_session = sp->next;
-+
-+ /*
-+ * Do not terminate list traversal if one of the
-+ * destroy operations fails.
-+ */
-+ if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ }
-+
-+#ifndef NOPTHREADS
-+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
-+#else
-+ if (session == NULL)
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (ret);
-+ }
-+#endif /* OPENSSL_NO_RSA */
-+
-+#ifndef OPENSSL_NO_DSA
-+/* Destroy DSA public key from single session. */
-+int
-+pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_dsa_pub_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_pub_key,
-+ ret, uselock, OP_DSA);
-+ sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
-+ sp->opdata_dsa_pub = NULL;
-+ if (sp->opdata_dsa_pub_num != NULL)
-+ {
-+ BN_free(sp->opdata_dsa_pub_num);
-+ sp->opdata_dsa_pub_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/* Destroy DSA private key from single session.
*/
-+int
-+pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_dsa_priv_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_priv_key,
-+ ret, uselock, OP_DSA);
-+ sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
-+ sp->opdata_dsa_priv = NULL;
-+ if (sp->opdata_dsa_priv_num != NULL)
-+ {
-+ BN_free(sp->opdata_dsa_priv_num);
-+ sp->opdata_dsa_priv_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy DSA key object wrapper. If session is NULL, try to destroy all
-+ * objects in the free list.
-+ */
-+int
-+pk11_destroy_dsa_key_objects(PK11_SESSION *session)
-+ {
-+ int ret = 1;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *local_free_session;
-+ CK_BBOOL uselock = TRUE;
-+
-+ if (session != NULL)
-+ local_free_session = session;
-+ else
-+ {
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ local_free_session = session_cache[OP_DSA].head;
-+ uselock = FALSE;
-+ }
-+
-+ /*
-+ * go through the list of sessions and delete key objects
-+ */
-+ while ((sp = local_free_session) != NULL)
-+ {
-+ local_free_session = sp->next;
-+
-+ /*
-+ * Do not terminate list traversal if one of the
-+ * destroy operations fails.
-+ */
-+ if (pk11_destroy_dsa_object_pub(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ if (pk11_destroy_dsa_object_priv(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ }
-+
-+#ifndef NOPTHREADS
-+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
-+#else
-+ if (session == NULL)
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (ret);
-+ }
-+#endif /* OPENSSL_NO_DSA */
-+
-+#ifndef OPENSSL_NO_DH
-+/* Destroy DH key from single session.
*/
-+int
-+pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock)
-+ {
-+ int ret = 0;
-+
-+ if (sp->opdata_dh_key != CK_INVALID_HANDLE)
-+ {
-+ TRY_OBJ_DESTROY(sp->session, sp->opdata_dh_key,
-+ ret, uselock, OP_DH);
-+ sp->opdata_dh_key = CK_INVALID_HANDLE;
-+ sp->opdata_dh = NULL;
-+ if (sp->opdata_dh_priv_num != NULL)
-+ {
-+ BN_free(sp->opdata_dh_priv_num);
-+ sp->opdata_dh_priv_num = NULL;
-+ }
-+ }
-+
-+ return (ret);
-+ }
-+
-+/*
-+ * Destroy DH key object wrapper.
-+ *
-+ * arg0: pointer to PKCS#11 engine session structure
-+ * if session is NULL, try to destroy all objects in the free list
-+ */
-+int
-+pk11_destroy_dh_key_objects(PK11_SESSION *session)
-+ {
-+ int ret = 1;
-+ PK11_SESSION *sp = NULL;
-+ PK11_SESSION *local_free_session;
-+ CK_BBOOL uselock = TRUE;
-+
-+ if (session != NULL)
-+ local_free_session = session;
-+ else
-+ {
-+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DH].lock);
-+#else
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+ local_free_session = session_cache[OP_DH].head;
-+ uselock = FALSE;
-+ }
-+
-+ while ((sp = local_free_session) != NULL)
-+ {
-+ local_free_session = sp->next;
-+
-+ /*
-+ * Do not terminate list traversal if one of the
-+ * destroy operations fails.
-+ */
-+ if (pk11_destroy_dh_object(sp, uselock) == 0)
-+ {
-+ ret = 0;
-+ continue;
-+ }
-+ }
-+
-+#ifndef NOPTHREADS
-+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
-+#else
-+ if (session == NULL)
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+ return (ret);
-+ }
-+#endif /* OPENSSL_NO_DH */
-+
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
-+ {
-+ CK_RV rv;
-+ rv = pFuncList->C_DestroyObject(session, oh);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
-+ rv);
-+ return (0);
-+ }
-+
-+ return (1);
-+ }
-+
-+
-+/* Symmetric ciphers and digests support functions */
-+
-+static int
-+cipher_nid_to_pk11(int nid)
-+ {
-+ int i;
-+
-+ for (i = 0; i < PK11_CIPHER_MAX; i++)
-+ if (ciphers[i].nid == nid)
-+ return (ciphers[i].id);
-+ return (-1);
-+ }
-+
-+static int
-+pk11_usable_ciphers(const int **nids)
-+ {
-+ if (cipher_count > 0)
-+ *nids = cipher_nids;
-+ else
-+ *nids = NULL;
-+ return (cipher_count);
-+ }
-+
-+static int
-+pk11_usable_digests(const int **nids)
-+ {
-+ if (digest_count > 0)
-+ *nids = digest_nids;
-+ else
-+ *nids = NULL;
-+ return (digest_count);
-+ }
-+
-+/*
-+ * Init context for encryption or decryption using a symmetric key.
-+ */
-+static int pk11_init_symmetric(EVP_CIPHER_CTX *ctx, PK11_CIPHER *pcipher,
-+ PK11_SESSION *sp, CK_MECHANISM_PTR pmech)
-+ {
-+ CK_RV rv;
-+#ifdef SOLARIS_AES_CTR
-+ CK_AES_CTR_PARAMS ctr_params;
-+#endif /* SOLARIS_AES_CTR */
-+
-+ /*
-+ * We expect pmech->mechanism to be already set and
-+ * pParameter/ulParameterLen initialized to NULL/0 before
-+ * pk11_init_symetric() is called.
-+ */
-+ OPENSSL_assert(pmech->mechanism != 0);
-+ OPENSSL_assert(pmech->pParameter == NULL);
-+ OPENSSL_assert(pmech->ulParameterLen == 0);
-+
-+#ifdef SOLARIS_AES_CTR
-+ if (ctx->cipher->nid == NID_aes_128_ctr ||
-+ ctx->cipher->nid == NID_aes_192_ctr ||
-+ ctx->cipher->nid == NID_aes_256_ctr)
-+ {
-+ pmech->pParameter = (void *)(&ctr_params);
-+ pmech->ulParameterLen = sizeof (ctr_params);
-+ /*
-+ * For now, we are limited to the fixed length of the counter,
-+ * it covers the whole counter block. That's what RFC 4344
-+ * needs. For more information on internal structure of the
-+ * counter block, see RFC 3686. If needed in the future, we can
-+ * add code so that the counter length can be set via
-+ * ENGINE_ctrl() function.
-+ */
-+ ctr_params.ulCounterBits = AES_BLOCK_SIZE * 8;
-+ OPENSSL_assert(pcipher->iv_len == AES_BLOCK_SIZE);
-+ (void) memcpy(ctr_params.cb, ctx->iv, AES_BLOCK_SIZE);
-+ }
-+ else
-+#endif /* SOLARIS_AES_CTR */
-+ {
-+ if (pcipher->iv_len > 0)
-+ {
-+ pmech->pParameter = (void *)ctx->iv;
-+ pmech->ulParameterLen = pcipher->iv_len;
-+ }
-+ }
-+
-+ /* if we get here, the encryption needs to be reinitialized */
-+ if (ctx->encrypt)
-+ rv = pFuncList->C_EncryptInit(sp->session, pmech,
-+ sp->opdata_cipher_key);
-+ else
-+ rv = pFuncList->C_DecryptInit(sp->session, pmech,
-+ sp->opdata_cipher_key);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_CIPHER_INIT, ctx->encrypt ?
-+ PK11_R_ENCRYPTINIT : PK11_R_DECRYPTINIT, rv);
-+ pk11_return_session(sp, OP_CIPHER);
-+ return (0);
-+ }
-+
-+ return (1);
-+ }
-+
-+/* ARGSUSED */
-+static int
-+pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+ {
-+ CK_MECHANISM mech;
-+ int index;
-+ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
-+ PK11_SESSION *sp;
-+ PK11_CIPHER *p_ciph_table_row;
-+
-+ state->sp = NULL;
-+
-+ index = cipher_nid_to_pk11(ctx->cipher->nid);
-+ if (index < 0 || index >= PK11_CIPHER_MAX)
-+ return (0);
-+
-+ p_ciph_table_row = &ciphers[index];
-+ /*
-+ * iv_len in the ctx->cipher structure is the maximum IV length for the
-+ * current cipher and it must be less or equal to the IV length in our
-+ * ciphers table. The key length must match precisely. Every application
-+ * can define its own EVP functions so this code serves as a sanity
-+ * check.
-+ *
-+ * Note that the reason why the IV length in ctx->cipher might be
-+ * greater than the actual length is that OpenSSL uses BLOCK_CIPHER_defs
-+ * macro to define functions that return EVP structures for all DES
-+ * modes. So, even ECB modes get 8 byte IV.
-+ */
-+ if (ctx->cipher->iv_len < p_ciph_table_row->iv_len ||
-+ ctx->key_len != p_ciph_table_row->key_len)
-+ {
-+ PK11err(PK11_F_CIPHER_INIT, PK11_R_KEY_OR_IV_LEN_PROBLEM);
-+ return (0);
-+ }
-+
-+ if ((sp = pk11_get_session(OP_CIPHER)) == NULL)
-+ return (0);
-+
-+ /* if applicable, the mechanism parameter is used for IV */
-+ mech.mechanism = p_ciph_table_row->mech_type;
-+ mech.pParameter = NULL;
-+ mech.ulParameterLen = 0;
-+
-+ /* The key object is destroyed here if it is not the current key. */
-+ (void) check_new_cipher_key(sp, key, p_ciph_table_row->key_len);
-+
-+ /*
-+ * If the key is the same and the encryption is also the same, then
-+ * just reuse it. However, we must not forget to reinitialize the
-+ * context that was finalized in pk11_cipher_cleanup().
-+ */
-+ if (sp->opdata_cipher_key != CK_INVALID_HANDLE &&
-+ sp->opdata_encrypt == ctx->encrypt)
-+ {
-+ state->sp = sp;
-+ if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
-+ return (0);
-+
-+ return (1);
-+ }
-+
-+ /*
-+ * Check if the key has been invalidated. If so, a new key object
-+ * needs to be created.
-+ */
-+ if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
-+ {
-+ sp->opdata_cipher_key = pk11_get_cipher_key(
-+ ctx, key, p_ciph_table_row->key_type, sp);
-+ }
-+
-+ if (sp->opdata_encrypt != ctx->encrypt && sp->opdata_encrypt != -1)
-+ {
-+ /*
-+ * The previous encryption/decryption is different. Need to
-+ * terminate the previous * active encryption/decryption here.
-+ */
-+ if (!pk11_cipher_final(sp))
-+ {
-+ pk11_return_session(sp, OP_CIPHER);
-+ return (0);
-+ }
-+ }
-+
-+ if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
-+ {
-+ pk11_return_session(sp, OP_CIPHER);
-+ return (0);
-+ }
-+
-+ /* now initialize the context with a new key */
-+ if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
-+ return (0);
-+
-+ sp->opdata_encrypt = ctx->encrypt;
-+ state->sp = sp;
-+
-+ return (1);
-+ }
-+
-+/*
-+ * When reusing the same key in an encryption/decryption session for a
-+ * decryption/encryption session, we need to close the active session
-+ * and recreate a new one. Note that the key is in the global session so
-+ * that it needs not be recreated.
-+ *
-+ * It is more appropriate to use C_En/DecryptFinish here. At the time of this
-+ * development, these two functions in the PKCS#11 libraries used return
-+ * unexpected errors when passing in 0 length output. It may be a good
-+ * idea to try them again if performance is a problem here and fix
-+ * C_En/DecryptFinial if there are bugs there causing the problem.
-+ */ -+static int -+pk11_cipher_final(PK11_SESSION *sp) -+ { -+ CK_RV rv; -+ -+ rv = pFuncList->C_CloseSession(sp->session); -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_CLOSESESSION, rv); -+ return (0); -+ } -+ -+ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION, -+ NULL_PTR, NULL_PTR, &sp->session); -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_OPENSESSION, rv); -+ return (0); -+ } -+ -+ return (1); -+ } -+ -+/* -+ * An engine interface function. The calling function allocates sufficient -+ * memory for the output buffer "out" to hold the results. -+ */ -+static int -+pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, unsigned int inl) -+ { -+ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data; -+ PK11_SESSION *sp; -+ CK_RV rv; -+ unsigned long outl = inl; -+ -+ if (state == NULL || state->sp == NULL) -+ return (0); -+ -+ sp = (PK11_SESSION *) state->sp; -+ -+ if (!inl) -+ return (1); -+ -+ /* RC4 is the only stream cipher we support */ -+ if (ctx->cipher->nid != NID_rc4 && (inl % ctx->cipher->block_size) != 0) -+ return (0); -+ -+ if (ctx->encrypt) -+ { -+ rv = pFuncList->C_EncryptUpdate(sp->session, -+ (unsigned char *)in, inl, out, &outl); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CIPHER_DO_CIPHER, -+ PK11_R_ENCRYPTUPDATE, rv); -+ return (0); -+ } -+ } -+ else -+ { -+ rv = pFuncList->C_DecryptUpdate(sp->session, -+ (unsigned char *)in, inl, out, &outl); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CIPHER_DO_CIPHER, -+ PK11_R_DECRYPTUPDATE, rv); -+ return (0); -+ } -+ } -+ -+ /* -+ * For DES_CBC, DES3_CBC, AES_CBC, and RC4, the output size is always -+ * the same size of input. -+ * The application has guaranteed to call the block ciphers with -+ * correctly aligned buffers. -+ */ -+ if (inl != outl) -+ return (0); -+ -+ return (1); -+ } -+ -+/* -+ * Return the session to the pool. 
Calling C_EncryptFinal() and C_DecryptFinal() -+ * here is the right thing because in EVP_DecryptFinal_ex(), engine's -+ * do_cipher() is not even called, and in EVP_EncryptFinal_ex() it is called but -+ * the engine can't find out that it's the finalizing call. We wouldn't -+ * necessarily have to finalize the context here since reinitializing it with -+ * C_(Encrypt|Decrypt)Init() should be fine but for the sake of correctness, -+ * let's do it. Some implementations might leak memory if the previously used -+ * context is initialized without finalizing it first. -+ */ -+static int -+pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx) -+ { -+ CK_RV rv; -+ CK_ULONG len = EVP_MAX_BLOCK_LENGTH; -+ CK_BYTE buf[EVP_MAX_BLOCK_LENGTH]; -+ PK11_CIPHER_STATE *state = ctx->cipher_data; -+ -+ if (state != NULL && state->sp != NULL) -+ { -+ /* -+ * We are not interested in the data here, we just need to get -+ * rid of the context. -+ */ -+ if (ctx->encrypt) -+ rv = pFuncList->C_EncryptFinal( -+ state->sp->session, buf, &len); -+ else -+ rv = pFuncList->C_DecryptFinal( -+ state->sp->session, buf, &len); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CIPHER_CLEANUP, ctx->encrypt ? -+ PK11_R_ENCRYPTFINAL : PK11_R_DECRYPTFINAL, rv); -+ pk11_return_session(state->sp, OP_CIPHER); -+ return (0); -+ } -+ -+ pk11_return_session(state->sp, OP_CIPHER); -+ state->sp = NULL; -+ } -+ -+ return (1); -+ } -+ -+/* -+ * Registered by the ENGINE when used to find out how to deal with -+ * a particular NID in the ENGINE. 
This says what we'll do at the -+ * top level - note, that list is restricted by what we answer with -+ */ -+/* ARGSUSED */ -+static int -+pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -+ const int **nids, int nid) -+ { -+ if (!cipher) -+ return (pk11_usable_ciphers(nids)); -+ -+ switch (nid) -+ { -+ case NID_des_ede3_cbc: -+ *cipher = &pk11_3des_cbc; -+ break; -+ case NID_des_cbc: -+ *cipher = &pk11_des_cbc; -+ break; -+ case NID_des_ede3_ecb: -+ *cipher = &pk11_3des_ecb; -+ break; -+ case NID_des_ecb: -+ *cipher = &pk11_des_ecb; -+ break; -+ case NID_aes_128_cbc: -+ *cipher = &pk11_aes_128_cbc; -+ break; -+ case NID_aes_192_cbc: -+ *cipher = &pk11_aes_192_cbc; -+ break; -+ case NID_aes_256_cbc: -+ *cipher = &pk11_aes_256_cbc; -+ break; -+ case NID_aes_128_ecb: -+ *cipher = &pk11_aes_128_ecb; -+ break; -+ case NID_aes_192_ecb: -+ *cipher = &pk11_aes_192_ecb; -+ break; -+ case NID_aes_256_ecb: -+ *cipher = &pk11_aes_256_ecb; -+ break; -+ case NID_bf_cbc: -+ *cipher = &pk11_bf_cbc; -+ break; -+ case NID_rc4: -+ *cipher = &pk11_rc4; -+ break; -+ default: -+#ifdef SOLARIS_AES_CTR -+ /* -+ * These can't be in separated cases because the NIDs -+ * here are not constants. 
-+ */ -+ if (nid == NID_aes_128_ctr) -+ *cipher = &pk11_aes_128_ctr; -+ else if (nid == NID_aes_192_ctr) -+ *cipher = &pk11_aes_192_ctr; -+ else if (nid == NID_aes_256_ctr) -+ *cipher = &pk11_aes_256_ctr; -+ else -+#endif /* SOLARIS_AES_CTR */ -+ *cipher = NULL; -+ break; -+ } -+ return (*cipher != NULL); -+ } -+ -+/* ARGSUSED */ -+static int -+pk11_engine_digests(ENGINE *e, const EVP_MD **digest, -+ const int **nids, int nid) -+ { -+ if (!digest) -+ return (pk11_usable_digests(nids)); -+ -+ switch (nid) -+ { -+ case NID_md5: -+ *digest = &pk11_md5; -+ break; -+ case NID_sha1: -+ *digest = &pk11_sha1; -+ break; -+ case NID_sha224: -+ *digest = &pk11_sha224; -+ break; -+ case NID_sha256: -+ *digest = &pk11_sha256; -+ break; -+ case NID_sha384: -+ *digest = &pk11_sha384; -+ break; -+ case NID_sha512: -+ *digest = &pk11_sha512; -+ break; -+ default: -+ *digest = NULL; -+ break; -+ } -+ return (*digest != NULL); -+ } -+ -+ -+/* Create a secret key object in a PKCS#11 session */ -+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx, -+ const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp) -+ { -+ CK_RV rv; -+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY; -+ CK_ULONG ul_key_attr_count = 6; -+ -+ CK_ATTRIBUTE a_key_template[] = -+ { -+ {CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)}, -+ {CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (false)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_VALUE, (void*) NULL, 0}, -+ }; -+ -+ /* -+ * Create secret key object in global_session. All other sessions -+ * can use the key handles. Here is why: -+ * OpenSSL will call EncryptInit and EncryptUpdate using a secret key. -+ * It may then call DecryptInit and DecryptUpdate using the same key. -+ * To use the same key object, we need to call EncryptFinal with -+ * a 0 length message. Currently, this does not work for 3DES -+ * mechanism. 
To get around this problem, we close the session and -+ * then create a new session to use the same key object. When a session -+ * is closed, all the object handles will be invalid. Thus, create key -+ * objects in a global session, an individual session may be closed to -+ * terminate the active operation. -+ */ -+ CK_SESSION_HANDLE session = global_session; -+ a_key_template[0].pValue = &obj_key; -+ a_key_template[1].pValue = &key_type; -+ a_key_template[5].pValue = (void *) key; -+ a_key_template[5].ulValueLen = (unsigned long) ctx->key_len; -+ -+ rv = pFuncList->C_CreateObject(session, -+ a_key_template, ul_key_attr_count, &h_key); -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT, -+ rv); -+ goto err; -+ } -+ -+ /* -+ * Save the key information used in this session. -+ * The max can be saved is PK11_KEY_LEN_MAX. -+ */ -+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ? -+ PK11_KEY_LEN_MAX : ctx->key_len; -+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); -+err: -+ -+ return (h_key); -+ } -+ -+static int -+md_nid_to_pk11(int nid) -+ { -+ int i; -+ -+ for (i = 0; i < PK11_DIGEST_MAX; i++) -+ if (digests[i].nid == nid) -+ return (digests[i].id); -+ return (-1); -+ } -+ -+static int -+pk11_digest_init(EVP_MD_CTX *ctx) -+ { -+ CK_RV rv; -+ CK_MECHANISM mech; -+ int index; -+ PK11_SESSION *sp; -+ PK11_DIGEST *pdp; -+ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data; -+ -+ state->sp = NULL; -+ -+ index = md_nid_to_pk11(ctx->digest->type); -+ if (index < 0 || index >= PK11_DIGEST_MAX) -+ return (0); -+ -+ pdp = &digests[index]; -+ if ((sp = pk11_get_session(OP_DIGEST)) == NULL) -+ return (0); -+ -+ /* at present, no parameter is needed for supported digests */ -+ mech.mechanism = pdp->mech_type; -+ mech.pParameter = NULL; -+ mech.ulParameterLen = 0; -+ -+ rv = pFuncList->C_DigestInit(sp->session, &mech); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_INIT, PK11_R_DIGESTINIT, rv); -+ 
pk11_return_session(sp, OP_DIGEST); -+ return (0); -+ } -+ -+ state->sp = sp; -+ -+ return (1); -+ } -+ -+static int -+pk11_digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) -+ { -+ CK_RV rv; -+ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data; -+ -+ /* 0 length message will cause a failure in C_DigestFinal */ -+ if (count == 0) -+ return (1); -+ -+ if (state == NULL || state->sp == NULL) -+ return (0); -+ -+ rv = pFuncList->C_DigestUpdate(state->sp->session, (CK_BYTE *) data, -+ count); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_UPDATE, PK11_R_DIGESTUPDATE, rv); -+ pk11_return_session(state->sp, OP_DIGEST); -+ state->sp = NULL; -+ return (0); -+ } -+ -+ return (1); -+ } -+ -+static int -+pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md) -+ { -+ CK_RV rv; -+ unsigned long len; -+ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data; -+ len = ctx->digest->md_size; -+ -+ if (state == NULL || state->sp == NULL) -+ return (0); -+ -+ rv = pFuncList->C_DigestFinal(state->sp->session, md, &len); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_FINAL, PK11_R_DIGESTFINAL, rv); -+ pk11_return_session(state->sp, OP_DIGEST); -+ state->sp = NULL; -+ return (0); -+ } -+ -+ if (ctx->digest->md_size != len) -+ return (0); -+ -+ /* -+ * Final is called and digest is returned, so return the session -+ * to the pool -+ */ -+ pk11_return_session(state->sp, OP_DIGEST); -+ state->sp = NULL; -+ -+ return (1); -+ } -+ -+static int -+pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) -+ { -+ CK_RV rv; -+ int ret = 0; -+ PK11_CIPHER_STATE *state, *state_to; -+ CK_BYTE_PTR pstate = NULL; -+ CK_ULONG ul_state_len; -+ -+ /* The copy-from state */ -+ state = (PK11_CIPHER_STATE *) from->md_data; -+ if (state == NULL || state->sp == NULL) -+ goto err; -+ -+ /* Initialize the copy-to state */ -+ if (!pk11_digest_init(to)) -+ goto err; -+ state_to = (PK11_CIPHER_STATE *) to->md_data; -+ -+ /* Get the size of the 
operation state of the copy-from session */ -+ rv = pFuncList->C_GetOperationState(state->sp->session, NULL, -+ &ul_state_len); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE, -+ rv); -+ goto err; -+ } -+ if (ul_state_len == 0) -+ { -+ goto err; -+ } -+ -+ pstate = OPENSSL_malloc(ul_state_len); -+ if (pstate == NULL) -+ { -+ PK11err(PK11_F_DIGEST_COPY, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ /* Get the operation state of the copy-from session */ -+ rv = pFuncList->C_GetOperationState(state->sp->session, pstate, -+ &ul_state_len); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE, -+ rv); -+ goto err; -+ } -+ -+ /* Set the operation state of the copy-to session */ -+ rv = pFuncList->C_SetOperationState(state_to->sp->session, pstate, -+ ul_state_len, 0, 0); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_DIGEST_COPY, -+ PK11_R_SET_OPERATION_STATE, rv); -+ goto err; -+ } -+ -+ ret = 1; -+err: -+ if (pstate != NULL) -+ OPENSSL_free(pstate); -+ -+ return (ret); -+ } -+ -+/* Return any pending session state to the pool */ -+static int -+pk11_digest_cleanup(EVP_MD_CTX *ctx) -+ { -+ PK11_CIPHER_STATE *state = ctx->md_data; -+ unsigned char buf[EVP_MAX_MD_SIZE]; -+ -+ if (state != NULL && state->sp != NULL) -+ { -+ /* -+ * If state->sp is not NULL then pk11_digest_final() has not -+ * been called yet. We must call it now to free any memory -+ * that might have been allocated in the token when -+ * pk11_digest_init() was called. pk11_digest_final() -+ * will return the session to the cache. -+ */ -+ if (!pk11_digest_final(ctx, buf)) -+ return (0); -+ } -+ -+ return (1); -+ } -+ -+/* -+ * Check if the new key is the same as the key object in the session. If the key -+ * is the same, no need to create a new key object. Otherwise, the old key -+ * object needs to be destroyed and a new one will be created. Return 1 for -+ * cache hit, 0 for cache miss. 
Note that we must check the key length first -+ * otherwise we could end up reusing a different, longer key with the same -+ * prefix. -+ */ -+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key, -+ int key_len) -+ { -+ if (sp->opdata_key_len != key_len || -+ memcmp(sp->opdata_key, key, key_len) != 0) -+ { -+ (void) pk11_destroy_cipher_key_objects(sp); -+ return (0); -+ } -+ return (1); -+ } -+ -+/* Destroy one or more secret key objects. */ -+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session) -+ { -+ int ret = 0; -+ PK11_SESSION *sp = NULL; -+ PK11_SESSION *local_free_session; -+ -+ if (session != NULL) -+ local_free_session = session; -+ else -+ { -+#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock); -+#else -+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); -+#endif -+ local_free_session = session_cache[OP_CIPHER].head; -+ } -+ -+ while ((sp = local_free_session) != NULL) -+ { -+ local_free_session = sp->next; -+ -+ if (sp->opdata_cipher_key != CK_INVALID_HANDLE) -+ { -+ /* -+ * The secret key object is created in the -+ * global_session. See pk11_get_cipher_key -+ */ -+ if (pk11_destroy_object(global_session, -+ sp->opdata_cipher_key) == 0) -+ goto err; -+ sp->opdata_cipher_key = CK_INVALID_HANDLE; -+ } -+ } -+ ret = 1; -+err: -+ -+#ifndef NOPTHREADS -+ if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock); -+#else -+ if (session == NULL) -+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); -+#endif -+ -+ return (ret); -+ } -+ -+ -+/* -+ * Public key mechanisms optionally supported -+ * -+ * CKM_RSA_X_509 -+ * CKM_RSA_PKCS -+ * CKM_DSA -+ * -+ * The first slot that supports at least one of those mechanisms is chosen as a -+ * public key slot. 
-+ * -+ * Symmetric ciphers optionally supported -+ * -+ * CKM_DES3_CBC -+ * CKM_DES_CBC -+ * CKM_AES_CBC -+ * CKM_DES3_ECB -+ * CKM_DES_ECB -+ * CKM_AES_ECB -+ * CKM_AES_CTR -+ * CKM_RC4 -+ * CKM_BLOWFISH_CBC -+ * -+ * Digests optionally supported -+ * -+ * CKM_MD5 -+ * CKM_SHA_1 -+ * CKM_SHA224 -+ * CKM_SHA256 -+ * CKM_SHA384 -+ * CKM_SHA512 -+ * -+ * The output of this function is a set of global variables indicating which -+ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of -+ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global -+ * variables carry information about which slot was chosen for (a) public key -+ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests. -+ */ -+static int -+pk11_choose_slots(int *any_slot_found) -+ { -+ CK_SLOT_ID_PTR pSlotList = NULL_PTR; -+ CK_ULONG ulSlotCount = 0; -+ CK_MECHANISM_INFO mech_info; -+ CK_TOKEN_INFO token_info; -+ unsigned int i; -+ CK_RV rv; -+ CK_SLOT_ID best_slot_sofar = 0; -+ CK_BBOOL found_candidate_slot = CK_FALSE; -+ int slot_n_cipher = 0; -+ int slot_n_digest = 0; -+ CK_SLOT_ID current_slot = 0; -+ int current_slot_n_cipher = 0; -+ int current_slot_n_digest = 0; -+ -+ int local_cipher_nids[PK11_CIPHER_MAX]; -+ int local_digest_nids[PK11_DIGEST_MAX]; -+ -+ /* let's initialize the output parameter */ -+ if (any_slot_found != NULL) -+ *any_slot_found = 0; -+ -+ /* Get slot list for memory allocation */ -+ rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv); -+ return (0); -+ } -+ -+ /* it's not an error if we didn't find any providers */ -+ if (ulSlotCount == 0) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ return (1); -+ } -+ -+ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID)); -+ -+ if (pSlotList == NULL) -+ { -+ PK11err(PK11_F_CHOOSE_SLOT, 
PK11_R_MALLOC_FAILURE); -+ return (0); -+ } -+ -+ /* Get the slot list for processing */ -+ rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount); -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv); -+ OPENSSL_free(pSlotList); -+ return (0); -+ } -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME); -+ fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount); -+ -+ fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ for (i = 0; i < ulSlotCount; i++) -+ { -+ current_slot = pSlotList[i]; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); -+#endif /* DEBUG_SLOT_SELECTION */ -+ /* Check if slot has random support. */ -+ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); -+ if (rv != CKR_OK) -+ continue; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ if (token_info.flags & CKF_RNG) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ pk11_have_random = CK_TRUE; -+ rand_SLOTID = current_slot; -+ break; -+ } -+ } -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ pubkey_SLOTID = pSlotList[0]; -+ for (i = 0; i < ulSlotCount; i++) -+ { -+ CK_BBOOL slot_has_rsa = CK_FALSE; -+ CK_BBOOL slot_has_recover = CK_FALSE; -+ CK_BBOOL slot_has_dsa = CK_FALSE; -+ CK_BBOOL slot_has_dh = CK_FALSE; -+ current_slot = pSlotList[i]; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); -+#endif /* DEBUG_SLOT_SELECTION */ -+ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info); -+ if (rv != CKR_OK) -+ continue; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: token 
label: %.32s\n", PK11_DBG, token_info.label); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+#ifndef OPENSSL_NO_RSA -+ /* -+ * Check if this slot is capable of signing and -+ * verifying with CKM_RSA_PKCS. -+ */ -+ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS, -+ &mech_info); -+ -+ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) && -+ (mech_info.flags & CKF_VERIFY))) -+ { -+ /* -+ * Check if this slot is capable of encryption, -+ * decryption, sign, and verify with CKM_RSA_X_509. -+ */ -+ rv = pFuncList->C_GetMechanismInfo(current_slot, -+ CKM_RSA_X_509, &mech_info); -+ -+ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) && -+ (mech_info.flags & CKF_VERIFY) && -+ (mech_info.flags & CKF_ENCRYPT) && -+ (mech_info.flags & CKF_DECRYPT))) -+ { -+ slot_has_rsa = CK_TRUE; -+ if (mech_info.flags & CKF_VERIFY_RECOVER) -+ { -+ slot_has_recover = CK_TRUE; -+ } -+ } -+ } -+#endif /* OPENSSL_NO_RSA */ -+ -+#ifndef OPENSSL_NO_DSA -+ /* -+ * Check if this slot is capable of signing and -+ * verifying with CKM_DSA. -+ */ -+ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_DSA, -+ &mech_info); -+ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) && -+ (mech_info.flags & CKF_VERIFY))) -+ { -+ slot_has_dsa = CK_TRUE; -+ } -+ -+#endif /* OPENSSL_NO_DSA */ -+ -+#ifndef OPENSSL_NO_DH -+ /* -+ * Check if this slot is capable of DH key generataion and -+ * derivation. 
-+ */ -+ rv = pFuncList->C_GetMechanismInfo(current_slot, -+ CKM_DH_PKCS_KEY_PAIR_GEN, &mech_info); -+ -+ if (rv == CKR_OK && (mech_info.flags & CKF_GENERATE_KEY_PAIR)) -+ { -+ rv = pFuncList->C_GetMechanismInfo(current_slot, -+ CKM_DH_PKCS_DERIVE, &mech_info); -+ if (rv == CKR_OK && (mech_info.flags & CKF_DERIVE)) -+ { -+ slot_has_dh = CK_TRUE; -+ } -+ } -+#endif /* OPENSSL_NO_DH */ -+ -+ if (!found_candidate_slot && -+ (slot_has_rsa || slot_has_dsa || slot_has_dh)) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, -+ "%s: potential slot: %d\n", PK11_DBG, current_slot); -+#endif /* DEBUG_SLOT_SELECTION */ -+ best_slot_sofar = current_slot; -+ pk11_have_rsa = slot_has_rsa; -+ pk11_have_recover = slot_has_recover; -+ pk11_have_dsa = slot_has_dsa; -+ pk11_have_dh = slot_has_dh; -+ found_candidate_slot = CK_TRUE; -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, -+ "%s: setting found_candidate_slot to CK_TRUE\n", -+ PK11_DBG); -+ fprintf(stderr, -+ "%s: best so far slot: %d\n", PK11_DBG, -+ best_slot_sofar); -+ } -+ else -+ { -+ fprintf(stderr, -+ "%s: no rsa/dsa/dh\n", PK11_DBG); -+ } -+#else -+ } /* if */ -+#endif /* DEBUG_SLOT_SELECTION */ -+ } /* for */ -+ -+ if (found_candidate_slot) -+ { -+ pubkey_SLOTID = best_slot_sofar; -+ } -+ -+ found_candidate_slot = CK_FALSE; -+ best_slot_sofar = 0; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: == checking cipher/digest ==\n", PK11_DBG); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ SLOTID = pSlotList[0]; -+ for (i = 0; i < ulSlotCount; i++) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ current_slot = pSlotList[i]; -+ current_slot_n_cipher = 0; -+ current_slot_n_digest = 0; -+ (void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids)); -+ (void) memset(local_digest_nids, 0, sizeof (local_digest_nids)); -+ -+ pk11_find_symmetric_ciphers(pFuncList, current_slot, -+ ¤t_slot_n_cipher, local_cipher_nids); -+ -+ 
pk11_find_digests(pFuncList, current_slot, -+ ¤t_slot_n_digest, local_digest_nids); -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: current_slot_n_cipher %d\n", PK11_DBG, -+ current_slot_n_cipher); -+ fprintf(stderr, "%s: current_slot_n_digest %d\n", PK11_DBG, -+ current_slot_n_digest); -+ fprintf(stderr, "%s: best so far cipher/digest slot: %d\n", -+ PK11_DBG, best_slot_sofar); -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ /* -+ * If the current slot supports more ciphers/digests than -+ * the previous best one we change the current best to this one, -+ * otherwise leave it where it is. -+ */ -+ if ((current_slot_n_cipher + current_slot_n_digest) > -+ (slot_n_cipher + slot_n_digest)) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, -+ "%s: changing best so far slot to %d\n", -+ PK11_DBG, current_slot); -+#endif /* DEBUG_SLOT_SELECTION */ -+ best_slot_sofar = SLOTID = current_slot; -+ cipher_count = slot_n_cipher = current_slot_n_cipher; -+ digest_count = slot_n_digest = current_slot_n_digest; -+ (void) memcpy(cipher_nids, local_cipher_nids, -+ sizeof (local_cipher_nids)); -+ (void) memcpy(digest_nids, local_digest_nids, -+ sizeof (local_digest_nids)); -+ } -+ } -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, -+ "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID); -+ fprintf(stderr, -+ "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID); -+ fprintf(stderr, -+ "%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID); -+ fprintf(stderr, -+ "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa); -+ fprintf(stderr, -+ "%s: pk11_have_recover %d\n", PK11_DBG, pk11_have_recover); -+ fprintf(stderr, -+ "%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa); -+ fprintf(stderr, -+ "%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh); -+ fprintf(stderr, -+ "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random); -+ fprintf(stderr, -+ "%s: cipher_count %d\n", PK11_DBG, cipher_count); -+ fprintf(stderr, -+ "%s: digest_count %d\n", PK11_DBG, digest_count); -+#endif /* 
DEBUG_SLOT_SELECTION */ -+ -+ if (pSlotList != NULL) -+ OPENSSL_free(pSlotList); -+ -+#ifdef SOLARIS_HW_SLOT_SELECTION -+ OPENSSL_free(hw_cnids); -+ OPENSSL_free(hw_dnids); -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ -+ if (any_slot_found != NULL) -+ *any_slot_found = 1; -+ return (1); -+ } -+ -+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist, -+ int slot_id, CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, -+ int *local_cipher_nids, int id) -+ { -+ CK_MECHANISM_INFO mech_info; -+ CK_RV rv; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech); -+#endif /* DEBUG_SLOT_SELECTION */ -+ rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info); -+ -+ if (rv != CKR_OK) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, " not found\n"); -+#endif /* DEBUG_SLOT_SELECTION */ -+ return; -+ } -+ -+ if ((mech_info.flags & CKF_ENCRYPT) && -+ (mech_info.flags & CKF_DECRYPT)) -+ { -+#ifdef SOLARIS_HW_SLOT_SELECTION -+ if (nid_in_table(ciphers[id].nid, hw_cnids)) -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, " usable\n"); -+#endif /* DEBUG_SLOT_SELECTION */ -+ local_cipher_nids[(*current_slot_n_cipher)++] = -+ ciphers[id].nid; -+ } -+#ifdef SOLARIS_HW_SLOT_SELECTION -+#ifdef DEBUG_SLOT_SELECTION -+ else -+ { -+ fprintf(stderr, " rejected, software implementation only\n"); -+ } -+#endif /* DEBUG_SLOT_SELECTION */ -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ } -+#ifdef DEBUG_SLOT_SELECTION -+ else -+ { -+ fprintf(stderr, " unusable\n"); -+ } -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ return; -+ } -+ -+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id, -+ CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids, -+ int id) -+ { -+ CK_MECHANISM_INFO mech_info; -+ CK_RV rv; -+ -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech); -+#endif /* DEBUG_SLOT_SELECTION */ -+ rv = 
pflist->C_GetMechanismInfo(slot_id, mech, &mech_info); -+ -+ if (rv != CKR_OK) -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, " not found\n"); -+#endif /* DEBUG_SLOT_SELECTION */ -+ return; -+ } -+ -+ if (mech_info.flags & CKF_DIGEST) -+ { -+#ifdef SOLARIS_HW_SLOT_SELECTION -+ if (nid_in_table(digests[id].nid, hw_dnids)) -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ { -+#ifdef DEBUG_SLOT_SELECTION -+ fprintf(stderr, " usable\n"); -+#endif /* DEBUG_SLOT_SELECTION */ -+ local_digest_nids[(*current_slot_n_digest)++] = -+ digests[id].nid; -+ } -+#ifdef SOLARIS_HW_SLOT_SELECTION -+#ifdef DEBUG_SLOT_SELECTION -+ else -+ { -+ fprintf(stderr, " rejected, software implementation only\n"); -+ } -+#endif /* DEBUG_SLOT_SELECTION */ -+#endif /* SOLARIS_HW_SLOT_SELECTION */ -+ } -+#ifdef DEBUG_SLOT_SELECTION -+ else -+ { -+ fprintf(stderr, " unusable\n"); -+ } -+#endif /* DEBUG_SLOT_SELECTION */ -+ -+ return; -+ } -+ -+#ifdef SOLARIS_AES_CTR -+/* create a new NID when we have no OID for that mechanism */ -+static int pk11_add_NID(char *sn, char *ln) -+ { -+ ASN1_OBJECT *o; -+ int nid; -+ -+ if ((o = ASN1_OBJECT_create(OBJ_new_nid(1), (unsigned char *)"", -+ 1, sn, ln)) == NULL) -+ { -+ return (0); -+ } -+ -+ /* will return NID_undef on error */ -+ nid = OBJ_add_object(o); -+ ASN1_OBJECT_free(o); -+ -+ return (nid); -+ } -+ -+/* -+ * Create new NIDs for AES counter mode. OpenSSL doesn't support them now so we -+ * have to help ourselves here. -+ */ -+static int pk11_add_aes_ctr_NIDs(void) -+ { -+ /* are we already set? */ -+ if (NID_aes_256_ctr != NID_undef) -+ return (1); -+ -+ /* -+ * There are no official names for AES counter modes yet so we just -+ * follow the format of those that exist. 
-+ */ -+ if ((NID_aes_128_ctr = pk11_add_NID("AES-128-CTR", "aes-128-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_128_CTR].nid = pk11_aes_128_ctr.nid = NID_aes_128_ctr; -+ if ((NID_aes_192_ctr = pk11_add_NID("AES-192-CTR", "aes-192-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_192_CTR].nid = pk11_aes_192_ctr.nid = NID_aes_192_ctr; -+ if ((NID_aes_256_ctr = pk11_add_NID("AES-256-CTR", "aes-256-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_256_CTR].nid = pk11_aes_256_ctr.nid = NID_aes_256_ctr; -+ return (1); -+ -+err: -+ PK11err(PK11_F_ADD_AES_CTR_NIDS, PK11_R_ADD_NID_FAILED); -+ return (0); -+ } -+#endif /* SOLARIS_AES_CTR */ -+ -+/* Find what symmetric ciphers this slot supports. */ -+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist, -+ CK_SLOT_ID current_slot, int *current_slot_n_cipher, int *local_cipher_nids) -+ { -+ int i; -+ -+ for (i = 0; i < PK11_CIPHER_MAX; ++i) -+ { -+ pk11_get_symmetric_cipher(pflist, current_slot, -+ ciphers[i].mech_type, current_slot_n_cipher, -+ local_cipher_nids, ciphers[i].id); -+ } -+ } -+ -+/* Find what digest algorithms this slot supports. */ -+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist, -+ CK_SLOT_ID current_slot, int *current_slot_n_digest, int *local_digest_nids) -+ { -+ int i; -+ -+ for (i = 0; i < PK11_DIGEST_MAX; ++i) -+ { -+ pk11_get_digest(pflist, current_slot, digests[i].mech_type, -+ current_slot_n_digest, local_digest_nids, digests[i].id); -+ } -+ } -+ -+#ifdef SOLARIS_HW_SLOT_SELECTION -+/* -+ * It would be great if we could use pkcs11_kernel directly since this library -+ * offers hardware slots only. That's the easiest way to achieve the situation -+ * where we use the hardware accelerators when present and OpenSSL native code -+ * otherwise. That presumes the fact that OpenSSL native code is faster than the -+ * code in the soft token. 
It's a logical assumption - Crypto Framework has some -+ * inherent overhead so going there for the software implementation of a -+ * mechanism should be logically slower in contrast to the OpenSSL native code, -+ * presuming that both implementations are of similar speed. For example, the -+ * soft token for AES is roughly three times slower than OpenSSL for 64 byte -+ * blocks and still 20% slower for 8KB blocks. So, if we want to ship products -+ * that use the PKCS#11 engine by default, we must somehow avoid that regression -+ * on machines without hardware acceleration. That's why switching to the -+ * pkcs11_kernel library seems like a very good idea. -+ * -+ * The problem is that OpenSSL built with SunStudio is roughly 2x slower for -+ * asymmetric operations (RSA/DSA/DH) than the soft token built with the same -+ * compiler. That means that if we switched to pkcs11_kernel from the libpkcs11 -+ * library, we would have had a performance regression on machines without -+ * hardware acceleration for asymmetric operations for all applications that use -+ * the PKCS#11 engine. There is one such application - Apache web server since -+ * it's shipped configured to use the PKCS#11 engine by default. Having said -+ * that, we can't switch to the pkcs11_kernel library now and have to come with -+ * a solution that, on non-accelerated machines, uses the OpenSSL native code -+ * for all symmetric ciphers and digests while it uses the soft token for -+ * asymmetric operations. -+ * -+ * This is the idea: dlopen() pkcs11_kernel directly and find out what -+ * mechanisms are there. We don't care about duplications (more slots can -+ * support the same mechanism), we just want to know what mechanisms can be -+ * possibly supported in hardware on that particular machine. As said before, -+ * pkcs11_kernel will show you hardware providers only. -+ * -+ * Then, we rely on the fact that since we use libpkcs11 library we will find -+ * the metaslot. 
When we go through the metaslot's mechanisms for symmetric -+ * ciphers and digests, we check that any found mechanism is in the table -+ * created using the pkcs11_kernel library. So, as a result we have two arrays -+ * of mechanisms that were advertised as supported in hardware which was the -+ * goal of that whole excercise. Thus, we can use libpkcs11 but avoid soft token -+ * code for symmetric ciphers and digests. See pk11_choose_slots() for more -+ * information. -+ * -+ * This is Solaris specific code, if SOLARIS_HW_SLOT_SELECTION is not defined -+ * the code won't be used. -+ */ -+#if defined(__sparcv9) || defined(__x86_64) || defined(__amd64) -+static const char pkcs11_kernel[] = "/usr/lib/security/64/pkcs11_kernel.so.1"; -+#else -+static const char pkcs11_kernel[] = "/usr/lib/security/pkcs11_kernel.so.1"; -+#endif -+ -+/* -+ * Check hardware capabilities of the machines. The output are two lists, -+ * hw_cnids and hw_dnids, that contain hardware mechanisms found in all hardware -+ * providers together. They are not sorted and may contain duplicate mechanisms. 
-+ */
-+static int check_hw_mechanisms(void)
-+ {
-+ int i;
-+ CK_RV rv;
-+ void *handle;
-+ CK_C_GetFunctionList p;
-+ CK_TOKEN_INFO token_info;
-+ CK_ULONG ulSlotCount = 0;
-+ int n_cipher = 0, n_digest = 0;
-+ CK_FUNCTION_LIST_PTR pflist = NULL;
-+ CK_SLOT_ID_PTR pSlotList = NULL_PTR;
-+ int *tmp_hw_cnids = NULL, *tmp_hw_dnids = NULL;
-+ int hw_ctable_size, hw_dtable_size;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: SOLARIS_HW_SLOT_SELECTION code running\n",
-+ PK11_DBG);
-+#endif
-+ if ((handle = dlopen(pkcs11_kernel, RTLD_LAZY)) == NULL)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ if ((p = (CK_C_GetFunctionList)dlsym(handle,
-+ PK11_GET_FUNCTION_LIST)) == NULL)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ /* get the full function list from the loaded library */
-+ if (p(&pflist) != CKR_OK)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
-+ goto err;
-+ }
-+
-+ rv = pflist->C_Initialize(NULL_PTR);
-+ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+ {
-+ PK11err_add_data(PK11_F_CHECK_HW_MECHANISMS,
-+ PK11_R_INITIALIZE, rv);
-+ goto err;
-+ }
-+
-+ if (pflist->C_GetSlotList(0, NULL_PTR, &ulSlotCount) != CKR_OK)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
-+ goto err;
-+ }
-+
-+ /* no slots, set the hw mechanism tables as empty */
-+ if (ulSlotCount == 0)
-+ {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: no hardware mechanisms found\n", PK11_DBG);
-+#endif
-+ hw_cnids = OPENSSL_malloc(sizeof (int));
-+ hw_dnids = OPENSSL_malloc(sizeof (int));
-+ if (hw_cnids == NULL || hw_dnids == NULL)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS,
-+ PK11_R_MALLOC_FAILURE);
-+ return (0);
-+ }
-+ /* this means empty tables */
-+ hw_cnids[0] = NID_undef;
-+ hw_dnids[0] = NID_undef;
-+ return (1);
-+ }
-+
-+ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
-+ if (pSlotList == NULL)
-+ {
-+
PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+
-+ /* Get the slot list for processing */
-+ if (pflist->C_GetSlotList(0, pSlotList, &ulSlotCount) != CKR_OK)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
-+ goto err;
-+ }
-+
-+ /*
-+ * We don't care about duplicit mechanisms in multiple slots and also
-+ * reserve one slot for the terminal NID_undef which we use to stop the
-+ * search.
-+ */
-+ hw_ctable_size = ulSlotCount * PK11_CIPHER_MAX + 1;
-+ hw_dtable_size = ulSlotCount * PK11_DIGEST_MAX + 1;
-+ tmp_hw_cnids = OPENSSL_malloc(hw_ctable_size * sizeof (int));
-+ tmp_hw_dnids = OPENSSL_malloc(hw_dtable_size * sizeof (int));
-+ if (tmp_hw_cnids == NULL || tmp_hw_dnids == NULL)
-+ {
-+ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+
-+ /*
-+ * Do not use memset since we should not rely on the fact that NID_undef
-+ * is zero now.
-+ */
-+ for (i = 0; i < hw_ctable_size; ++i)
-+ tmp_hw_cnids[i] = NID_undef;
-+ for (i = 0; i < hw_dtable_size; ++i)
-+ tmp_hw_dnids[i] = NID_undef;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, pkcs11_kernel);
-+ fprintf(stderr, "%s: found %d hardware slots\n", PK11_DBG, ulSlotCount);
-+ fprintf(stderr, "%s: now looking for mechs supported in hw\n",
-+ PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ for (i = 0; i < ulSlotCount; i++)
-+ {
-+ if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK)
-+ continue;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
-+#endif /* DEBUG_SLOT_SELECTION */
-+
-+ /*
-+ * We are filling the hw mech tables here. Global tables are
-+ * still NULL so all mechanisms are put into tmp tables.
-+ */
-+ pk11_find_symmetric_ciphers(pflist, pSlotList[i],
-+ &n_cipher, tmp_hw_cnids);
-+ pk11_find_digests(pflist, pSlotList[i],
-+ &n_digest, tmp_hw_dnids);
-+ }
-+
-+ /*
-+ * Since we are part of a library (libcrypto.so), calling this function
-+ * may have side-effects. Also, C_Finalize() is triggered by
-+ * dlclose(3C).
-+ */
-+#if 0
-+ pflist->C_Finalize(NULL);
-+#endif
-+ OPENSSL_free(pSlotList);
-+ (void) dlclose(handle);
-+ hw_cnids = tmp_hw_cnids;
-+ hw_dnids = tmp_hw_dnids;
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, "%s: hw mechs check complete\n", PK11_DBG);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ return (1);
-+
-+err:
-+ if (pSlotList != NULL)
-+ OPENSSL_free(pSlotList);
-+ if (tmp_hw_cnids != NULL)
-+ OPENSSL_free(tmp_hw_cnids);
-+ if (tmp_hw_dnids != NULL)
-+ OPENSSL_free(tmp_hw_dnids);
-+
-+ return (0);
-+ }
-+
-+/*
-+ * Check presence of a NID in the table of NIDs. The table may be NULL (i.e.,
-+ * non-existent).
-+ */
-+static int nid_in_table(int nid, int *nid_table)
-+ {
-+ int i = 0;
-+
-+ /*
-+ * a special case. NULL means that we are initializing a new
-+ * table.
-+ */
-+ if (nid_table == NULL)
-+ return (1);
-+
-+ /*
-+ * the table is never full, there is always at least one
-+ * NID_undef.
-+ */
-+ while (nid_table[i] != NID_undef)
-+ {
-+ if (nid_table[i++] == nid)
-+ {
-+#ifdef DEBUG_SLOT_SELECTION
-+ fprintf(stderr, " (NID %d in hw table, idx %d)", nid, i);
-+#endif /* DEBUG_SLOT_SELECTION */
-+ return (1);
-+ }
-+ }
-+
-+ return (0);
-+ }
-+#endif /* SOLARIS_HW_SLOT_SELECTION */
-+
-+#endif /* OPENSSL_NO_HW_PK11 */
-+#endif /* OPENSSL_NO_HW */
-Index: openssl/crypto/engine/hw_pk11_err.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11_err.c Wed Dec 17 16:14:26 2008
-@@ -0,0 +1,259 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11_err.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6.
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <openssl/err.h>
-+#include "hw_pk11_err.h"
-+
-+/* BEGIN ERROR CODES */
-+#ifndef OPENSSL_NO_ERR
-+static ERR_STRING_DATA pk11_str_functs[]=
-+{
-+{ ERR_PACK(0, PK11_F_INIT, 0), "PK11_INIT"},
-+{ ERR_PACK(0, PK11_F_FINISH, 0), "PK11_FINISH"},
-+{ ERR_PACK(0, PK11_F_DESTROY, 0), "PK11_DESTROY"},
-+{ ERR_PACK(0, PK11_F_CTRL, 0), "PK11_CTRL"},
-+{ ERR_PACK(0, PK11_F_RSA_INIT, 0), "PK11_RSA_INIT"},
-+{ ERR_PACK(0, PK11_F_RSA_FINISH, 0), "PK11_RSA_FINISH"},
-+{ ERR_PACK(0, PK11_F_GET_PUB_RSA_KEY, 0), "PK11_GET_PUB_RSA_KEY"},
-+{ ERR_PACK(0, PK11_F_GET_PRIV_RSA_KEY, 0), "PK11_GET_PRIV_RSA_KEY"},
-+{ ERR_PACK(0, PK11_F_RSA_GEN_KEY, 0), "PK11_RSA_GEN_KEY"},
-+{ ERR_PACK(0, PK11_F_RSA_PUB_ENC, 0), "PK11_RSA_PUB_ENC"},
-+{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC, 0), "PK11_RSA_PRIV_ENC"},
-+{ ERR_PACK(0, PK11_F_RSA_PUB_DEC, 0), "PK11_RSA_PUB_DEC"},
-+{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC, 0), "PK11_RSA_PRIV_DEC"},
-+{ ERR_PACK(0, PK11_F_RSA_SIGN, 0), "PK11_RSA_SIGN"},
-+{ ERR_PACK(0, PK11_F_RSA_VERIFY, 0), "PK11_RSA_VERIFY"},
-+{ ERR_PACK(0, PK11_F_RAND_ADD, 0), "PK11_RAND_ADD"},
-+{ ERR_PACK(0, PK11_F_RAND_BYTES, 0), "PK11_RAND_BYTES"},
-+{ ERR_PACK(0, PK11_F_GET_SESSION, 0), "PK11_GET_SESSION"},
-+{ ERR_PACK(0, PK11_F_FREE_SESSION, 0), "PK11_FREE_SESSION"},
-+{ ERR_PACK(0, PK11_F_LOAD_PUBKEY, 0), "PK11_LOAD_PUBKEY"},
-+{ ERR_PACK(0, PK11_F_LOAD_PRIVKEY, 0), "PK11_LOAD_PRIV_KEY"},
-+{ ERR_PACK(0, PK11_F_RSA_PUB_ENC_LOW, 0), "PK11_RSA_PUB_ENC_LOW"},
-+{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC_LOW, 0), "PK11_RSA_PRIV_ENC_LOW"},
-+{ ERR_PACK(0, PK11_F_RSA_PUB_DEC_LOW, 0), "PK11_RSA_PUB_DEC_LOW"},
-+{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC_LOW, 0), "PK11_RSA_PRIV_DEC_LOW"},
-+{ ERR_PACK(0, PK11_F_DSA_SIGN, 0), "PK11_DSA_SIGN"},
-+{ ERR_PACK(0, PK11_F_DSA_VERIFY, 0), "PK11_DSA_VERIFY"},
-+{ ERR_PACK(0, PK11_F_DSA_INIT, 0), "PK11_DSA_INIT"},
-+{ ERR_PACK(0, PK11_F_DSA_FINISH, 0), "PK11_DSA_FINISH"},
-+{ ERR_PACK(0, PK11_F_GET_PUB_DSA_KEY, 0),
"PK11_GET_PUB_DSA_KEY"},
-+{ ERR_PACK(0, PK11_F_GET_PRIV_DSA_KEY, 0), "PK11_GET_PRIV_DSA_KEY"},
-+{ ERR_PACK(0, PK11_F_DH_INIT, 0), "PK11_DH_INIT"},
-+{ ERR_PACK(0, PK11_F_DH_FINISH, 0), "PK11_DH_FINISH"},
-+{ ERR_PACK(0, PK11_F_MOD_EXP_DH, 0), "PK11_MOD_EXP_DH"},
-+{ ERR_PACK(0, PK11_F_GET_DH_KEY, 0), "PK11_GET_DH_KEY"},
-+{ ERR_PACK(0, PK11_F_FREE_ALL_SESSIONS, 0), "PK11_FREE_ALL_SESSIONS"},
-+{ ERR_PACK(0, PK11_F_SETUP_SESSION, 0), "PK11_SETUP_SESSION"},
-+{ ERR_PACK(0, PK11_F_DESTROY_OBJECT, 0), "PK11_DESTROY_OBJECT"},
-+{ ERR_PACK(0, PK11_F_CIPHER_INIT, 0), "PK11_CIPHER_INIT"},
-+{ ERR_PACK(0, PK11_F_CIPHER_DO_CIPHER, 0), "PK11_CIPHER_DO_CIPHER"},
-+{ ERR_PACK(0, PK11_F_GET_CIPHER_KEY, 0), "PK11_GET_CIPHER_KEY"},
-+{ ERR_PACK(0, PK11_F_DIGEST_INIT, 0), "PK11_DIGEST_INIT"},
-+{ ERR_PACK(0, PK11_F_DIGEST_UPDATE, 0), "PK11_DIGEST_UPDATE"},
-+{ ERR_PACK(0, PK11_F_DIGEST_FINAL, 0), "PK11_DIGEST_FINAL"},
-+{ ERR_PACK(0, PK11_F_CHOOSE_SLOT, 0), "PK11_CHOOSE_SLOT"},
-+{ ERR_PACK(0, PK11_F_CIPHER_FINAL, 0), "PK11_CIPHER_FINAL"},
-+{ ERR_PACK(0, PK11_F_LIBRARY_INIT, 0), "PK11_LIBRARY_INIT"},
-+{ ERR_PACK(0, PK11_F_LOAD, 0), "ENGINE_LOAD_PK11"},
-+{ ERR_PACK(0, PK11_F_DH_GEN_KEY, 0), "PK11_DH_GEN_KEY"},
-+{ ERR_PACK(0, PK11_F_DH_COMP_KEY, 0), "PK11_DH_COMP_KEY"},
-+{ ERR_PACK(0, PK11_F_DIGEST_COPY, 0), "PK11_DIGEST_COPY"},
-+{ ERR_PACK(0, PK11_F_CIPHER_CLEANUP, 0), "PK11_CIPHER_CLEANUP"},
-+{ ERR_PACK(0, PK11_F_ACTIVE_ADD, 0), "PK11_ACTIVE_ADD"},
-+{ ERR_PACK(0, PK11_F_ACTIVE_DELETE, 0), "PK11_ACTIVE_DELETE"},
-+{ ERR_PACK(0, PK11_F_CHECK_HW_MECHANISMS, 0), "PK11_CHECK_HW_MECHANISMS"},
-+{ ERR_PACK(0, PK11_F_INIT_SYMMETRIC, 0), "PK11_INIT_SYMMETRIC"},
-+{ ERR_PACK(0, PK11_F_ADD_AES_CTR_NIDS, 0), "PK11_ADD_AES_CTR_NIDS"},
-+{ 0, NULL}
-+};
-+
-+static ERR_STRING_DATA pk11_str_reasons[]=
-+{
-+{ PK11_R_ALREADY_LOADED, "PKCS#11 DSO already loaded"},
-+{ PK11_R_DSO_FAILURE, "unable to load PKCS#11 DSO"},
-+{ PK11_R_NOT_LOADED, "PKCS#11 DSO not loaded"},
-+{
PK11_R_PASSED_NULL_PARAMETER, "null parameter passed"},
-+{ PK11_R_COMMAND_NOT_IMPLEMENTED, "command not implemented"},
-+{ PK11_R_INITIALIZE, "C_Initialize failed"},
-+{ PK11_R_FINALIZE, "C_Finalize failed"},
-+{ PK11_R_GETINFO, "C_GetInfo faile"},
-+{ PK11_R_GETSLOTLIST, "C_GetSlotList failed"},
-+{ PK11_R_NO_MODULUS_OR_NO_EXPONENT, "no modulus or no exponent"},
-+{ PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID, "attr sensitive or invalid"},
-+{ PK11_R_GETATTRIBUTVALUE, "C_GetAttributeValue failed"},
-+{ PK11_R_NO_MODULUS, "no modulus"},
-+{ PK11_R_NO_EXPONENT, "no exponent"},
-+{ PK11_R_FINDOBJECTSINIT, "C_FindObjectsInit failed"},
-+{ PK11_R_FINDOBJECTS, "C_FindObjects failed"},
-+{ PK11_R_FINDOBJECTSFINAL, "C_FindObjectsFinal failed"},
-+{ PK11_R_CREATEOBJECT, "C_CreateObject failed"},
-+{ PK11_R_DESTROYOBJECT, "C_DestroyObject failed"},
-+{ PK11_R_OPENSESSION, "C_OpenSession failed"},
-+{ PK11_R_CLOSESESSION, "C_CloseSession failed"},
-+{ PK11_R_ENCRYPTINIT, "C_EncryptInit failed"},
-+{ PK11_R_ENCRYPT, "C_Encrypt failed"},
-+{ PK11_R_SIGNINIT, "C_SignInit failed"},
-+{ PK11_R_SIGN, "C_Sign failed"},
-+{ PK11_R_DECRYPTINIT, "C_DecryptInit failed"},
-+{ PK11_R_DECRYPT, "C_Decrypt failed"},
-+{ PK11_R_VERIFYINIT, "C_VerifyRecover failed"},
-+{ PK11_R_VERIFY, "C_Verify failed"},
-+{ PK11_R_VERIFYRECOVERINIT, "C_VerifyRecoverInit failed"},
-+{ PK11_R_VERIFYRECOVER, "C_VerifyRecover failed"},
-+{ PK11_R_GEN_KEY, "C_GenerateKeyPair failed"},
-+{ PK11_R_SEEDRANDOM, "C_SeedRandom failed"},
-+{ PK11_R_GENERATERANDOM, "C_GenerateRandom failed"},
-+{ PK11_R_INVALID_MESSAGE_LENGTH, "invalid message length"},
-+{ PK11_R_UNKNOWN_ALGORITHM_TYPE, "unknown algorithm type"},
-+{ PK11_R_UNKNOWN_ASN1_OBJECT_ID, "unknown asn1 onject id"},
-+{ PK11_R_UNKNOWN_PADDING_TYPE, "unknown padding type"},
-+{ PK11_R_PADDING_CHECK_FAILED, "padding check failed"},
-+{ PK11_R_DIGEST_TOO_BIG, "digest too big"},
-+{ PK11_R_MALLOC_FAILURE, "malloc failure"},
-+{ PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctl
command not implemented"},
-+{ PK11_R_DATA_GREATER_THAN_MOD_LEN, "data is bigger than mod"},
-+{ PK11_R_DATA_TOO_LARGE_FOR_MODULUS, "data is too larger for mod"},
-+{ PK11_R_MISSING_KEY_COMPONENT, "a dsa component is missing"},
-+{ PK11_R_INVALID_SIGNATURE_LENGTH, "invalid signature length"},
-+{ PK11_R_INVALID_DSA_SIGNATURE_R, "missing r in dsa verify"},
-+{ PK11_R_INVALID_DSA_SIGNATURE_S, "missing s in dsa verify"},
-+{ PK11_R_INCONSISTENT_KEY, "inconsistent key type"},
-+{ PK11_R_ENCRYPTUPDATE, "C_EncryptUpdate failed"},
-+{ PK11_R_DECRYPTUPDATE, "C_DecryptUpdate failed"},
-+{ PK11_R_DIGESTINIT, "C_DigestInit failed"},
-+{ PK11_R_DIGESTUPDATE, "C_DigestUpdate failed"},
-+{ PK11_R_DIGESTFINAL, "C_DigestFinal failed"},
-+{ PK11_R_ENCRYPTFINAL, "C_EncryptFinal failed"},
-+{ PK11_R_DECRYPTFINAL, "C_DecryptFinal failed"},
-+{ PK11_R_NO_PRNG_SUPPORT, "Slot does not support PRNG"},
-+{ PK11_R_GETTOKENINFO, "C_GetTokenInfo failed"},
-+{ PK11_R_DERIVEKEY, "C_DeriveKey failed"},
-+{ PK11_R_GET_OPERATION_STATE, "C_GetOperationState failed"},
-+{ PK11_R_SET_OPERATION_STATE, "C_SetOperationState failed"},
-+{ PK11_R_INVALID_PIN, "invalid PIN"},
-+{ PK11_R_TOO_MANY_OBJECTS, "too many objects"},
-+{ PK11_R_OBJECT_NOT_FOUND, "object not found"},
-+{ PK11_R_INVALID_HANDLE, "invalid PKCS#11 object handle"},
-+{ PK11_R_KEY_OR_IV_LEN_PROBLEM, "IV or key length incorrect"},
-+{ PK11_R_INVALID_OPERATION_TYPE, "invalid operation type"},
-+{ PK11_R_ADD_NID_FAILED, "failed to add NID" },
-+{ 0, NULL}
-+};
-+#endif /* OPENSSL_NO_ERR */
-+
-+static int pk11_lib_error_code = 0;
-+static int pk11_error_init = 1;
-+
-+static void
-+ERR_load_pk11_strings(void)
-+ {
-+ if (pk11_lib_error_code == 0)
-+ pk11_lib_error_code = ERR_get_next_error_library();
-+
-+ if (pk11_error_init)
-+ {
-+ pk11_error_init = 0;
-+#ifndef OPENSSL_NO_ERR
-+ ERR_load_strings(pk11_lib_error_code, pk11_str_functs);
-+ ERR_load_strings(pk11_lib_error_code, pk11_str_reasons);
-+#endif
-+ }
-+}
-+
-+static void
-+ERR_unload_pk11_strings(void)
-+ {
-+ if (pk11_error_init == 0)
-+ {
-+#ifndef OPENSSL_NO_ERR
-+ ERR_unload_strings(pk11_lib_error_code, pk11_str_functs);
-+ ERR_unload_strings(pk11_lib_error_code, pk11_str_reasons);
-+#endif
-+ pk11_error_init = 1;
-+ }
-+}
-+
-+void
-+ERR_pk11_error(int function, int reason, char *file, int line)
-+{
-+ if (pk11_lib_error_code == 0)
-+ pk11_lib_error_code = ERR_get_next_error_library();
-+ ERR_PUT_error(pk11_lib_error_code, function, reason, file, line);
-+}
-+
-+void
-+PK11err_add_data(int function, int reason, CK_RV rv)
-+{
-+ char tmp_buf[20];
-+
-+ PK11err(function, reason);
-+ (void) BIO_snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+}
-Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11_err.h Wed Dec 17 15:01:45 2008
-@@ -0,0 +1,402 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11_err.h */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2.
Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#ifndef HW_PK11_ERR_H
-+#define HW_PK11_ERR_H
-+
-+void ERR_pk11_error(int function, int reason, char *file, int line);
-+void PK11err_add_data(int function, int reason, CK_RV rv);
-+#define PK11err(f, r) ERR_pk11_error((f), (r), __FILE__, __LINE__)
-+
-+/* Error codes for the PK11 functions. */
-+
-+/* Function codes. */
-+
-+#define PK11_F_INIT 100
-+#define PK11_F_FINISH 101
-+#define PK11_F_DESTROY 102
-+#define PK11_F_CTRL 103
-+#define PK11_F_RSA_INIT 104
-+#define PK11_F_RSA_FINISH 105
-+#define PK11_F_GET_PUB_RSA_KEY 106
-+#define PK11_F_GET_PRIV_RSA_KEY 107
-+#define PK11_F_RSA_GEN_KEY 108
-+#define PK11_F_RSA_PUB_ENC 109
-+#define PK11_F_RSA_PRIV_ENC 110
-+#define PK11_F_RSA_PUB_DEC 111
-+#define PK11_F_RSA_PRIV_DEC 112
-+#define PK11_F_RSA_SIGN 113
-+#define PK11_F_RSA_VERIFY 114
-+#define PK11_F_RAND_ADD 115
-+#define PK11_F_RAND_BYTES 116
-+#define PK11_F_GET_SESSION 117
-+#define PK11_F_FREE_SESSION 118
-+#define PK11_F_LOAD_PUBKEY 119
-+#define PK11_F_LOAD_PRIVKEY 120
-+#define PK11_F_RSA_PUB_ENC_LOW 121
-+#define PK11_F_RSA_PRIV_ENC_LOW 122
-+#define PK11_F_RSA_PUB_DEC_LOW 123
-+#define PK11_F_RSA_PRIV_DEC_LOW 124
-+#define PK11_F_DSA_SIGN 125
-+#define PK11_F_DSA_VERIFY 126
-+#define PK11_F_DSA_INIT 127
-+#define PK11_F_DSA_FINISH 128
-+#define PK11_F_GET_PUB_DSA_KEY 129
-+#define PK11_F_GET_PRIV_DSA_KEY 130
-+#define PK11_F_DH_INIT 131
-+#define PK11_F_DH_FINISH 132
-+#define PK11_F_MOD_EXP_DH 133
-+#define PK11_F_GET_DH_KEY 134
-+#define PK11_F_FREE_ALL_SESSIONS 135
-+#define PK11_F_SETUP_SESSION 136
-+#define PK11_F_DESTROY_OBJECT 137
-+#define PK11_F_CIPHER_INIT 138
-+#define PK11_F_CIPHER_DO_CIPHER 139
-+#define PK11_F_GET_CIPHER_KEY 140
-+#define PK11_F_DIGEST_INIT 141
-+#define PK11_F_DIGEST_UPDATE 142
-+#define PK11_F_DIGEST_FINAL 143
-+#define PK11_F_CHOOSE_SLOT 144
-+#define PK11_F_CIPHER_FINAL 145
-+#define PK11_F_LIBRARY_INIT 146
-+#define PK11_F_LOAD 147
-+#define PK11_F_DH_GEN_KEY 148
-+#define PK11_F_DH_COMP_KEY 149
-+#define PK11_F_DIGEST_COPY 150
-+#define PK11_F_CIPHER_CLEANUP 151
-+#define PK11_F_ACTIVE_ADD 152
-+#define PK11_F_ACTIVE_DELETE 153
-+#define PK11_F_CHECK_HW_MECHANISMS 154
-+#define PK11_F_INIT_SYMMETRIC 155
-+#define PK11_F_ADD_AES_CTR_NIDS 156
-+#define PK11_F_INIT_ALL_LOCKS 157
-+#define PK11_F_RETURN_SESSION 158
-+
-+/* Reason codes. */
-+#define PK11_R_ALREADY_LOADED 100
-+#define PK11_R_DSO_FAILURE 101
-+#define PK11_R_NOT_LOADED 102
-+#define PK11_R_PASSED_NULL_PARAMETER 103
-+#define PK11_R_COMMAND_NOT_IMPLEMENTED 104
-+#define PK11_R_INITIALIZE 105
-+#define PK11_R_FINALIZE 106
-+#define PK11_R_GETINFO 107
-+#define PK11_R_GETSLOTLIST 108
-+#define PK11_R_NO_MODULUS_OR_NO_EXPONENT 109
-+#define PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID 110
-+#define PK11_R_GETATTRIBUTVALUE 111
-+#define PK11_R_NO_MODULUS 112
-+#define PK11_R_NO_EXPONENT 113
-+#define PK11_R_FINDOBJECTSINIT 114
-+#define PK11_R_FINDOBJECTS 115
-+#define PK11_R_FINDOBJECTSFINAL 116
-+#define PK11_R_CREATEOBJECT 118
-+#define PK11_R_DESTROYOBJECT 119
-+#define PK11_R_OPENSESSION 120
-+#define PK11_R_CLOSESESSION 121
-+#define PK11_R_ENCRYPTINIT 122
-+#define PK11_R_ENCRYPT 123
-+#define PK11_R_SIGNINIT 124
-+#define PK11_R_SIGN 125
-+#define PK11_R_DECRYPTINIT 126
-+#define PK11_R_DECRYPT 127
-+#define PK11_R_VERIFYINIT 128
-+#define PK11_R_VERIFY 129
-+#define PK11_R_VERIFYRECOVERINIT 130
-+#define PK11_R_VERIFYRECOVER 131
-+#define PK11_R_GEN_KEY 132
-+#define PK11_R_SEEDRANDOM 133
-+#define PK11_R_GENERATERANDOM 134
-+#define PK11_R_INVALID_MESSAGE_LENGTH 135
-+#define PK11_R_UNKNOWN_ALGORITHM_TYPE 136
-+#define PK11_R_UNKNOWN_ASN1_OBJECT_ID 137
-+#define PK11_R_UNKNOWN_PADDING_TYPE 138
-+#define PK11_R_PADDING_CHECK_FAILED 139
-+#define PK11_R_DIGEST_TOO_BIG 140
-+#define PK11_R_MALLOC_FAILURE 141
-+#define PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED 142
-+#define PK11_R_DATA_GREATER_THAN_MOD_LEN 143
-+#define PK11_R_DATA_TOO_LARGE_FOR_MODULUS 144
-+#define PK11_R_MISSING_KEY_COMPONENT 145
-+#define PK11_R_INVALID_SIGNATURE_LENGTH 146
-+#define PK11_R_INVALID_DSA_SIGNATURE_R 147
-+#define PK11_R_INVALID_DSA_SIGNATURE_S 148
-+#define PK11_R_INCONSISTENT_KEY 149
-+#define PK11_R_ENCRYPTUPDATE 150
-+#define PK11_R_DECRYPTUPDATE 151
-+#define PK11_R_DIGESTINIT 152
-+#define PK11_R_DIGESTUPDATE 153
-+#define PK11_R_DIGESTFINAL 154
-+#define PK11_R_ENCRYPTFINAL 155
-+#define PK11_R_DECRYPTFINAL 156
-+#define PK11_R_NO_PRNG_SUPPORT 157
-+#define PK11_R_GETTOKENINFO 158
-+#define PK11_R_DERIVEKEY 159
-+#define PK11_R_GET_OPERATION_STATE 160
-+#define PK11_R_SET_OPERATION_STATE 161
-+#define PK11_R_INVALID_HANDLE 162
-+#define PK11_R_KEY_OR_IV_LEN_PROBLEM 163
-+#define PK11_R_INVALID_OPERATION_TYPE 164
-+#define PK11_R_ADD_NID_FAILED 165
-+#define PK11_R_ATFORK_FAILED 166
-+#define PK11_R_INVALID_PIN 167
-+#define PK11_R_TOO_MANY_OBJECTS 168
-+#define PK11_R_OBJECT_NOT_FOUND 169
-+
-+/* max byte length of a symetric key we support */
-+#define PK11_KEY_LEN_MAX 32
-+
-+#ifdef NOPTHREADS
-+/*
-+ * CRYPTO_LOCK_PK11_ENGINE lock is primarily used for the protection of the
-+ * free_session list and active_list but generally serves as a global
-+ * per-process lock for the whole engine.
-+ *
-+ * We reuse CRYPTO_LOCK_EC lock (which is defined in OpenSSL for EC method) as
-+ * the global engine lock. This is not optimal w.r.t. performance but
-+ * it's safe.
-+ */
-+#define CRYPTO_LOCK_PK11_ENGINE CRYPTO_LOCK_EC
-+#endif
-+
-+/*
-+ * This structure encapsulates all reusable information for a PKCS#11
-+ * session. A list of these objects is created on behalf of the
-+ * calling application using an on-demand method. Each operation
-+ * type (see PK11_OPTYPE below) has its own per-process list.
-+ * Each of the lists is basically a cache for faster PKCS#11 object
-+ * access to avoid expensive C_Find{,Init,Final}Object() calls.
-+ *
-+ * When a new request comes in, an object will be taken from the list
-+ * (if there is one) or a new one is created to handle the request
-+ * (if the list is empty). See pk11_get_session() on how it is done.
-+ */
-+typedef struct PK11_st_SESSION
-+ {
-+ struct PK11_st_SESSION *next;
-+ CK_SESSION_HANDLE session; /* PK11 session handle */
-+ pid_t pid; /* Current process ID */
-+ union
-+ {
-+#ifndef OPENSSL_NO_RSA
-+ struct
-+ {
-+ CK_OBJECT_HANDLE rsa_pub_key; /* pub handle */
-+ CK_OBJECT_HANDLE rsa_priv_key; /* priv handle */
-+ RSA *rsa_pub; /* pub key addr */
-+ BIGNUM *rsa_n_num; /* pub modulus */
-+ BIGNUM *rsa_e_num; /* pub exponent */
-+ RSA *rsa_priv; /* priv key addr */
-+ BIGNUM *rsa_d_num; /* priv exponent */
-+ } u_RSA;
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+ struct
-+ {
-+ CK_OBJECT_HANDLE dsa_pub_key; /* pub handle */
-+ CK_OBJECT_HANDLE dsa_priv_key; /* priv handle */
-+ DSA *dsa_pub; /* pub key addr */
-+ BIGNUM *dsa_pub_num; /* pub key */
-+ DSA *dsa_priv; /* priv key addr */
-+ BIGNUM *dsa_priv_num; /* priv key */
-+ } u_DSA;
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+ struct
-+ {
-+ CK_OBJECT_HANDLE dh_key; /* key handle */
-+ DH *dh; /* dh key addr */
-+ BIGNUM *dh_priv_num; /* priv dh key */
-+ } u_DH;
-+#endif /* OPENSSL_NO_DH */
-+ struct
-+ {
-+ CK_OBJECT_HANDLE cipher_key; /* key handle */
-+ unsigned char key[PK11_KEY_LEN_MAX];
-+ int key_len; /* priv key len */
-+ int encrypt; /* 1/0 enc/decr */
-+ } u_cipher;
-+ } opdata_u;
-+ } PK11_SESSION;
-+
-+#define opdata_rsa_pub_key opdata_u.u_RSA.rsa_pub_key
-+#define opdata_rsa_priv_key opdata_u.u_RSA.rsa_priv_key
-+#define opdata_rsa_pub opdata_u.u_RSA.rsa_pub
-+#define opdata_rsa_priv opdata_u.u_RSA.rsa_priv
-+#define opdata_rsa_n_num opdata_u.u_RSA.rsa_n_num
-+#define opdata_rsa_e_num opdata_u.u_RSA.rsa_e_num
-+#define opdata_rsa_d_num opdata_u.u_RSA.rsa_d_num
-+#define opdata_dsa_pub_key opdata_u.u_DSA.dsa_pub_key
-+#define opdata_dsa_priv_key opdata_u.u_DSA.dsa_priv_key
-+#define opdata_dsa_pub opdata_u.u_DSA.dsa_pub
-+#define opdata_dsa_pub_num opdata_u.u_DSA.dsa_pub_num
-+#define opdata_dsa_priv opdata_u.u_DSA.dsa_priv
-+#define opdata_dsa_priv_num opdata_u.u_DSA.dsa_priv_num
-+#define opdata_dh_key opdata_u.u_DH.dh_key
-+#define opdata_dh opdata_u.u_DH.dh
-+#define opdata_dh_priv_num opdata_u.u_DH.dh_priv_num
-+#define opdata_cipher_key opdata_u.u_cipher.cipher_key
-+#define opdata_key opdata_u.u_cipher.key
-+#define opdata_key_len opdata_u.u_cipher.key_len
-+#define opdata_encrypt opdata_u.u_cipher.encrypt
-+
-+/*
-+ * We have 3 different groups of operation types:
-+ * 1) asymmetric operations
-+ * 2) random operations
-+ * 3) symmetric and digest operations
-+ *
-+ * This division into groups stems from the fact that it's common that hardware
-+ * providers may support operations from one group only. For example, hardware
-+ * providers on UltraSPARC T2, n2rng(7d), ncp(7d), and n2cp(7d), each support
-+ * only a single group of operations.
-+ *
-+ * For every group a different slot can be chosen. That means that we must have
-+ * at least 3 different lists of cached PKCS#11 sessions since sessions from
-+ * different groups may be initialized in different slots.
-+ *
-+ * To provide locking granularity in multithreaded environment, the groups are
-+ * further splitted into types with each type having a separate session cache.
-+ */
-+typedef enum PK11_OPTYPE_ENUM
-+ {
-+ OP_RAND,
-+ OP_RSA,
-+ OP_DSA,
-+ OP_DH,
-+ OP_CIPHER,
-+ OP_DIGEST,
-+ OP_MAX
-+ } PK11_OPTYPE;
-+
-+/*
-+ * This structure contains the heads of the lists forming the object caches
-+ * and locks associated with the lists.
-+ */
-+typedef struct PK11_st_CACHE
-+ {
-+ PK11_SESSION *head;
-+#ifndef NOPTHREADS
-+ pthread_mutex_t *lock;
-+#endif
-+ } PK11_CACHE;
-+
-+/* structure for tracking handles of asymmetric key objects */
-+typedef struct PK11_active_st
-+ {
-+ CK_OBJECT_HANDLE h;
-+ unsigned int refcnt;
-+ struct PK11_active_st *prev;
-+ struct PK11_active_st *next;
-+ } PK11_active;
-+
-+#ifndef NOPTHREADS
-+extern pthread_mutex_t *find_lock[];
-+#endif
-+extern PK11_active *active_list[];
-+
-+#ifndef NOPTHREADS
-+#define LOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_lock(find_lock[alg_type])
-+#define UNLOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_unlock(find_lock[alg_type])
-+#else
-+#define LOCK_OBJSTORE(alg_type) \
-+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
-+#define UNLOCK_OBJSTORE(alg_type) \
-+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE)
-+#endif
-+
-+extern PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+extern void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+#ifndef OPENSSL_NO_RSA
-+extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+extern int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+extern int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+extern EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+extern EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+extern RSA_METHOD *PK11_RSA(void);
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+extern int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+extern int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+extern DSA_METHOD *PK11_DSA(void);
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+extern int
pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock);
-+extern DH_METHOD *PK11_DH(void);
-+#endif /* OPENSSL_NO_DH */
-+
-+extern CK_FUNCTION_LIST_PTR pFuncList;
-+
-+#endif /* HW_PK11_ERR_H */
-Index: openssl/crypto/engine/hw_pk11_pub-kp.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub-kp.c:1.21
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11_pub-kp.c Tue Sep 1 06:02:18 2009
-@@ -0,0 +1,896 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11_pub.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Modified to keep only RNG and RSA Sign */
-+
-+#ifdef OPENSSL_NO_RSA
-+#error RSA is disabled
-+#endif
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/pem.h>
-+#include <openssl/rsa.h>
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#define NOPTHREADS
-+typedef int pid_t;
-+#define HAVE_GETPASSPHRASE
-+static char *getpassphrase(const char *prompt);
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+ returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+ returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+ returnType __declspec(dllimport) (* name)
-+#else
-+#include <unistd.h>
-+#endif
-+
-+#ifndef NOPTHREADS
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+#ifndef OPENSSL_NO_DSA
-+#define OPENSSL_NO_DSA
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#define OPENSSL_NO_DH
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11_err.h"
-+
-+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-+#define getpassphrase(x) getpass(x)
-+#endif
-+
-+/* RSA stuff */
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
-+EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+EVP_PKEY *pk11_load_pubkey(ENGINE*, const char
*pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
-+ BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
-+
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
-+
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
-+
-+/* Read mode string to be used for fopen() */
-+#if SOLARIS_OPENSSL
-+static char *read_mode_flags = "rF";
-+#else
-+static char *read_mode_flags = "r";
-+#endif
-+
-+/*
-+ * increment/create reference for an asymmetric key handle via active list
-+ * manipulation. If active list operation fails, unlock (if locked), set error
-+ * variable and jump to the specified label.
-+ */
-+#define KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label) \
-+ { \
-+ if (pk11_active_add(key_handle, alg_type) < 0) \
-+ { \
-+ var = TRUE; \
-+ if (unlock) \
-+ UNLOCK_OBJSTORE(alg_type); \
-+ goto label; \
-+ } \
-+ }
-+
-+/*
-+ * Find active list entry according to object handle and return pointer to the
-+ * entry otherwise return NULL.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+ {
-+ PK11_active *entry;
-+
-+ for (entry = active_list[type]; entry != NULL; entry = entry->next)
-+ if (entry->h == h)
-+ return (entry);
-+
-+ return (NULL);
-+ }
-+
-+/*
-+ * Search for an entry in the active list using PKCS#11 object handle as a
-+ * search key and return refcnt of the found/created entry or -1 in case of
-+ * failure.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+int
-+pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+ {
-+ PK11_active *entry = NULL;
-+
-+ if (h == CK_INVALID_HANDLE)
-+ {
-+ PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
-+ return (-1);
-+ }
-+
-+ /* search for entry in the active list */
-+ if ((entry = pk11_active_find(h, type)) != NULL)
-+ entry->refcnt++;
-+ else
-+ {
-+ /* not found, create new entry and add it to the list */
-+ entry = OPENSSL_malloc(sizeof (PK11_active));
-+ if (entry == NULL)
-+ {
-+ PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
-+ return (-1);
-+ }
-+ entry->h = h;
-+ entry->refcnt = 1;
-+ entry->prev = NULL;
-+ entry->next = NULL;
-+ /* connect the newly created entry to the list */
-+ if (active_list[type] == NULL)
-+ active_list[type] = entry;
-+ else /* make the entry first in the list */
-+ {
-+ entry->next = active_list[type];
-+ active_list[type]->prev = entry;
-+ active_list[type] = entry;
-+ }
-+ }
-+
-+ return (entry->refcnt);
-+ }
-+
-+/*
-+ * Remove active list entry from the list and free it.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+void
-+pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
-+ {
-+ PK11_active *prev_entry;
-+
-+ /* remove the entry from the list and free it */
-+ if ((prev_entry = entry->prev) != NULL)
-+ {
-+ prev_entry->next = entry->next;
-+ if (entry->next != NULL)
-+ entry->next->prev = prev_entry;
-+ }
-+ else
-+ {
-+ active_list[type] = entry->next;
-+ /* we were the first but not the only one */
-+ if (entry->next != NULL)
-+ entry->next->prev = NULL;
-+ }
-+
-+ /* sanitization */
-+ entry->h = CK_INVALID_HANDLE;
-+ entry->prev = NULL;
-+ entry->next = NULL;
-+ OPENSSL_free(entry);
-+ }
-+
-+/* Free all entries from the active list. */
-+void
-+pk11_free_active_list(PK11_OPTYPE type)
-+ {
-+ PK11_active *entry;
-+
-+ /* only for asymmetric types since only they have C_Find* locks.
*/
-+ switch (type)
-+ {
-+ case OP_RSA:
-+ break;
-+ default:
-+ return;
-+ }
-+
-+ /* see find_lock array definition for more info on object locking */
-+ LOCK_OBJSTORE(type);
-+ while ((entry = active_list[type]) != NULL)
-+ pk11_active_remove(entry, type);
-+ UNLOCK_OBJSTORE(type);
-+ }
-+
-+/*
-+ * Search for active list entry associated with given PKCS#11 object handle,
-+ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
-+ *
-+ * Return 1 if the PKCS#11 object associated with the entry has no references,
-+ * return 0 if there is at least one reference, -1 on error.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+int
-+pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+ {
-+ PK11_active *entry = NULL;
-+
-+ if ((entry = pk11_active_find(h, type)) == NULL)
-+ {
-+ PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
-+ return (-1);
-+ }
-+
-+ OPENSSL_assert(entry->refcnt > 0);
-+ entry->refcnt--;
-+ if (entry->refcnt == 0)
-+ {
-+ pk11_active_remove(entry, type);
-+ return (1);
-+ }
-+
-+ return (0);
-+ }
-+
-+/* Our internal RSA_METHOD that we provide pointers to */
-+static RSA_METHOD pk11_rsa;
-+
-+RSA_METHOD *
-+PK11_RSA(void)
-+ {
-+ const RSA_METHOD *rsa;
-+
-+ if (pk11_rsa.name == NULL)
-+ {
-+ rsa = RSA_PKCS1_SSLeay();
-+ memcpy(&pk11_rsa, rsa, sizeof(*rsa));
-+ pk11_rsa.name = "PKCS#11 RSA method";
-+ pk11_rsa.rsa_sign = pk11_RSA_sign;
-+ }
-+ return (&pk11_rsa);
-+ }
-+
-+/* Size of an SSL signature: MD5+SHA1 */
-+#define SSL_SIG_LENGTH 36
-+
-+/*
-+ * Standard engine interface function. Majority codes here are from
-+ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
-+ * See more details in rsa/rsa_sign.c
-+ */
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
-+ {
-+ X509_SIG sig;
-+ ASN1_TYPE parameter;
-+ int i, j = 0;
-+ unsigned char *p, *s = NULL;
-+ X509_ALGOR algor;
-+ ASN1_OCTET_STRING digest;
-+ CK_RV rv;
-+ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
-+ CK_MECHANISM *p_mech = &mech_rsa;
-+ CK_OBJECT_HANDLE h_priv_key;
-+ PK11_SESSION *sp = NULL;
-+ int ret = 0;
-+ unsigned long ulsiglen;
-+
-+ /* Encode the digest */
-+ /* Special case: SSL signature, just check the length */
-+ if (type == NID_md5_sha1)
-+ {
-+ if (m_len != SSL_SIG_LENGTH)
-+ {
-+ PK11err(PK11_F_RSA_SIGN,
-+ PK11_R_INVALID_MESSAGE_LENGTH);
-+ goto err;
-+ }
-+ i = SSL_SIG_LENGTH;
-+ s = (unsigned char *)m;
-+ }
-+ else
-+ {
-+ sig.algor = &algor;
-+ sig.algor->algorithm = OBJ_nid2obj(type);
-+ if (sig.algor->algorithm == NULL)
-+ {
-+ PK11err(PK11_F_RSA_SIGN,
-+ PK11_R_UNKNOWN_ALGORITHM_TYPE);
-+ goto err;
-+ }
-+ if (sig.algor->algorithm->length == 0)
-+ {
-+ PK11err(PK11_F_RSA_SIGN,
-+ PK11_R_UNKNOWN_ASN1_OBJECT_ID);
-+ goto err;
-+ }
-+ parameter.type = V_ASN1_NULL;
-+ parameter.value.ptr = NULL;
-+ sig.algor->parameter = ¶meter;
-+
-+ sig.digest = &digest;
-+ sig.digest->data = (unsigned char *)m;
-+ sig.digest->length = m_len;
-+
-+ i = i2d_X509_SIG(&sig, NULL);
-+ }
-+
-+ j = RSA_size(rsa);
-+ if ((i - RSA_PKCS1_PADDING) > j)
-+ {
-+ PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
-+ goto err;
-+ }
-+
-+ if (type != NID_md5_sha1)
-+ {
-+ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
-+ if (s == NULL)
-+ {
-+ PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ p = s;
-+ (void) i2d_X509_SIG(&sig, &p);
-+ }
-+
-+ if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+ goto err;
-+
-+ (void) check_new_rsa_key_priv(sp, rsa);
-+
-+ h_priv_key = sp->opdata_rsa_priv_key;
-+ if (h_priv_key == CK_INVALID_HANDLE)
-+ h_priv_key =
sp->opdata_rsa_priv_key =
-+ pk11_get_private_rsa_key((RSA *)rsa,
-+ &sp->opdata_rsa_priv,
-+ &sp->opdata_rsa_d_num, sp->session);
-+
-+ if (h_priv_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
-+ goto err;
-+ }
-+
-+ ulsiglen = j;
-+ rv = pFuncList->C_Sign(sp->session, s, i, sigret,
-+ (CK_ULONG_PTR) &ulsiglen);
-+ *siglen = ulsiglen;
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
-+ goto err;
-+ }
-+ ret = 1;
-+ }
-+
-+err:
-+ if ((type != NID_md5_sha1) && (s != NULL))
-+ {
-+ (void) memset(s, 0, (unsigned int)(j + 1));
-+ OPENSSL_free(s);
-+ }
-+
-+ pk11_return_session(sp, OP_RSA);
-+ return (ret);
-+ }
-+
-+static int hndidx_rsa = -1;
-+
-+/* load RSA private key from a file */
-+/* ARGSUSED */
-+EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
-+ UI_METHOD *ui_method, void *callback_data)
-+ {
-+ EVP_PKEY *pkey = NULL;
-+ FILE *privkey;
-+ RSA *rsa;
-+ PK11_SESSION *sp = NULL;
-+ /* everything else below needed for key by reference extension */
-+ CK_RV rv;
-+ CK_ULONG objcnt = 0;
-+ CK_BBOOL is_token = TRUE;
-+ CK_BYTE attr_data[2][1024];
-+ CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
-+ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
-+ extern char *pk11_pin;
-+
-+ /* we look for private keys only */
-+ CK_ATTRIBUTE search_templ[] =
-+ {
-+ {CKA_TOKEN, &is_token, sizeof(is_token)},
-+ {CKA_CLASS, &key_class, sizeof(key_class)},
-+ {CKA_LABEL, NULL, 0}
-+ };
-+
-+ /* these attributes are needed to initialize OpenSSL RSA structure */
-+ CK_ATTRIBUTE get_templ[] =
-+ {
-+ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
-+ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
-+ };
-+
-+ /*
-+ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
-+ */
-+ if (strstr(privkey_file, "pkcs11:") == privkey_file)
-+ {
-+ if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+ return (NULL);
-+
-+ search_templ[2].pValue = strstr(privkey_file, ":") + 1;
-+ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+ if (pk11_pin == NULL)
-+ {
-+ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
-+
-+ if (pk11_pin == NULL)
-+ {
-+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ }
-+ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+ PK11_R_INVALID_PIN, rv);
-+ goto err;
-+ }
-+
-+ LOCK_OBJSTORE(OP_RSA);
-+ if ((rv = pFuncList->C_FindObjectsInit(sp->session,
-+ search_templ, 3)) != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+ if (rv != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ if (objcnt > 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
-+ goto err;
-+ }
-+
-+ if (objcnt != 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
-+ goto err;
-+ }
-+
-+ (void) pFuncList->C_FindObjectsFinal(sp->session);
-+ UNLOCK_OBJSTORE(OP_RSA);
-+
-+ if (hndidx_rsa == -1)
-+ hndidx_rsa = RSA_get_ex_new_index(0,
-+ "pkcs11 RSA HSM key handle",
-+ NULL, NULL, NULL);
-+
-+ pkey = EVP_PKEY_new();
-+ if (pkey == NULL)
-+ goto err;
-+
-+ rsa = RSA_new_method(e);
-+ if (rsa == NULL) {
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ goto err;
-+ }
-+ EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+ get_templ, 2)) != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+ PK11_R_GETATTRIBUTVALUE,
rv);
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ goto err;
-+ }
-+
-+ /* Note: these flags are critical! */
-+ rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
-+ RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
-+ (void) check_new_rsa_key_priv(sp, rsa);
-+ sp->opdata_rsa_priv = rsa;
-+ sp->opdata_rsa_priv_key = ks_key;
-+
-+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+ }
-+ else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
-+ {
-+ pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
-+ (void) fclose(privkey);
-+ }
-+
-+err:
-+ if (sp != NULL)
-+ pk11_return_session(sp, OP_RSA);
-+ return (pkey);
-+ }
-+
-+/* load RSA public key from a file */
-+/* ARGSUSED */
-+EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data)
-+ {
-+ EVP_PKEY *pkey = NULL;
-+ FILE *pubkey;
-+ RSA *rsa;
-+ PK11_SESSION *sp = NULL;
-+ /* everything else below needed for key by reference extension */
-+ CK_RV rv;
-+ CK_ULONG objcnt = 0;
-+ CK_BBOOL is_token = TRUE;
-+ CK_BYTE attr_data[2][1024];
-+ CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
-+ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
-+ extern char *pk11_pin;
-+
-+ /* we look for public keys only */
-+ CK_ATTRIBUTE search_templ[] =
-+ {
-+ {CKA_TOKEN, &is_token, sizeof(is_token)},
-+ {CKA_CLASS, &key_class, sizeof(key_class)},
-+ {CKA_LABEL, NULL, 0}
-+ };
-+
-+ /* these attributes are needed to initialize OpenSSL RSA structure */
-+ CK_ATTRIBUTE get_templ[] =
-+ {
-+ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
-+ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
-+ };
-+
-+ /*
-+ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
-+ */
-+ if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
-+ {
-+ if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+ return (NULL);
-+
-+ search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
-+ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+#define ALLWAYS_LOGIN
-+#ifdef ALLWAYS_LOGIN
-+ if (pk11_pin == NULL)
-+ {
-+ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
-+
-+ if (pk11_pin == NULL)
-+ {
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ }
-+ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_INVALID_PIN, rv);
-+ goto err;
-+ }
-+#endif
-+
-+ LOCK_OBJSTORE(OP_RSA);
-+ if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
-+ }
-+ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+ if (rv != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ if (objcnt > 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
-+ goto err;
-+ }
-+
-+ if (objcnt != 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
-+ goto err;
-+ }
-+
-+ (void) pFuncList->C_FindObjectsFinal(sp->session);
-+ UNLOCK_OBJSTORE(OP_RSA);
-+
-+ sp->opdata_rsa_pub_key = ks_key;
-+ pkey = EVP_PKEY_new();
-+ if (pkey == NULL)
-+ goto err;
-+
-+ rsa = RSA_new_method(e);
-+ if (rsa == NULL) {
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ goto err;
-+ }
-+ EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+ if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+ get_templ, 2) != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_GETATTRIBUTVALUE, rv);
-+ goto err;
-+ }
-+
-+ (void)
check_new_rsa_key_pub(sp, rsa);
-+ sp->opdata_rsa_pub = rsa;
-+
-+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+ }
-+ else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
-+ {
-+ pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
-+ (void) fclose(pubkey);
-+ }
-+
-+err:
-+ if (sp != NULL)
-+ pk11_return_session(sp, OP_RSA);
-+ return (pkey);
-+ }
-+
-+/*
-+ * Create a private key object in the session from a given rsa structure.
-+ * The *rsa_d_num pointer is non-NULL for RSA private keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
-+ RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
-+ {
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+
-+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) == 0) {
-+ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_INCONSISTENT_KEY);
-+ return (h_key);
-+ }
-+
-+ h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
-+ (void) pk11_active_add(h_key, OP_RSA);
-+ if (key_ptr != NULL)
-+ *key_ptr = rsa;
-+ if (rsa_d_num != NULL)
-+ {
-+ if (rsa->d == NULL)
-+ *rsa_d_num = NULL;
-+ else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ return (h_key);
-+ }
-+ }
-+ return (h_key);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
-+ {
-+ /*
-+ * Provide protection against RSA structure reuse by making the
-+ * check for cache hit stronger. Only public components of RSA
-+ * key matter here so it is sufficient to compare them with values
-+ * cached in PK11_SESSION structure.
-+ */
-+ if ((sp->opdata_rsa_pub != rsa) ||
-+ (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
-+ (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
-+ {
-+ /*
-+ * Provide protection against RSA structure reuse by making the
-+ * check for cache hit stronger. Comparing private exponent of RSA
-+ * key with value cached in PK11_SESSION structure should
-+ * be sufficient.
-+ */
-+ if ((sp->opdata_rsa_priv != rsa) ||
-+ (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
-+ ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
-+ {
-+ if (attr->ulValueLen > 0)
-+ {
-+ *bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
-+ }
-+ }
-+
-+#ifdef OPENSSL_SYS_WIN32
-+char *getpassphrase(const char *prompt)
-+ {
-+ static char buf[128];
-+ HANDLE h;
-+ DWORD cc, mode;
-+ int cnt;
-+
-+ h = GetStdHandle(STD_INPUT_HANDLE);
-+ fputs(prompt, stderr);
-+ fflush(stderr);
-+ fflush(stdout);
-+ FlushConsoleInputBuffer(h);
-+ GetConsoleMode(h, &mode);
-+ SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
-+
-+ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
-+ {
-+ ReadFile(h, buf + cnt, 1, &cc, NULL);
-+ if (buf[cnt] == '\r')
-+ break;
-+ fputc('*', stdout);
-+ fflush(stderr);
-+ fflush(stdout);
-+ }
-+
-+ SetConsoleMode(h, mode);
-+ buf[cnt] = '\0';
-+ fputs("\n", stderr);
-+ return buf;
-+ }
-+#endif /* OPENSSL_SYS_WIN32 */
-+#endif /* OPENSSL_NO_HW_PK11 */
-+#endif /* OPENSSL_NO_HW */
-Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11_pub.c Fri Aug 28 06:31:09 2009
-@@ -0,0 +1,3137 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11_pub.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1.
Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+
-+#include <openssl/e_os2.h>
-+#include <openssl/crypto.h>
-+#include <cryptlib.h>
-+#include <openssl/engine.h>
-+#include <openssl/dso.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/pem.h>
-+#ifndef OPENSSL_NO_RSA
-+#include <openssl/rsa.h>
-+#endif /* OPENSSL_NO_RSA */
-+#ifndef OPENSSL_NO_DSA
-+#include <openssl/dsa.h>
-+#endif /* OPENSSL_NO_DSA */
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif /* OPENSSL_NO_DH */
-+#include <openssl/rand.h>
-+#include <openssl/objects.h>
-+#include <openssl/x509.h>
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#define NOPTHREADS
-+typedef int pid_t;
-+#define HAVE_GETPASSPHRASE
-+static char *getpassphrase(const char *prompt);
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+ returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+ returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+ returnType __declspec(dllimport) (* name)
-+#else
-+#include <unistd.h>
-+#endif
-+
-+#ifndef NOPTHREADS
-+#include <pthread.h>
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11_err.h"
-+
-+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-+#define getpassphrase(x) getpass(x)
-+#endif
-+
-+#ifndef OPENSSL_NO_RSA
-+/* RSA stuff */
-+static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_init(RSA *rsa);
-+static int pk11_RSA_finish(RSA *rsa);
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
-+static int pk11_RSA_verify(int dtype, const unsigned char *m,
-+ unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
-+ const RSA *rsa);
-+EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
-+ UI_METHOD *ui_method, void *callback_data);
-+
-+static int pk11_RSA_public_encrypt_low(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa);
-+static int pk11_RSA_private_encrypt_low(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa);
-+static int pk11_RSA_public_decrypt_low(int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa);
-+static int pk11_RSA_private_decrypt_low(int flen, const unsigned char
*from,
-+ unsigned char *to, RSA *rsa);
-+
-+static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA* rsa, RSA** key_ptr,
-+ BIGNUM **rsa_n_num, BIGNUM **rsa_e_num, CK_SESSION_HANDLE session);
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
-+ BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
-+
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
-+#endif
-+
-+/* DSA stuff */
-+#ifndef OPENSSL_NO_DSA
-+static int pk11_DSA_init(DSA *dsa);
-+static int pk11_DSA_finish(DSA *dsa);
-+static DSA_SIG *pk11_dsa_do_sign(const unsigned char *dgst, int dlen,
-+ DSA *dsa);
-+static int pk11_dsa_do_verify(const unsigned char *dgst, int dgst_len,
-+ DSA_SIG *sig, DSA *dsa);
-+
-+static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa, DSA **key_ptr,
-+ BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session);
-+static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa, DSA **key_ptr,
-+ BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session);
-+
-+static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa);
-+static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa);
-+#endif
-+
-+/* DH stuff */
-+#ifndef OPENSSL_NO_DH
-+static int pk11_DH_init(DH *dh);
-+static int pk11_DH_finish(DH *dh);
-+static int pk11_DH_generate_key(DH *dh);
-+static int pk11_DH_compute_key(unsigned char *key,
-+ const BIGNUM *pub_key, DH *dh);
-+
-+static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh, DH **key_ptr,
-+ BIGNUM **priv_key, CK_SESSION_HANDLE session);
-+
-+static int check_new_dh_key(PK11_SESSION *sp, DH *dh);
-+#endif
-+
-+static int init_template_value(BIGNUM *bn, CK_VOID_PTR *pValue,
-+ CK_ULONG *ulValueLen);
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
-+
-+/* Read mode string to be used for fopen() */
-+#if SOLARIS_OPENSSL
-+static char *read_mode_flags = "rF";
-+#else
-+static char *read_mode_flags = "r";
-+#endif
-+
-+/*
-+ * increment/create reference
for an asymmetric key handle via active list -+ * manipulation. If active list operation fails, unlock (if locked), set error -+ * variable and jump to the specified label. -+ */ -+#define KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label) \ -+ { \ -+ if (pk11_active_add(key_handle, alg_type) < 0) \ -+ { \ -+ var = TRUE; \ -+ if (unlock) \ -+ UNLOCK_OBJSTORE(alg_type); \ -+ goto label; \ -+ } \ -+ } -+ -+/* -+ * Find active list entry according to object handle and return pointer to the -+ * entry otherwise return NULL. -+ * -+ * This function presumes it is called with lock protecting the active list -+ * held. -+ */ -+static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type) -+ { -+ PK11_active *entry; -+ -+ for (entry = active_list[type]; entry != NULL; entry = entry->next) -+ if (entry->h == h) -+ return (entry); -+ -+ return (NULL); -+ } -+ -+/* -+ * Search for an entry in the active list using PKCS#11 object handle as a -+ * search key and return refcnt of the found/created entry or -1 in case of -+ * failure. -+ * -+ * This function presumes it is called with lock protecting the active list -+ * held. 
-+ */ -+int -+pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type) -+ { -+ PK11_active *entry = NULL; -+ -+ if (h == CK_INVALID_HANDLE) -+ { -+ PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE); -+ return (-1); -+ } -+ -+ /* search for entry in the active list */ -+ if ((entry = pk11_active_find(h, type)) != NULL) -+ entry->refcnt++; -+ else -+ { -+ /* not found, create new entry and add it to the list */ -+ entry = OPENSSL_malloc(sizeof (PK11_active)); -+ if (entry == NULL) -+ { -+ PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE); -+ return (-1); -+ } -+ entry->h = h; -+ entry->refcnt = 1; -+ entry->prev = NULL; -+ entry->next = NULL; -+ /* connect the newly created entry to the list */ -+ if (active_list[type] == NULL) -+ active_list[type] = entry; -+ else /* make the entry first in the list */ -+ { -+ entry->next = active_list[type]; -+ active_list[type]->prev = entry; -+ active_list[type] = entry; -+ } -+ } -+ -+ return (entry->refcnt); -+ } -+ -+/* -+ * Remove active list entry from the list and free it. -+ * -+ * This function presumes it is called with lock protecting the active list -+ * held. -+ */ -+void -+pk11_active_remove(PK11_active *entry, PK11_OPTYPE type) -+ { -+ PK11_active *prev_entry; -+ -+ /* remove the entry from the list and free it */ -+ if ((prev_entry = entry->prev) != NULL) -+ { -+ prev_entry->next = entry->next; -+ if (entry->next != NULL) -+ entry->next->prev = prev_entry; -+ } -+ else -+ { -+ active_list[type] = entry->next; -+ /* we were the first but not the only one */ -+ if (entry->next != NULL) -+ entry->next->prev = NULL; -+ } -+ -+ /* sanitization */ -+ entry->h = CK_INVALID_HANDLE; -+ entry->prev = NULL; -+ entry->next = NULL; -+ OPENSSL_free(entry); -+ } -+ -+/* Free all entries from the active list. */ -+void -+pk11_free_active_list(PK11_OPTYPE type) -+ { -+ PK11_active *entry; -+ -+ /* only for asymmetric types since only they have C_Find* locks. 
*/ -+ switch (type) -+ { -+ case OP_RSA: -+ case OP_DSA: -+ case OP_DH: -+ break; -+ default: -+ return; -+ } -+ -+ /* see find_lock array definition for more info on object locking */ -+ LOCK_OBJSTORE(type); -+ while ((entry = active_list[type]) != NULL) -+ pk11_active_remove(entry, type); -+ UNLOCK_OBJSTORE(type); -+ } -+ -+/* -+ * Search for active list entry associated with given PKCS#11 object handle, -+ * decrement its refcnt and if it drops to 0, disconnect the entry and free it. -+ * -+ * Return 1 if the PKCS#11 object associated with the entry has no references, -+ * return 0 if there is at least one reference, -1 on error. -+ * -+ * This function presumes it is called with lock protecting the active list -+ * held. -+ */ -+int -+pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type) -+ { -+ PK11_active *entry = NULL; -+ -+ if ((entry = pk11_active_find(h, type)) == NULL) -+ { -+ PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE); -+ return (-1); -+ } -+ -+ OPENSSL_assert(entry->refcnt > 0); -+ entry->refcnt--; -+ if (entry->refcnt == 0) -+ { -+ pk11_active_remove(entry, type); -+ return (1); -+ } -+ -+ return (0); -+ } -+ -+#ifndef OPENSSL_NO_RSA -+/* Our internal RSA_METHOD that we provide pointers to */ -+static RSA_METHOD pk11_rsa = -+ { -+ "PKCS#11 RSA method", -+ pk11_RSA_public_encrypt, /* rsa_pub_encrypt */ -+ pk11_RSA_public_decrypt, /* rsa_pub_decrypt */ -+ pk11_RSA_private_encrypt, /* rsa_priv_encrypt */ -+ pk11_RSA_private_decrypt, /* rsa_priv_decrypt */ -+ NULL, /* rsa_mod_exp */ -+ NULL, /* bn_mod_exp */ -+ pk11_RSA_init, /* init */ -+ pk11_RSA_finish, /* finish */ -+ RSA_FLAG_SIGN_VER, /* flags */ -+ NULL, /* app_data */ -+ pk11_RSA_sign, /* rsa_sign */ -+ pk11_RSA_verify /* rsa_verify */ -+ }; -+ -+RSA_METHOD * -+PK11_RSA(void) -+ { -+ return (&pk11_rsa); -+ } -+#endif -+ -+#ifndef OPENSSL_NO_DSA -+/* Our internal DSA_METHOD that we provide pointers to */ -+static DSA_METHOD pk11_dsa = -+ { -+ "PKCS#11 DSA method", -+ pk11_dsa_do_sign, 
/* dsa_do_sign */ -+ NULL, /* dsa_sign_setup */ -+ pk11_dsa_do_verify, /* dsa_do_verify */ -+ NULL, /* dsa_mod_exp */ -+ NULL, /* bn_mod_exp */ -+ pk11_DSA_init, /* init */ -+ pk11_DSA_finish, /* finish */ -+ 0, /* flags */ -+ NULL /* app_data */ -+ }; -+ -+DSA_METHOD * -+PK11_DSA(void) -+ { -+ return (&pk11_dsa); -+ } -+#endif -+ -+#ifndef OPENSSL_NO_DH -+/* -+ * PKCS #11 V2.20, section 11.2 specifies that the number of bytes needed for -+ * output buffer may somewhat exceed the precise number of bytes needed, but -+ * should not exceed it by a large amount. That may be caused, for example, by -+ * rounding it up to multiple of X in the underlying bignum library. 8 should be -+ * enough. -+ */ -+#define DH_BUF_RESERVE 8 -+ -+/* Our internal DH_METHOD that we provide pointers to */ -+static DH_METHOD pk11_dh = -+ { -+ "PKCS#11 DH method", -+ pk11_DH_generate_key, /* generate_key */ -+ pk11_DH_compute_key, /* compute_key */ -+ NULL, /* bn_mod_exp */ -+ pk11_DH_init, /* init */ -+ pk11_DH_finish, /* finish */ -+ 0, /* flags */ -+ NULL, /* app_data */ -+ NULL /* generate_params */ -+ }; -+ -+DH_METHOD * -+PK11_DH(void) -+ { -+ return (&pk11_dh); -+ } -+#endif -+ -+/* Size of an SSL signature: MD5+SHA1 */ -+#define SSL_SIG_LENGTH 36 -+ -+/* Lengths of DSA data and signature */ -+#define DSA_DATA_LEN 20 -+#define DSA_SIGNATURE_LEN 40 -+ -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; -+ -+#ifndef OPENSSL_NO_RSA -+/* -+ * Similiar to OpenSSL to take advantage of the paddings. The goal is to -+ * support all paddings in this engine although PK11 library does not -+ * support all the paddings used in OpenSSL. -+ * The input errors should have been checked in the padding functions. 
-+ */ -+static int pk11_RSA_public_encrypt(int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, int padding) -+ { -+ int i, num = 0, r = -1; -+ unsigned char *buf = NULL; -+ -+ num = BN_num_bytes(rsa->n); -+ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL) -+ { -+ RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ switch (padding) -+ { -+ case RSA_PKCS1_PADDING: -+ i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen); -+ break; -+#ifndef OPENSSL_NO_SHA -+ case RSA_PKCS1_OAEP_PADDING: -+ i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0); -+ break; -+#endif -+ case RSA_SSLV23_PADDING: -+ i = RSA_padding_add_SSLv23(buf, num, from, flen); -+ break; -+ case RSA_NO_PADDING: -+ i = RSA_padding_add_none(buf, num, from, flen); -+ break; -+ default: -+ RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_UNKNOWN_PADDING_TYPE); -+ goto err; -+ } -+ if (i <= 0) goto err; -+ -+ /* PK11 functions are called here */ -+ r = pk11_RSA_public_encrypt_low(num, buf, to, rsa); -+err: -+ if (buf != NULL) -+ { -+ OPENSSL_cleanse(buf, num); -+ OPENSSL_free(buf); -+ } -+ return (r); -+ } -+ -+ -+/* -+ * Similar to Openssl to take advantage of the paddings. 
The input errors -+ * should be catched in the padding functions -+ */ -+static int pk11_RSA_private_encrypt(int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, int padding) -+ { -+ int i, num = 0, r = -1; -+ unsigned char *buf = NULL; -+ -+ num = BN_num_bytes(rsa->n); -+ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL) -+ { -+ RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ switch (padding) -+ { -+ case RSA_PKCS1_PADDING: -+ i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen); -+ break; -+ case RSA_NO_PADDING: -+ i = RSA_padding_add_none(buf, num, from, flen); -+ break; -+ case RSA_SSLV23_PADDING: -+ default: -+ RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_UNKNOWN_PADDING_TYPE); -+ goto err; -+ } -+ if (i <= 0) goto err; -+ -+ /* PK11 functions are called here */ -+ r = pk11_RSA_private_encrypt_low(num, buf, to, rsa); -+err: -+ if (buf != NULL) -+ { -+ OPENSSL_cleanse(buf, num); -+ OPENSSL_free(buf); -+ } -+ return (r); -+ } -+ -+/* Similar to OpenSSL code. 
Input errors are also checked here */ -+static int pk11_RSA_private_decrypt(int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, int padding) -+ { -+ BIGNUM f; -+ int j, num = 0, r = -1; -+ unsigned char *p; -+ unsigned char *buf = NULL; -+ -+ BN_init(&f); -+ -+ num = BN_num_bytes(rsa->n); -+ -+ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL) -+ { -+ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ /* -+ * This check was for equality but PGP does evil things -+ * and chops off the top '0' bytes -+ */ -+ if (flen > num) -+ { -+ RSAerr(PK11_F_RSA_PRIV_DEC, -+ PK11_R_DATA_GREATER_THAN_MOD_LEN); -+ goto err; -+ } -+ -+ /* make data into a big number */ -+ if (BN_bin2bn(from, (int)flen, &f) == NULL) -+ goto err; -+ -+ if (BN_ucmp(&f, rsa->n) >= 0) -+ { -+ RSAerr(PK11_F_RSA_PRIV_DEC, -+ PK11_R_DATA_TOO_LARGE_FOR_MODULUS); -+ goto err; -+ } -+ -+ /* PK11 functions are called here */ -+ r = pk11_RSA_private_decrypt_low(flen, from, buf, rsa); -+ -+ /* -+ * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning. -+ * Needs to skip these 0's paddings here. 
-+ */ -+ for (j = 0; j < r; j++) -+ if (buf[j] != 0) -+ break; -+ -+ p = buf + j; -+ j = r - j; /* j is only used with no-padding mode */ -+ -+ switch (padding) -+ { -+ case RSA_PKCS1_PADDING: -+ r = RSA_padding_check_PKCS1_type_2(to, num, p, j, num); -+ break; -+#ifndef OPENSSL_NO_SHA -+ case RSA_PKCS1_OAEP_PADDING: -+ r = RSA_padding_check_PKCS1_OAEP(to, num, p, j, num, NULL, 0); -+ break; -+#endif -+ case RSA_SSLV23_PADDING: -+ r = RSA_padding_check_SSLv23(to, num, p, j, num); -+ break; -+ case RSA_NO_PADDING: -+ r = RSA_padding_check_none(to, num, p, j, num); -+ break; -+ default: -+ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_UNKNOWN_PADDING_TYPE); -+ goto err; -+ } -+ if (r < 0) -+ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_PADDING_CHECK_FAILED); -+ -+err: -+ BN_clear_free(&f); -+ if (buf != NULL) -+ { -+ OPENSSL_cleanse(buf, num); -+ OPENSSL_free(buf); -+ } -+ return (r); -+ } -+ -+/* Similar to OpenSSL code. Input errors are also checked here */ -+static int pk11_RSA_public_decrypt(int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, int padding) -+ { -+ BIGNUM f; -+ int i, num = 0, r = -1; -+ unsigned char *p; -+ unsigned char *buf = NULL; -+ -+ BN_init(&f); -+ num = BN_num_bytes(rsa->n); -+ buf = (unsigned char *)OPENSSL_malloc(num); -+ if (buf == NULL) -+ { -+ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ /* -+ * This check was for equality but PGP does evil things -+ * and chops off the top '0' bytes -+ */ -+ if (flen > num) -+ { -+ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_DATA_GREATER_THAN_MOD_LEN); -+ goto err; -+ } -+ -+ if (BN_bin2bn(from, flen, &f) == NULL) -+ goto err; -+ -+ if (BN_ucmp(&f, rsa->n) >= 0) -+ { -+ RSAerr(PK11_F_RSA_PUB_DEC, -+ PK11_R_DATA_TOO_LARGE_FOR_MODULUS); -+ goto err; -+ } -+ -+ /* PK11 functions are called here */ -+ r = pk11_RSA_public_decrypt_low(flen, from, buf, rsa); -+ -+ /* -+ * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning. 
-+ * Needs to skip these 0's here -+ */ -+ for (i = 0; i < r; i++) -+ if (buf[i] != 0) -+ break; -+ -+ p = buf + i; -+ i = r - i; /* i is only used with no-padding mode */ -+ -+ switch (padding) -+ { -+ case RSA_PKCS1_PADDING: -+ r = RSA_padding_check_PKCS1_type_1(to, num, p, i, num); -+ break; -+ case RSA_NO_PADDING: -+ r = RSA_padding_check_none(to, num, p, i, num); -+ break; -+ default: -+ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_UNKNOWN_PADDING_TYPE); -+ goto err; -+ } -+ if (r < 0) -+ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_PADDING_CHECK_FAILED); -+ -+err: -+ BN_clear_free(&f); -+ if (buf != NULL) -+ { -+ OPENSSL_cleanse(buf, num); -+ OPENSSL_free(buf); -+ } -+ return (r); -+ } -+ -+/* -+ * This function implements RSA public encryption using C_EncryptInit and -+ * C_Encrypt pk11 interfaces. Note that the CKM_RSA_X_509 is used here. -+ * The calling function allocated sufficient memory in "to" to store results. -+ */ -+static int pk11_RSA_public_encrypt_low(int flen, -+ const unsigned char *from, unsigned char *to, RSA *rsa) -+ { -+ CK_ULONG bytes_encrypted = flen; -+ int retval = -1; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE; -+ PK11_SESSION *sp; -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ return (-1); -+ -+ (void) check_new_rsa_key_pub(sp, rsa); -+ -+ h_pub_key = sp->opdata_rsa_pub_key; -+ if (h_pub_key == CK_INVALID_HANDLE) -+ h_pub_key = sp->opdata_rsa_pub_key = -+ pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub, -+ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num, -+ sp->session); -+ -+ if (h_pub_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_EncryptInit(sp->session, p_mech, -+ h_pub_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW, -+ PK11_R_ENCRYPTINIT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ -+ rv = pFuncList->C_Encrypt(sp->session, -+ (unsigned char *)from, flen, to, &bytes_encrypted); -+ 
-+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW, -+ PK11_R_ENCRYPT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ retval = bytes_encrypted; -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (retval); -+ } -+ -+ -+/* -+ * This function implements RSA private encryption using C_SignInit and -+ * C_Sign pk11 APIs. Note that CKM_RSA_X_509 is used here. -+ * The calling function allocated sufficient memory in "to" to store results. -+ */ -+static int pk11_RSA_private_encrypt_low(int flen, -+ const unsigned char *from, unsigned char *to, RSA *rsa) -+ { -+ CK_ULONG ul_sig_len = flen; -+ int retval = -1; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE; -+ PK11_SESSION *sp; -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ return (-1); -+ -+ (void) check_new_rsa_key_priv(sp, rsa); -+ -+ h_priv_key = sp->opdata_rsa_priv_key; -+ if (h_priv_key == CK_INVALID_HANDLE) -+ h_priv_key = sp->opdata_rsa_priv_key = -+ pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv, -+ &sp->opdata_rsa_d_num, sp->session); -+ -+ if (h_priv_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_SignInit(sp->session, p_mech, -+ h_priv_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW, -+ PK11_R_SIGNINIT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ -+ rv = pFuncList->C_Sign(sp->session, -+ (unsigned char *)from, flen, to, &ul_sig_len); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW, PK11_R_SIGN, -+ rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ -+ retval = ul_sig_len; -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (retval); -+ } -+ -+ -+/* -+ * This function implements RSA private decryption using C_DecryptInit and -+ * C_Decrypt pk11 APIs. Note that CKM_RSA_X_509 mechanism is used here. 
-+ * The calling function allocated sufficient memory in "to" to store results. -+ */ -+static int pk11_RSA_private_decrypt_low(int flen, -+ const unsigned char *from, unsigned char *to, RSA *rsa) -+ { -+ CK_ULONG bytes_decrypted = flen; -+ int retval = -1; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_priv_key; -+ PK11_SESSION *sp; -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ return (-1); -+ -+ (void) check_new_rsa_key_priv(sp, rsa); -+ -+ h_priv_key = sp->opdata_rsa_priv_key; -+ if (h_priv_key == CK_INVALID_HANDLE) -+ h_priv_key = sp->opdata_rsa_priv_key = -+ pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv, -+ &sp->opdata_rsa_d_num, sp->session); -+ -+ if (h_priv_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_DecryptInit(sp->session, p_mech, -+ h_priv_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW, -+ PK11_R_DECRYPTINIT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ -+ rv = pFuncList->C_Decrypt(sp->session, -+ (unsigned char *)from, flen, to, &bytes_decrypted); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW, -+ PK11_R_DECRYPT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ retval = bytes_decrypted; -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (retval); -+ } -+ -+ -+/* -+ * This function implements RSA public decryption using C_VerifyRecoverInit -+ * and C_VerifyRecover pk11 APIs. Note that CKM_RSA_X_509 is used here. -+ * The calling function allocated sufficient memory in "to" to store results. 
-+ */ -+static int pk11_RSA_public_decrypt_low(int flen, -+ const unsigned char *from, unsigned char *to, RSA *rsa) -+ { -+ CK_ULONG bytes_decrypted = flen; -+ int retval = -1; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE; -+ PK11_SESSION *sp; -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ return (-1); -+ -+ (void) check_new_rsa_key_pub(sp, rsa); -+ -+ h_pub_key = sp->opdata_rsa_pub_key; -+ if (h_pub_key == CK_INVALID_HANDLE) -+ h_pub_key = sp->opdata_rsa_pub_key = -+ pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub, -+ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num, -+ sp->session); -+ -+ if (h_pub_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_VerifyRecoverInit(sp->session, -+ p_mech, h_pub_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW, -+ PK11_R_VERIFYRECOVERINIT, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ -+ rv = pFuncList->C_VerifyRecover(sp->session, -+ (unsigned char *)from, flen, to, &bytes_decrypted); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW, -+ PK11_R_VERIFYRECOVER, rv); -+ pk11_return_session(sp, OP_RSA); -+ return (-1); -+ } -+ retval = bytes_decrypted; -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (retval); -+ } -+ -+static int pk11_RSA_init(RSA *rsa) -+ { -+ /* -+ * This flag in the RSA_METHOD enables the new rsa_sign, -+ * rsa_verify functions. See rsa.h for details. -+ */ -+ rsa->flags |= RSA_FLAG_SIGN_VER; -+ -+ return (1); -+ } -+ -+static int pk11_RSA_finish(RSA *rsa) -+ { -+ /* -+ * Since we are overloading OpenSSL's native RSA_eay_finish() we need -+ * to do the same as in the original function, i.e. to free bignum -+ * structures. 
-+ */ -+ if (rsa->_method_mod_n != NULL) -+ BN_MONT_CTX_free(rsa->_method_mod_n); -+ if (rsa->_method_mod_p != NULL) -+ BN_MONT_CTX_free(rsa->_method_mod_p); -+ if (rsa->_method_mod_q != NULL) -+ BN_MONT_CTX_free(rsa->_method_mod_q); -+ -+ return (1); -+ } -+ -+/* -+ * Standard engine interface function. Majority codes here are from -+ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11. -+ * See more details in rsa/rsa_sign.c -+ */ -+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len, -+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa) -+ { -+ X509_SIG sig; -+ ASN1_TYPE parameter; -+ int i, j = 0; -+ unsigned char *p, *s = NULL; -+ X509_ALGOR algor; -+ ASN1_OCTET_STRING digest; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_priv_key; -+ PK11_SESSION *sp = NULL; -+ int ret = 0; -+ unsigned long ulsiglen; -+ -+ /* Encode the digest */ -+ /* Special case: SSL signature, just check the length */ -+ if (type == NID_md5_sha1) -+ { -+ if (m_len != SSL_SIG_LENGTH) -+ { -+ PK11err(PK11_F_RSA_SIGN, -+ PK11_R_INVALID_MESSAGE_LENGTH); -+ goto err; -+ } -+ i = SSL_SIG_LENGTH; -+ s = (unsigned char *)m; -+ } -+ else -+ { -+ sig.algor = &algor; -+ sig.algor->algorithm = OBJ_nid2obj(type); -+ if (sig.algor->algorithm == NULL) -+ { -+ PK11err(PK11_F_RSA_SIGN, -+ PK11_R_UNKNOWN_ALGORITHM_TYPE); -+ goto err; -+ } -+ if (sig.algor->algorithm->length == 0) -+ { -+ PK11err(PK11_F_RSA_SIGN, -+ PK11_R_UNKNOWN_ASN1_OBJECT_ID); -+ goto err; -+ } -+ parameter.type = V_ASN1_NULL; -+ parameter.value.ptr = NULL; -+ sig.algor->parameter = ¶meter; -+ -+ sig.digest = &digest; -+ sig.digest->data = (unsigned char *)m; -+ sig.digest->length = m_len; -+ -+ i = i2d_X509_SIG(&sig, NULL); -+ } -+ -+ j = RSA_size(rsa); -+ if ((i - RSA_PKCS1_PADDING) > j) -+ { -+ PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG); -+ goto err; -+ } -+ -+ if (type != NID_md5_sha1) -+ { 
-+ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1)); -+ if (s == NULL) -+ { -+ PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ p = s; -+ (void) i2d_X509_SIG(&sig, &p); -+ } -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ goto err; -+ -+ (void) check_new_rsa_key_priv(sp, rsa); -+ -+ h_priv_key = sp->opdata_rsa_priv_key; -+ if (h_priv_key == CK_INVALID_HANDLE) -+ h_priv_key = sp->opdata_rsa_priv_key = -+ pk11_get_private_rsa_key((RSA *)rsa, -+ &sp->opdata_rsa_priv, -+ &sp->opdata_rsa_d_num, sp->session); -+ -+ if (h_priv_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv); -+ goto err; -+ } -+ -+ ulsiglen = j; -+ rv = pFuncList->C_Sign(sp->session, s, i, sigret, -+ (CK_ULONG_PTR) &ulsiglen); -+ *siglen = ulsiglen; -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv); -+ goto err; -+ } -+ ret = 1; -+ } -+ -+err: -+ if ((type != NID_md5_sha1) && (s != NULL)) -+ { -+ (void) memset(s, 0, (unsigned int)(j + 1)); -+ OPENSSL_free(s); -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (ret); -+ } -+ -+static int pk11_RSA_verify(int type, const unsigned char *m, -+ unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, -+ const RSA *rsa) -+ { -+ X509_SIG sig; -+ ASN1_TYPE parameter; -+ int i, j = 0; -+ unsigned char *p, *s = NULL; -+ X509_ALGOR algor; -+ ASN1_OCTET_STRING digest; -+ CK_RV rv; -+ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0}; -+ CK_MECHANISM *p_mech = &mech_rsa; -+ CK_OBJECT_HANDLE h_pub_key; -+ PK11_SESSION *sp = NULL; -+ int ret = 0; -+ -+ /* Encode the digest */ -+ /* Special case: SSL signature, just check the length */ -+ if (type == NID_md5_sha1) -+ { -+ if (m_len != SSL_SIG_LENGTH) -+ { -+ PK11err(PK11_F_RSA_VERIFY, -+ PK11_R_INVALID_MESSAGE_LENGTH); -+ goto err; -+ } -+ i = SSL_SIG_LENGTH; -+ s = (unsigned char *)m; -+ } -+ else -+ { -+ 
sig.algor = &algor; -+ sig.algor->algorithm = OBJ_nid2obj(type); -+ if (sig.algor->algorithm == NULL) -+ { -+ PK11err(PK11_F_RSA_VERIFY, -+ PK11_R_UNKNOWN_ALGORITHM_TYPE); -+ goto err; -+ } -+ if (sig.algor->algorithm->length == 0) -+ { -+ PK11err(PK11_F_RSA_VERIFY, -+ PK11_R_UNKNOWN_ASN1_OBJECT_ID); -+ goto err; -+ } -+ parameter.type = V_ASN1_NULL; -+ parameter.value.ptr = NULL; -+ sig.algor->parameter = ¶meter; -+ sig.digest = &digest; -+ sig.digest->data = (unsigned char *)m; -+ sig.digest->length = m_len; -+ i = i2d_X509_SIG(&sig, NULL); -+ } -+ -+ j = RSA_size(rsa); -+ if ((i - RSA_PKCS1_PADDING) > j) -+ { -+ PK11err(PK11_F_RSA_VERIFY, PK11_R_DIGEST_TOO_BIG); -+ goto err; -+ } -+ -+ if (type != NID_md5_sha1) -+ { -+ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1)); -+ if (s == NULL) -+ { -+ PK11err(PK11_F_RSA_VERIFY, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ p = s; -+ (void) i2d_X509_SIG(&sig, &p); -+ } -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ goto err; -+ -+ (void) check_new_rsa_key_pub(sp, rsa); -+ -+ h_pub_key = sp->opdata_rsa_pub_key; -+ if (h_pub_key == CK_INVALID_HANDLE) -+ h_pub_key = sp->opdata_rsa_pub_key = -+ pk11_get_public_rsa_key((RSA *)rsa, &sp->opdata_rsa_pub, -+ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num, -+ sp->session); -+ -+ if (h_pub_key != CK_INVALID_HANDLE) -+ { -+ rv = pFuncList->C_VerifyInit(sp->session, p_mech, -+ h_pub_key); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFYINIT, -+ rv); -+ goto err; -+ } -+ rv = pFuncList->C_Verify(sp->session, s, i, sigbuf, -+ (CK_ULONG)siglen); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFY, rv); -+ goto err; -+ } -+ ret = 1; -+ } -+ -+err: -+ if ((type != NID_md5_sha1) && (s != NULL)) -+ { -+ (void) memset(s, 0, (unsigned int)(j + 1)); -+ OPENSSL_free(s); -+ } -+ -+ pk11_return_session(sp, OP_RSA); -+ return (ret); -+ } -+ -+static int hndidx_rsa = -1; -+ -+/* load RSA private key from a file */ -+/* 
ARGSUSED */ -+EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file, -+ UI_METHOD *ui_method, void *callback_data) -+ { -+ EVP_PKEY *pkey = NULL; -+ FILE *privkey; -+ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE; -+ RSA *rsa; -+ PK11_SESSION *sp; -+ /* everything else below needed for key by reference extension */ -+ CK_RV rv; -+ CK_ULONG objcnt = 0; -+ CK_BBOOL is_token = TRUE; -+ CK_BYTE attr_data[2][1024]; -+ CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY; -+ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */ -+ extern char *pk11_pin; -+ -+ /* we look for private keys only */ -+ CK_ATTRIBUTE search_templ[] = -+ { -+ {CKA_TOKEN, &is_token, sizeof(is_token)}, -+ {CKA_CLASS, &key_class, sizeof(key_class)}, -+ {CKA_LABEL, NULL, 0} -+ }; -+ -+ /* these attributes are needed to initialize OpenSSL RSA structure */ -+ CK_ATTRIBUTE get_templ[] = -+ { -+ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */ -+ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */ -+ }; -+ -+ if ((sp = pk11_get_session(OP_RSA)) == NULL) -+ return (NULL); -+ -+ /* -+ * Use simple scheme "pkcs11:<KEY_LABEL>" for now. 
-+ */ -+ if (strstr(privkey_file, "pkcs11:") == privkey_file) -+ { -+ search_templ[2].pValue = strstr(privkey_file, ":") + 1; -+ search_templ[2].ulValueLen = strlen(search_templ[2].pValue); -+ -+ if (pk11_pin == NULL) -+ { -+ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: ")); -+ -+ if (pk11_pin == NULL) -+ { -+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); -+ goto err; -+ } -+ } -+ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin, -+ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) -+ { -+ PK11err_add_data(PK11_F_LOAD_PRIVKEY, -+ PK11_R_INVALID_PIN, rv); -+ goto err; -+ } -+ -+ LOCK_OBJSTORE(OP_RSA); -+ if ((rv = pFuncList->C_FindObjectsInit(sp->session, -+ search_templ, 3)) != CKR_OK) -+ { -+ UNLOCK_OBJSTORE(OP_RSA); -+ PK11err_add_data(PK11_F_LOAD_PRIVKEY, -+ PK11_R_FINDOBJECTSINIT, rv); -+ goto err; -+ } -+ -+ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt); -+ if (rv != CKR_OK) -+ { -+ UNLOCK_OBJSTORE(OP_RSA); -+ PK11err_add_data(PK11_F_LOAD_PRIVKEY, -+ PK11_R_FINDOBJECTS, rv); -+ goto err; -+ } -+ -+ if (objcnt > 1) -+ { -+ UNLOCK_OBJSTORE(OP_RSA); -+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS); -+ goto err; -+ } -+ -+ if (objcnt != 1) -+ { -+ UNLOCK_OBJSTORE(OP_RSA); -+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND); -+ goto err; -+ } -+ -+ (void) pFuncList->C_FindObjectsFinal(sp->session); -+ UNLOCK_OBJSTORE(OP_RSA); -+ -+ if (hndidx_rsa == -1) -+ hndidx_rsa = RSA_get_ex_new_index(0, -+ "pkcs11 RSA HSM key handle", -+ NULL, NULL, NULL); -+ -+ pkey = EVP_PKEY_new(); -+ if (pkey == NULL) -+ goto err; -+ -+ rsa = RSA_new_method(e); -+ if (rsa == NULL) { -+ EVP_PKEY_free(pkey); -+ pkey = NULL; -+ goto err; -+ } -+ EVP_PKEY_set1_RSA(pkey, rsa); -+ -+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, -+ get_templ, 2)) != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_LOAD_PRIVKEY, -+ PK11_R_GETATTRIBUTVALUE, rv); -+ EVP_PKEY_free(pkey); -+ pkey = NULL; -+ goto err; -+ } -+ -+ 
/* -+ * Now we have to initialize an OpenSSL RSA structure, -+ * everything else is 0 or NULL. -+ */ -+ rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY; -+ RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key); -+ (void) check_new_rsa_key_priv(sp, rsa); -+ sp->opdata_rsa_priv = rsa; -+ sp->opdata_rsa_priv_key = ks_key; -+ -+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); -+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); -+ } -+ else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL) -+ { -+ pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL); -+ (void) fclose(privkey); -+ if (pkey != NULL) -+ { -+ rsa = EVP_PKEY_get1_RSA(pkey); -+ if (rsa != NULL) -+ { -+ (void) check_new_rsa_key_priv(sp, rsa); -+ -+ h_priv_key = sp->opdata_rsa_priv_key = -+ pk11_get_private_rsa_key(rsa, -+ &sp->opdata_rsa_priv, &sp->opdata_rsa_d_num, -+ sp->session); -+ if (h_priv_key == CK_INVALID_HANDLE) -+ { -+ EVP_PKEY_free(pkey); -+ pkey = NULL; -+ } -+ } -+ else -+ { -+ EVP_PKEY_free(pkey); -+ pkey = NULL; -+ } -+ } -+ } -+ -+err: -+ pk11_return_session(sp, OP_RSA); -+ return (pkey); -+ } -+ -+/* load RSA public key from a file */ -+/* ARGSUSED */ -+EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file, -+ UI_METHOD *ui_method, void *callback_data) -+ { -+ EVP_PKEY *pkey = NULL; -+ FILE *pubkey; -+ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE; -+ RSA *rsa; -+ PK11_SESSION *sp; -+ /* everything else below needed for key by reference extension */ -+ CK_RV rv; -+ CK_ULONG objcnt = 0; -+ CK_BBOOL is_token = TRUE; -+ CK_BYTE attr_data[2][1024]; -+ CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY; -+ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */ -+ extern char *pk11_pin; -+ -+ /* we look for public keys only */ -+ CK_ATTRIBUTE search_templ[] = -+ { -+ {CKA_TOKEN, &is_token, sizeof(is_token)}, -+ {CKA_CLASS, &key_class, sizeof(key_class)}, -+ {CKA_LABEL, NULL, 0} -+ }; -+ -+ /* these attributes are needed to initialize OpenSSL RSA structure */ -+ 
CK_ATTRIBUTE get_templ[] =
-+ {
-+ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
-+ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
-+ };
-+
-+ if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+ return (NULL);
-+
-+ /*
-+ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
-+ */
-+ if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
-+ {
-+ search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
-+ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+#define ALLWAYS_LOGIN
-+#ifdef ALLWAYS_LOGIN
-+ if (pk11_pin == NULL)
-+ {
-+ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
-+
-+ if (pk11_pin == NULL)
-+ {
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ }
-+ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_INVALID_PIN, rv);
-+ goto err;
-+ }
-+#endif
-+
-+ LOCK_OBJSTORE(OP_RSA);
-+ if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
-+ }
-+ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+ if (rv != CKR_OK)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ if (objcnt > 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
-+ goto err;
-+ }
-+
-+ if (objcnt != 1)
-+ {
-+ UNLOCK_OBJSTORE(OP_RSA);
-+ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
-+ goto err;
-+ }
-+
-+ (void) pFuncList->C_FindObjectsFinal(sp->session);
-+ UNLOCK_OBJSTORE(OP_RSA);
-+
-+ sp->opdata_rsa_pub_key = ks_key;
-+ pkey = EVP_PKEY_new();
-+ if (pkey == NULL)
-+ goto err;
-+
-+ rsa = RSA_new_method(e);
-+ if (rsa == NULL) {
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ goto err;
-+ }
-+ EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+ if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+ get_templ, 2) != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+ PK11_R_GETATTRIBUTVALUE, rv);
-+ goto err;
-+ }
-+
-+ /*
-+ * Now we have to initialize an OpenSSL RSA structure,
-+ * everything else is 0 or NULL.
-+ */
-+ rsa->flags = RSA_FLAG_SIGN_VER;
-+ (void) check_new_rsa_key_pub(sp, rsa);
-+ sp->opdata_rsa_pub = rsa;
-+
-+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+ }
-+ else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
-+ {
-+ pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
-+ (void) fclose(pubkey);
-+ if (pkey != NULL)
-+ {
-+ rsa = EVP_PKEY_get1_RSA(pkey);
-+ if (rsa != NULL)
-+ {
-+ (void) check_new_rsa_key_pub(sp, rsa);
-+
-+ h_pub_key = sp->opdata_rsa_pub_key =
-+ pk11_get_public_rsa_key(rsa,
-+ &sp->opdata_rsa_pub, &sp->opdata_rsa_n_num,
-+ &sp->opdata_rsa_e_num, sp->session);
-+ if (h_pub_key == CK_INVALID_HANDLE)
-+ {
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ }
-+ }
-+ else
-+ {
-+ EVP_PKEY_free(pkey);
-+ pkey = NULL;
-+ }
-+ }
-+ }
-+
-+err:
-+ pk11_return_session(sp, OP_RSA);
-+ return (pkey);
-+ }
-+
-+/*
-+ * Create a public key object in a session from a given rsa structure.
-+ * The *rsa_n_num and *rsa_e_num pointers are non-NULL for RSA public keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA *rsa,
-+ RSA **key_ptr, BIGNUM **rsa_n_num, BIGNUM **rsa_e_num,
-+ CK_SESSION_HANDLE session)
-+ {
-+ CK_RV rv;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+ CK_ULONG found;
-+ CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
-+ CK_KEY_TYPE k_type = CKK_RSA;
-+ CK_ULONG ul_key_attr_count = 8;
-+ CK_BBOOL rollback = FALSE;
-+
-+ CK_ATTRIBUTE a_key_template[] =
-+ {
-+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
-+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
-+ {CKA_MODULUS, (void *)NULL, 0},
-+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
-+ };
-+
-+ int i;
-+
-+ a_key_template[0].pValue = &o_key;
-+ a_key_template[1].pValue = &k_type;
-+
-+ a_key_template[6].ulValueLen = BN_num_bytes(rsa->n);
-+ a_key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+ (size_t)a_key_template[6].ulValueLen);
-+ if (a_key_template[6].pValue == NULL)
-+ {
-+ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ goto malloc_err;
-+ }
-+
-+ BN_bn2bin(rsa->n, a_key_template[6].pValue);
-+
-+ a_key_template[7].ulValueLen = BN_num_bytes(rsa->e);
-+ a_key_template[7].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+ (size_t)a_key_template[7].ulValueLen);
-+ if (a_key_template[7].pValue == NULL)
-+ {
-+ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ goto malloc_err;
-+ }
-+
-+ BN_bn2bin(rsa->e, a_key_template[7].pValue);
-+
-+ /* see find_lock array definition for more info on object locking */
-+ LOCK_OBJSTORE(OP_RSA);
-+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
-+ ul_key_attr_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTSINIT,
-+ rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjectsFinal(session);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
-+ PK11_R_FINDOBJECTSFINAL, rv);
-+ goto err;
-+ }
-+
-+ if (found == 0)
-+ {
-+ rv = pFuncList->C_CreateObject(session,
-+ a_key_template, ul_key_attr_count, &h_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
-+ PK11_R_CREATEOBJECT, rv);
-+ goto err;
-+ }
-+ }
-+
-+ if (rsa_n_num != NULL)
-+ if ((*rsa_n_num = BN_dup(rsa->n)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ rollback = TRUE;
-+ goto err;
-+ }
-+ if (rsa_e_num != NULL)
-+ if ((*rsa_e_num = BN_dup(rsa->e)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ BN_free(*rsa_n_num);
-+ *rsa_n_num = NULL;
-+ rollback = TRUE;
-+ goto err;
-+ }
-+
-+ /* LINTED: E_CONSTANT_CONDITION */
-+ KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
-+ if (key_ptr != NULL)
-+ *key_ptr = rsa;
-+
-+err:
-+ if (rollback)
-+ {
-+ /*
-+ * We do not care about the return value from C_DestroyObject()
-+ * since we are doing rollback.
-+ */
-+ if (found == 0)
-+ (void) pFuncList->C_DestroyObject(session, h_key);
-+ h_key = CK_INVALID_HANDLE;
-+ }
-+
-+ UNLOCK_OBJSTORE(OP_RSA);
-+
-+malloc_err:
-+ for (i = 6; i <= 7; i++)
-+ {
-+ if (a_key_template[i].pValue != NULL)
-+ {
-+ OPENSSL_free(a_key_template[i].pValue);
-+ a_key_template[i].pValue = NULL;
-+ }
-+ }
-+
-+ return (h_key);
-+ }
-+
-+/*
-+ * Create a private key object in the session from a given rsa structure.
-+ * The *rsa_d_num pointer is non-NULL for RSA private keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
-+ RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
-+ {
-+ CK_RV rv;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+ int i;
-+ CK_ULONG found;
-+ CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
-+ CK_KEY_TYPE k_type = CKK_RSA;
-+ CK_ULONG ul_key_attr_count = 14;
-+ CK_BBOOL rollback = FALSE;
-+
-+ /* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
-+ CK_ATTRIBUTE a_key_template[] =
-+ {
-+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
-+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
-+ {CKA_MODULUS, (void *)NULL, 0},
-+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
-+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
-+ {CKA_PRIME_1, (void *)NULL, 0},
-+ {CKA_PRIME_2, (void *)NULL, 0},
-+ {CKA_EXPONENT_1, (void *)NULL, 0},
-+ {CKA_EXPONENT_2, (void *)NULL, 0},
-+ {CKA_COEFFICIENT, (void *)NULL, 0}
-+ };
-+
-+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) {
-+ h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
-+ LOCK_OBJSTORE(OP_RSA);
-+ goto set;
-+ }
-+
-+ a_key_template[0].pValue = &o_key;
-+ a_key_template[1].pValue = &k_type;
-+
-+ /* Put the private key components into the template */
-+ if (init_template_value(rsa->n, &a_key_template[6].pValue,
-+ &a_key_template[6].ulValueLen) == 0 ||
-+ init_template_value(rsa->e, &a_key_template[7].pValue,
-+ &a_key_template[7].ulValueLen) == 0 ||
-+ init_template_value(rsa->d, &a_key_template[8].pValue,
-+ &a_key_template[8].ulValueLen) == 0 ||
-+ init_template_value(rsa->p, &a_key_template[9].pValue,
-+ &a_key_template[9].ulValueLen) == 0 ||
-+ init_template_value(rsa->q, &a_key_template[10].pValue,
-+ &a_key_template[10].ulValueLen) == 0 ||
-+ init_template_value(rsa->dmp1, &a_key_template[11].pValue,
-+ &a_key_template[11].ulValueLen) == 0 ||
-+ init_template_value(rsa->dmq1, &a_key_template[12].pValue,
-+ &a_key_template[12].ulValueLen) == 0 ||
-+ init_template_value(rsa->iqmp, &a_key_template[13].pValue,
-+ &a_key_template[13].ulValueLen) == 0)
-+ {
-+ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ goto malloc_err;
-+ }
-+
-+ /* see find_lock array definition for more info on object locking */
-+ LOCK_OBJSTORE(OP_RSA);
-+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
-+ ul_key_attr_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
-+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjectsFinal(session);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
-+ PK11_R_FINDOBJECTSFINAL, rv);
-+ goto err;
-+ }
-+
-+ if (found == 0)
-+ {
-+ rv = pFuncList->C_CreateObject(session,
-+ a_key_template, ul_key_attr_count, &h_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
-+ PK11_R_CREATEOBJECT, rv);
-+ goto err;
-+ }
-+ }
-+
-+set:
-+ if (rsa_d_num != NULL)
-+ {
-+ if (rsa->d == NULL)
-+ *rsa_d_num = NULL;
-+ else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+ rollback = TRUE;
-+ goto err;
-+ }
-+ }
-+
-+ /* LINTED: E_CONSTANT_CONDITION */
-+ KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
-+ if (key_ptr != NULL)
-+ *key_ptr = rsa;
-+
-+err:
-+ if (rollback)
-+ {
-+ /*
-+ * We do not care about the return value from C_DestroyObject()
-+ * since we are doing rollback.
-+ */
-+ if (found == 0 &&
-+ (rsa->flags & RSA_FLAG_EXT_PKEY) == 0)
-+ (void) pFuncList->C_DestroyObject(session, h_key);
-+ h_key = CK_INVALID_HANDLE;
-+ }
-+
-+ UNLOCK_OBJSTORE(OP_RSA);
-+
-+malloc_err:
-+ /*
-+ * 6 to 13 entries in the key template are key components.
-+ * They need to be freed apon exit or error.
-+ */
-+ for (i = 6; i <= 13; i++)
-+ {
-+ if (a_key_template[i].pValue != NULL)
-+ {
-+ (void) memset(a_key_template[i].pValue, 0,
-+ a_key_template[i].ulValueLen);
-+ OPENSSL_free(a_key_template[i].pValue);
-+ a_key_template[i].pValue = NULL;
-+ }
-+ }
-+
-+ return (h_key);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
-+ {
-+ /*
-+ * Provide protection against RSA structure reuse by making the
-+ * check for cache hit stronger. Only public components of RSA
-+ * key matter here so it is sufficient to compare them with values
-+ * cached in PK11_SESSION structure.
-+ */
-+ if ((sp->opdata_rsa_pub != rsa) ||
-+ (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
-+ (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
-+ {
-+ /*
-+ * Provide protection against RSA structure reuse by making the
-+ * check for cache hit stronger. Comparing private exponent of RSA
-+ * key with value cached in PK11_SESSION structure should
-+ * be sufficient.
-+ */
-+ if ((sp->opdata_rsa_priv != rsa) ||
-+ (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
-+ ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+#endif
-+
-+#ifndef OPENSSL_NO_DSA
-+/* The DSA function implementation */
-+/* ARGSUSED */
-+static int pk11_DSA_init(DSA *dsa)
-+ {
-+ return (1);
-+ }
-+
-+/* ARGSUSED */
-+static int pk11_DSA_finish(DSA *dsa)
-+ {
-+ return (1);
-+ }
-+
-+
-+static DSA_SIG *
-+pk11_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
-+ {
-+ BIGNUM *r = NULL, *s = NULL;
-+ int i;
-+ DSA_SIG *dsa_sig = NULL;
-+
-+ CK_RV rv;
-+ CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
-+ CK_MECHANISM *p_mech = &Mechanism_dsa;
-+ CK_OBJECT_HANDLE h_priv_key;
-+
-+ /*
-+ * The signature is the concatenation of r and s,
-+ * each is 20 bytes long
-+ */
-+ unsigned char sigret[DSA_SIGNATURE_LEN];
-+ unsigned long siglen = DSA_SIGNATURE_LEN;
-+ unsigned int siglen2 = DSA_SIGNATURE_LEN / 2;
-+
-+ PK11_SESSION *sp = NULL;
-+
-+ if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_MISSING_KEY_COMPONENT);
-+ goto ret;
-+ }
-+
-+ i = BN_num_bytes(dsa->q); /* should be 20 */
-+ if (dlen > i)
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_INVALID_SIGNATURE_LENGTH);
-+ goto ret;
-+ }
-+
-+ if ((sp = pk11_get_session(OP_DSA)) == NULL)
-+ goto ret;
-+
-+ (void) check_new_dsa_key_priv(sp, dsa);
-+
-+ h_priv_key = sp->opdata_dsa_priv_key;
-+ if (h_priv_key == CK_INVALID_HANDLE)
-+ h_priv_key = sp->opdata_dsa_priv_key =
-+ pk11_get_private_dsa_key((DSA *)dsa,
-+ &sp->opdata_dsa_priv,
-+ &sp->opdata_dsa_priv_num, sp->session);
-+
-+ if (h_priv_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGNINIT, rv);
-+ goto ret;
-+ }
-+
-+ (void) memset(sigret, 0, siglen);
-+ rv = pFuncList->C_Sign(sp->session,
-+ (unsigned char*) dgst, dlen, sigret,
-+ (CK_ULONG_PTR) &siglen);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGN, rv);
-+ goto ret;
-+ }
-+ }
-+
-+
-+ if ((s = BN_new()) == NULL)
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+ goto ret;
-+ }
-+
-+ if ((r = BN_new()) == NULL)
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+ goto ret;
-+ }
-+
-+ if ((dsa_sig = DSA_SIG_new()) == NULL)
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+ goto ret;
-+ }
-+
-+ if (BN_bin2bn(sigret, siglen2, r) == NULL ||
-+ BN_bin2bn(&sigret[siglen2], siglen2, s) == NULL)
-+ {
-+ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+ goto ret;
-+ }
-+
-+ dsa_sig->r = r;
-+ dsa_sig->s = s;
-+
-+ret:
-+ if (dsa_sig == NULL)
-+ {
-+ if (r != NULL)
-+ BN_free(r);
-+ if (s != NULL)
-+ BN_free(s);
-+ }
-+
-+ pk11_return_session(sp, OP_DSA);
-+ return (dsa_sig);
-+ }
-+
-+static int
-+pk11_dsa_do_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig,
-+ DSA *dsa)
-+ {
-+ int i;
-+ CK_RV rv;
-+ int retval = 0;
-+ CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
-+ CK_MECHANISM *p_mech = &Mechanism_dsa;
-+ CK_OBJECT_HANDLE h_pub_key;
-+
-+ unsigned char sigbuf[DSA_SIGNATURE_LEN];
-+ unsigned long siglen = DSA_SIGNATURE_LEN;
-+ unsigned long siglen2 = DSA_SIGNATURE_LEN/2;
-+
-+ PK11_SESSION *sp = NULL;
-+
-+ if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
-+ {
-+ PK11err(PK11_F_DSA_VERIFY,
-+ PK11_R_INVALID_DSA_SIGNATURE_R);
-+ goto ret;
-+ }
-+
-+ if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
-+ {
-+ PK11err(PK11_F_DSA_VERIFY,
-+ PK11_R_INVALID_DSA_SIGNATURE_S);
-+ goto ret;
-+ }
-+
-+ i = BN_num_bytes(dsa->q); /* should be 20 */
-+
-+ if (dlen > i)
-+ {
-+ PK11err(PK11_F_DSA_VERIFY,
-+ PK11_R_INVALID_SIGNATURE_LENGTH);
-+ goto ret;
-+ }
-+
-+ if ((sp = pk11_get_session(OP_DSA)) == NULL)
-+ goto ret;
-+
-+ (void) check_new_dsa_key_pub(sp, dsa);
-+
-+ h_pub_key = sp->opdata_dsa_pub_key;
-+ if (h_pub_key == CK_INVALID_HANDLE)
-+ h_pub_key = sp->opdata_dsa_pub_key =
-+ pk11_get_public_dsa_key((DSA *)dsa, &sp->opdata_dsa_pub,
-+ &sp->opdata_dsa_pub_num, sp->session);
-+
-+ if (h_pub_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_VerifyInit(sp->session, p_mech,
-+ h_pub_key);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFYINIT,
-+ rv);
-+ goto ret;
-+ }
-+
-+ /*
-+ * The representation of each of the two big numbers could
-+ * be shorter than DSA_SIGNATURE_LEN/2 bytes so we need
-+ * to act accordingly and shift if necessary.
-+ */
-+ (void) memset(sigbuf, 0, siglen);
-+ BN_bn2bin(sig->r, sigbuf + siglen2 - BN_num_bytes(sig->r));
-+ BN_bn2bin(sig->s, &sigbuf[siglen2] + siglen2 -
-+ BN_num_bytes(sig->s));
-+
-+ rv = pFuncList->C_Verify(sp->session,
-+ (unsigned char *) dgst, dlen, sigbuf, (CK_ULONG)siglen);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFY, rv);
-+ goto ret;
-+ }
-+ }
-+
-+ retval = 1;
-+ret:
-+
-+ pk11_return_session(sp, OP_DSA);
-+ return (retval);
-+ }
-+
-+
-+/*
-+ * Create a public key object in a session from a given dsa structure.
-+ * The *dsa_pub_num pointer is non-NULL for DSA public keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa,
-+ DSA **key_ptr, BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session)
-+ {
-+ CK_RV rv;
-+ CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+ CK_ULONG found;
-+ CK_KEY_TYPE k_type = CKK_DSA;
-+ CK_ULONG ul_key_attr_count = 8;
-+ CK_BBOOL rollback = FALSE;
-+ int i;
-+
-+ CK_ATTRIBUTE a_key_template[] =
-+ {
-+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
-+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_PRIME, (void *)NULL, 0}, /* p */
-+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
-+ {CKA_BASE, (void *)NULL, 0}, /* g */
-+ {CKA_VALUE, (void *)NULL, 0} /* pub_key - y */
-+ };
-+
-+ a_key_template[0].pValue = &o_key;
-+ a_key_template[1].pValue = &k_type;
-+
-+ if (init_template_value(dsa->p, &a_key_template[4].pValue,
-+ &a_key_template[4].ulValueLen) == 0 ||
-+ init_template_value(dsa->q, &a_key_template[5].pValue,
-+ &a_key_template[5].ulValueLen) == 0 ||
-+ init_template_value(dsa->g, &a_key_template[6].pValue,
-+ &a_key_template[6].ulValueLen) == 0 ||
-+ init_template_value(dsa->pub_key, &a_key_template[7].pValue,
-+ &a_key_template[7].ulValueLen) == 0)
-+ {
-+ PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+ goto malloc_err;
-+ }
-+
-+ /* see find_lock array definition for more info on object locking */
-+ LOCK_OBJSTORE(OP_DSA);
-+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
-+ ul_key_attr_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTSINIT,
-+ rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjectsFinal(session);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
-+ PK11_R_FINDOBJECTSFINAL, rv);
-+ goto err;
-+ }
-+
-+ if (found == 0)
-+ {
-+ rv = pFuncList->C_CreateObject(session,
-+ a_key_template, ul_key_attr_count, &h_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
-+ PK11_R_CREATEOBJECT, rv);
-+ goto err;
-+ }
-+ }
-+
-+ if (dsa_pub_num != NULL)
-+ if ((*dsa_pub_num = BN_dup(dsa->pub_key)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+ rollback = TRUE;
-+ goto err;
-+ }
-+
-+ /* LINTED: E_CONSTANT_CONDITION */
-+ KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
-+ if (key_ptr != NULL)
-+ *key_ptr = dsa;
-+
-+err:
-+ if (rollback)
-+ {
-+ /*
-+ * We do not care about the return value from C_DestroyObject()
-+ * since we are doing rollback.
-+ */
-+ if (found == 0)
-+ (void) pFuncList->C_DestroyObject(session, h_key);
-+ h_key = CK_INVALID_HANDLE;
-+ }
-+
-+ UNLOCK_OBJSTORE(OP_DSA);
-+
-+malloc_err:
-+ for (i = 4; i <= 7; i++)
-+ {
-+ if (a_key_template[i].pValue != NULL)
-+ {
-+ OPENSSL_free(a_key_template[i].pValue);
-+ a_key_template[i].pValue = NULL;
-+ }
-+ }
-+
-+ return (h_key);
-+ }
-+
-+/*
-+ * Create a private key object in the session from a given dsa structure
-+ * The *dsa_priv_num pointer is non-NULL for DSA private keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa,
-+ DSA **key_ptr, BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session)
-+ {
-+ CK_RV rv;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+ CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
-+ int i;
-+ CK_ULONG found;
-+ CK_KEY_TYPE k_type = CKK_DSA;
-+ CK_ULONG ul_key_attr_count = 9;
-+ CK_BBOOL rollback = FALSE;
-+
-+ /* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
-+ CK_ATTRIBUTE a_key_template[] =
-+ {
-+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
-+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
-+ {CKA_PRIME, (void *)NULL, 0}, /* p */
-+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
-+ {CKA_BASE, (void *)NULL, 0}, /* g */
-+ {CKA_VALUE, (void *)NULL, 0} /* priv_key - x */
-+ };
-+
-+ a_key_template[0].pValue = &o_key;
-+ a_key_template[1].pValue = &k_type;
-+
-+ /* Put the private key components into the template */
-+ if (init_template_value(dsa->p, &a_key_template[5].pValue,
-+ &a_key_template[5].ulValueLen) == 0 ||
-+ init_template_value(dsa->q, &a_key_template[6].pValue,
-+ &a_key_template[6].ulValueLen) == 0 ||
-+ init_template_value(dsa->g, &a_key_template[7].pValue,
-+ &a_key_template[7].ulValueLen) == 0 ||
-+ init_template_value(dsa->priv_key, &a_key_template[8].pValue,
-+ &a_key_template[8].ulValueLen) == 0)
-+ {
-+ PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+ goto malloc_err;
-+ }
-+
-+ /* see find_lock array definition for more info on object locking */
-+ LOCK_OBJSTORE(OP_DSA);
-+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
-+ ul_key_attr_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
-+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
-+ PK11_R_FINDOBJECTS, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_FindObjectsFinal(session);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
-+ PK11_R_FINDOBJECTSFINAL, rv);
-+ goto err;
-+ }
-+
-+ if (found == 0)
-+ {
-+ rv = pFuncList->C_CreateObject(session,
-+ a_key_template, ul_key_attr_count, &h_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
-+ PK11_R_CREATEOBJECT, rv);
-+ goto err;
-+ }
-+ }
-+
-+ if (dsa_priv_num != NULL)
-+ if ((*dsa_priv_num = BN_dup(dsa->priv_key)) == NULL)
-+ {
-+ PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+ rollback = TRUE;
-+ goto err;
-+ }
-+
-+ /* LINTED: E_CONSTANT_CONDITION */
-+ KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
-+ if (key_ptr != NULL)
-+ *key_ptr = dsa;
-+
-+err:
-+ if (rollback)
-+ {
-+ /*
-+ * We do not care about the return value from C_DestroyObject()
-+ * since we are doing rollback.
-+ */
-+ if (found == 0)
-+ (void) pFuncList->C_DestroyObject(session, h_key);
-+ h_key = CK_INVALID_HANDLE;
-+ }
-+
-+ UNLOCK_OBJSTORE(OP_DSA);
-+
-+malloc_err:
-+ /*
-+ * 5 to 8 entries in the key template are key components.
-+ * They need to be freed apon exit or error.
-+ */
-+ for (i = 5; i <= 8; i++)
-+ {
-+ if (a_key_template[i].pValue != NULL)
-+ {
-+ (void) memset(a_key_template[i].pValue, 0,
-+ a_key_template[i].ulValueLen);
-+ OPENSSL_free(a_key_template[i].pValue);
-+ a_key_template[i].pValue = NULL;
-+ }
-+ }
-+
-+ return (h_key);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa)
-+ {
-+ /*
-+ * Provide protection against DSA structure reuse by making the
-+ * check for cache hit stronger. Only public key component of DSA
-+ * key matters here so it is sufficient to compare it with value
-+ * cached in PK11_SESSION structure.
-+ */
-+ if ((sp->opdata_dsa_pub != dsa) ||
-+ (BN_cmp(sp->opdata_dsa_pub_num, dsa->pub_key) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_dsa_object_pub(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa)
-+ {
-+ /*
-+ * Provide protection against DSA structure reuse by making the
-+ * check for cache hit stronger. Only private key component of DSA
-+ * key matters here so it is sufficient to compare it with value
-+ * cached in PK11_SESSION structure.
-+ */
-+ if ((sp->opdata_dsa_priv != dsa) ||
-+ (BN_cmp(sp->opdata_dsa_priv_num, dsa->priv_key) != 0))
-+ {
-+ /*
-+ * We do not check the return value because even in case of
-+ * failure the sp structure will have both key pointer
-+ * and object handle cleaned and pk11_destroy_object()
-+ * reports the failure to the OpenSSL error message buffer.
-+ */
-+ (void) pk11_destroy_dsa_object_priv(sp, TRUE);
-+ return (0);
-+ }
-+ return (1);
-+ }
-+#endif
-+
-+
-+#ifndef OPENSSL_NO_DH
-+/* The DH function implementation */
-+/* ARGSUSED */
-+static int pk11_DH_init(DH *dh)
-+ {
-+ return (1);
-+ }
-+
-+/* ARGSUSED */
-+static int pk11_DH_finish(DH *dh)
-+ {
-+ return (1);
-+ }
-+
-+/*
-+ * Generate DH key-pair.
-+ *
-+ * Warning: Unlike OpenSSL's DH_generate_key(3) we ignore dh->priv_key
-+ * and override it even if it is set. OpenSSL does not touch dh->priv_key
-+ * if set and just computes dh->pub_key. It looks like PKCS#11 standard
-+ * is not capable of providing this functionality. This could be a problem
-+ * for applications relying on OpenSSL's semantics.
-+ */
-+static int pk11_DH_generate_key(DH *dh)
-+ {
-+ CK_ULONG i;
-+ CK_RV rv, rv1;
-+ int reuse_mem_len = 0, ret = 0;
-+ PK11_SESSION *sp = NULL;
-+ CK_BYTE_PTR reuse_mem;
-+
-+ CK_MECHANISM mechanism = {CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
-+ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
-+ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
-+
-+ CK_ULONG ul_pub_key_attr_count = 3;
-+ CK_ATTRIBUTE pub_key_template[] =
-+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_PRIME, (void *)NULL, 0},
-+ {CKA_BASE, (void *)NULL, 0}
-+ };
-+
-+ CK_ULONG ul_priv_key_attr_count = 3;
-+ CK_ATTRIBUTE priv_key_template[] =
-+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_SENSITIVE, &false, sizeof (false)},
-+ {CKA_DERIVE, &true, sizeof (true)}
-+ };
-+
-+ CK_ULONG pub_key_attr_result_count = 1;
-+ CK_ATTRIBUTE pub_key_result[] =
-+ {
-+ {CKA_VALUE, (void *)NULL, 0}
-+ };
-+
-+ CK_ULONG priv_key_attr_result_count = 1;
-+ CK_ATTRIBUTE priv_key_result[] =
-+ {
-+ {CKA_VALUE, (void *)NULL, 0}
-+ };
-+
-+ pub_key_template[1].ulValueLen = BN_num_bytes(dh->p);
-+ if (pub_key_template[1].ulValueLen > 0)
-+ {
-+ /*
-+ * We must not increase ulValueLen by DH_BUF_RESERVE since that
-+ * could cause the same rounding problem. See definition of
-+ * DH_BUF_RESERVE above.
-+ */
-+ pub_key_template[1].pValue =
-+ OPENSSL_malloc(pub_key_template[1].ulValueLen +
-+ DH_BUF_RESERVE);
-+ if (pub_key_template[1].pValue == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+
-+ i = BN_bn2bin(dh->p, pub_key_template[1].pValue);
-+ }
-+ else
-+ goto err;
-+
-+ pub_key_template[2].ulValueLen = BN_num_bytes(dh->g);
-+ if (pub_key_template[2].ulValueLen > 0)
-+ {
-+ pub_key_template[2].pValue =
-+ OPENSSL_malloc(pub_key_template[2].ulValueLen +
-+ DH_BUF_RESERVE);
-+ if (pub_key_template[2].pValue == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+
-+ i = BN_bn2bin(dh->g, pub_key_template[2].pValue);
-+ }
-+ else
-+ goto err;
-+
-+ /*
-+ * Note: we are only using PK11_SESSION structure for getting
-+ * a session handle. The objects created in this function are
-+ * destroyed before return and thus not cached.
-+ */
-+ if ((sp = pk11_get_session(OP_DH)) == NULL)
-+ goto err;
-+
-+ rv = pFuncList->C_GenerateKeyPair(sp->session,
-+ &mechanism,
-+ pub_key_template,
-+ ul_pub_key_attr_count,
-+ priv_key_template,
-+ ul_priv_key_attr_count,
-+ &h_pub_key,
-+ &h_priv_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_GEN_KEY, PK11_R_GEN_KEY, rv);
-+ goto err;
-+ }
-+
-+ /*
-+ * Reuse the larger memory allocated. We know the larger memory
-+ * should be sufficient for reuse.
-+ */
-+ if (pub_key_template[1].ulValueLen > pub_key_template[2].ulValueLen)
-+ {
-+ reuse_mem = pub_key_template[1].pValue;
-+ reuse_mem_len = pub_key_template[1].ulValueLen + DH_BUF_RESERVE;
-+ }
-+ else
-+ {
-+ reuse_mem = pub_key_template[2].pValue;
-+ reuse_mem_len = pub_key_template[2].ulValueLen + DH_BUF_RESERVE;
-+ }
-+
-+ rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
-+ pub_key_result, pub_key_attr_result_count);
-+ rv1 = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
-+ priv_key_result, priv_key_attr_result_count);
-+
-+ if (rv != CKR_OK || rv1 != CKR_OK)
-+ {
-+ rv = (rv != CKR_OK) ? rv : rv1;
-+ PK11err_add_data(PK11_F_DH_GEN_KEY,
-+ PK11_R_GETATTRIBUTVALUE, rv);
-+ goto err;
-+ }
-+
-+ if (((CK_LONG) pub_key_result[0].ulValueLen) <= 0 ||
-+ ((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
-+ goto err;
-+ }
-+
-+ /* Reuse the memory allocated */
-+ pub_key_result[0].pValue = reuse_mem;
-+ pub_key_result[0].ulValueLen = reuse_mem_len;
-+
-+ rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
-+ pub_key_result, pub_key_attr_result_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_GEN_KEY,
-+ PK11_R_GETATTRIBUTVALUE, rv);
-+ goto err;
-+ }
-+
-+ if (pub_key_result[0].type == CKA_VALUE)
-+ {
-+ if (dh->pub_key == NULL)
-+ if ((dh->pub_key = BN_new()) == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY,
-+ PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ dh->pub_key = BN_bin2bn(pub_key_result[0].pValue,
-+ pub_key_result[0].ulValueLen, dh->pub_key);
-+ if (dh->pub_key == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ }
-+
-+ /* Reuse the memory allocated */
-+ priv_key_result[0].pValue = reuse_mem;
-+ priv_key_result[0].ulValueLen = reuse_mem_len;
-+
-+ rv = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
-+ priv_key_result, priv_key_attr_result_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_GEN_KEY,
-+ PK11_R_GETATTRIBUTVALUE, rv);
-+ goto err;
-+ }
-+
-+ if (priv_key_result[0].type == CKA_VALUE)
-+ {
-+ if (dh->priv_key == NULL)
-+ if ((dh->priv_key = BN_new()) == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY,
-+ PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ dh->priv_key = BN_bin2bn(priv_key_result[0].pValue,
-+ priv_key_result[0].ulValueLen, dh->priv_key);
-+ if (dh->priv_key == NULL)
-+ {
-+ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ }
-+
-+ ret = 1;
-+
-+err:
-+
-+ if (h_pub_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_DestroyObject(sp->session, h_pub_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_GEN_KEY,
-+ PK11_R_DESTROYOBJECT, rv);
-+ }
-+ }
-+
-+ if (h_priv_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_DestroyObject(sp->session, h_priv_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_GEN_KEY,
-+ PK11_R_DESTROYOBJECT, rv);
-+ }
-+ }
-+
-+ for (i = 1; i <= 2; i++)
-+ {
-+ if (pub_key_template[i].pValue != NULL)
-+ {
-+ OPENSSL_free(pub_key_template[i].pValue);
-+ pub_key_template[i].pValue = NULL;
-+ }
-+ }
-+
-+ pk11_return_session(sp, OP_DH);
-+ return (ret);
-+ }
-+
-+static int pk11_DH_compute_key(unsigned char *key, const BIGNUM *pub_key,
-+ DH *dh)
-+ {
-+ unsigned int i;
-+ CK_MECHANISM mechanism = {CKM_DH_PKCS_DERIVE, NULL_PTR, 0};
-+ CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
-+ CK_KEY_TYPE key_type = CKK_GENERIC_SECRET;
-+ CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+
-+ CK_ULONG ul_priv_key_attr_count = 2;
-+ CK_ATTRIBUTE priv_key_template[] =
-+ {
-+ {CKA_CLASS, (void*) NULL, sizeof (key_class)},
-+ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+ };
-+
-+ CK_ULONG priv_key_attr_result_count = 1;
-+ CK_ATTRIBUTE priv_key_result[] =
-+ {
-+ {CKA_VALUE, (void *)NULL, 0}
-+ };
-+
-+ CK_RV rv;
-+ int ret = -1;
-+ PK11_SESSION *sp = NULL;
-+
-+ if (dh->priv_key == NULL)
-+ goto err;
-+
-+ priv_key_template[0].pValue = &key_class;
-+ priv_key_template[1].pValue = &key_type;
-+
-+ if ((sp = pk11_get_session(OP_DH)) == NULL)
-+ goto err;
-+
-+ mechanism.ulParameterLen = BN_num_bytes(pub_key);
-+ mechanism.pParameter = OPENSSL_malloc(mechanism.ulParameterLen);
-+ if (mechanism.pParameter == NULL)
-+ {
-+ PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ BN_bn2bin(pub_key, mechanism.pParameter);
-+
-+ (void) check_new_dh_key(sp, dh);
-+
-+ h_key = sp->opdata_dh_key;
-+ if (h_key == CK_INVALID_HANDLE)
-+ h_key = sp->opdata_dh_key =
-+ pk11_get_dh_key((DH*) dh, &sp->opdata_dh,
-+ &sp->opdata_dh_priv_num, sp->session);
-+
-+ if (h_key == CK_INVALID_HANDLE)
-+ {
-+ PK11err(PK11_F_DH_COMP_KEY, PK11_R_CREATEOBJECT);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_DeriveKey(sp->session,
-+ &mechanism,
-+ h_key,
-+ priv_key_template,
-+ ul_priv_key_attr_count,
-+ &h_derived_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_DERIVEKEY, rv);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
-+ priv_key_result, priv_key_attr_result_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
-+ rv);
-+ goto err;
-+ }
-+
-+ if (((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
-+ {
-+ PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
-+ goto err;
-+ }
-+ priv_key_result[0].pValue =
-+ OPENSSL_malloc(priv_key_result[0].ulValueLen);
-+ if (!priv_key_result[0].pValue)
-+ {
-+ PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+
-+ rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
-+ priv_key_result, priv_key_attr_result_count);
-+
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
-+ rv);
-+ goto err;
-+ }
-+
-+ /*
-+ * OpenSSL allocates the output buffer 'key' which is the same
-+ * length of the public key. It is long enough for the derived key
-+ */
-+ if (priv_key_result[0].type == CKA_VALUE)
-+ {
-+ /*
-+ * CKM_DH_PKCS_DERIVE mechanism is not supposed to strip
-+ * leading zeros from a computed shared secret. However,
-+ * OpenSSL always did it so we must do the same here. The
-+ * vagueness of the spec regarding leading zero bytes was
-+ * finally cleared with TLS 1.1 (RFC 4346) saying that leading
-+ * zeros are stripped before the computed data is used as the
-+ * pre-master secret.
-+ */
-+ for (i = 0; i < priv_key_result[0].ulValueLen; ++i)
-+ {
-+ if (((char *)priv_key_result[0].pValue)[i] != 0)
-+ break;
-+ }
-+
-+ (void) memcpy(key, ((char *)priv_key_result[0].pValue) + i,
-+ priv_key_result[0].ulValueLen - i);
-+ ret = priv_key_result[0].ulValueLen - i;
-+ }
-+
-+err:
-+
-+ if (h_derived_key != CK_INVALID_HANDLE)
-+ {
-+ rv = pFuncList->C_DestroyObject(sp->session, h_derived_key);
-+ if (rv != CKR_OK)
-+ {
-+ PK11err_add_data(PK11_F_DH_COMP_KEY,
-+ PK11_R_DESTROYOBJECT, rv);
-+ }
-+ }
-+ if (priv_key_result[0].pValue)
-+ {
-+ OPENSSL_free(priv_key_result[0].pValue);
-+ priv_key_result[0].pValue = NULL;
-+ }
-+
-+ if (mechanism.pParameter)
-+ {
-+ OPENSSL_free(mechanism.pParameter);
-+ mechanism.pParameter = NULL;
-+ }
-+
-+ pk11_return_session(sp, OP_DH);
-+ return (ret);
-+ }
-+
-+
-+static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh,
-+ DH **key_ptr, BIGNUM **dh_priv_num, CK_SESSION_HANDLE session)
-+ {
-+ CK_RV rv;
-+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+ CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
-+ CK_KEY_TYPE key_type = CKK_DH;
-+ CK_ULONG found;
-+ CK_BBOOL rollback = FALSE;
-+ int i;
-+
-+ CK_ULONG ul_key_attr_count = 7;
-+ CK_ATTRIBUTE key_template[] =
-+ {
-+ {CKA_CLASS, (void*) NULL, sizeof (class)},
-+ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+ {CKA_DERIVE, &true, sizeof (true)},
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_PRIME, (void *) NULL, 0},
-+ {CKA_BASE, (void *) NULL, 0},
-+ {CKA_VALUE, (void *) NULL, 0},
-+ };
-+
-+ 
key_template[0].pValue = &class; -+ key_template[1].pValue = &key_type; -+ -+ key_template[4].ulValueLen = BN_num_bytes(dh->p); -+ key_template[4].pValue = (CK_VOID_PTR)OPENSSL_malloc( -+ (size_t)key_template[4].ulValueLen); -+ if (key_template[4].pValue == NULL) -+ { -+ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE); -+ goto malloc_err; -+ } -+ -+ BN_bn2bin(dh->p, key_template[4].pValue); -+ -+ key_template[5].ulValueLen = BN_num_bytes(dh->g); -+ key_template[5].pValue = (CK_VOID_PTR)OPENSSL_malloc( -+ (size_t)key_template[5].ulValueLen); -+ if (key_template[5].pValue == NULL) -+ { -+ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE); -+ goto malloc_err; -+ } -+ -+ BN_bn2bin(dh->g, key_template[5].pValue); -+ -+ key_template[6].ulValueLen = BN_num_bytes(dh->priv_key); -+ key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc( -+ (size_t)key_template[6].ulValueLen); -+ if (key_template[6].pValue == NULL) -+ { -+ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE); -+ goto malloc_err; -+ } -+ -+ BN_bn2bin(dh->priv_key, key_template[6].pValue); -+ -+ /* see find_lock array definition for more info on object locking */ -+ LOCK_OBJSTORE(OP_DH); -+ rv = pFuncList->C_FindObjectsInit(session, key_template, -+ ul_key_attr_count); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSINIT, rv); -+ goto err; -+ } -+ -+ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv); -+ goto err; -+ } -+ -+ rv = pFuncList->C_FindObjectsFinal(session); -+ -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSFINAL, -+ rv); -+ goto err; -+ } -+ -+ if (found == 0) -+ { -+ rv = pFuncList->C_CreateObject(session, -+ key_template, ul_key_attr_count, &h_key); -+ if (rv != CKR_OK) -+ { -+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_CREATEOBJECT, -+ rv); -+ goto err; -+ } -+ } -+ -+ if (dh_priv_num != NULL) -+ if ((*dh_priv_num = 
BN_dup(dh->priv_key)) == NULL) -+ { -+ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE); -+ rollback = TRUE; -+ goto err; -+ } -+ -+ /* LINTED: E_CONSTANT_CONDITION */ -+ KEY_HANDLE_REFHOLD(h_key, OP_DH, FALSE, rollback, err); -+ if (key_ptr != NULL) -+ *key_ptr = dh; -+ -+err: -+ if (rollback) -+ { -+ /* -+ * We do not care about the return value from C_DestroyObject() -+ * since we are doing rollback. -+ */ -+ if (found == 0) -+ (void) pFuncList->C_DestroyObject(session, h_key); -+ h_key = CK_INVALID_HANDLE; -+ } -+ -+ UNLOCK_OBJSTORE(OP_DH); -+ -+malloc_err: -+ for (i = 4; i <= 6; i++) -+ { -+ if (key_template[i].pValue != NULL) -+ { -+ OPENSSL_free(key_template[i].pValue); -+ key_template[i].pValue = NULL; -+ } -+ } -+ -+ return (h_key); -+ } -+ -+/* -+ * Check for cache miss and clean the object pointer and handle -+ * in such case. Return 1 for cache hit, 0 for cache miss. -+ * -+ * Note: we rely on pk11_destroy_dh_key_objects() to set sp->opdata_dh -+ * to CK_INVALID_HANDLE even when it fails to destroy the object. -+ */ -+static int check_new_dh_key(PK11_SESSION *sp, DH *dh) -+ { -+ /* -+ * Provide protection against DH structure reuse by making the -+ * check for cache hit stronger. Private key component of DH key -+ * is unique so it is sufficient to compare it with value cached -+ * in PK11_SESSION structure. -+ */ -+ if ((sp->opdata_dh != dh) || -+ (BN_cmp(sp->opdata_dh_priv_num, dh->priv_key) != 0)) -+ { -+ /* -+ * We do not check the return value because even in case of -+ * failure the sp structure will have both key pointer -+ * and object handle cleaned and pk11_destroy_object() -+ * reports the failure to the OpenSSL error message buffer. 
-+ */ -+ (void) pk11_destroy_dh_object(sp, TRUE); -+ return (0); -+ } -+ return (1); -+ } -+#endif -+ -+/* -+ * Local function to simplify key template population -+ * Return 0 -- error, 1 -- no error -+ */ -+static int init_template_value(BIGNUM *bn, CK_VOID_PTR *p_value, -+ CK_ULONG *ul_value_len) -+ { -+ CK_ULONG len = BN_num_bytes(bn); -+ if (len == 0) -+ return (1); -+ -+ *ul_value_len = len; -+ *p_value = (CK_VOID_PTR)OPENSSL_malloc((size_t)*ul_value_len); -+ if (*p_value == NULL) -+ return (0); -+ -+ BN_bn2bin(bn, *p_value); -+ -+ return (1); -+ } -+ -+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn) -+ { -+ if (attr->ulValueLen > 0) -+ { -+ *bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL); -+ } -+ } -+#ifdef OPENSSL_SYS_WIN32 -+char *getpassphrase(const char *prompt) -+ { -+ static char buf[128]; -+ HANDLE h; -+ DWORD cc, mode; -+ int cnt; -+ -+ h = GetStdHandle(STD_INPUT_HANDLE); -+ fputs(prompt, stderr); -+ fflush(stderr); -+ fflush(stdout); -+ FlushConsoleInputBuffer(h); -+ GetConsoleMode(h, &mode); -+ SetConsoleMode(h, ENABLE_PROCESSED_INPUT); -+ -+ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++) -+ { -+ ReadFile(h, buf + cnt, 1, &cc, NULL); -+ if (buf[cnt] == '\r') -+ break; -+ fputc('*', stdout); -+ fflush(stderr); -+ fflush(stdout); -+ } -+ -+ SetConsoleMode(h, mode); -+ buf[cnt] = '\0'; -+ fputs("\n", stderr); -+ return buf; -+ } -+#endif /* OPENSSL_SYS_WIN32 */ -+#endif /* OPENSSL_NO_HW_PK11 */ -+#endif /* OPENSSL_NO_HW */ -Index: openssl/crypto/engine/pkcs11.h -diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Wed Sep 2 11:37:23 2009 -+++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 -@@ -0,0 +1,299 @@ -+/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.4 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. 
PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+#ifndef _PKCS11_H_ -+#define _PKCS11_H_ 1 -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* Before including this file (pkcs11.h) (or pkcs11t.h by -+ * itself), 6 platform-specific macros must be defined. These -+ * macros are described below, and typical definitions for them -+ * are also given. Be advised that these definitions can depend -+ * on both the platform and the compiler used (and possibly also -+ * on whether a Cryptoki library is linked statically or -+ * dynamically). -+ * -+ * In addition to defining these 6 macros, the packing convention -+ * for Cryptoki structures should be set. The Cryptoki -+ * convention on packing is that structures should be 1-byte -+ * aligned. 
-+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, this might be done by using the following -+ * preprocessor directive before including pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(push, cryptoki, 1) -+ * -+ * and using the following preprocessor directive after including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(pop, cryptoki) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, this might be done by using -+ * the following preprocessor directive before including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(1) -+ * -+ * In a UNIX environment, you're on your own for this. You might -+ * not need to do (or be able to do!) anything. -+ * -+ * -+ * Now for the macros: -+ * -+ * -+ * 1. CK_PTR: The indirection string for making a pointer to an -+ * object. It can be used like this: -+ * -+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, it might be defined by: -+ * -+ * #define CK_PTR far * -+ * -+ * In a typical UNIX environment, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * -+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes -+ * an exportable Cryptoki library function definition out of a -+ * return type and a function name. It should be used in the -+ * following fashion to define the exposed Cryptoki functions in -+ * a Cryptoki library: -+ * -+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ) -+ * { -+ * ... 
-+ * } -+ * -+ * If you're using Microsoft Developer Studio 5.0 to define a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllexport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to define a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes -+ * an importable Cryptoki library function declaration out of a -+ * return type and a function name. It should be used in the -+ * following fashion: -+ * -+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ); -+ * -+ * If you're using Microsoft Developer Studio 5.0 to declare a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllimport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to declare a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro -+ * which makes a Cryptoki API function pointer declaration or -+ * function pointer type declaration out of a return type and a -+ * function name. It should be used in the following fashion: -+ * -+ * // Define funcPtr to be a pointer to a Cryptoki API function -+ * // taking arguments args and returning CK_RV. 
-+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); -+ * -+ * or -+ * -+ * // Define funcPtrType to be the type of a pointer to a -+ * // Cryptoki API function taking arguments args and returning -+ * // CK_RV, and then define funcPtr to be a variable of type -+ * // funcPtrType. -+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); -+ * funcPtrType funcPtr; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to access -+ * functions in a Win32 Cryptoki .dll, in might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __declspec(dllimport) (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to access functions in a Win16 Cryptoki .dll, it might -+ * be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __export _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes -+ * a function pointer type for an application callback out of -+ * a return type for the callback and a name for the callback. -+ * It should be used in the following fashion: -+ * -+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); -+ * -+ * to declare a function pointer, myCallback, to a callback -+ * which takes arguments args and returns a CK_RV. 
It can also -+ * be used like this: -+ * -+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); -+ * myCallbackType myCallback; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to do Win32 -+ * Cryptoki development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to do Win16 development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 6. NULL_PTR: This macro is the value of a NULL pointer. -+ * -+ * In any ANSI/ISO C environment (and in many others as well), -+ * this should best be defined by -+ * -+ * #ifndef NULL_PTR -+ * #define NULL_PTR 0 -+ * #endif -+ */ -+ -+ -+/* All the various Cryptoki types and #define'd values are in the -+ * file pkcs11t.h. */ -+#include "pkcs11t.h" -+ -+#define __PASTE(x,y) x##y -+ -+ -+/* ============================================================== -+ * Define the "extern" form of all the entry points. -+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ extern CK_DECLARE_FUNCTION(CK_RV, name) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define the typedef form of all the entry points. That is, for -+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is -+ * a pointer to that kind of function. 
-+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define structed vector of entry points. A CK_FUNCTION_LIST -+ * contains a CK_VERSION indicating a library's Cryptoki version -+ * and then a whole slew of function pointers to the routines in -+ * the library. This type was declared, but not defined, in -+ * pkcs11t.h. -+ * ============================================================== -+ */ -+ -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ __PASTE(CK_,name) name; -+ -+struct CK_FUNCTION_LIST { -+ -+ CK_VERSION version; /* Cryptoki version */ -+ -+/* Pile all the function pointers into the CK_FUNCTION_LIST. */ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+}; -+ -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+#undef __PASTE -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -Index: openssl/crypto/engine/pkcs11f.h -diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Wed Sep 2 11:37:23 2009 -+++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 -@@ -0,0 +1,912 @@ -+/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.4 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. 
PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+/* This header file contains pretty much everything about all the */ -+/* Cryptoki function prototypes. Because this information is */ -+/* used for more than just declaring function prototypes, the */ -+/* order of the functions appearing herein is important, and */ -+/* should not be altered. */ -+ -+/* General-purpose */ -+ -+/* C_Initialize initializes the Cryptoki library. */ -+CK_PKCS11_FUNCTION_INFO(C_Initialize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets -+ * cast to CK_C_INITIALIZE_ARGS_PTR -+ * and dereferenced */ -+); -+#endif -+ -+ -+/* C_Finalize indicates that an application is done with the -+ * Cryptoki library. */ -+CK_PKCS11_FUNCTION_INFO(C_Finalize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ -+); -+#endif -+ -+ -+/* C_GetInfo returns general information about Cryptoki. */ -+CK_PKCS11_FUNCTION_INFO(C_GetInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_INFO_PTR pInfo /* location that receives information */ -+); -+#endif -+ -+ -+/* C_GetFunctionList returns the function list. */ -+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to -+ * function list */ -+); -+#endif -+ -+ -+ -+/* Slot and token management */ -+ -+/* C_GetSlotList obtains a list of slots in the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSlotList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_BBOOL tokenPresent, /* only slots with tokens? 
*/ -+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ -+ CK_ULONG_PTR pulCount /* receives number of slots */ -+); -+#endif -+ -+ -+/* C_GetSlotInfo obtains information about a particular slot in -+ * the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* the ID of the slot */ -+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */ -+); -+#endif -+ -+ -+/* C_GetTokenInfo obtains information about a particular token -+ * in the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */ -+); -+#endif -+ -+ -+/* C_GetMechanismList obtains a list of mechanism types -+ * supported by a token. */ -+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of token's slot */ -+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ -+ CK_ULONG_PTR pulCount /* gets # of mechs. */ -+); -+#endif -+ -+ -+/* C_GetMechanismInfo obtains information about a particular -+ * mechanism possibly supported by a token. */ -+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_MECHANISM_TYPE type, /* type of mechanism */ -+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ -+); -+#endif -+ -+ -+/* C_InitToken initializes a token. */ -+CK_PKCS11_FUNCTION_INFO(C_InitToken) -+#ifdef CK_NEED_ARG_LIST -+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ -+ CK_ULONG ulPinLen, /* length in bytes of the PIN */ -+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ -+); -+#endif -+ -+ -+/* C_InitPIN initializes the normal user's PIN. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_InitPIN) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ -+ CK_ULONG ulPinLen /* length in bytes of the PIN */ -+); -+#endif -+ -+ -+/* C_SetPIN modifies the PIN of the user who is logged in. */ -+CK_PKCS11_FUNCTION_INFO(C_SetPIN) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ -+ CK_ULONG ulOldLen, /* length of the old PIN */ -+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ -+ CK_ULONG ulNewLen /* length of the new PIN */ -+); -+#endif -+ -+ -+ -+/* Session management */ -+ -+/* C_OpenSession opens a session between an application and a -+ * token. */ -+CK_PKCS11_FUNCTION_INFO(C_OpenSession) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* the slot's ID */ -+ CK_FLAGS flags, /* from CK_SESSION_INFO */ -+ CK_VOID_PTR pApplication, /* passed to callback */ -+ CK_NOTIFY Notify, /* callback function */ -+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */ -+); -+#endif -+ -+ -+/* C_CloseSession closes a session between an application and a -+ * token. */ -+CK_PKCS11_FUNCTION_INFO(C_CloseSession) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+/* C_CloseAllSessions closes all sessions with a token. */ -+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID /* the token's slot */ -+); -+#endif -+ -+ -+/* C_GetSessionInfo obtains information about the session. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_SESSION_INFO_PTR pInfo /* receives session info */ -+); -+#endif -+ -+ -+/* C_GetOperationState obtains the state of the cryptographic operation -+ * in a session. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_GetOperationState) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pOperationState, /* gets state */ -+ CK_ULONG_PTR pulOperationStateLen /* gets state length */ -+); -+#endif -+ -+ -+/* C_SetOperationState restores the state of the cryptographic -+ * operation in a session. */ -+CK_PKCS11_FUNCTION_INFO(C_SetOperationState) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pOperationState, /* holds state */ -+ CK_ULONG ulOperationStateLen, /* holds state length */ -+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ -+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ -+); -+#endif -+ -+ -+/* C_Login logs a user into a token. */ -+CK_PKCS11_FUNCTION_INFO(C_Login) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_USER_TYPE userType, /* the user type */ -+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */ -+ CK_ULONG ulPinLen /* the length of the PIN */ -+); -+#endif -+ -+ -+/* C_Logout logs a user out from a token. */ -+CK_PKCS11_FUNCTION_INFO(C_Logout) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+ -+/* Object management */ -+ -+/* C_CreateObject creates a new object. */ -+CK_PKCS11_FUNCTION_INFO(C_CreateObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ -+ CK_ULONG ulCount, /* attributes in template */ -+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ -+); -+#endif -+ -+ -+/* C_CopyObject copies an object, creating a new object for the -+ * copy. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_CopyObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ -+ CK_ULONG ulCount, /* attributes in template */ -+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ -+); -+#endif -+ -+ -+/* C_DestroyObject destroys an object. */ -+CK_PKCS11_FUNCTION_INFO(C_DestroyObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject /* the object's handle */ -+); -+#endif -+ -+ -+/* C_GetObjectSize gets the size of an object in bytes. */ -+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ULONG_PTR pulSize /* receives size of object */ -+); -+#endif -+ -+ -+/* C_GetAttributeValue obtains the value of one or more object -+ * attributes. */ -+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ -+ CK_ULONG ulCount /* attributes in template */ -+); -+#endif -+ -+ -+/* C_SetAttributeValue modifies the value of one or more object -+ * attributes */ -+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ -+ CK_ULONG ulCount /* attributes in template */ -+); -+#endif -+ -+ -+/* C_FindObjectsInit initializes a search for token and session -+ * objects that match a template. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ -+ CK_ULONG ulCount /* attrs in search template */ -+); -+#endif -+ -+ -+/* C_FindObjects continues a search for token and session -+ * objects that match a template, obtaining additional object -+ * handles. */ -+CK_PKCS11_FUNCTION_INFO(C_FindObjects) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ -+ CK_ULONG ulMaxObjectCount, /* max handles to get */ -+ CK_ULONG_PTR pulObjectCount /* actual # returned */ -+); -+#endif -+ -+ -+/* C_FindObjectsFinal finishes a search for token and session -+ * objects. */ -+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+ -+/* Encryption and decryption */ -+ -+/* C_EncryptInit initializes an encryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_EncryptInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of encryption key */ -+); -+#endif -+ -+ -+/* C_Encrypt encrypts single-part data. */ -+CK_PKCS11_FUNCTION_INFO(C_Encrypt) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pData, /* the plaintext data */ -+ CK_ULONG ulDataLen, /* bytes of plaintext */ -+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ -+); -+#endif -+ -+ -+/* C_EncryptUpdate continues a multiple-part encryption -+ * operation. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pPart, /* the plaintext data */ -+ CK_ULONG ulPartLen, /* plaintext data len */ -+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ -+); -+#endif -+ -+ -+/* C_EncryptFinal finishes a multiple-part encryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session handle */ -+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ -+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ -+); -+#endif -+ -+ -+/* C_DecryptInit initializes a decryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of decryption key */ -+); -+#endif -+ -+ -+/* C_Decrypt decrypts encrypted data in a single part. */ -+CK_PKCS11_FUNCTION_INFO(C_Decrypt) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedData, /* ciphertext */ -+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */ -+ CK_BYTE_PTR pData, /* gets plaintext */ -+ CK_ULONG_PTR pulDataLen /* gets p-text size */ -+); -+#endif -+ -+ -+/* C_DecryptUpdate continues a multiple-part decryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */ -+ CK_ULONG ulEncryptedPartLen, /* input length */ -+ CK_BYTE_PTR pPart, /* gets plaintext */ -+ CK_ULONG_PTR pulPartLen /* p-text size */ -+); -+#endif -+ -+ -+/* C_DecryptFinal finishes a multiple-part decryption -+ * operation. 
*/ -+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pLastPart, /* gets plaintext */ -+ CK_ULONG_PTR pulLastPartLen /* p-text size */ -+); -+#endif -+ -+ -+ -+/* Message digesting */ -+ -+/* C_DigestInit initializes a message-digesting operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ -+); -+#endif -+ -+ -+/* C_Digest digests data in a single part. */ -+CK_PKCS11_FUNCTION_INFO(C_Digest) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pData, /* data to be digested */ -+ CK_ULONG ulDataLen, /* bytes of data to digest */ -+ CK_BYTE_PTR pDigest, /* gets the message digest */ -+ CK_ULONG_PTR pulDigestLen /* gets digest length */ -+); -+#endif -+ -+ -+/* C_DigestUpdate continues a multiple-part message-digesting -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pPart, /* data to be digested */ -+ CK_ULONG ulPartLen /* bytes of data to be digested */ -+); -+#endif -+ -+ -+/* C_DigestKey continues a multi-part message-digesting -+ * operation, by digesting the value of a secret key as part of -+ * the data already digested. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hKey /* secret key to digest */ -+); -+#endif -+ -+ -+/* C_DigestFinal finishes a multiple-part message-digesting -+ * operation. 
*/
-+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pDigest, /* gets the message digest */
-+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
-+);
-+#endif
-+
-+
-+
-+/* Signing and MACing */
-+
-+/* C_SignInit initializes a signature (private key encryption)
-+ * operation, where the signature is (will be) an appendix to
-+ * the data, and plaintext cannot be recovered from the
-+ *signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
-+ CK_OBJECT_HANDLE hKey /* handle of signature key */
-+);
-+#endif
-+
-+
-+/* C_Sign signs (encrypts with private key) data in a single
-+ * part, where the signature is (will be) an appendix to the
-+ * data, and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_Sign)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pData, /* the data to sign */
-+ CK_ULONG ulDataLen, /* count of bytes to sign */
-+ CK_BYTE_PTR pSignature, /* gets the signature */
-+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
-+);
-+#endif
-+
-+
-+/* C_SignUpdate continues a multiple-part signature operation,
-+ * where the signature is (will be) an appendix to the data,
-+ * and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pPart, /* the data to sign */
-+ CK_ULONG ulPartLen /* count of bytes to sign */
-+);
-+#endif
-+
-+
-+/* C_SignFinal finishes a multiple-part signature operation,
-+ * returning the signature.
*/
-+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pSignature, /* gets the signature */
-+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
-+);
-+#endif
-+
-+
-+/* C_SignRecoverInit initializes a signature operation, where
-+ * the data can be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
-+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
-+);
-+#endif
-+
-+
-+/* C_SignRecover signs data in a single operation, where the
-+ * data can be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pData, /* the data to sign */
-+ CK_ULONG ulDataLen, /* count of bytes to sign */
-+ CK_BYTE_PTR pSignature, /* gets the signature */
-+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
-+);
-+#endif
-+
-+
-+
-+/* Verifying signatures and MACs */
-+
-+/* C_VerifyInit initializes a verification operation, where the
-+ * signature is an appendix to the data, and plaintext cannot
-+ * cannot be recovered from the signature (e.g. DSA). */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
-+ CK_OBJECT_HANDLE hKey /* verification key */
-+);
-+#endif
-+
-+
-+/* C_Verify verifies a signature in a single-part operation,
-+ * where the signature is an appendix to the data, and plaintext
-+ * cannot be recovered from the signature.
*/
-+CK_PKCS11_FUNCTION_INFO(C_Verify)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pData, /* signed data */
-+ CK_ULONG ulDataLen, /* length of signed data */
-+ CK_BYTE_PTR pSignature, /* signature */
-+ CK_ULONG ulSignatureLen /* signature length*/
-+);
-+#endif
-+
-+
-+/* C_VerifyUpdate continues a multiple-part verification
-+ * operation, where the signature is an appendix to the data,
-+ * and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pPart, /* signed data */
-+ CK_ULONG ulPartLen /* length of signed data */
-+);
-+#endif
-+
-+
-+/* C_VerifyFinal finishes a multiple-part verification
-+ * operation, checking the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pSignature, /* signature to verify */
-+ CK_ULONG ulSignatureLen /* signature length */
-+);
-+#endif
-+
-+
-+/* C_VerifyRecoverInit initializes a signature verification
-+ * operation, where the data is recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
-+ CK_OBJECT_HANDLE hKey /* verification key */
-+);
-+#endif
-+
-+
-+/* C_VerifyRecover verifies a signature in a single-part
-+ * operation, where the data is recovered from the signature.
*/
-+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pSignature, /* signature to verify */
-+ CK_ULONG ulSignatureLen, /* signature length */
-+ CK_BYTE_PTR pData, /* gets signed data */
-+ CK_ULONG_PTR pulDataLen /* gets signed data len */
-+);
-+#endif
-+
-+
-+
-+/* Dual-function cryptographic operations */
-+
-+/* C_DigestEncryptUpdate continues a multiple-part digesting
-+ * and encryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_BYTE_PTR pPart, /* the plaintext data */
-+ CK_ULONG ulPartLen, /* plaintext length */
-+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
-+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
-+);
-+#endif
-+
-+
-+/* C_DecryptDigestUpdate continues a multiple-part decryption and
-+ * digesting operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
-+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
-+ CK_BYTE_PTR pPart, /* gets plaintext */
-+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
-+);
-+#endif
-+
-+
-+/* C_SignEncryptUpdate continues a multiple-part signing and
-+ * encryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_BYTE_PTR pPart, /* the plaintext data */
-+ CK_ULONG ulPartLen, /* plaintext length */
-+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
-+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
-+);
-+#endif
-+
-+
-+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
-+ * verify operation.
*/
-+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
-+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
-+ CK_BYTE_PTR pPart, /* gets plaintext */
-+ CK_ULONG_PTR pulPartLen /* gets p-text length */
-+);
-+#endif
-+
-+
-+
-+/* Key management */
-+
-+/* C_GenerateKey generates a secret key, creating a new key
-+ * object. */
-+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
-+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
-+ CK_ULONG ulCount, /* # of attrs in template */
-+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
-+);
-+#endif
-+
-+
-+/* C_GenerateKeyPair generates a public-key/private-key pair,
-+ * creating new key objects. */
-+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session
-+ * handle */
-+ CK_MECHANISM_PTR pMechanism, /* key-gen
-+ * mech. */
-+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
-+ * for pub.
-+ * key */
-+ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
-+ * attrs. */
-+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
-+ * for priv.
-+ * key */
-+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
-+ * attrs. */
-+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
-+ * key
-+ * handle */
-+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
-+ * priv. key
-+ * handle */
-+);
-+#endif
-+
-+
-+/* C_WrapKey wraps (i.e., encrypts) a key.
*/
-+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
-+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
-+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
-+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
-+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
-+);
-+#endif
-+
-+
-+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
-+ * key object. */
-+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
-+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
-+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
-+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
-+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
-+ CK_ULONG ulAttributeCount, /* template length */
-+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
-+);
-+#endif
-+
-+
-+/* C_DeriveKey derives a key from a base key, creating a new key
-+ * object. */
-+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* session's handle */
-+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
-+ CK_OBJECT_HANDLE hBaseKey, /* base key */
-+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
-+ CK_ULONG ulAttributeCount, /* template length */
-+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
-+);
-+#endif
-+
-+
-+
-+/* Random number generation */
-+
-+/* C_SeedRandom mixes additional seed material into the token's
-+ * random number generator. */
-+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR pSeed, /* the seed material */
-+ CK_ULONG ulSeedLen /* length of seed material */
-+);
-+#endif
-+
-+
-+/* C_GenerateRandom generates random data.
*/
-+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession, /* the session's handle */
-+ CK_BYTE_PTR RandomData, /* receives the random data */
-+ CK_ULONG ulRandomLen /* # of bytes to generate */
-+);
-+#endif
-+
-+
-+
-+/* Parallel function management */
-+
-+/* C_GetFunctionStatus is a legacy function; it obtains an
-+ * updated status of a function running in parallel with an
-+ * application. */
-+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession /* the session's handle */
-+);
-+#endif
-+
-+
-+/* C_CancelFunction is a legacy function; it cancels a function
-+ * running in parallel. */
-+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE hSession /* the session's handle */
-+);
-+#endif
-+
-+
-+
-+/* Functions added in for Cryptoki Version 2.01 or later */
-+
-+/* C_WaitForSlotEvent waits for a slot event (token insertion,
-+ * removal, etc.) to occur. */
-+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_FLAGS flags, /* blocking/nonblocking flag */
-+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
-+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
-+);
-+#endif
-Index: openssl/crypto/engine/pkcs11t.h
-diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null Wed Sep 2 11:37:23 2009
-+++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008
-@@ -0,0 +1,1885 @@
-+/* pkcs11t.h include file for PKCS #11. */
-+/* $Revision: 1.4 $ */
-+
-+/* License to copy and use this software is granted provided that it is
-+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+ * (Cryptoki)" in all material mentioning or referencing this software.
-+
-+ * License is also granted to make and use derivative works provided that
-+ * such works are identified as "derived from the RSA Security Inc.
PKCS #11
-+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
-+ * referencing the derived work.
-+
-+ * RSA Security Inc. makes no representations concerning either the
-+ * merchantability of this software or the suitability of this software for
-+ * any particular purpose. It is provided "as is" without express or implied
-+ * warranty of any kind.
-+ */
-+
-+/* See top of pkcs11.h for information about the macros that
-+ * must be defined and the structure-packing conventions that
-+ * must be set before including this file. */
-+
-+#ifndef _PKCS11T_H_
-+#define _PKCS11T_H_ 1
-+
-+#define CRYPTOKI_VERSION_MAJOR 2
-+#define CRYPTOKI_VERSION_MINOR 20
-+#define CRYPTOKI_VERSION_AMENDMENT 3
-+
-+#define CK_TRUE 1
-+#define CK_FALSE 0
-+
-+#ifndef CK_DISABLE_TRUE_FALSE
-+#ifndef FALSE
-+#define FALSE CK_FALSE
-+#endif
-+
-+#ifndef TRUE
-+#define TRUE CK_TRUE
-+#endif
-+#endif
-+
-+/* an unsigned 8-bit value */
-+typedef unsigned char CK_BYTE;
-+
-+/* an unsigned 8-bit character */
-+typedef CK_BYTE CK_CHAR;
-+
-+/* an 8-bit UTF-8 character */
-+typedef CK_BYTE CK_UTF8CHAR;
-+
-+/* a BYTE-sized Boolean flag */
-+typedef CK_BYTE CK_BBOOL;
-+
-+/* an unsigned value, at least 32 bits long */
-+typedef unsigned long int CK_ULONG;
-+
-+/* a signed value, the same size as a CK_ULONG */
-+/* CK_LONG is new for v2.0 */
-+typedef long int CK_LONG;
-+
-+/* at least 32 bits; each bit is a Boolean flag */
-+typedef CK_ULONG CK_FLAGS;
-+
-+
-+/* some special values for certain CK_ULONG variables */
-+#define CK_UNAVAILABLE_INFORMATION (~0UL)
-+#define CK_EFFECTIVELY_INFINITE 0
-+
-+
-+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
-+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
-+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
-+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
-+typedef void CK_PTR CK_VOID_PTR;
-+
-+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-+
-+
-+/* The following value is always invalid if used as a
session */
-+/* handle or object handle */
-+#define CK_INVALID_HANDLE 0
-+
-+
-+typedef struct CK_VERSION {
-+ CK_BYTE major; /* integer portion of version number */
-+ CK_BYTE minor; /* 1/100ths portion of version number */
-+} CK_VERSION;
-+
-+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-+
-+
-+typedef struct CK_INFO {
-+ /* manufacturerID and libraryDecription have been changed from
-+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
-+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
-+ CK_FLAGS flags; /* must be zero */
-+
-+ /* libraryDescription and libraryVersion are new for v2.0 */
-+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
-+ CK_VERSION libraryVersion; /* version of library */
-+} CK_INFO;
-+
-+typedef CK_INFO CK_PTR CK_INFO_PTR;
-+
-+
-+/* CK_NOTIFICATION enumerates the types of notifications that
-+ * Cryptoki provides to an application */
-+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
-+ * for v2.0 */
-+typedef CK_ULONG CK_NOTIFICATION;
-+#define CKN_SURRENDER 0
-+
-+/* The following notification is new for PKCS #11 v2.20 amendment 3 */
-+#define CKN_OTP_CHANGED 1
-+
-+
-+typedef CK_ULONG CK_SLOT_ID;
-+
-+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-+
-+
-+/* CK_SLOT_INFO provides information about a slot */
-+typedef struct CK_SLOT_INFO {
-+ /* slotDescription and manufacturerID have been changed from
-+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
-+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
-+ CK_FLAGS flags;
-+
-+ /* hardwareVersion and firmwareVersion are new for v2.0 */
-+ CK_VERSION hardwareVersion; /* version of hardware */
-+ CK_VERSION firmwareVersion; /* version of firmware */
-+} CK_SLOT_INFO;
-+
-+/* flags: bit flags that provide capabilities of the slot
-+ * Bit Flag Mask Meaning
-+ */
-+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
-+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable
devices*/
-+#define CKF_HW_SLOT 0x00000004 /* hardware slot */
-+
-+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-+
-+
-+/* CK_TOKEN_INFO provides information about a token */
-+typedef struct CK_TOKEN_INFO {
-+ /* label, manufacturerID, and model have been changed from
-+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+ CK_UTF8CHAR label[32]; /* blank padded */
-+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
-+ CK_UTF8CHAR model[16]; /* blank padded */
-+ CK_CHAR serialNumber[16]; /* blank padded */
-+ CK_FLAGS flags; /* see below */
-+
-+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-+ * changed from CK_USHORT to CK_ULONG for v2.0 */
-+ CK_ULONG ulMaxSessionCount; /* max open sessions */
-+ CK_ULONG ulSessionCount; /* sess. now open */
-+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
-+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
-+ CK_ULONG ulMaxPinLen; /* in bytes */
-+ CK_ULONG ulMinPinLen; /* in bytes */
-+ CK_ULONG ulTotalPublicMemory; /* in bytes */
-+ CK_ULONG ulFreePublicMemory; /* in bytes */
-+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
-+ CK_ULONG ulFreePrivateMemory; /* in bytes */
-+
-+ /* hardwareVersion, firmwareVersion, and time are new for
-+ * v2.0 */
-+ CK_VERSION hardwareVersion; /* version of hardware */
-+ CK_VERSION firmwareVersion; /* version of firmware */
-+ CK_CHAR utcTime[16]; /* time */
-+} CK_TOKEN_INFO;
-+
-+/* The flags parameter is defined as follows:
-+ * Bit Flag Mask Meaning
-+ */
-+#define CKF_RNG 0x00000001 /* has random #
-+ * generator */
-+#define CKF_WRITE_PROTECTED 0x00000002 /* token is
-+ * write-
-+ * protected */
-+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
-+ * login */
-+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
-+ * PIN is set */
-+
-+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.
If it is set,
-+ * that means that *every* time the state of cryptographic
-+ * operations of a session is successfully saved, all keys
-+ * needed to continue those operations are stored in the state */
-+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
-+
-+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
-+ * that the token has some sort of clock. The time on that
-+ * clock is returned in the token info structure */
-+#define CKF_CLOCK_ON_TOKEN 0x00000040
-+
-+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
-+ * set, that means that there is some way for the user to login
-+ * without sending a PIN through the Cryptoki library itself */
-+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-+
-+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
-+ * that means that a single session with the token can perform
-+ * dual simultaneous cryptographic operations (digest and
-+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
-+ * and sign) */
-+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
-+
-+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
-+ * token has been initialized using C_InitializeToken or an
-+ * equivalent mechanism outside the scope of PKCS #11.
-+ * Calling C_InitializeToken when this flag is set will cause
-+ * the token to be reinitialized. */
-+#define CKF_TOKEN_INITIALIZED 0x00000400
-+
-+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
-+ * true, the token supports secondary authentication for
-+ * private key objects. This flag is deprecated in v2.11 and
-+ onwards. */
-+#define CKF_SECONDARY_AUTHENTICATION 0x00000800
-+
-+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
-+ * incorrect user login PIN has been entered at least once
-+ * since the last successful authentication. */
-+#define CKF_USER_PIN_COUNT_LOW 0x00010000
-+
-+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
-+ * supplying an incorrect user PIN will it to become locked.
*/
-+#define CKF_USER_PIN_FINAL_TRY 0x00020000
-+
-+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
-+ * user PIN has been locked. User login to the token is not
-+ * possible. */
-+#define CKF_USER_PIN_LOCKED 0x00040000
-+
-+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-+ * the user PIN value is the default value set by token
-+ * initialization or manufacturing, or the PIN has been
-+ * expired by the card. */
-+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
-+
-+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
-+ * incorrect SO login PIN has been entered at least once since
-+ * the last successful authentication. */
-+#define CKF_SO_PIN_COUNT_LOW 0x00100000
-+
-+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
-+ * supplying an incorrect SO PIN will it to become locked. */
-+#define CKF_SO_PIN_FINAL_TRY 0x00200000
-+
-+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
-+ * PIN has been locked. SO login to the token is not possible.
-+ */
-+#define CKF_SO_PIN_LOCKED 0x00400000
-+
-+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-+ * the SO PIN value is the default value set by token
-+ * initialization or manufacturing, or the PIN has been
-+ * expired by the card.
*/
-+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
-+
-+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-+
-+
-+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
-+ * identifies a session */
-+typedef CK_ULONG CK_SESSION_HANDLE;
-+
-+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-+
-+
-+/* CK_USER_TYPE enumerates the types of Cryptoki users */
-+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG CK_USER_TYPE;
-+/* Security Officer */
-+#define CKU_SO 0
-+/* Normal user */
-+#define CKU_USER 1
-+/* Context specific (added in v2.20) */
-+#define CKU_CONTEXT_SPECIFIC 2
-+
-+/* CK_STATE enumerates the session states */
-+/* CK_STATE has been changed from an enum to a CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG CK_STATE;
-+#define CKS_RO_PUBLIC_SESSION 0
-+#define CKS_RO_USER_FUNCTIONS 1
-+#define CKS_RW_PUBLIC_SESSION 2
-+#define CKS_RW_USER_FUNCTIONS 3
-+#define CKS_RW_SO_FUNCTIONS 4
-+
-+
-+/* CK_SESSION_INFO provides information about a session */
-+typedef struct CK_SESSION_INFO {
-+ CK_SLOT_ID slotID;
-+ CK_STATE state;
-+ CK_FLAGS flags; /* see below */
-+
-+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+ CK_ULONG ulDeviceError; /* device-dependent error code */
-+} CK_SESSION_INFO;
-+
-+/* The flags are defined in the following table:
-+ * Bit Flag Mask Meaning
-+ */
-+#define CKF_RW_SESSION 0x00000002 /* session is r/w */
-+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
-+
-+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-+
-+
-+/* CK_OBJECT_HANDLE is a token-specific identifier for an
-+ * object */
-+typedef CK_ULONG CK_OBJECT_HANDLE;
-+
-+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-+
-+
-+/* CK_OBJECT_CLASS is a value that identifies the classes (or
-+ * types) of objects that Cryptoki recognizes.
It is defined
-+ * as follows: */
-+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG CK_OBJECT_CLASS;
-+
-+/* The following classes of objects are defined: */
-+/* CKO_HW_FEATURE is new for v2.10 */
-+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-+/* CKO_MECHANISM is new for v2.20 */
-+#define CKO_DATA 0x00000000
-+#define CKO_CERTIFICATE 0x00000001
-+#define CKO_PUBLIC_KEY 0x00000002
-+#define CKO_PRIVATE_KEY 0x00000003
-+#define CKO_SECRET_KEY 0x00000004
-+#define CKO_HW_FEATURE 0x00000005
-+#define CKO_DOMAIN_PARAMETERS 0x00000006
-+#define CKO_MECHANISM 0x00000007
-+
-+/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
-+#define CKO_OTP_KEY 0x00000008
-+
-+#define CKO_VENDOR_DEFINED 0x80000000
-+
-+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-+
-+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
-+ * value that identifies the hardware feature type of an object
-+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
-+typedef CK_ULONG CK_HW_FEATURE_TYPE;
-+
-+/* The following hardware feature types are defined */
-+/* CKH_USER_INTERFACE is new for v2.20 */
-+#define CKH_MONOTONIC_COUNTER 0x00000001
-+#define CKH_CLOCK 0x00000002
-+#define CKH_USER_INTERFACE 0x00000003
-+#define CKH_VENDOR_DEFINED 0x80000000
-+
-+/* CK_KEY_TYPE is a value that identifies a key type */
-+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-+typedef CK_ULONG CK_KEY_TYPE;
-+
-+/* the following key types are defined: */
-+#define CKK_RSA 0x00000000
-+#define CKK_DSA 0x00000001
-+#define CKK_DH 0x00000002
-+
-+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred.
*/
-+#define CKK_ECDSA 0x00000003
-+#define CKK_EC 0x00000003
-+#define CKK_X9_42_DH 0x00000004
-+#define CKK_KEA 0x00000005
-+
-+#define CKK_GENERIC_SECRET 0x00000010
-+#define CKK_RC2 0x00000011
-+#define CKK_RC4 0x00000012
-+#define CKK_DES 0x00000013
-+#define CKK_DES2 0x00000014
-+#define CKK_DES3 0x00000015
-+
-+/* all these key types are new for v2.0 */
-+#define CKK_CAST 0x00000016
-+#define CKK_CAST3 0x00000017
-+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-+#define CKK_CAST5 0x00000018
-+#define CKK_CAST128 0x00000018
-+#define CKK_RC5 0x00000019
-+#define CKK_IDEA 0x0000001A
-+#define CKK_SKIPJACK 0x0000001B
-+#define CKK_BATON 0x0000001C
-+#define CKK_JUNIPER 0x0000001D
-+#define CKK_CDMF 0x0000001E
-+#define CKK_AES 0x0000001F
-+
-+/* BlowFish and TwoFish are new for v2.20 */
-+#define CKK_BLOWFISH 0x00000020
-+#define CKK_TWOFISH 0x00000021
-+
-+/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
-+#define CKK_SECURID 0x00000022
-+#define CKK_HOTP 0x00000023
-+#define CKK_ACTI 0x00000024
-+
-+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
-+#define CKK_CAMELLIA 0x00000025
-+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
-+#define CKK_ARIA 0x00000026
-+
-+
-+#define CKK_VENDOR_DEFINED 0x80000000
-+
-+
-+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
-+ * type */
-+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
-+ * for v2.0 */
-+typedef CK_ULONG CK_CERTIFICATE_TYPE;
-+
-+/* The following certificate types are defined: */
-+/* CKC_X_509_ATTR_CERT is new for v2.10 */
-+/* CKC_WTLS is new for v2.20 */
-+#define CKC_X_509 0x00000000
-+#define CKC_X_509_ATTR_CERT 0x00000001
-+#define CKC_WTLS 0x00000002
-+#define CKC_VENDOR_DEFINED 0x80000000
-+
-+
-+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
-+ * type */
-+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
-+
-+/* The CKF_ARRAY_ATTRIBUTE flag
identifies an attribute which
-+ consists of an array of values. */
-+#define CKF_ARRAY_ATTRIBUTE 0x40000000
-+
-+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
-+ and relates to the CKA_OTP_FORMAT attribute */
-+#define CK_OTP_FORMAT_DECIMAL 0
-+#define CK_OTP_FORMAT_HEXADECIMAL 1
-+#define CK_OTP_FORMAT_ALPHANUMERIC 2
-+#define CK_OTP_FORMAT_BINARY 3
-+
-+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
-+ and relates to the CKA_OTP_..._REQUIREMENT attributes */
-+#define CK_OTP_PARAM_IGNORED 0
-+#define CK_OTP_PARAM_OPTIONAL 1
-+#define CK_OTP_PARAM_MANDATORY 2
-+
-+/* The following attribute types are defined: */
-+#define CKA_CLASS 0x00000000
-+#define CKA_TOKEN 0x00000001
-+#define CKA_PRIVATE 0x00000002
-+#define CKA_LABEL 0x00000003
-+#define CKA_APPLICATION 0x00000010
-+#define CKA_VALUE 0x00000011
-+
-+/* CKA_OBJECT_ID is new for v2.10 */
-+#define CKA_OBJECT_ID 0x00000012
-+
-+#define CKA_CERTIFICATE_TYPE 0x00000080
-+#define CKA_ISSUER 0x00000081
-+#define CKA_SERIAL_NUMBER 0x00000082
-+
-+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
-+ * for v2.10 */
-+#define CKA_AC_ISSUER 0x00000083
-+#define CKA_OWNER 0x00000084
-+#define CKA_ATTR_TYPES 0x00000085
-+
-+/* CKA_TRUSTED is new for v2.11 */
-+#define CKA_TRUSTED 0x00000086
-+
-+/* CKA_CERTIFICATE_CATEGORY ...
-+ * CKA_CHECK_VALUE are new for v2.20 */
-+#define CKA_CERTIFICATE_CATEGORY 0x00000087
-+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
-+#define CKA_URL 0x00000089
-+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
-+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
-+#define CKA_CHECK_VALUE 0x00000090
-+
-+#define CKA_KEY_TYPE 0x00000100
-+#define CKA_SUBJECT 0x00000101
-+#define CKA_ID 0x00000102
-+#define CKA_SENSITIVE 0x00000103
-+#define CKA_ENCRYPT 0x00000104
-+#define CKA_DECRYPT 0x00000105
-+#define CKA_WRAP 0x00000106
-+#define CKA_UNWRAP 0x00000107
-+#define CKA_SIGN 0x00000108
-+#define CKA_SIGN_RECOVER 0x00000109
-+#define CKA_VERIFY 0x0000010A
-+#define CKA_VERIFY_RECOVER 0x0000010B
-+#define CKA_DERIVE 0x0000010C
-+#define CKA_START_DATE 0x00000110
-+#define CKA_END_DATE 0x00000111
-+#define CKA_MODULUS 0x00000120
-+#define CKA_MODULUS_BITS 0x00000121
-+#define CKA_PUBLIC_EXPONENT 0x00000122
-+#define CKA_PRIVATE_EXPONENT 0x00000123
-+#define CKA_PRIME_1 0x00000124
-+#define CKA_PRIME_2 0x00000125
-+#define CKA_EXPONENT_1 0x00000126
-+#define CKA_EXPONENT_2 0x00000127
-+#define CKA_COEFFICIENT 0x00000128
-+#define CKA_PRIME 0x00000130
-+#define CKA_SUBPRIME 0x00000131
-+#define CKA_BASE 0x00000132
-+
-+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-+#define CKA_PRIME_BITS 0x00000133
-+#define CKA_SUBPRIME_BITS 0x00000134
-+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
-+/* (To retain backwards-compatibility) */
-+
-+#define CKA_VALUE_BITS 0x00000160
-+#define CKA_VALUE_LEN 0x00000161
-+
-+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
-+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
-+ * and CKA_EC_POINT are new for v2.0 */
-+#define CKA_EXTRACTABLE 0x00000162
-+#define CKA_LOCAL 0x00000163
-+#define CKA_NEVER_EXTRACTABLE 0x00000164
-+#define CKA_ALWAYS_SENSITIVE 0x00000165
-+
-+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-+#define CKA_KEY_GEN_MECHANISM 0x00000166
-+
-+#define CKA_MODIFIABLE 0x00000170
-+
-+/*
CKA_ECDSA_PARAMS is deprecated in v2.11,
-+ * CKA_EC_PARAMS is preferred. */
-+#define CKA_ECDSA_PARAMS 0x00000180
-+#define CKA_EC_PARAMS 0x00000180
-+
-+#define CKA_EC_POINT 0x00000181
-+
-+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
-+ * are new for v2.10. Deprecated in v2.11 and onwards. */
-+#define CKA_SECONDARY_AUTH 0x00000200
-+#define CKA_AUTH_PIN_FLAGS 0x00000201
-+
-+/* CKA_ALWAYS_AUTHENTICATE ...
-+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-+#define CKA_ALWAYS_AUTHENTICATE 0x00000202
-+
-+#define CKA_WRAP_WITH_TRUSTED 0x00000210
-+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
-+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
-+
-+/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
-+#define CKA_OTP_FORMAT 0x00000220
-+#define CKA_OTP_LENGTH 0x00000221
-+#define CKA_OTP_TIME_INTERVAL 0x00000222
-+#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223
-+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
-+#define CKA_OTP_TIME_REQUIREMENT 0x00000225
-+#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226
-+#define CKA_OTP_PIN_REQUIREMENT 0x00000227
-+#define CKA_OTP_COUNTER 0x0000022E
-+#define CKA_OTP_TIME 0x0000022F
-+#define CKA_OTP_USER_IDENTIFIER 0x0000022A
-+#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022B
-+#define CKA_OTP_SERVICE_LOGO 0x0000022C
-+#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D
-+
-+
-+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
-+ * are new for v2.10 */
-+#define CKA_HW_FEATURE_TYPE 0x00000300
-+#define CKA_RESET_ON_INIT 0x00000301
-+#define CKA_HAS_RESET 0x00000302
-+
-+/* The following attributes are new for v2.20 */
-+#define CKA_PIXEL_X 0x00000400
-+#define CKA_PIXEL_Y 0x00000401
-+#define CKA_RESOLUTION 0x00000402
-+#define CKA_CHAR_ROWS 0x00000403
-+#define CKA_CHAR_COLUMNS 0x00000404
-+#define CKA_COLOR 0x00000405
-+#define CKA_BITS_PER_PIXEL 0x00000406
-+#define CKA_CHAR_SETS 0x00000480
-+#define CKA_ENCODING_METHODS 0x00000481
-+#define CKA_MIME_TYPES 0x00000482
-+#define
CKA_MECHANISM_TYPE 0x00000500 -+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 -+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 -+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 -+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) -+ -+#define CKA_VENDOR_DEFINED 0x80000000 -+ -+/* CK_ATTRIBUTE is a structure that includes the type, length -+ * and value of an attribute */ -+typedef struct CK_ATTRIBUTE { -+ CK_ATTRIBUTE_TYPE type; -+ CK_VOID_PTR pValue; -+ -+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ -+ CK_ULONG ulValueLen; /* in bytes */ -+} CK_ATTRIBUTE; -+ -+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; -+ -+ -+/* CK_DATE is a structure that defines a date */ -+typedef struct CK_DATE{ -+ CK_CHAR year[4]; /* the year ("1900" - "9999") */ -+ CK_CHAR month[2]; /* the month ("01" - "12") */ -+ CK_CHAR day[2]; /* the day ("01" - "31") */ -+} CK_DATE; -+ -+ -+/* CK_MECHANISM_TYPE is a value that identifies a mechanism -+ * type */ -+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_MECHANISM_TYPE; -+ -+/* the following mechanism types are defined: */ -+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 -+#define CKM_RSA_PKCS 0x00000001 -+#define CKM_RSA_9796 0x00000002 -+#define CKM_RSA_X_509 0x00000003 -+ -+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS -+ * are new for v2.0. 
They are mechanisms which hash and sign */ -+#define CKM_MD2_RSA_PKCS 0x00000004 -+#define CKM_MD5_RSA_PKCS 0x00000005 -+#define CKM_SHA1_RSA_PKCS 0x00000006 -+ -+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and -+ * CKM_RSA_PKCS_OAEP are new for v2.10 */ -+#define CKM_RIPEMD128_RSA_PKCS 0x00000007 -+#define CKM_RIPEMD160_RSA_PKCS 0x00000008 -+#define CKM_RSA_PKCS_OAEP 0x00000009 -+ -+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, -+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ -+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A -+#define CKM_RSA_X9_31 0x0000000B -+#define CKM_SHA1_RSA_X9_31 0x0000000C -+#define CKM_RSA_PKCS_PSS 0x0000000D -+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E -+ -+#define CKM_DSA_KEY_PAIR_GEN 0x00000010 -+#define CKM_DSA 0x00000011 -+#define CKM_DSA_SHA1 0x00000012 -+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 -+#define CKM_DH_PKCS_DERIVE 0x00000021 -+ -+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, -+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for -+ * v2.11 */ -+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 -+#define CKM_X9_42_DH_DERIVE 0x00000031 -+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 -+#define CKM_X9_42_MQV_DERIVE 0x00000033 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256_RSA_PKCS 0x00000040 -+#define CKM_SHA384_RSA_PKCS 0x00000041 -+#define CKM_SHA512_RSA_PKCS 0x00000042 -+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043 -+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044 -+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045 -+ -+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224_RSA_PKCS 0x00000046 -+#define CKM_SHA224_RSA_PKCS_PSS 0x00000047 -+ -+#define CKM_RC2_KEY_GEN 0x00000100 -+#define CKM_RC2_ECB 0x00000101 -+#define CKM_RC2_CBC 0x00000102 -+#define CKM_RC2_MAC 0x00000103 -+ -+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ -+#define CKM_RC2_MAC_GENERAL 0x00000104 -+#define CKM_RC2_CBC_PAD 0x00000105 -+ 
-+#define CKM_RC4_KEY_GEN 0x00000110 -+#define CKM_RC4 0x00000111 -+#define CKM_DES_KEY_GEN 0x00000120 -+#define CKM_DES_ECB 0x00000121 -+#define CKM_DES_CBC 0x00000122 -+#define CKM_DES_MAC 0x00000123 -+ -+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ -+#define CKM_DES_MAC_GENERAL 0x00000124 -+#define CKM_DES_CBC_PAD 0x00000125 -+ -+#define CKM_DES2_KEY_GEN 0x00000130 -+#define CKM_DES3_KEY_GEN 0x00000131 -+#define CKM_DES3_ECB 0x00000132 -+#define CKM_DES3_CBC 0x00000133 -+#define CKM_DES3_MAC 0x00000134 -+ -+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, -+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, -+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ -+#define CKM_DES3_MAC_GENERAL 0x00000135 -+#define CKM_DES3_CBC_PAD 0x00000136 -+#define CKM_CDMF_KEY_GEN 0x00000140 -+#define CKM_CDMF_ECB 0x00000141 -+#define CKM_CDMF_CBC 0x00000142 -+#define CKM_CDMF_MAC 0x00000143 -+#define CKM_CDMF_MAC_GENERAL 0x00000144 -+#define CKM_CDMF_CBC_PAD 0x00000145 -+ -+/* the following four DES mechanisms are new for v2.20 */ -+#define CKM_DES_OFB64 0x00000150 -+#define CKM_DES_OFB8 0x00000151 -+#define CKM_DES_CFB64 0x00000152 -+#define CKM_DES_CFB8 0x00000153 -+ -+#define CKM_MD2 0x00000200 -+ -+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ -+#define CKM_MD2_HMAC 0x00000201 -+#define CKM_MD2_HMAC_GENERAL 0x00000202 -+ -+#define CKM_MD5 0x00000210 -+ -+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ -+#define CKM_MD5_HMAC 0x00000211 -+#define CKM_MD5_HMAC_GENERAL 0x00000212 -+ -+#define CKM_SHA_1 0x00000220 -+ -+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ -+#define CKM_SHA_1_HMAC 0x00000221 -+#define CKM_SHA_1_HMAC_GENERAL 0x00000222 -+ -+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, -+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, -+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ -+#define CKM_RIPEMD128 0x00000230 -+#define CKM_RIPEMD128_HMAC 0x00000231 -+#define 
CKM_RIPEMD128_HMAC_GENERAL 0x00000232 -+#define CKM_RIPEMD160 0x00000240 -+#define CKM_RIPEMD160_HMAC 0x00000241 -+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256 0x00000250 -+#define CKM_SHA256_HMAC 0x00000251 -+#define CKM_SHA256_HMAC_GENERAL 0x00000252 -+ -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224 0x00000255 -+#define CKM_SHA224_HMAC 0x00000256 -+#define CKM_SHA224_HMAC_GENERAL 0x00000257 -+ -+#define CKM_SHA384 0x00000260 -+#define CKM_SHA384_HMAC 0x00000261 -+#define CKM_SHA384_HMAC_GENERAL 0x00000262 -+#define CKM_SHA512 0x00000270 -+#define CKM_SHA512_HMAC 0x00000271 -+#define CKM_SHA512_HMAC_GENERAL 0x00000272 -+ -+/* SecurID is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_SECURID_KEY_GEN 0x00000280 -+#define CKM_SECURID 0x00000282 -+ -+/* HOTP is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_HOTP_KEY_GEN 0x00000290 -+#define CKM_HOTP 0x00000291 -+ -+/* ACTI is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_ACTI 0x000002A0 -+#define CKM_ACTI_KEY_GEN 0x000002A1 -+ -+/* All of the following mechanisms are new for v2.0 */ -+/* Note that CAST128 and CAST5 are the same algorithm */ -+#define CKM_CAST_KEY_GEN 0x00000300 -+#define CKM_CAST_ECB 0x00000301 -+#define CKM_CAST_CBC 0x00000302 -+#define CKM_CAST_MAC 0x00000303 -+#define CKM_CAST_MAC_GENERAL 0x00000304 -+#define CKM_CAST_CBC_PAD 0x00000305 -+#define CKM_CAST3_KEY_GEN 0x00000310 -+#define CKM_CAST3_ECB 0x00000311 -+#define CKM_CAST3_CBC 0x00000312 -+#define CKM_CAST3_MAC 0x00000313 -+#define CKM_CAST3_MAC_GENERAL 0x00000314 -+#define CKM_CAST3_CBC_PAD 0x00000315 -+#define CKM_CAST5_KEY_GEN 0x00000320 -+#define CKM_CAST128_KEY_GEN 0x00000320 -+#define CKM_CAST5_ECB 0x00000321 -+#define CKM_CAST128_ECB 0x00000321 -+#define CKM_CAST5_CBC 0x00000322 -+#define CKM_CAST128_CBC 0x00000322 -+#define CKM_CAST5_MAC 0x00000323 -+#define CKM_CAST128_MAC 0x00000323 -+#define CKM_CAST5_MAC_GENERAL 
0x00000324 -+#define CKM_CAST128_MAC_GENERAL 0x00000324 -+#define CKM_CAST5_CBC_PAD 0x00000325 -+#define CKM_CAST128_CBC_PAD 0x00000325 -+#define CKM_RC5_KEY_GEN 0x00000330 -+#define CKM_RC5_ECB 0x00000331 -+#define CKM_RC5_CBC 0x00000332 -+#define CKM_RC5_MAC 0x00000333 -+#define CKM_RC5_MAC_GENERAL 0x00000334 -+#define CKM_RC5_CBC_PAD 0x00000335 -+#define CKM_IDEA_KEY_GEN 0x00000340 -+#define CKM_IDEA_ECB 0x00000341 -+#define CKM_IDEA_CBC 0x00000342 -+#define CKM_IDEA_MAC 0x00000343 -+#define CKM_IDEA_MAC_GENERAL 0x00000344 -+#define CKM_IDEA_CBC_PAD 0x00000345 -+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350 -+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360 -+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362 -+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363 -+#define CKM_XOR_BASE_AND_DATA 0x00000364 -+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365 -+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370 -+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371 -+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 -+ -+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, -+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and -+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ -+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 -+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 -+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 -+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 -+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 -+ -+/* CKM_TLS_PRF is new for v2.20 */ -+#define CKM_TLS_PRF 0x00000378 -+ -+#define CKM_SSL3_MD5_MAC 0x00000380 -+#define CKM_SSL3_SHA1_MAC 0x00000381 -+#define CKM_MD5_KEY_DERIVATION 0x00000390 -+#define CKM_MD2_KEY_DERIVATION 0x00000391 -+#define CKM_SHA1_KEY_DERIVATION 0x00000392 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256_KEY_DERIVATION 0x00000393 -+#define CKM_SHA384_KEY_DERIVATION 0x00000394 -+#define CKM_SHA512_KEY_DERIVATION 0x00000395 -+ -+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */ -+#define 
CKM_SHA224_KEY_DERIVATION 0x00000396 -+ -+#define CKM_PBE_MD2_DES_CBC 0x000003A0 -+#define CKM_PBE_MD5_DES_CBC 0x000003A1 -+#define CKM_PBE_MD5_CAST_CBC 0x000003A2 -+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3 -+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4 -+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4 -+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5 -+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5 -+#define CKM_PBE_SHA1_RC4_128 0x000003A6 -+#define CKM_PBE_SHA1_RC4_40 0x000003A7 -+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8 -+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9 -+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA -+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB -+ -+/* CKM_PKCS5_PBKD2 is new for v2.10 */ -+#define CKM_PKCS5_PBKD2 0x000003B0 -+ -+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 -+ -+/* WTLS mechanisms are new for v2.20 */ -+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 -+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 -+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 -+#define CKM_WTLS_PRF 0x000003D3 -+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 -+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 -+ -+#define CKM_KEY_WRAP_LYNKS 0x00000400 -+#define CKM_KEY_WRAP_SET_OAEP 0x00000401 -+ -+/* CKM_CMS_SIG is new for v2.20 */ -+#define CKM_CMS_SIG 0x00000500 -+ -+/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */ -+#define CKM_KIP_DERIVE 0x00000510 -+#define CKM_KIP_WRAP 0x00000511 -+#define CKM_KIP_MAC 0x00000512 -+ -+/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_CAMELLIA_KEY_GEN 0x00000550 -+#define CKM_CAMELLIA_ECB 0x00000551 -+#define CKM_CAMELLIA_CBC 0x00000552 -+#define CKM_CAMELLIA_MAC 0x00000553 -+#define CKM_CAMELLIA_MAC_GENERAL 0x00000554 -+#define CKM_CAMELLIA_CBC_PAD 0x00000555 -+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 -+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 -+#define CKM_CAMELLIA_CTR 0x00000558 -+ -+/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_ARIA_KEY_GEN 0x00000560 
-+#define CKM_ARIA_ECB 0x00000561 -+#define CKM_ARIA_CBC 0x00000562 -+#define CKM_ARIA_MAC 0x00000563 -+#define CKM_ARIA_MAC_GENERAL 0x00000564 -+#define CKM_ARIA_CBC_PAD 0x00000565 -+#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 -+#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 -+ -+/* Fortezza mechanisms */ -+#define CKM_SKIPJACK_KEY_GEN 0x00001000 -+#define CKM_SKIPJACK_ECB64 0x00001001 -+#define CKM_SKIPJACK_CBC64 0x00001002 -+#define CKM_SKIPJACK_OFB64 0x00001003 -+#define CKM_SKIPJACK_CFB64 0x00001004 -+#define CKM_SKIPJACK_CFB32 0x00001005 -+#define CKM_SKIPJACK_CFB16 0x00001006 -+#define CKM_SKIPJACK_CFB8 0x00001007 -+#define CKM_SKIPJACK_WRAP 0x00001008 -+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009 -+#define CKM_SKIPJACK_RELAYX 0x0000100a -+#define CKM_KEA_KEY_PAIR_GEN 0x00001010 -+#define CKM_KEA_KEY_DERIVE 0x00001011 -+#define CKM_FORTEZZA_TIMESTAMP 0x00001020 -+#define CKM_BATON_KEY_GEN 0x00001030 -+#define CKM_BATON_ECB128 0x00001031 -+#define CKM_BATON_ECB96 0x00001032 -+#define CKM_BATON_CBC128 0x00001033 -+#define CKM_BATON_COUNTER 0x00001034 -+#define CKM_BATON_SHUFFLE 0x00001035 -+#define CKM_BATON_WRAP 0x00001036 -+ -+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, -+ * CKM_EC_KEY_PAIR_GEN is preferred */ -+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 -+#define CKM_EC_KEY_PAIR_GEN 0x00001040 -+ -+#define CKM_ECDSA 0x00001041 -+#define CKM_ECDSA_SHA1 0x00001042 -+ -+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE -+ * are new for v2.11 */ -+#define CKM_ECDH1_DERIVE 0x00001050 -+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 -+#define CKM_ECMQV_DERIVE 0x00001052 -+ -+#define CKM_JUNIPER_KEY_GEN 0x00001060 -+#define CKM_JUNIPER_ECB128 0x00001061 -+#define CKM_JUNIPER_CBC128 0x00001062 -+#define CKM_JUNIPER_COUNTER 0x00001063 -+#define CKM_JUNIPER_SHUFFLE 0x00001064 -+#define CKM_JUNIPER_WRAP 0x00001065 -+#define CKM_FASTHASH 0x00001070 -+ -+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, -+ * CKM_AES_MAC_GENERAL, 
CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, -+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are -+ * new for v2.11 */ -+#define CKM_AES_KEY_GEN 0x00001080 -+#define CKM_AES_ECB 0x00001081 -+#define CKM_AES_CBC 0x00001082 -+#define CKM_AES_MAC 0x00001083 -+#define CKM_AES_MAC_GENERAL 0x00001084 -+#define CKM_AES_CBC_PAD 0x00001085 -+ -+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_AES_CTR 0x00001086 -+ -+/* BlowFish and TwoFish are new for v2.20 */ -+#define CKM_BLOWFISH_KEY_GEN 0x00001090 -+#define CKM_BLOWFISH_CBC 0x00001091 -+#define CKM_TWOFISH_KEY_GEN 0x00001092 -+#define CKM_TWOFISH_CBC 0x00001093 -+ -+ -+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ -+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 -+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 -+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 -+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 -+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 -+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 -+ -+#define CKM_DSA_PARAMETER_GEN 0x00002000 -+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 -+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 -+ -+#define CKM_VENDOR_DEFINED 0x80000000 -+ -+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; -+ -+ -+/* CK_MECHANISM is a structure that specifies a particular -+ * mechanism */ -+typedef struct CK_MECHANISM { -+ CK_MECHANISM_TYPE mechanism; -+ CK_VOID_PTR pParameter; -+ -+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+ CK_ULONG ulParameterLen; /* in bytes */ -+} CK_MECHANISM; -+ -+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; -+ -+ -+/* CK_MECHANISM_INFO provides information about a particular -+ * mechanism */ -+typedef struct CK_MECHANISM_INFO { -+ CK_ULONG ulMinKeySize; -+ CK_ULONG ulMaxKeySize; -+ CK_FLAGS flags; -+} CK_MECHANISM_INFO; -+ -+/* The flags are defined as follows: -+ * Bit Flag Mask Meaning */ -+#define CKF_HW 0x00000001 /* performed by HW */ -+ -+/* The flags CKF_ENCRYPT, CKF_DECRYPT, 
CKF_DIGEST, CKF_SIGN, -+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, -+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, -+ * and CKF_DERIVE are new for v2.0. They specify whether or not -+ * a mechanism can be used for a particular task */ -+#define CKF_ENCRYPT 0x00000100 -+#define CKF_DECRYPT 0x00000200 -+#define CKF_DIGEST 0x00000400 -+#define CKF_SIGN 0x00000800 -+#define CKF_SIGN_RECOVER 0x00001000 -+#define CKF_VERIFY 0x00002000 -+#define CKF_VERIFY_RECOVER 0x00004000 -+#define CKF_GENERATE 0x00008000 -+#define CKF_GENERATE_KEY_PAIR 0x00010000 -+#define CKF_WRAP 0x00020000 -+#define CKF_UNWRAP 0x00040000 -+#define CKF_DERIVE 0x00080000 -+ -+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, -+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They -+ * describe a token's EC capabilities not available in mechanism -+ * information. */ -+#define CKF_EC_F_P 0x00100000 -+#define CKF_EC_F_2M 0x00200000 -+#define CKF_EC_ECPARAMETERS 0x00400000 -+#define CKF_EC_NAMEDCURVE 0x00800000 -+#define CKF_EC_UNCOMPRESS 0x01000000 -+#define CKF_EC_COMPRESS 0x02000000 -+ -+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */ -+ -+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; -+ -+ -+/* CK_RV is a value that identifies the return value of a -+ * Cryptoki function */ -+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ -+typedef CK_ULONG CK_RV; -+ -+#define CKR_OK 0x00000000 -+#define CKR_CANCEL 0x00000001 -+#define CKR_HOST_MEMORY 0x00000002 -+#define CKR_SLOT_ID_INVALID 0x00000003 -+ -+/* CKR_FLAGS_INVALID was removed for v2.0 */ -+ -+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ -+#define CKR_GENERAL_ERROR 0x00000005 -+#define CKR_FUNCTION_FAILED 0x00000006 -+ -+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, -+ * and CKR_CANT_LOCK are new for v2.01 */ -+#define CKR_ARGUMENTS_BAD 0x00000007 -+#define CKR_NO_EVENT 0x00000008 -+#define CKR_NEED_TO_CREATE_THREADS 
0x00000009 -+#define CKR_CANT_LOCK 0x0000000A -+ -+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010 -+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011 -+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012 -+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013 -+#define CKR_DATA_INVALID 0x00000020 -+#define CKR_DATA_LEN_RANGE 0x00000021 -+#define CKR_DEVICE_ERROR 0x00000030 -+#define CKR_DEVICE_MEMORY 0x00000031 -+#define CKR_DEVICE_REMOVED 0x00000032 -+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040 -+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041 -+#define CKR_FUNCTION_CANCELED 0x00000050 -+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051 -+ -+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ -+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054 -+ -+#define CKR_KEY_HANDLE_INVALID 0x00000060 -+ -+/* CKR_KEY_SENSITIVE was removed for v2.0 */ -+ -+#define CKR_KEY_SIZE_RANGE 0x00000062 -+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063 -+ -+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, -+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, -+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for -+ * v2.0 */ -+#define CKR_KEY_NOT_NEEDED 0x00000064 -+#define CKR_KEY_CHANGED 0x00000065 -+#define CKR_KEY_NEEDED 0x00000066 -+#define CKR_KEY_INDIGESTIBLE 0x00000067 -+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 -+#define CKR_KEY_NOT_WRAPPABLE 0x00000069 -+#define CKR_KEY_UNEXTRACTABLE 0x0000006A -+ -+#define CKR_MECHANISM_INVALID 0x00000070 -+#define CKR_MECHANISM_PARAM_INVALID 0x00000071 -+ -+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID -+ * were removed for v2.0 */ -+#define CKR_OBJECT_HANDLE_INVALID 0x00000082 -+#define CKR_OPERATION_ACTIVE 0x00000090 -+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091 -+#define CKR_PIN_INCORRECT 0x000000A0 -+#define CKR_PIN_INVALID 0x000000A1 -+#define CKR_PIN_LEN_RANGE 0x000000A2 -+ -+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ -+#define CKR_PIN_EXPIRED 0x000000A3 -+#define CKR_PIN_LOCKED 0x000000A4 -+ -+#define 
CKR_SESSION_CLOSED 0x000000B0 -+#define CKR_SESSION_COUNT 0x000000B1 -+#define CKR_SESSION_HANDLE_INVALID 0x000000B3 -+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4 -+#define CKR_SESSION_READ_ONLY 0x000000B5 -+#define CKR_SESSION_EXISTS 0x000000B6 -+ -+/* CKR_SESSION_READ_ONLY_EXISTS and -+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ -+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7 -+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8 -+ -+#define CKR_SIGNATURE_INVALID 0x000000C0 -+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1 -+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0 -+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1 -+#define CKR_TOKEN_NOT_PRESENT 0x000000E0 -+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1 -+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2 -+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0 -+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1 -+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2 -+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100 -+#define CKR_USER_NOT_LOGGED_IN 0x00000101 -+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102 -+#define CKR_USER_TYPE_INVALID 0x00000103 -+ -+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES -+ * are new to v2.01 */ -+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104 -+#define CKR_USER_TOO_MANY_TYPES 0x00000105 -+ -+#define CKR_WRAPPED_KEY_INVALID 0x00000110 -+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112 -+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113 -+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114 -+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 -+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 -+ -+/* These are new to v2.0 */ -+#define CKR_RANDOM_NO_RNG 0x00000121 -+ -+/* These are new to v2.11 */ -+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130 -+ -+/* These are new to v2.0 */ -+#define CKR_BUFFER_TOO_SMALL 0x00000150 -+#define CKR_SAVED_STATE_INVALID 0x00000160 -+#define CKR_INFORMATION_SENSITIVE 0x00000170 -+#define CKR_STATE_UNSAVEABLE 0x00000180 -+ -+/* 
These are new to v2.01 */ -+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190 -+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191 -+#define CKR_MUTEX_BAD 0x000001A0 -+#define CKR_MUTEX_NOT_LOCKED 0x000001A1 -+ -+/* The following return values are new for PKCS #11 v2.20 amendment 3 */ -+#define CKR_NEW_PIN_MODE 0x000001B0 -+#define CKR_NEXT_OTP 0x000001B1 -+ -+/* This is new to v2.20 */ -+#define CKR_FUNCTION_REJECTED 0x00000200 -+ -+#define CKR_VENDOR_DEFINED 0x80000000 -+ -+ -+/* CK_NOTIFY is an application callback that processes events */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_NOTIFICATION event, -+ CK_VOID_PTR pApplication /* passed to C_OpenSession */ -+); -+ -+ -+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec -+ * version and pointers of appropriate types to all the -+ * Cryptoki functions */ -+/* CK_FUNCTION_LIST is new for v2.0 */ -+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; -+ -+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; -+ -+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; -+ -+ -+/* CK_CREATEMUTEX is an application callback for creating a -+ * mutex object */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( -+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ -+); -+ -+ -+/* CK_DESTROYMUTEX is an application callback for destroying a -+ * mutex object */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_LOCKMUTEX is an application callback for locking a mutex */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_UNLOCKMUTEX is an application callback for unlocking a -+ * mutex */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_C_INITIALIZE_ARGS provides the optional arguments to -+ * C_Initialize */ -+typedef struct 
CK_C_INITIALIZE_ARGS { -+ CK_CREATEMUTEX CreateMutex; -+ CK_DESTROYMUTEX DestroyMutex; -+ CK_LOCKMUTEX LockMutex; -+ CK_UNLOCKMUTEX UnlockMutex; -+ CK_FLAGS flags; -+ CK_VOID_PTR pReserved; -+} CK_C_INITIALIZE_ARGS; -+ -+/* flags: bit flags that provide capabilities of the slot -+ * Bit Flag Mask Meaning -+ */ -+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 -+#define CKF_OS_LOCKING_OK 0x00000002 -+ -+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; -+ -+ -+/* additional flags for parameters to functions */ -+ -+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ -+#define CKF_DONT_BLOCK 1 -+ -+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. -+ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message -+ * Generation Function (MGF) applied to a message block when -+ * formatting a message block for the PKCS #1 OAEP encryption -+ * scheme. */ -+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; -+ -+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; -+ -+/* The following MGFs are defined */ -+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512 -+ * are new for v2.20 */ -+#define CKG_MGF1_SHA1 0x00000001 -+#define CKG_MGF1_SHA256 0x00000002 -+#define CKG_MGF1_SHA384 0x00000003 -+#define CKG_MGF1_SHA512 0x00000004 -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKG_MGF1_SHA224 0x00000005 -+ -+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. -+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source -+ * of the encoding parameter when formatting a message block -+ * for the PKCS #1 OAEP encryption scheme. */ -+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; -+ -+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; -+ -+/* The following encoding parameter sources are defined */ -+#define CKZ_DATA_SPECIFIED 0x00000001 -+ -+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10. -+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the -+ * CKM_RSA_PKCS_OAEP mechanism. 
*/ -+typedef struct CK_RSA_PKCS_OAEP_PARAMS { -+ CK_MECHANISM_TYPE hashAlg; -+ CK_RSA_PKCS_MGF_TYPE mgf; -+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source; -+ CK_VOID_PTR pSourceData; -+ CK_ULONG ulSourceDataLen; -+} CK_RSA_PKCS_OAEP_PARAMS; -+ -+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; -+ -+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11. -+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the -+ * CKM_RSA_PKCS_PSS mechanism(s). */ -+typedef struct CK_RSA_PKCS_PSS_PARAMS { -+ CK_MECHANISM_TYPE hashAlg; -+ CK_RSA_PKCS_MGF_TYPE mgf; -+ CK_ULONG sLen; -+} CK_RSA_PKCS_PSS_PARAMS; -+ -+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; -+ -+/* CK_EC_KDF_TYPE is new for v2.11. */ -+typedef CK_ULONG CK_EC_KDF_TYPE; -+ -+/* The following EC Key Derivation Functions are defined */ -+#define CKD_NULL 0x00000001 -+#define CKD_SHA1_KDF 0x00000002 -+ -+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11. -+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the -+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, -+ * where each party contributes one key pair. -+ */ -+typedef struct CK_ECDH1_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_ECDH1_DERIVE_PARAMS; -+ -+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; -+ -+ -+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11. -+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the -+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. 
*/ -+typedef struct CK_ECDH2_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+} CK_ECDH2_DERIVE_PARAMS; -+ -+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_ECMQV_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+ CK_OBJECT_HANDLE publicKey; -+} CK_ECMQV_DERIVE_PARAMS; -+ -+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; -+ -+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the -+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */ -+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; -+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; -+ -+/* The following X9.42 DH key derivation functions are defined -+ (besides CKD_NULL already defined : */ -+#define CKD_SHA1_KDF_ASN1 0x00000003 -+#define CKD_SHA1_KDF_CONCATENATE 0x00000004 -+ -+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11. -+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the -+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party -+ * contributes one key pair */ -+typedef struct CK_X9_42_DH1_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_X9_42_DH1_DERIVE_PARAMS; -+ -+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; -+ -+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11. 
-+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the -+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation -+ * mechanisms, where each party contributes two key pairs */ -+typedef struct CK_X9_42_DH2_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+} CK_X9_42_DH2_DERIVE_PARAMS; -+ -+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_X9_42_MQV_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+ CK_OBJECT_HANDLE publicKey; -+} CK_X9_42_MQV_DERIVE_PARAMS; -+ -+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; -+ -+/* CK_KEA_DERIVE_PARAMS provides the parameters to the -+ * CKM_KEA_DERIVE mechanism */ -+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */ -+typedef struct CK_KEA_DERIVE_PARAMS { -+ CK_BBOOL isSender; -+ CK_ULONG ulRandomLen; -+ CK_BYTE_PTR pRandomA; -+ CK_BYTE_PTR pRandomB; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_KEA_DERIVE_PARAMS; -+ -+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; -+ -+ -+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and -+ * CKM_RC2_MAC mechanisms. 
An instance of CK_RC2_PARAMS just -+ * holds the effective keysize */ -+typedef CK_ULONG CK_RC2_PARAMS; -+ -+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; -+ -+ -+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC -+ * mechanism */ -+typedef struct CK_RC2_CBC_PARAMS { -+ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ -+ -+ CK_BYTE iv[8]; /* IV for CBC mode */ -+} CK_RC2_CBC_PARAMS; -+ -+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; -+ -+ -+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the -+ * CKM_RC2_MAC_GENERAL mechanism */ -+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef struct CK_RC2_MAC_GENERAL_PARAMS { -+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ -+ CK_ULONG ulMacLength; /* Length of MAC in bytes */ -+} CK_RC2_MAC_GENERAL_PARAMS; -+ -+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ -+ CK_RC2_MAC_GENERAL_PARAMS_PTR; -+ -+ -+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and -+ * CKM_RC5_MAC mechanisms */ -+/* CK_RC5_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ CK_ULONG ulRounds; /* number of rounds */ -+} CK_RC5_PARAMS; -+ -+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; -+ -+ -+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC -+ * mechanism */ -+/* CK_RC5_CBC_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_CBC_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ CK_ULONG ulRounds; /* number of rounds */ -+ CK_BYTE_PTR pIv; /* pointer to IV */ -+ CK_ULONG ulIvLen; /* length of IV in bytes */ -+} CK_RC5_CBC_PARAMS; -+ -+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; -+ -+ -+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the -+ * CKM_RC5_MAC_GENERAL mechanism */ -+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_MAC_GENERAL_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ 
CK_ULONG ulRounds; /* number of rounds */ -+ CK_ULONG ulMacLength; /* Length of MAC in bytes */ -+} CK_RC5_MAC_GENERAL_PARAMS; -+ -+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ -+ CK_RC5_MAC_GENERAL_PARAMS_PTR; -+ -+ -+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block -+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of -+ * the MAC */ -+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef CK_ULONG CK_MAC_GENERAL_PARAMS; -+ -+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; -+ -+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */ -+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[8]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_DES_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_AES_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the -+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ -+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */ -+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { -+ CK_ULONG ulPasswordLen; -+ CK_BYTE_PTR pPassword; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPAndGLen; -+ CK_ULONG ulQLen; -+ CK_ULONG ulRandomLen; -+ CK_BYTE_PTR pRandomA; -+ CK_BYTE_PTR pPrimeP; -+ CK_BYTE_PTR pBaseG; -+ CK_BYTE_PTR pSubprimeQ; -+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; -+ -+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ -+ CK_SKIPJACK_PRIVATE_WRAP_PTR; -+ -+ -+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the -+ * CKM_SKIPJACK_RELAYX mechanism */ -+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */ -+typedef struct CK_SKIPJACK_RELAYX_PARAMS { -+ CK_ULONG ulOldWrappedXLen; -+ CK_BYTE_PTR pOldWrappedX; -+ CK_ULONG ulOldPasswordLen; -+ CK_BYTE_PTR pOldPassword; 
-+ CK_ULONG ulOldPublicDataLen; -+ CK_BYTE_PTR pOldPublicData; -+ CK_ULONG ulOldRandomLen; -+ CK_BYTE_PTR pOldRandomA; -+ CK_ULONG ulNewPasswordLen; -+ CK_BYTE_PTR pNewPassword; -+ CK_ULONG ulNewPublicDataLen; -+ CK_BYTE_PTR pNewPublicData; -+ CK_ULONG ulNewRandomLen; -+ CK_BYTE_PTR pNewRandomA; -+} CK_SKIPJACK_RELAYX_PARAMS; -+ -+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ -+ CK_SKIPJACK_RELAYX_PARAMS_PTR; -+ -+ -+typedef struct CK_PBE_PARAMS { -+ CK_BYTE_PTR pInitVector; -+ CK_UTF8CHAR_PTR pPassword; -+ CK_ULONG ulPasswordLen; -+ CK_BYTE_PTR pSalt; -+ CK_ULONG ulSaltLen; -+ CK_ULONG ulIteration; -+} CK_PBE_PARAMS; -+ -+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; -+ -+ -+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the -+ * CKM_KEY_WRAP_SET_OAEP mechanism */ -+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */ -+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { -+ CK_BYTE bBC; /* block contents byte */ -+ CK_BYTE_PTR pX; /* extra data */ -+ CK_ULONG ulXLen; /* length of extra data in bytes */ -+} CK_KEY_WRAP_SET_OAEP_PARAMS; -+ -+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \ -+ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; -+ -+ -+typedef struct CK_SSL3_RANDOM_DATA { -+ CK_BYTE_PTR pClientRandom; -+ CK_ULONG ulClientRandomLen; -+ CK_BYTE_PTR pServerRandom; -+ CK_ULONG ulServerRandomLen; -+} CK_SSL3_RANDOM_DATA; -+ -+ -+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { -+ CK_SSL3_RANDOM_DATA RandomInfo; -+ CK_VERSION_PTR pVersion; -+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; -+ -+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ -+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; -+ -+ -+typedef struct CK_SSL3_KEY_MAT_OUT { -+ CK_OBJECT_HANDLE hClientMacSecret; -+ CK_OBJECT_HANDLE hServerMacSecret; -+ CK_OBJECT_HANDLE hClientKey; -+ CK_OBJECT_HANDLE hServerKey; -+ CK_BYTE_PTR pIVClient; -+ CK_BYTE_PTR pIVServer; -+} CK_SSL3_KEY_MAT_OUT; -+ -+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; -+ -+ -+typedef struct CK_SSL3_KEY_MAT_PARAMS { -+ CK_ULONG ulMacSizeInBits; -+ 
CK_ULONG ulKeySizeInBits; -+ CK_ULONG ulIVSizeInBits; -+ CK_BBOOL bIsExport; -+ CK_SSL3_RANDOM_DATA RandomInfo; -+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -+} CK_SSL3_KEY_MAT_PARAMS; -+ -+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; -+ -+/* CK_TLS_PRF_PARAMS is new for version 2.20 */ -+typedef struct CK_TLS_PRF_PARAMS { -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+ CK_BYTE_PTR pLabel; -+ CK_ULONG ulLabelLen; -+ CK_BYTE_PTR pOutput; -+ CK_ULONG_PTR pulOutputLen; -+} CK_TLS_PRF_PARAMS; -+ -+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; -+ -+/* WTLS is new for version 2.20 */ -+typedef struct CK_WTLS_RANDOM_DATA { -+ CK_BYTE_PTR pClientRandom; -+ CK_ULONG ulClientRandomLen; -+ CK_BYTE_PTR pServerRandom; -+ CK_ULONG ulServerRandomLen; -+} CK_WTLS_RANDOM_DATA; -+ -+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; -+ -+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_WTLS_RANDOM_DATA RandomInfo; -+ CK_BYTE_PTR pVersion; -+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; -+ -+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ -+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_WTLS_PRF_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+ CK_BYTE_PTR pLabel; -+ CK_ULONG ulLabelLen; -+ CK_BYTE_PTR pOutput; -+ CK_ULONG_PTR pulOutputLen; -+} CK_WTLS_PRF_PARAMS; -+ -+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; -+ -+typedef struct CK_WTLS_KEY_MAT_OUT { -+ CK_OBJECT_HANDLE hMacSecret; -+ CK_OBJECT_HANDLE hKey; -+ CK_BYTE_PTR pIV; -+} CK_WTLS_KEY_MAT_OUT; -+ -+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; -+ -+typedef struct CK_WTLS_KEY_MAT_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_ULONG ulMacSizeInBits; -+ CK_ULONG ulKeySizeInBits; -+ CK_ULONG ulIVSizeInBits; -+ CK_ULONG ulSequenceNumber; -+ CK_BBOOL bIsExport; -+ CK_WTLS_RANDOM_DATA RandomInfo; -+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -+} 
CK_WTLS_KEY_MAT_PARAMS; -+ -+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; -+ -+/* CMS is new for version 2.20 */ -+typedef struct CK_CMS_SIG_PARAMS { -+ CK_OBJECT_HANDLE certificateHandle; -+ CK_MECHANISM_PTR pSigningMechanism; -+ CK_MECHANISM_PTR pDigestMechanism; -+ CK_UTF8CHAR_PTR pContentType; -+ CK_BYTE_PTR pRequestedAttributes; -+ CK_ULONG ulRequestedAttributesLen; -+ CK_BYTE_PTR pRequiredAttributes; -+ CK_ULONG ulRequiredAttributesLen; -+} CK_CMS_SIG_PARAMS; -+ -+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; -+ -+typedef struct CK_KEY_DERIVATION_STRING_DATA { -+ CK_BYTE_PTR pData; -+ CK_ULONG ulLen; -+} CK_KEY_DERIVATION_STRING_DATA; -+ -+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ -+ CK_KEY_DERIVATION_STRING_DATA_PTR; -+ -+ -+/* The CK_EXTRACT_PARAMS is used for the -+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit -+ * of the base key should be used as the first bit of the -+ * derived key */ -+/* CK_EXTRACT_PARAMS is new for v2.0 */ -+typedef CK_ULONG CK_EXTRACT_PARAMS; -+ -+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; -+ -+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10. -+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to -+ * indicate the Pseudo-Random Function (PRF) used to generate -+ * key bits using PKCS #5 PBKDF2. */ -+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; -+ -+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; -+ -+/* The following PRFs are defined in PKCS #5 v2.0. */ -+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 -+ -+ -+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10. -+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the -+ * source of the salt value when deriving a key using PKCS #5 -+ * PBKDF2. 
*/ -+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; -+ -+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; -+ -+/* The following salt value sources are defined in PKCS #5 v2.0. */ -+#define CKZ_SALT_SPECIFIED 0x00000001 -+ -+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10. -+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the -+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */ -+typedef struct CK_PKCS5_PBKD2_PARAMS { -+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; -+ CK_VOID_PTR pSaltSourceData; -+ CK_ULONG ulSaltSourceDataLen; -+ CK_ULONG iterations; -+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; -+ CK_VOID_PTR pPrfData; -+ CK_ULONG ulPrfDataLen; -+ CK_UTF8CHAR_PTR pPassword; -+ CK_ULONG_PTR ulPasswordLen; -+} CK_PKCS5_PBKD2_PARAMS; -+ -+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; -+ -+/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */ -+ -+typedef CK_ULONG CK_OTP_PARAM_TYPE; -+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */ -+ -+typedef struct CK_OTP_PARAM { -+ CK_OTP_PARAM_TYPE type; -+ CK_VOID_PTR pValue; -+ CK_ULONG ulValueLen; -+} CK_OTP_PARAM; -+ -+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR; -+ -+typedef struct CK_OTP_PARAMS { -+ CK_OTP_PARAM_PTR pParams; -+ CK_ULONG ulCount; -+} CK_OTP_PARAMS; -+ -+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR; -+ -+typedef struct CK_OTP_SIGNATURE_INFO { -+ CK_OTP_PARAM_PTR pParams; -+ CK_ULONG ulCount; -+} CK_OTP_SIGNATURE_INFO; -+ -+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR; -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */ -+#define CK_OTP_VALUE 0 -+#define CK_OTP_PIN 1 -+#define CK_OTP_CHALLENGE 2 -+#define CK_OTP_TIME 3 -+#define CK_OTP_COUNTER 4 -+#define CK_OTP_FLAGS 5 -+#define CK_OTP_OUTPUT_LENGTH 6 -+#define CK_OTP_OUTPUT_FORMAT 7 -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */ -+#define CKF_NEXT_OTP 0x00000001 -+#define 
CKF_EXCLUDE_TIME 0x00000002 -+#define CKF_EXCLUDE_COUNTER 0x00000004 -+#define CKF_EXCLUDE_CHALLENGE 0x00000008 -+#define CKF_EXCLUDE_PIN 0x00000010 -+#define CKF_USER_FRIENDLY_OTP 0x00000020 -+ -+/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */ -+typedef struct CK_KIP_PARAMS { -+ CK_MECHANISM_PTR pMechanism; -+ CK_OBJECT_HANDLE hKey; -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+} CK_KIP_PARAMS; -+ -+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR; -+ -+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_AES_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_AES_CTR_PARAMS; -+ -+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_CAMELLIA_CTR_PARAMS; -+ -+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+#endif -Index: openssl/util/libeay.num -diff -u openssl/util/libeay.num:1.1.2.1 openssl/util/libeay.num:1.4 ---- openssl/util/libeay.num:1.1.2.1 Sun Jun 22 01:10:04 2008 -+++ openssl/util/libeay.num Wed Dec 17 14:54:59 2008 -@@ -3700,3 +3700,4 @@ - FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION: - CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION: - OPENSSL_init 4091 
NOEXIST::FUNCTION: -+ENGINE_load_pk11 4092 EXIST::FUNCTION:ENGINE -Index: openssl/util/mk1mf.pl -diff -u openssl/util/mk1mf.pl:1.1.2.1 openssl/util/mk1mf.pl:1.5 ---- openssl/util/mk1mf.pl:1.1.2.1 Thu Jun 5 15:09:40 2008 -+++ openssl/util/mk1mf.pl Wed Dec 17 16:56:20 2008 -@@ -299,6 +299,9 @@ - if ($key eq "ZLIB_INCLUDE") - { $cflags .= " $val" if $val ne "";} - -+ if ($key eq "PK11_LIB_LOCATION") -+ { $cflags .= " -D$key=\\\"$val\\\"" if $val ne "";} -+ - if ($key eq "LIBZLIB") - { $zlib_lib = "$val" if $val ne "";} - -Index: openssl/util/pl/VC-32.pl -diff -u openssl/util/pl/VC-32.pl:1.1.2.1 openssl/util/pl/VC-32.pl:1.4 ---- openssl/util/pl/VC-32.pl:1.1.2.1 Fri Jun 6 20:48:57 2008 -+++ openssl/util/pl/VC-32.pl Thu Jan 1 14:38:50 2009 -@@ -99,7 +99,7 @@ - my $f = $shlib?' /MD':' /MT'; - $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib - $opt_cflags=$f.' /Ox /O2 /Ob2'; -- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG'; -+ $dbg_cflags=$f.'d /Od /Zi -DDEBUG -D_DEBUG'; - $lflags="/nologo /subsystem:console /opt:ref"; - } - $mlflags=''; diff --git a/contrib/pkcs11-keygen/readkey.c b/contrib/pkcs11-keygen/readkey.c deleted file mode 100644 index ced0fa9c..00000000 --- a/contrib/pkcs11-keygen/readkey.c +++ /dev/null 
@@ -1,225 +0,0 @@ -/* readkey [-s $slot] -l $label [-p $pin] -f $filename */ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <errno.h> -#include <string.h> -#include <sys/types.h> -#include <opencryptoki/pkcs11.h> -#include <openssl/conf.h> -#include <openssl/err.h> -#include <openssl/rsa.h> -#include <openssl/pem.h> - -static CK_BBOOL truevalue = TRUE; - -int -main(int argc, char *argv[]) -{ - RSA *rsa = NULL; - FILE *fp; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - char *label; - CK_OBJECT_HANDLE key = CK_INVALID_HANDLE; - CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY; - char *filename; - int error = 0; - int i = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_LABEL, NULL, 0}, - {CKA_TOKEN, &truevalue, sizeof (truevalue)}, - {CKA_CLASS, &kclass, sizeof (kclass)} - }; - CK_BYTE id[32]; - CK_BYTE data[8][1024]; - CK_ATTRIBUTE attr_template[] = { - {CKA_ID, &id, sizeof (id)}, - {CKA_MODULUS, (void *)data[0], 1024}, /* n */ - {CKA_PUBLIC_EXPONENT, (void *)data[1], 1024}, /* e */ - {CKA_PRIVATE_EXPONENT, (void *)data[2], 1024}, /* d */ - {CKA_PRIME_1, (void *)data[3], 1024}, /* p */ - {CKA_PRIME_2, (void *)data[4], 1024}, /* q */ - {CKA_EXPONENT_1, (void *)data[5], 1024}, /* dmp1 */ - {CKA_EXPONENT_2, (void *)data[6], 1024}, /* dmq1 */ - {CKA_COEFFICIENT, (void *)data[7], 1024} /* iqmp */ - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:l:p:f:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case 'f': - filename = optarg; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!label) || (!filename)) { - 
fprintf(stderr, - "usage: readkey [-s slot] -l label [-p pin] -f filename\n"); - exit(1); - } - if (slot) - printf("slot %d\n", slot); - - /* Initialize OpenSSL library */ - OPENSSL_config(NULL); - rsa = RSA_new(); - if (!rsa) { - fprintf(stderr, "RSA_new failed\n"); - ERR_print_errors_fp(stderr); - exit(1); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - /* Set search template. 
*/ - if (strstr(label, "pkcs11:") == label) - label = strstr(label, ":") + 1; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - - rv = C_FindObjectsInit(hSession, search_template, 3); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjects(hSession, &key, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount == 0) { - fprintf(stderr, "C_FindObjects: can't find the key\n"); - error = 1; - goto exit_search; - } - - rv = C_GetAttributeValue(hSession, key, attr_template, 9); - if (rv != CKR_OK) { - fprintf(stderr, "C_GetAttributeValue: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - - printf("ID[%u]=", attr_template[0].ulValueLen); - for (i = 0; i < attr_template[0].ulValueLen; i++) - printf("%02x", id[i]); - printf("\n"); - - if (attr_template[1].ulValueLen > 0) - rsa->n = BN_bin2bn(data[0], attr_template[1].ulValueLen, NULL); - if (attr_template[2].ulValueLen > 0) - rsa->e = BN_bin2bn(data[1], attr_template[2].ulValueLen, NULL); - if (attr_template[3].ulValueLen > 0) - rsa->d = BN_bin2bn(data[2], attr_template[3].ulValueLen, NULL); - if (attr_template[4].ulValueLen > 0) - rsa->p = BN_bin2bn(data[3], attr_template[4].ulValueLen, NULL); - if (attr_template[5].ulValueLen > 0) - rsa->q = BN_bin2bn(data[4], attr_template[5].ulValueLen, NULL); - if (attr_template[6].ulValueLen > 0) - rsa->dmp1 = BN_bin2bn(data[5], attr_template[6].ulValueLen, NULL); - if (attr_template[7].ulValueLen > 0) - rsa->dmq1 = BN_bin2bn(data[6], attr_template[7].ulValueLen, NULL); - if (attr_template[8].ulValueLen > 0) - rsa->iqmp = BN_bin2bn(data[7], attr_template[8].ulValueLen, NULL); - - rv = C_FindObjects(hSession, &key, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - 
} - if (ulObjectCount != 0) { - fprintf(stderr, "C_FindObjects: found extra keys?\n"); - error = 1; - goto exit_search; - } - - printf("RSA="); - RSA_print_fp(stdout, rsa, 4); - - fp = fopen(filename, "w"); - if (fp == NULL) { - printf("Error opening output file.\n"); - error = 1; - goto exit_search; - } - - if (!PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL)) { - printf("Error writing output file.\n"); - ERR_print_errors_fp(stderr); - error = 1; - goto exit_search; - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/set_key_id.c b/contrib/pkcs11-keygen/set_key_id.c deleted file mode 100644 index 3cb1cd3a..00000000 --- a/contrib/pkcs11-keygen/set_key_id.c +++ /dev/null 
@@ -1,154 +0,0 @@ -/* set_key_id [-s slot] [-p $pin] -n $keytag {-i $id | -l $label} */ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <errno.h> -#include <string.h> -#include <sys/types.h> -#include <opencryptoki/pkcs11.h> - -int -main(int argc, char *argv[]) -{ - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_BYTE old_id[2], new_id[2]; - CK_OBJECT_HANDLE akey; - int error = 0; - int i = 0; - int c, errflg = 0; - char *label = NULL; - CK_ULONG ulObjectCount; - int oid = 0, nid = 0; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &old_id, sizeof(old_id)} - }; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:i:n:l:p:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'i': - oid = atoi(optarg); - oid &= 0xffff; - old_id[0] = (oid >> 8) & 0xff; - old_id[1] = oid & 0xff; - break; - case 'n': - nid = atoi(optarg); - nid &= 0xffff; - new_id[0] = (nid >> 8) & 0xff; - new_id[1] = nid & 0xff; - break; - case 'l': - label = optarg; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!nid) || ((!oid) && (!label))) { - fprintf(stderr, - "usage: set_key_id [-s slot] [-p pin] -n new_id " - "{ -i old_id | -l label }\n"); - exit(1); - } - if (!label) - printf("old %i new %i\n", oid, nid); - else { - printf("label %s new %i\n", label, nid); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if (rv != CKR_OK) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, 
CKF_RW_SESSION+CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - rv = C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - ulObjectCount = 1; - while(ulObjectCount) { - rv = C_FindObjects(hSession, &akey, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } else if (ulObjectCount) { - /* Set update template. */ - CK_ATTRIBUTE new_template[] = { - {CKA_ID, &new_id, sizeof(new_id)} - }; - - rv = C_SetAttributeValue(hSession, akey, new_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_SetAttributeValue: rv = 0x%.8X\n", rv); - error = 1; - } - } - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/writekey.c b/contrib/pkcs11-keygen/writekey.c deleted file mode 100644 index b532963d..00000000 --- a/contrib/pkcs11-keygen/writekey.c +++ /dev/null 
@@ -1,355 +0,0 @@ -/* writekey [-s $slot] [-p $pin] -l $label -i $id -f $filename */ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <errno.h> -#include <string.h> -#include <sys/types.h> -#include <opencryptoki/pkcs11.h> -#include <openssl/conf.h> -#include <openssl/engine.h> -#include <openssl/err.h> -#include <openssl/rsa.h> -#include <openssl/pem.h> - -/* Define static key template values */ -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -int -main(int argc, char *argv[]) -{ - ENGINE *e; - RSA *rsa = NULL; - FILE *fp; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_UTF8CHAR *pin = NULL; - CK_BYTE new_id[2]; - CK_OBJECT_HANDLE key = CK_INVALID_HANDLE; - CK_OBJECT_CLASS kclass; - CK_KEY_TYPE ktype = CKK_RSA; - CK_ATTRIBUTE template[50]; - CK_ULONG template_size; - CK_BYTE data[8][1024]; - CK_ULONG ulObjectCount; - char *label = NULL, *filename = NULL; - int id = 0; - int error = 0; - int c, errflg = 0; - extern char *optarg; - extern int optopt; - - while ((c = getopt(argc, argv, ":s:l:i:p:f:")) != -1) { - switch (c) { - case 's': - slot = atoi(optarg); - break; - case 'l': - label = optarg; - break; - case 'i': - id = atoi(optarg); - id &= 0xffff; - break; - case 'p': - pin = (CK_UTF8CHAR *)optarg; - break; - case 'f': - filename = optarg; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", optopt); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", optopt); - errflg++; - } - } - if ((errflg) || (!label) || (!id) || (!filename)) { - fprintf(stderr, - "usage: writekey [-s slot] [-p pin] -l label -i id " - "-f filename\n"); - exit(2); - } - - /* Load the config file */ - OPENSSL_config(NULL); - - /* Register engine */ - e = ENGINE_by_id("pkcs11"); - if (!e) { - /* the engine isn't available */ - printf("The engine isn't available\n"); - ERR_print_errors_fp(stderr); - exit(1); - } - - if (!ENGINE_init(e)) { - 
/* the engine couldn't initialise, release 'e' */ - printf("The engine couldn't initialise\n"); - ERR_print_errors_fp(stderr); - ENGINE_free(e); - exit(1); - } - - /* Read the key */ - fp = fopen(filename, "r"); - if (fp == NULL) { - printf("Error opening input file.\n"); - ENGINE_free(e); - exit(1); - } - - rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); - (void) fclose(fp); - if (rsa == NULL) { - printf("Error reading input file.\n"); - ERR_print_errors_fp(stderr); - ENGINE_free(e); - exit(1); - } - - /* Initialize the CRYPTOKI library */ - rv = C_Initialize(NULL_PTR); - if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) { - fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv); - ENGINE_free(e); - exit(1); - } - - /* Open a session on the slot found */ - rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, - NULL_PTR, NULL_PTR, &hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv); - error = 1; - goto exit_program; - } - - /* Login to the Token (Keystore) */ - if (!pin) -#ifndef HAVE_GETPASS - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -#else - pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); -#endif - rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); - memset(pin, 0, strlen((char *)pin)); - if (rv != CKR_OK) { - fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - - /* fill the search template */ - if (strstr(label, "pkcs11:") == label) - label = strstr(label, ":") + 1; - kclass = CKO_PRIVATE_KEY; - template[0].type = CKA_TOKEN; - template[0].pValue = &truevalue; - template[0].ulValueLen = sizeof (truevalue); - template[1].type = CKA_CLASS; - template[1].pValue = &kclass; - template[1].ulValueLen = sizeof (kclass); - template[2].type = CKA_LABEL; - template[2].pValue = label; - template[2].ulValueLen = strlen(label); - - /* check if a key with the same label already exists */ - rv = C_FindObjectsInit(hSession, template, 3); - if (rv != CKR_OK) { - 
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv); - error = 1; - goto exit_session; - } - rv = C_FindObjects(hSession, &key, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - if (ulObjectCount != 0) { - fprintf(stderr, "Key already exists.\n"); - error = 1; - goto exit_search; - } - - /* fill attributes for the public key */ - new_id[0] = (id >> 8) & 0xff; - new_id[1] = id & 0xff; - kclass = CKO_PUBLIC_KEY; - if (BN_num_bytes(rsa->n) > 1024) { - fprintf(stderr, "RSA modulus too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->n, data[0]); - if (BN_num_bytes(rsa->e) > 1024) { - fprintf(stderr, "RSA public exponent too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->e, data[1]); - if (BN_num_bytes(rsa->d) > 1024) { - fprintf(stderr, "RSA private exponent too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->d, data[2]); - if (BN_num_bytes(rsa->p) > 1024) { - fprintf(stderr, "RSA prime 1 too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->p, data[3]); - if (BN_num_bytes(rsa->q) > 1024) { - fprintf(stderr, "RSA prime 2 too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->q, data[4]); - if (BN_num_bytes(rsa->dmp1) > 1024) { - fprintf(stderr, "RSA exponent 1 too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->dmp1, data[5]); - if (BN_num_bytes(rsa->dmq1) > 1024) { - fprintf(stderr, "RSA exponent 2 too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->dmq1, data[6]); - if (BN_num_bytes(rsa->iqmp) > 1024) { - fprintf(stderr, "RSA coefficient too large\n"); - error = 1; - goto exit_search; - } - BN_bn2bin(rsa->iqmp, data[7]); - - template[0].type = CKA_TOKEN; - template[0].pValue = &truevalue; - template[0].ulValueLen = sizeof (truevalue); - template[1].type = CKA_CLASS; - template[1].pValue = &kclass; - template[1].ulValueLen = sizeof (kclass); - template[2].type = 
CKA_LABEL; - template[2].pValue = label; - template[2].ulValueLen = strlen(label); - template[3].type = CKA_ID; - template[3].pValue = new_id; - template[3].ulValueLen = sizeof (new_id); - template[4].type = CKA_KEY_TYPE; - template[4].pValue = &ktype; - template[4].ulValueLen = sizeof (ktype); - template[5].type = CKA_ENCRYPT; - template[5].pValue = &truevalue; - template[5].ulValueLen = sizeof (truevalue); - template[6].type = CKA_VERIFY; - template[6].pValue = &truevalue; - template[6].ulValueLen = sizeof (truevalue); - template[7].type = CKA_VERIFY_RECOVER; - template[7].pValue = &truevalue; - template[7].ulValueLen = sizeof (truevalue); - template[8].type = CKA_MODULUS; - template[8].pValue = data[0]; - template[8].ulValueLen = BN_num_bytes(rsa->n); - template[9].type = CKA_PUBLIC_EXPONENT; - template[9].pValue = data[1]; - template[9].ulValueLen = BN_num_bytes(rsa->e); - - rv = C_CreateObject(hSession, template, 10, &key); - if (rv != CKR_OK) { - fprintf(stderr, "C_CreateObject (pub): Error = 0x%.8X\n", rv); - error = 1; - goto exit_search; - } - - /* fill attributes for the private key */ - kclass = CKO_PRIVATE_KEY; - template[0].type = CKA_TOKEN; - template[0].pValue = &truevalue; - template[0].ulValueLen = sizeof (truevalue); - template[1].type = CKA_CLASS; - template[1].pValue = &kclass; - template[1].ulValueLen = sizeof (kclass); - template[2].type = CKA_LABEL; - template[2].pValue = label; - template[2].ulValueLen = strlen(label); - template[3].type = CKA_ID; - template[3].pValue = new_id; - template[3].ulValueLen = sizeof (new_id); - template[4].type = CKA_KEY_TYPE; - template[4].pValue = &ktype; - template[4].ulValueLen = sizeof (ktype); - template[5].type = CKA_SENSITIVE; - template[5].pValue = &falsevalue; - template[5].ulValueLen = sizeof (falsevalue); - template[6].type = CKA_EXTRACTABLE; - template[6].pValue = &truevalue; - template[6].ulValueLen = sizeof (truevalue); - template[7].type = CKA_DECRYPT; - template[7].pValue = &truevalue; - 
template[7].ulValueLen = sizeof (truevalue); - template[8].type = CKA_SIGN; - template[8].pValue = &truevalue; - template[8].ulValueLen = sizeof (truevalue); - template[9].type = CKA_SIGN_RECOVER; - template[9].pValue = &truevalue; - template[9].ulValueLen = sizeof (truevalue); - template[10].type = CKA_MODULUS; - template[10].pValue = data[0]; - template[10].ulValueLen = BN_num_bytes(rsa->n); - template[11].type = CKA_PUBLIC_EXPONENT; - template[11].pValue = data[1]; - template[11].ulValueLen = BN_num_bytes(rsa->e); - template[12].type = CKA_PRIVATE_EXPONENT; - template[12].pValue = data[2]; - template[12].ulValueLen = BN_num_bytes(rsa->d); - template[13].type = CKA_PRIME_1; - template[13].pValue = data[3]; - template[13].ulValueLen = BN_num_bytes(rsa->p); - template[14].type = CKA_PRIME_2; - template[14].pValue = data[4]; - template[14].ulValueLen = BN_num_bytes(rsa->q); - template[15].type = CKA_EXPONENT_1; - template[15].pValue = data[5]; - template[15].ulValueLen = BN_num_bytes(rsa->dmp1); - template[16].type = CKA_EXPONENT_2; - template[16].pValue = data[6]; - template[16].ulValueLen = BN_num_bytes(rsa->dmq1); - template[17].type = CKA_COEFFICIENT; - template[17].pValue = data[7]; - template[17].ulValueLen = BN_num_bytes(rsa->iqmp); - - rv = C_CreateObject(hSession, template, 18, &key); - if (rv != CKR_OK) { - fprintf(stderr, "C_CreateObject (priv): Error = 0x%.8X\n", rv); - (void) C_DestroyObject(hSession, key); - error = 1; - goto exit_search; - } - - exit_search: - rv = C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv); - error = 1; - } - - exit_session: - (void) C_CloseSession(hSession); - - exit_program: - (void) C_Finalize(NULL_PTR); - ENGINE_free(e); - ENGINE_cleanup(); - - exit(error); -} diff --git a/contrib/pkcs11-keygen/writekey.sh b/contrib/pkcs11-keygen/writekey.sh deleted file mode 100755 index 9b235d09..00000000 --- a/contrib/pkcs11-keygen/writekey.sh +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/bash --debug - -usage="Usage: $0 -x ext -p pin -f keyrootname" -tmp_file=/tmp/cur_pem.$$ -while getopts ":x:p:f:" opt; do - case $opt in - x ) ext=$OPTARG ;; - p ) pin=$OPTARG ;; - f ) root=$OPTARG ;; - \? ) echo $usage - exit 1 ;; - esac -done -shift $(($OPTIND -1)) - -if [ ! "$ext" -o ! "$pin" -o ! "$root" ] ; then - echo $usage - exit 1 -fi - -keyfile=${root}.key -privfile=${root}.private -file=`basename $root | sed 's/^K//'` -zone=`echo $file | awk -F+ '{ print $1 }' | sed 's/\.$//'` -algo=`echo $file | awk -F+ '{ print $2 }'` -tag=`echo $file | awk -F+ '{ print $3 }'` - -# debug -echo 'zone: ' $zone -echo 'algo: ' $algo -echo 'tag: ' $tag - -if [ ! -r "$keyfile" ] ; then - echo "can't read " $keyfile - exit 1 -fi -if [ ! -r "$privfile" ] ; then - echo "can't read " $privfile - exit 1 -fi - -if [ "$algo" != "005" ] ; then - echo 'algorithm must be 005' - exit 1 -fi - -# for testing -mypath=. - -echo 'Reading key files' -flag=`$mypath/keydump.pl -k $keyfile -p $privfile -o $tmp_file` - -if [ "$flag" = "256" ] ; then - label=$zone,zsk,$ext -elif [ "$flag" = "257" ] ; then - label=$zone,ksk,$ext -else - echo 'flag must be 256 or 257' - rm $tmp_file - exit 1 -fi - -echo "Label will be '"$label"'" -$mypath/writekey -p $pin -l $label -i $tag -f $tmp_file - -rm $tmp_file - -echo 'Now you can add at the end of ' $privfile -/usr/bin/perl <<EOF -use MIME::Base64; -print "Engine: ", encode_base64("pkcs11\0",""), "\n"; -print "Label: ", encode_base64("pkcs11:"."$label"."\0",""), "\n"; -EOF diff --git a/contrib/zkt/CHANGELOG b/contrib/zkt/CHANGELOG index 33db8ee3..423797f9 100644 --- a/contrib/zkt/CHANGELOG +++ b/contrib/zkt/CHANGELOG 
@@ -1,4 +1,58 @@ -zkt 0.98 -- 30. Dec 2008 +zkt 0.99c -- 1. Aug 2009 + +* misc dnssec-signer command line option vars changed to storage + class static. + +* port setenv() replaced by putenv() in misc.c + +* misc Install binaries in prefix/bin instead of $HOME/bin. + Fixing some spelling errors in dnssec-signzone.8 and + dnssec-zkt.8. + Thanks to Mans Nilsson. + +* port timegm() check added to configure.ac + +* misc configure.ac, Makefile.in, and doc is now part of distribution + +* bug off by one error fixed in splitpath() + +* misc is_dotfile() renamed to is_dotfilename() (misc.c) + +* misc inc_soaserial() sourced out to soaserial.c + +* misc reload() functions sourced out to nscomm.c + +* bug Introducing parameter "KeyAlgorithm" for both ZSK and + KSK keys instead of separate KSK and ZSK algorithms. + New functions dki_algo() and dki_findalgo(). + +* bug Redirect stderr message (additionally to stdout) of + dnssec-signzone command to pipe. + Pick up last line of output for logging. + +* misc "Sig_GenerateDS" is no longer a hidden parameter. + +* misc "make clean" now remove the binary files + New target "distclean" added to Makefile + +* bug Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick + Soderblum and Peter Norin for the patch) + Changed all TIMEINT parameter values to long. + +* bug If someone changes the zone.db file in dynamic mode, this will be treated + the same way as an initial setup, so the zone.db file will be used as new + input file (Thanks to Shane Wegner for this patch) + +* bug Option nsec3_param added to dnssec-signzone command for dynamic zones. + +* func New option "NamedChrootDir" added to dnssec.conf to specify the + directory of a chrooted named. Without such an option + "dnssec-signer -N named.conf" couldn't find the zone file directory. + +* misc Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to + suppress the warning message about ZSK keysize of 512 bits. + +zkt 0.98 -- 28. 
Dec 2008 * misc Target "install-man" added to Makefile man files moved to sub directory "man" diff --git a/contrib/zkt/Makefile.in b/contrib/zkt/Makefile.in index 2de9427c..7c61450e 100644 --- a/contrib/zkt/Makefile.in +++ b/contrib/zkt/Makefile.in @@ -6,7 +6,6 @@ prefix = @prefix@ mandir = @mandir@ -INSTALL_DIR = $$HOME/bin CC = @CC@ @@ -25,11 +24,12 @@ VERSION = @PACKAGE_VERSION@ HEADER = dki.h misc.h domaincmp.h zconf.h config_zkt.h \ config.h.in strlist.h zone.h zkt.h debug.h \ - ncparse.h log.h rollover.h + ncparse.h log.h rollover.h nscomm.h soaserial.h SRC_ALL = dki.c misc.c domaincmp.c zconf.c log.c OBJ_ALL = $(SRC_ALL:.c=.o) -SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c +SRC_SIG = dnssec-signer.c zone.c ncparse.c rollover.c \ + nscomm.c soaserial.c OBJ_SIG = $(SRC_SIG:.c=.o) MAN_SIG = dnssec-signer.8 PROG_SIG= dnssec-signer @@ -47,17 +47,18 @@ PROG_SER= zkt-soaserial MAN_ALL = $(MAN_ZKT) $(MAN_SIG) #$(MAN_SER) OTHER = README README.logging TODO LICENSE CHANGELOG tags Makefile.in \ configure examples -SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) man $(OTHER) -MNTSAVE = $(SAVE) configure.ac config.h.in doc +SAVE = $(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \ + man configure.ac config.h.in doc +#MNTSAVE = $(SAVE) configure.ac config.h.in doc all: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) -macos: ## for MAC OS +macos: ## for MAC OS (depreciated) macos: $(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all -solaris: ## for solaris +solaris: ## for solaris (depreciated) solaris: @$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all 
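Review bot: The new target comments in the `@@ -47,17 +47,18 @@` hunk read `## for MAC OS (depreciated)` and `## for solaris (depreciated)`; the intended word is "deprecated" ("depreciated" means lost in value). The `##` comments appear to be what the `help:` target further down this Makefile prints, so the typo would be user-visible. Suggest `macos: ## for MAC OS (deprecated)` and `solaris: ## for solaris (deprecated)`.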
@@ -74,13 +75,16 @@ $(PROG_ZKT): $(OBJ_ZKT) $(OBJ_ALL) Makefile $(PROG_SER): $(OBJ_SER) Makefile $(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER) -install: ## install binaries in INSTALL_DIR +install: ## install binaries in prefix/bin install: $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) - cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR) + test -d $(prefix)/bin || mkdir -p $(prefix)/bin + cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/ install-man: ## install man pages in mandir install-man: - test -d $(mandir)/man8/ && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/ + test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/ + cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/ + tags: ## create tags file @@ -89,20 +93,19 @@ tags: $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) clean: ## remove objectfiles and binaries clean: - rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) + -rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \ + $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) + +distclean: ## remove objectfiles, binaries and distribution files +distclean: clean + -rm -f Makefile config.h config.log config.status config.cache \ + $(PROJECT)-$(VERSION).tar.gz -dist: ## create tar file for distribution -dist: $(PROJECT)-$(VERSION).tar.gz tar: ## create tar file for distribution tar: $(PROJECT)-$(VERSION).tar.gz -maintain: ## create configure script -maintain: configure - -mainttar: ## create tar file for maintenance -mainttar: $(PROJECT)-maint-$(VERSION).tar.gz - -configure: configure.ac +configure: ## create configure script +configure: configure.ac Makefile.in autoconf && autoheader man: man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf 
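Review bot: The rewritten `install` target hard-codes `$(prefix)/bin` and uses plain `cp`, although this Makefile.in is substituted by configure, whose updated script in this same commit defines `bindir='${exec_prefix}/bin'`; a `--bindir=` override or a staged package build (`DESTDIR`) is therefore ignored, and the installed binaries inherit whatever mode the build tree happened to give them. Adding `bindir = @bindir@` next to the existing `prefix = @prefix@` and changing the recipe to `test -d $(DESTDIR)$(bindir) || mkdir -p $(DESTDIR)$(bindir)` followed by `install -m 755 $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(DESTDIR)$(bindir)/` (or configure's `@INSTALL@` if configure.ac runs AC_PROG_INSTALL) fixes all three. The `install-man` recipe in the same hunk has the same `DESTDIR` gap with `$(mandir)/man8/`.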
@@ -124,12 +127,6 @@ $(PROJECT)-$(VERSION).tar.gz: $(SAVE) cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-$(VERSION).tar.gz $$distfiles ;\ ) -$(PROJECT)-maint-$(VERSION).tar.gz: $(MNTSAVE) - ( \ - distfiles=`ls -d $(MNTSAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\ - cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\ - ) - depend: $(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL) @@ -138,14 +135,17 @@ help: ## all dependicies #:r !make depend -#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c +#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \ - ncparse.h zone.h dki.h rollover.h log.h + ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \ zone.h ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \ log.h rollover.h +nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \ + misc.h debug.h +soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \ dki.h zkt.h strlist.o: strlist.c strlist.h diff --git a/contrib/zkt/README b/contrib/zkt/README index 2009a44e..de95c08e 100644 --- a/contrib/zkt/README +++ b/contrib/zkt/README @@ -1,7 +1,7 @@ # # README dnssec zone key tool # -# (c) March 2005 - Dec 2008 by Holger Zuleger hznet +# (c) March 2005 - Aug 2009 by Holger Zuleger hznet # (c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho) # (c) for zconf.c by Jeroen Masar & Holger Zuleger # 
@@ -16,13 +16,13 @@ The complete software stands under BSD licence (see LICENCE file) To build the software: a) Get the current version of zkt - $ wget http://www.hznet.de/dns/zkt/zkt-0.98.tar.gz + $ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz b) Unpack - $ tar xzvf zkt-0.98.tar.gz + $ tar xzvf zkt-0.99c.tar.gz c) Change to dir - $ cd zkt-0.98 + $ cd zkt-0.99c d) Run configure script $ ./configure @@ -33,7 +33,8 @@ f) Compile $ make g) Install - $ make install # this will copy the binarys to $HOME/bin + # make install + # make install-man h) (optional) Install and modify the default dnssec.conf file $ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf diff --git a/contrib/zkt/README.logging b/contrib/zkt/README.logging index e1307513..dc9293a9 100644 --- a/contrib/zkt/README.logging +++ b/contrib/zkt/README.logging @@ -55,6 +55,7 @@ Current logging messages: Start and stop of dnssec-signer Re-signing events Key rollover events + KSK key generation and revoking Zone reload resp. freeze/thaw of dynamic zone LG_INFO: Currently none planned: diff --git a/contrib/zkt/TODO b/contrib/zkt/TODO index fc532105..12abdb05 100644 --- a/contrib/zkt/TODO +++ b/contrib/zkt/TODO @@ -1,16 +1,15 @@ -TODO list as of zkt-0.97 +TODO list as of zkt-0.99 general: Renaming of the tools to zkt-* ? dnssec-zkt: feat option to specify the key age as remaining lifetime - (Option -i inverse age ?) As of v0.95 the key lifetime - is stored at the key itself, so this could be possibly - implemented without big effort(?). + (Option -i inverse age ?). dnssec-signer: - bug Distribute_Cmd will not work properly on dynamic zones + bug Distribute_Cmd wouldn't work properly on dynamic zones + (missing freeze, thaw; copy Keyfiles instead of signed zone file) bug Automatic KSK rollover of dynamic zones will only work if the parent uses the standard name for the signed zonefile (zonefile.db.signed). 
@@ -19,7 +18,7 @@ dnssec-signer: (Key removal is not recognized by dosigning () function ) bug There is no online checking of the key material by design. - So the signer command checks the status of the key as they + The signer command checks the status of the key as they are represented in the file system and not in the zone. The dnssec maintainer is responsible for the lifeliness of the data in the hosted domain. diff --git a/contrib/zkt/config.h.in b/contrib/zkt/config.h.in index fa6ef0fa..76b786b1 100644 --- a/contrib/zkt/config.h.in +++ b/contrib/zkt/config.h.in @@ -34,6 +34,9 @@ /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY +/* Define to 1 if you have the `getuid' function. */ +#undef HAVE_GETUID + /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H @@ -53,8 +56,8 @@ /* Define to 1 if you have the <netdb.h> header file. */ #undef HAVE_NETDB_H -/* Define to 1 if you have the `setenv' function. */ -#undef HAVE_SETENV +/* Define to 1 if you have the `putenv' function. */ +#undef HAVE_PUTENV /* Define to 1 if you have the `socket' function. */ #undef HAVE_SOCKET @@ -119,6 +122,9 @@ /* Define to 1 if you have the <sys/types.h> header file. */ #undef HAVE_SYS_TYPES_H +/* Define to 1 if you have the `timegm' function. */ +#undef HAVE_TIMEGM + /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET @@ -198,7 +204,7 @@ /* Define to rpl_malloc if the replacement function should be used. */ #undef malloc -/* Define to `unsigned' if <sys/types.h> does not define. */ +/* Define to `unsigned int' if <sys/types.h> does not define. */ #undef size_t /* Define to `unsigned char' if <sys/types.h> does not define. */ diff --git a/contrib/zkt/config_zkt.h b/contrib/zkt/config_zkt.h index 96c0d890..b1035293 100644 --- a/contrib/zkt/config_zkt.h +++ b/contrib/zkt/config_zkt.h 
@@ -37,10 +37,6 @@ #ifndef CONFIG_ZKT_H # define CONFIG_ZKT_H -#ifndef HAS_TIMEGM -# define HAS_TIMEGM 1 -#endif - #ifndef LOG_FNAMETMPL # define LOG_FNAMETMPL "/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log" #endif @@ -52,13 +48,9 @@ # define HAS_UTYPES 1 #endif -#ifndef HAVE_GETOPT_LONG -# define HAVE_GETOPT_LONG 1 -#endif - -#ifndef HAVE_STRFTIME -# define HAVE_STRFTIME 1 -#endif +/* # define HAVE_TIMEGM 1 */ +/* # define HAVE_GETOPT_LONG 1 */ +/* # define HAVE_STRFTIME 1 */ #ifndef TTL_IN_KEYFILE_ALLOWED # define TTL_IN_KEYFILE_ALLOWED 1 @@ -84,6 +76,10 @@ # define LOG_WITH_LEVEL 1 #endif +#ifndef ALWAYS_CHECK_KEYSETFILES +# define ALWAYS_CHECK_KEYSETFILES 1 +#endif + #ifndef CONFIG_PATH # define CONFIG_PATH "/var/named/" #endif @@ -104,9 +100,9 @@ #ifndef ZKT_VERSION # if defined(USE_TREE) && USE_TREE -# define ZKT_VERSION "vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de" +# define ZKT_VERSION "vT0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de" # else -# define ZKT_VERSION "v0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de" +# define ZKT_VERSION "v0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de" # endif #endif diff --git a/contrib/zkt/configure b/contrib/zkt/configure index cc796cdc..8d4d4963 100755 --- a/contrib/zkt/configure +++ b/contrib/zkt/configure 
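Review bot: The `@@ -52,13 +48,9 @@` hunk replaces the `HAVE_GETOPT_LONG` and `HAVE_STRFTIME` default-to-1 blocks with three commented-out lines (`/* # define HAVE_TIMEGM 1 */` …) and nothing that says where these macros now come from. Presumably they are expected from the configure-generated config.h (this commit adds `HAVE_TIMEGM` to config.h.in), so a translation unit that includes config_zkt.h without config.h, or a build that skips configure, now silently takes the feature-absent path where it previously got the old default; the unchanged `solaris` target still passes `-D HAVE_GETOPT_LONG=0`, which would then collide with config.h's definition. Replace the dead lines with a comment such as `/* HAVE_TIMEGM, HAVE_GETOPT_LONG and HAVE_STRFTIME come from the configure-generated config.h; include it before this header. */`, or include config.h here under `#ifdef HAVE_CONFIG_H`. The new `ALWAYS_CHECK_KEYSETFILES` block in the `@@ -84,6 +76,10 @@` hunk would also benefit from a one-line comment stating what it enables.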
@@ -1,27 +1,56 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for ZKT 0.98. +# Generated by GNU Autoconf 2.61 for ZKT 0.99c. # # Report bugs to <Holger Zuleger hznet.de>. # -# Copyright (C) 2003 Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## --------------------- ## ## M4sh Initialization. ## ## --------------------- ## -# Be Bourne compatible +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' -elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then - set -o posix + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh fi -DUALCASE=1; export DUALCASE # for MKS sh # Support unset when possible. if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then 
@@ -31,8 +60,43 @@ else fi +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +as_nl=' +' +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } +fi + # Work around bugs in pre-3.0 UWIN ksh. -$as_unset ENV MAIL MAILPATH +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done PS1='$ ' PS2='> ' PS4='+ ' @@ -46,18 +110,19 @@ do if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then eval $as_var=C; export $as_var else - $as_unset $as_var + ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var fi done # Required to use basename. -if expr a : '\(a\)' >/dev/null 2>&1; then +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi -if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false 
@@ -65,157 +130,388 @@ fi # Name of the executable. -as_me=`$as_basename "$0" || +as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)$' \| \ - . : '\(.\)' 2>/dev/null || + X"$0" : 'X\(/\)' \| . 2>/dev/null || echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } - /^X\/\(\/\/\)$/{ s//\1/; q; } - /^X\/\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` +# CDPATH. +$as_unset CDPATH -# PATH needs CR, and LINENO needs CR and PATH. -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conf$$.sh - echo "exit 0" >>conf$$.sh - chmod +x conf$$.sh - if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conf$$.sh +if test "x$CONFIG_SHELL" = x; then + if (eval ":") 2>/dev/null; then + as_have_required=yes +else + as_have_required=no fi + if test $as_have_required = yes && (eval ": +(as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} - as_lineno_1=$LINENO - as_lineno_2=$LINENO - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" || { - # Find who we are. Look in the path if we contain no path at all - # relative or not. - case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi - ;; - esac - # We did not find ourselves, most probably we were run as `sh COMMAND' - # in which case we are not to be found in the path. - if test "x$as_myself" = x; then - as_myself=$0 - fi - if test ! -f "$as_myself"; then - { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2 - { (exit 1); exit 1; }; } - fi - case $CONFIG_SHELL in - '') +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test \$exitcode = 0) || { (exit 1); exit 1; } + +( + as_lineno_1=\$LINENO + as_lineno_2=\$LINENO + test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && + test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } +") 2> /dev/null; then + : +else + as_candidate_shells= as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for as_base in sh bash ksh sh5; do - case $as_dir in + case $as_dir in /*) - if ("$as_dir/$as_base" -c ' + for as_base in sh bash ksh sh5; do + as_candidate_shells="$as_candidate_shells $as_dir/$as_base" + done;; + esac +done +IFS=$as_save_IFS + + + for as_shell in $as_candidate_shells $SHELL; do + # Try only shells that exist, to save several forks. 
+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { ("$as_shell") 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + +: +_ASEOF +}; then + CONFIG_SHELL=$as_shell + as_have_required=yes + if { "$as_shell" 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + +: +(as_func_return () { + (exit $1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = "$1" ); then + : +else + exitcode=1 + echo positional parameters were not saved. 
+fi + +test $exitcode = 0) || { (exit 1); exit 1; } + +( as_lineno_1=$LINENO as_lineno_2=$LINENO - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then - $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; } - $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; } - CONFIG_SHELL=$as_dir/$as_base - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" ${1+"$@"} - fi;; - esac - done -done -;; - esac + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } + +_ASEOF +}; then + break +fi + +fi + + done + + if test "x$CONFIG_SHELL" != x; then + for as_var in BASH_ENV ENV + do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var + done + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} +fi + + + if test $as_have_required = no; then + echo This script requires a shell more modern than all the + echo shells that I found on your system. Please install a + echo modern shell, or manually run the script under such a + echo shell if you do have one. + { (exit 1); exit 1; } +fi + + +fi + +fi + + + +(eval "as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test \$exitcode = 0") || { + echo No shell found that supports shell functions. 
+ echo Please tell autoconf@gnu.org about your system, + echo including any error possibly output before this + echo message +} + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { # Create $as_me.lineno as a copy of $as_myself, but with $LINENO # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line before each line; the second 'sed' does the real - # work. The second script uses 'N' to pair each line-number line - # with the numbered line, and appends trailing '-' during - # substitution so that $LINENO is not a special case at line end. + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) - sed '=' <$as_myself | + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno N - s,$,-, - : loop - s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop - s,-$,, - s,^['$as_cr_digits']*\n,, + s/-\n.*// ' >$as_me.lineno && - chmod +x $as_me.lineno || + chmod +x "$as_me.lineno" || { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 { (exit 1); exit 1; }; } # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensible to this). - . ./$as_me.lineno + # original and so on. 
Autoconf is especially sensitive to this). + . "./$as_me.lineno" # Exit status is that of the last command. exit } -case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in - *c*,-n*) ECHO_N= ECHO_C=' -' ECHO_T=' ' ;; - *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; - *) ECHO_N= ECHO_C='\c' ECHO_T= ;; +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; esac -if expr a : '\(a\)' >/dev/null 2>&1; then +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir +fi echo >conf$$.file if ln -s conf$$.file conf$$ 2>/dev/null; then - # We could just check for DJGPP; but this test a) works b) is more generic - # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). - if test -f conf$$.exe; then - # Don't use ln at all; we don't have any links + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -p' - else - as_ln_s='ln -s' - fi elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -p' fi -rm -f conf$$ conf$$.exe conf$$.file +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p=: 
@@ -224,7 +520,28 @@ else as_mkdir_p=false fi -as_executable_p="test -f" +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" 
@@ -233,86 +550,134 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" -# IFS -# We need space, tab and new line, in precisely that order. -as_nl=' -' -IFS=" $as_nl" - -# CDPATH. -$as_unset CDPATH +exec 7<&0 </dev/null 6>&1 # Name of the host. # hostname on some systems (SVR3.2, Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` -exec 6>&1 - # # Initializations. # ac_default_prefix=/usr/local +ac_clean_files= ac_config_libobj_dir=. +LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= SHELL=${CONFIG_SHELL-/bin/sh} -# Maximum number of lines to put in a shell here document. -# This variable seems obsolete. It should probably be removed, and -# only ac_max_sed_lines should be used. -: ${ac_max_here_lines=38} - # Identity of this package. PACKAGE_NAME='ZKT' PACKAGE_TARNAME='zkt' -PACKAGE_VERSION='0.98' -PACKAGE_STRING='ZKT 0.98' +PACKAGE_VERSION='0.99c' +PACKAGE_STRING='ZKT 0.99c' PACKAGE_BUGREPORT='Holger Zuleger hznet.de' ac_unique_file="dnssec-zkt.c" # Factoring default headers for most tests. 
ac_includes_default="\ #include <stdio.h> -#if HAVE_SYS_TYPES_H +#ifdef HAVE_SYS_TYPES_H # include <sys/types.h> #endif -#if HAVE_SYS_STAT_H +#ifdef HAVE_SYS_STAT_H # include <sys/stat.h> #endif -#if STDC_HEADERS +#ifdef STDC_HEADERS # include <stdlib.h> # include <stddef.h> #else -# if HAVE_STDLIB_H +# ifdef HAVE_STDLIB_H # include <stdlib.h> # endif #endif -#if HAVE_STRING_H -# if !STDC_HEADERS && HAVE_MEMORY_H +#ifdef HAVE_STRING_H +# if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include <memory.h> # endif # include <string.h> #endif -#if HAVE_STRINGS_H +#ifdef HAVE_STRINGS_H # include <strings.h> #endif -#if HAVE_INTTYPES_H +#ifdef HAVE_INTTYPES_H # include <inttypes.h> -#else -# if HAVE_STDINT_H -# include <stdint.h> -# endif #endif -#if HAVE_UNISTD_H +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif +#ifdef HAVE_UNISTD_H # include <unistd.h> #endif" -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SIGNZONE_PROG CPP EGREP LIBOBJS LTLIBOBJS' +ac_header_list= +ac_func_list= +ac_subst_vars='SHELL +PATH_SEPARATOR +PACKAGE_NAME +PACKAGE_TARNAME +PACKAGE_VERSION +PACKAGE_STRING +PACKAGE_BUGREPORT +exec_prefix +prefix +program_transform_name +bindir +sbindir +libexecdir +datarootdir +datadir +sysconfdir +sharedstatedir +localstatedir +includedir +oldincludedir +docdir +infodir +htmldir +dvidir +pdfdir +psdir +libdir +localedir +mandir +DEFS +ECHO_C +ECHO_N +ECHO_T +LIBS +build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +CPPFLAGS +ac_ct_CC +EXEEXT +OBJEXT +SIGNZONE_PROG +CPP +GREP +EGREP +LIBOBJS +LTLIBOBJS' ac_subst_files='' + ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS 
+CPPFLAGS +CPP' + # Initialize some variables set by options. ac_init_help= @@ -339,34 +704,48 @@ x_libraries=NONE # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' -datadir='${prefix}/share' +datarootdir='${prefix}/share' +datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -libdir='${exec_prefix}/lib' includedir='${prefix}/include' oldincludedir='/usr/include' -infodir='${prefix}/info' -mandir='${prefix}/man' +docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' ac_prev= +ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then - eval "$ac_prev=\$ac_option" + eval $ac_prev=\$ac_option ac_prev= continue fi - ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'` + case $ac_option in + *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *) ac_optarg=yes ;; + esac # Accept the important Cygnus configure options, so we can diagnose typos. - case $ac_option in + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; 
@@ -388,33 +767,45 @@ do --config-cache | -C) cache_file=config.cache ;; - -datadir | --datadir | --datadi | --datad | --data | --dat | --da) + -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; - -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ - | --da=*) + -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + -disable-* | --disable-*) ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && + expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && { echo "$as_me: error: invalid feature name: $ac_feature" >&2 { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/-/_/g'` - eval "enable_$ac_feature=no" ;; + ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` + eval enable_$ac_feature=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. 
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null && + expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null && { echo "$as_me: error: invalid feature name: $ac_feature" >&2 { (exit 1); exit 1; }; } - ac_feature=`echo $ac_feature | sed 's/-/_/g'` - case $ac_option in - *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; - *) ac_optarg=yes ;; - esac - eval "enable_$ac_feature='$ac_optarg'" ;; + ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'` + eval enable_$ac_feature=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ @@ -441,6 +832,12 @@ do -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; @@ -465,13 +862,16 @@ do | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + -localstatedir | --localstatedir | --localstatedi | --localstated \ - | --localstate | --localstat | --localsta | --localst \ - | --locals | --local | --loca | --loc | --lo) + | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ - | --localstate=* | --localstat=* | --localsta=* | --localst=* \ - | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) 
@@ -536,6 +936,16 @@ do | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; @@ -588,24 +998,20 @@ do -with-* | --with-*) ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && + expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && { echo "$as_me: error: invalid package name: $ac_package" >&2 { (exit 1); exit 1; }; } - ac_package=`echo $ac_package| sed 's/-/_/g'` - case $ac_option in - *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;; - *) ac_optarg=yes ;; - esac - eval "with_$ac_package='$ac_optarg'" ;; + ac_package=`echo $ac_package | sed 's/[-.]/_/g'` + eval with_$ac_package=\$ac_optarg ;; -without-* | --without-*) ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. - expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null && + expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null && { echo "$as_me: error: invalid package name: $ac_package" >&2 { (exit 1); exit 1; }; } - ac_package=`echo $ac_package | sed 's/-/_/g'` - eval "with_$ac_package=no" ;; + ac_package=`echo $ac_package | sed 's/[-.]/_/g'` + eval with_$ac_package=no ;; --x) # Obsolete; use --with-x. 
@@ -636,8 +1042,7 @@ Try \`$0 --help' for more information." >&2 expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && { echo "$as_me: error: invalid variable name: $ac_envvar" >&2 { (exit 1); exit 1; }; } - ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` - eval "$ac_envvar='$ac_optarg'" + eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) @@ -657,27 +1062,19 @@ if test -n "$ac_prev"; then { (exit 1); exit 1; }; } fi -# Be sure to have absolute paths. -for ac_var in exec_prefix prefix +# Be sure to have absolute directory names. +for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir do - eval ac_val=$`echo $ac_var` + eval ac_val=\$$ac_var case $ac_val in - [\\/$]* | ?:[\\/]* | NONE | '' ) ;; - *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 - { (exit 1); exit 1; }; };; - esac -done - -# Be sure to have absolute paths. -for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \ - localstatedir libdir includedir oldincludedir infodir mandir -do - eval ac_val=$`echo $ac_var` - case $ac_val in - [\\/$]* | ?:[\\/]* ) ;; - *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 - { (exit 1); exit 1; }; };; + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac + { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { (exit 1); exit 1; }; } done # There might be people who depend on the old broken behavior: `$host' 
@@ -704,74 +1101,76 @@ test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + { echo "$as_me: error: Working directory cannot be determined" >&2 + { (exit 1); exit 1; }; } +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + { echo "$as_me: error: pwd does not report name of working directory" >&2 + { (exit 1); exit 1; }; } + + # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes - # Try the directory containing this script, then its parent. - ac_confdir=`(dirname "$0") 2>/dev/null || + # Try the directory containing this script, then the parent directory. + ac_confdir=`$as_dirname -- "$0" || $as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$0" : 'X\(//\)[^/]' \| \ X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || + X"$0" : 'X\(/\)' \| . 2>/dev/null || echo X"$0" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` srcdir=$ac_confdir - if test ! -r $srcdir/$ac_unique_file; then + if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi -if test ! -r $srcdir/$ac_unique_file; then - if test "$ac_srcdir_defaulted" = yes; then - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2 +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." 
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 { (exit 1); exit 1; }; } - else - { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 - { (exit 1); exit 1; }; } - fi fi -(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null || - { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2 +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2 { (exit 1); exit 1; }; } -srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` -ac_env_build_alias_set=${build_alias+set} -ac_env_build_alias_value=$build_alias -ac_cv_env_build_alias_set=${build_alias+set} -ac_cv_env_build_alias_value=$build_alias -ac_env_host_alias_set=${host_alias+set} -ac_env_host_alias_value=$host_alias -ac_cv_env_host_alias_set=${host_alias+set} -ac_cv_env_host_alias_value=$host_alias -ac_env_target_alias_set=${target_alias+set} -ac_env_target_alias_value=$target_alias -ac_cv_env_target_alias_set=${target_alias+set} -ac_cv_env_target_alias_value=$target_alias -ac_env_CC_set=${CC+set} -ac_env_CC_value=$CC -ac_cv_env_CC_set=${CC+set} -ac_cv_env_CC_value=$CC -ac_env_CFLAGS_set=${CFLAGS+set} -ac_env_CFLAGS_value=$CFLAGS -ac_cv_env_CFLAGS_set=${CFLAGS+set} -ac_cv_env_CFLAGS_value=$CFLAGS -ac_env_LDFLAGS_set=${LDFLAGS+set} -ac_env_LDFLAGS_value=$LDFLAGS -ac_cv_env_LDFLAGS_set=${LDFLAGS+set} -ac_cv_env_LDFLAGS_value=$LDFLAGS -ac_env_CPPFLAGS_set=${CPPFLAGS+set} -ac_env_CPPFLAGS_value=$CPPFLAGS -ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set} -ac_cv_env_CPPFLAGS_value=$CPPFLAGS -ac_env_CPP_set=${CPP+set} -ac_env_CPP_value=$CPP -ac_cv_env_CPP_set=${CPP+set} -ac_cv_env_CPP_value=$CPP + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. 
+case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done # # Report the --help message. @@ -780,7 +1179,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ZKT 0.98 to adapt to many kinds of systems. +\`configure' configures ZKT 0.99c to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -800,9 +1199,6 @@ Configuration: -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] -_ACEOF - - cat <<_ACEOF Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] 
@@ -820,15 +1216,22 @@ Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] - --datadir=DIR read-only architecture-independent data [PREFIX/share] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] - --infodir=DIR info documentation [PREFIX/info] - --mandir=DIR man documentation [PREFIX/man] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/zkt] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF @@ -837,7 +1240,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ZKT 0.98:";; + short | recursive ) echo "Configuration of ZKT 0.99c:";; esac cat <<\_ACEOF 
@@ -861,8 +1264,9 @@ Some influential environment variables: CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a nonstandard directory <lib dir> - CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have - headers in a nonstandard directory <include dir> + LIBS libraries to pass to the linker, e.g. -l<library> + CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if + you have headers in a nonstandard directory <include dir> CPP C preprocessor Use these variables to override the choices made by `configure' or to help 
@@ -870,120 +1274,86 @@ it to find libraries and programs with nonstandard names/locations. Report bugs to <Holger Zuleger hznet.de>. _ACEOF +ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. - ac_popdir=`pwd` for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue - test -d $ac_dir || continue + test -d "$ac_dir" || continue ac_builddir=. -if test "$ac_dir" != .; then +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix case $srcdir in - .) # No --srcdir option. We are building in place. + .) # We are building in place. ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. 
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac - -# Do not use `cd foo && pwd` to compute absolute paths, because -# the directories may not exist. -case `pwd` in -.) ac_abs_builddir="$ac_dir";; -*) - case "$ac_dir" in - .) ac_abs_builddir=`pwd`;; - [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";; - *) ac_abs_builddir=`pwd`/"$ac_dir";; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_top_builddir=${ac_top_builddir}.;; -*) - case ${ac_top_builddir}. in - .) ac_abs_top_builddir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;; - *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_srcdir=$ac_srcdir;; -*) - case $ac_srcdir in - .) ac_abs_srcdir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;; - *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_top_srcdir=$ac_top_srcdir;; -*) - case $ac_top_srcdir in - .) ac_abs_top_srcdir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;; - *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;; - esac;; -esac - - cd $ac_dir - # Check for guested configure; otherwise get Cygnus style configure. - if test -f $ac_srcdir/configure.gnu; then - echo - $SHELL $ac_srcdir/configure.gnu --help=recursive - elif test -f $ac_srcdir/configure; then - echo - $SHELL $ac_srcdir/configure --help=recursive - elif test -f $ac_srcdir/configure.ac || - test -f $ac_srcdir/configure.in; then - echo - $ac_configure --help +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. 
+ if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive else echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi - cd $ac_popdir + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } done fi -test -n "$ac_init_help" && exit 0 +test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ZKT configure 0.98 -generated by GNU Autoconf 2.59 +ZKT configure 0.99c +generated by GNU Autoconf 2.61 -Copyright (C) 2003 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF - exit 0 + exit fi -exec 5>config.log -cat >&5 <<_ACEOF +cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ZKT $as_me 0.98, which was -generated by GNU Autoconf 2.59. Invocation command line was +It was created by ZKT $as_me 0.99c, which was +generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ _ACEOF +exec 5>>config.log { cat <<_ASUNAME ## --------- ## 
@@ -1002,7 +1372,7 @@ uname -v = `(uname -v) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` -hostinfo = `(hostinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` @@ -1016,6 +1386,7 @@ do test -z "$as_dir" && as_dir=. echo "PATH: $as_dir" done +IFS=$as_save_IFS } >&5 @@ -1037,7 +1408,6 @@ _ACEOF ac_configure_args= ac_configure_args0= ac_configure_args1= -ac_sep= ac_must_keep_next=false for ac_pass in 1 2 do @@ -1048,7 +1418,7 @@ do -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) + *\'*) ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in @@ -1070,9 +1440,7 @@ do -* ) ac_must_keep_next=true ;; esac fi - ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'" - # Get rid of the leading space. - ac_sep=" " + ac_configure_args="$ac_configure_args '$ac_arg'" ;; esac done @@ -1083,8 +1451,8 @@ $as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_ # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. -# WARNING: Be sure not to use single quotes in there, as some shells, -# such as our DU 5.0 friend, will then `close' the trap. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { 
@@ -1097,20 +1465,34 @@ trap 'exit_status=$? _ASBOX echo # The following way of writing the cache mishandles newlines in values, -{ +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 +echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done (set) 2>&1 | - case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in - *ac_space=\ *) + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) sed -n \ - "s/'"'"'/'"'"'\\\\'"'"''"'"'/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p" - ;; + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( *) - sed -n \ - "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; - esac; -} + esac | + sort +) echo cat <<\_ASBOX @@ -1121,22 +1503,28 @@ _ASBOX echo for ac_var in $ac_subst_vars do - eval ac_val=$`echo $ac_var` - echo "$ac_var='"'"'$ac_val'"'"'" + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then cat <<\_ASBOX -## ------------- ## -## Output files. ## -## ------------- ## +## ------------------- ## +## File substitutions. ## +## ------------------- ## _ASBOX echo for ac_var in $ac_subst_files do - eval ac_val=$`echo $ac_var` - echo "$ac_var='"'"'$ac_val'"'"'" + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + echo "$ac_var='\''$ac_val'\''" done | sort echo fi 
@@ -1148,26 +1536,24 @@ _ASBOX ## ----------- ## _ASBOX echo - sed "/^$/d" confdefs.h | sort + cat confdefs.h echo fi test "$ac_signal" != 0 && echo "$as_me: caught signal $ac_signal" echo "$as_me: exit $exit_status" } >&5 - rm -f core *.core && - rm -rf conftest* confdefs* conf$$* $ac_clean_files && + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status - ' 0 +' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -rf conftest* confdefs.h -# AIX cpp loses on an empty file, so make sure it contains at least a newline. -echo >confdefs.h +rm -f -r conftest* confdefs.h # Predefined preprocessor variables. @@ -1198,14 +1584,17 @@ _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer explicitly selected file to automatically selected ones. -if test -z "$CONFIG_SITE"; then - if test "x$prefix" != xNONE; then - CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" - else - CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" - fi +if test -n "$CONFIG_SITE"; then + set x "$CONFIG_SITE" +elif test "x$prefix" != xNONE; then + set x "$prefix/share/config.site" "$prefix/etc/config.site" +else + set x "$ac_default_prefix/share/config.site" \ + "$ac_default_prefix/etc/config.site" fi -for ac_site_file in $CONFIG_SITE; do +shift +for ac_site_file +do if test -r "$ac_site_file"; then { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 echo "$as_me: loading site script $ac_site_file" >&6;} @@ -1221,8 +1610,8 @@ if test -r "$cache_file"; then { echo "$as_me:$LINENO: loading cache $cache_file" >&5 echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in - [\\/]* | ?:[\\/]* ) . $cache_file;; - *) . ./$cache_file;; + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; esac fi else 
@@ -1231,15 +1620,18 @@ echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi +ac_header_list="$ac_header_list sys/time.h" +ac_header_list="$ac_header_list unistd.h" +ac_func_list="$ac_func_list alarm" +ac_header_list="$ac_header_list utime.h" # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false -for ac_var in `(set) 2>&1 | - sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do +for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set - eval ac_old_val="\$ac_cv_env_${ac_var}_value" - eval ac_new_val="\$ac_env_${ac_var}_value" + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 @@ -1264,8 +1656,7 @@ echo "$as_me: current value: $ac_new_val" >&2;} # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*) - ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in @@ -1282,12 +1673,6 @@ echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start ov { (exit 1); exit 1; }; } fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - 
@@ -1312,12 +1697,17 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu ### Files to test to check if src dir contains the package - ac_config_headers="$ac_config_headers config.h" +ac_config_headers="$ac_config_headers config.h" @@ -1330,8 +1720,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1344,32 +1734,34 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 + { echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi + fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1382,36 +1774,51 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 + { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +echo "${ECHO_T}$ac_ct_CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi - CC=$ac_ct_CC + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... 
$ECHO_C" >&6; } if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1424,74 +1831,34 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 -else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 -fi - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="cc" - echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 + { echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi - CC=$ac_ct_CC -else - CC="$ac_cv_prog_CC" -fi + fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. 
set dummy cc; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else @@ -1505,7 +1872,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue @@ -1516,6 +1883,7 @@ do fi done done +IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. @@ -1533,22 +1901,23 @@ fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 + { echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi + fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then - for ac_prog in cl + for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1561,36 +1930,38 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:$LINENO: result: $CC" >&5 -echo "${ECHO_T}$CC" >&6 + { echo "$as_me:$LINENO: result: $CC" >&5 +echo "${ECHO_T}$CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi + test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC - for ac_prog in cl + for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_prog_ac_ct_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1603,29 +1974,45 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 -echo "${ECHO_T}$ac_ct_CC" >&6 + { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +echo "${ECHO_T}$ac_ct_CC" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi + test -n "$ac_ct_CC" && break done - CC=$ac_ct_CC + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi fi fi 
@@ -1638,21 +2025,35 @@ See \`config.log' for more details." >&2;} { (exit 1); exit 1; }; } # Provide some information about the compiler. -echo "$as_me:$LINENO:" \ - "checking for C compiler version" >&5 +echo "$as_me:$LINENO: checking for C compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` -{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5 - (eval $ac_compiler --version </dev/null >&5) 2>&5 +{ (ac_try="$ac_compiler --version >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compiler --version >&5") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } -{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5 - (eval $ac_compiler -v </dev/null >&5) 2>&5 +{ (ac_try="$ac_compiler -v >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compiler -v >&5") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } -{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5 - (eval $ac_compiler -V </dev/null >&5) 2>&5 +{ (ac_try="$ac_compiler -V >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compiler -V >&5") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } 
@@ -1677,47 +2078,77 @@ ac_clean_files="$ac_clean_files a.out a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 -echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 +echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; } ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5 - (eval $ac_link_default) 2>&5 +# +# List of possible output files, starting from the most likely. +# The algorithm is not robust to junk in `.', hence go to wildcards (a.*) +# only as a last resort. b.out is created by i960 compilers. +ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out' +# +# The IRIX 6 linker writes into existing files which may not be +# executable, retaining their permissions. Remove them first so a +# subsequent execution test works. +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { (ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link_default") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then - # Find the output, starting from the most likely. This scheme is -# not robust to junk in `.', hence go to wildcards (a.*) only as a last -# resort. - -# Be careful to initialize this variable, since it used to be cached. -# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile. 
-ac_cv_exeext= -# b.out is created by i960 compilers. -for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. +for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) - ;; - conftest.$ac_ext ) - # This is the source file. + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - # FIXME: I believe we export ac_cv_exeext for Libtool, - # but it would be cool to find out if it's true. Does anybody - # maintain Libtool? --akim. - export ac_cv_exeext + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. break;; * ) break;; esac done +test "$ac_cv_exeext" = no && ac_cv_exeext= + else + ac_file='' +fi + +{ echo "$as_me:$LINENO: result: $ac_file" >&5 +echo "${ECHO_T}$ac_file" >&6; } +if test -z "$ac_file"; then echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 
@@ -1729,19 +2160,21 @@ See \`config.log' for more details." >&2;} fi ac_exeext=$ac_cv_exeext -echo "$as_me:$LINENO: result: $ac_file" >&5 -echo "${ECHO_T}$ac_file" >&6 -# Check the compiler produces executables we can run. If not, either +# Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -echo "$as_me:$LINENO: checking whether the C compiler works" >&5 -echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; } # FIXME: These cross compiler hacks should be removed for Autoconf 3.0 # If not cross compiling, check that we can run a simple program. if test "$cross_compiling" != yes; then if { ac_try='./$ac_file' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then 
@@ -1760,22 +2193,27 @@ See \`config.log' for more details." >&2;} fi fi fi -echo "$as_me:$LINENO: result: yes" >&5 -echo "${ECHO_T}yes" >&6 +{ echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } rm -f a.out a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save -# Check the compiler produces executables we can run. If not, either +# Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 -echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6 -echo "$as_me:$LINENO: result: $cross_compiling" >&5 -echo "${ECHO_T}$cross_compiling" >&6 - -echo "$as_me:$LINENO: checking for suffix of executables" >&5 -echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6 -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; } +{ echo "$as_me:$LINENO: result: $cross_compiling" >&5 +echo "${ECHO_T}$cross_compiling" >&6; } + +{ echo "$as_me:$LINENO: checking for suffix of executables" >&5 +echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; } +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then 
@@ -1786,9 +2224,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;; + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - export ac_cv_exeext break;; * ) break;; esac @@ -1802,14 +2239,14 @@ See \`config.log' for more details." >&2;} fi rm -f conftest$ac_cv_exeext -echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 -echo "${ECHO_T}$ac_cv_exeext" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +echo "${ECHO_T}$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT -echo "$as_me:$LINENO: checking for suffix of object files" >&5 -echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for suffix of object files" >&5 +echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; } if test "${ac_cv_objext+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1829,14 +2266,20 @@ main () } _ACEOF rm -f conftest.o conftest.obj -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; then - for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;; + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac @@ -1854,12 +2297,12 @@ fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 -echo "${ECHO_T}$ac_cv_objext" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +echo "${ECHO_T}$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT -echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 -echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; } if test "${ac_cv_c_compiler_gnu+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -1882,50 +2325,49 @@ main () } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_compiler_gnu=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_compiler_gnu=no + ac_compiler_gnu=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 -echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; } GCC=`test $ac_compiler_gnu = yes && echo yes` ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -CFLAGS="-g" -echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 -echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +echo $ECHO_N "checking whether $CC accepts -g... 
$ECHO_C" >&6; } if test "${ac_cv_prog_cc_g+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext 
@@ -1941,38 +2383,118 @@ main () } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_prog_cc_g=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + CFLAGS="" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_prog_cc_g=no + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag fi -echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_g" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then @@ -1988,12 +2510,12 @@ else CFLAGS= fi fi -echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5 -echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6 -if test "${ac_cv_prog_cc_stdc+set}" = set; then +{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; } +if test "${ac_cv_prog_cc_c89+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - ac_cv_prog_cc_stdc=no + ac_cv_prog_cc_c89=no ac_save_CC=$CC cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -2027,12 +2549,17 @@ static char *f (char * (*g) (char **, int), char **p, ...) /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated - as 'x'. The following induces an error, until -std1 is added to get + as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something - that's true only with -std1. */ + that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; + int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; 
@@ -2047,205 +2574,57 @@ return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; return 0; } _ACEOF -# Don't try gcc -ansi; that turns off useful extensions and -# breaks some systems' header files. -# AIX -qlanglvl=ansi -# Ultrix and OSF/1 -std1 -# HP-UX 10.20 and later -Ae -# HP-UX older versions -Aa -D_HPUX_SOURCE -# SVR4 -Xc -D__EXTENSIONS__ -for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_prog_cc_stdc=$ac_arg -break + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_prog_cc_c89=$ac_arg else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 + fi -rm -f conftest.err conftest.$ac_objext + +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break done -rm -f conftest.$ac_ext conftest.$ac_objext +rm -f conftest.$ac_ext CC=$ac_save_CC fi - -case "x$ac_cv_prog_cc_stdc" in - x|xno) - echo "$as_me:$LINENO: result: none needed" >&5 -echo "${ECHO_T}none needed" >&6 ;; +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { echo "$as_me:$LINENO: result: none needed" >&5 +echo "${ECHO_T}none needed" >&6; } ;; + xno) + { echo "$as_me:$LINENO: result: unsupported" >&5 +echo "${ECHO_T}unsupported" >&6; } ;; *) - echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5 -echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6 - CC="$CC $ac_cv_prog_cc_stdc" ;; + CC="$CC $ac_cv_prog_cc_c89" + { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 +echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;; esac -# Some people use a C++ compiler to compile C. Since we use `exit', -# in C++ we need to declare it. In case someone uses the same compiler -# for both compiling C and C++ we need to have the C++ compiler decide -# the declaration of exit, since it's the most demanding environment. -cat >conftest.$ac_ext <<_ACEOF -#ifndef __cplusplus - choke me -#endif -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - for ac_declaration in \ - '' \ - 'extern "C" void std::exit (int) throw (); using std::exit;' \ - 'extern "C" void std::exit (int); using std::exit;' \ - 'extern "C" void exit (int) throw ();' \ - 'extern "C" void exit (int);' \ - 'void exit (int);' -do - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_declaration -#include <stdlib.h> -int -main () -{ -exit (42); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -continue -fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. 
*/ -$ac_declaration -int -main () -{ -exit (42); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - break -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext -done -rm -f conftest* -if test -n "$ac_declaration"; then - echo '#ifdef __cplusplus' >>confdefs.h - echo $ac_declaration >>confdefs.h - echo '#endif' >>confdefs.h -fi -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -2256,8 +2635,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu ### find out the path to BIND utils and version # Extract the first word of "dnssec-signzone", so it can be a program name with args. set dummy dnssec-signzone; ac_word=$2 -echo "$as_me:$LINENO: checking for $ac_word" >&5 -echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } if test "${ac_cv_path_SIGNZONE_PROG+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -2272,34 +2651,34 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_SIGNZONE_PROG="$as_dir/$ac_word$ac_exec_ext" echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done +IFS=$as_save_IFS ;; esac fi SIGNZONE_PROG=$ac_cv_path_SIGNZONE_PROG - if test -n "$SIGNZONE_PROG"; then - echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5 -echo "${ECHO_T}$SIGNZONE_PROG" >&6 + { echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5 +echo "${ECHO_T}$SIGNZONE_PROG" >&6; } else - echo "$as_me:$LINENO: result: no" >&5 -echo "${ECHO_T}no" >&6 + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } fi -bind_util_path=`dirname "$SIGNZONE_PROG"` + if test -z "$SIGNZONE_PROG" ; then # AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***]) { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5 echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;} else - + bind_util_path=`dirname "$SIGNZONE_PROG"` # define BIND_UTIL_PATH in config.h.in cat >>confdefs.h <<_ACEOF @@ -2307,7 +2686,6 @@ cat >>confdefs.h <<_ACEOF _ACEOF # define BIND_VERSION in config.h.in - #bind_version=`$SIGNZONE_PROG 2>&1 | sed -n -e "/Version:/s/Version: \(\[0-9\]\[0-9\.\]*\).*/\1/p" | tr -d "."` bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"` cat >>confdefs.h <<_ACEOF 
@@ -2322,8 +2700,8 @@ ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 -echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 +echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -2357,24 +2735,22 @@ cat >>conftest.$ac_ext <<_ACEOF #endif Syntax error _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : else echo "$as_me: failed program was:" >&5 @@ -2383,9 +2759,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 # Broken: fails on valid input. continue fi + rm -f conftest.err conftest.$ac_ext - # OK, works on sane cases. Now check whether non-existent headers + # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -2395,24 +2772,22 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <ac_nonexistent.h> _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then # Broken: success on invalid input. continue else @@ -2423,6 +2798,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_preproc_ok=: break fi + rm -f conftest.err conftest.$ac_ext done @@ -2440,8 +2816,8 @@ fi else ac_cv_prog_CPP=$CPP fi -echo "$as_me:$LINENO: result: $CPP" >&5 -echo "${ECHO_T}$CPP" >&6 +{ echo "$as_me:$LINENO: result: $CPP" >&5 +echo "${ECHO_T}$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do 
@@ -2464,24 +2840,22 @@ cat >>conftest.$ac_ext <<_ACEOF #endif Syntax error _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : else echo "$as_me: failed program was:" >&5 @@ -2490,9 +2864,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 # Broken: fails on valid input. continue fi + rm -f conftest.err conftest.$ac_ext - # OK, works on sane cases. Now check whether non-existent headers + # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ 
@@ -2502,24 +2877,22 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <ac_nonexistent.h> _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then # Broken: success on invalid input. continue else @@ -2530,6 +2903,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_preproc_ok=: break fi + rm -f conftest.err conftest.$ac_ext done 
@@ -2552,23 +2926,170 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu -echo "$as_me:$LINENO: checking for egrep" >&5 -echo $ECHO_N "checking for egrep... $ECHO_C" >&6 -if test "${ac_cv_prog_egrep+set}" = set; then +{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 +echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; } +if test "${ac_cv_path_GREP+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + # Extract the first word of "grep ggrep" to use in msg output +if test -z "$GREP"; then +set dummy grep ggrep; ac_prog_name=$2 +if test "${ac_cv_path_GREP+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - if echo a | (grep -E '(a|b)') >/dev/null 2>&1 - then ac_cv_prog_egrep='grep -E' - else ac_cv_prog_egrep='egrep' + ac_path_GREP_found=false +# Loop through the user's path and test for each of PROGNAME-LIST +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue + # Check for GNU ac_path_GREP and select it if it is found. 
+ # Check for GNU $ac_path_GREP +case `"$ac_path_GREP" --version 2>&1` in +*GNU*) + ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +*) + ac_count=0 + echo $ECHO_N "0123456789$ECHO_C" >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + echo 'GREP' >> "conftest.nl" + "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_GREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_GREP="$ac_path_GREP" + ac_path_GREP_max=$ac_count fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + + $ac_path_GREP_found && break 3 + done +done + +done +IFS=$as_save_IFS + + fi -echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5 -echo "${ECHO_T}$ac_cv_prog_egrep" >&6 - EGREP=$ac_cv_prog_egrep +GREP="$ac_cv_path_GREP" +if test -z "$GREP"; then + { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } +fi + +else + ac_cv_path_GREP=$GREP +fi -echo "$as_me:$LINENO: checking for ANSI C header files" >&5 -echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6 + +fi +{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 +echo "${ECHO_T}$ac_cv_path_GREP" >&6; } + GREP="$ac_cv_path_GREP" + + +{ echo "$as_me:$LINENO: checking for egrep" >&5 +echo $ECHO_N "checking for egrep... 
$ECHO_C" >&6; } +if test "${ac_cv_path_EGREP+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + # Extract the first word of "egrep" to use in msg output +if test -z "$EGREP"; then +set dummy egrep; ac_prog_name=$2 +if test "${ac_cv_path_EGREP+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_path_EGREP_found=false +# Loop through the user's path and test for each of PROGNAME-LIST +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue + # Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + echo $ECHO_N "0123456789$ECHO_C" >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + + $ac_path_EGREP_found && break 3 + done +done + +done +IFS=$as_save_IFS + + +fi + +EGREP="$ac_cv_path_EGREP" +if test -z "$EGREP"; then + { { echo "$as_me:$LINENO: error: no acceptable 
$ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } +fi + +else + ac_cv_path_EGREP=$EGREP +fi + + + fi +fi +{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 +echo "${ECHO_T}$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5 +echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; } if test "${ac_cv_header_stdc+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -2592,35 +3113,31 @@ main () } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_header_stdc=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_header_stdc=no + ac_cv_header_stdc=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. @@ -2676,6 +3193,7 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <ctype.h> +#include <stdlib.h> #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) 
@@ -2695,18 +3213,27 @@ main () for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); + return 2; + return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -2719,12 +3246,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_header_stdc=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi fi -echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 -echo "${ECHO_T}$ac_cv_header_stdc" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 +echo "${ECHO_T}$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then cat >>confdefs.h <<\_ACEOF 
@@ -2747,9 +3276,9 @@ for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -2763,38 +3292,35 @@ $ac_includes_default #include <$ac_header> _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then eval "$as_ac_Header=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_Header=no" + eval "$as_ac_Header=no" fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 
@@ -2805,8 +3331,8 @@ fi done -echo "$as_me:$LINENO: checking for uint" >&5 -echo $ECHO_N "checking for uint... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for uint" >&5 +echo $ECHO_N "checking for uint... $ECHO_C" >&6; } if test "${ac_cv_type_uint+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -2817,50 +3343,47 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +typedef uint ac__type_new_; int main () { -if ((uint *) 0) +if ((ac__type_new_ *) 0) return 0; -if (sizeof (uint)) +if (sizeof (ac__type_new_)) return 0; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_type_uint=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_type_uint=no + ac_cv_type_uint=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5 -echo "${ECHO_T}$ac_cv_type_uint" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5 +echo "${ECHO_T}$ac_cv_type_uint" >&6; } if test $ac_cv_type_uint = yes; then : else 
@@ -2871,8 +3394,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for ulong" >&5 -echo $ECHO_N "checking for ulong... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for ulong" >&5 +echo $ECHO_N "checking for ulong... $ECHO_C" >&6; } if test "${ac_cv_type_ulong+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -2883,50 +3406,47 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +typedef ulong ac__type_new_; int main () { -if ((ulong *) 0) +if ((ac__type_new_ *) 0) return 0; -if (sizeof (ulong)) +if (sizeof (ac__type_new_)) return 0; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_type_ulong=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_type_ulong=no + ac_cv_type_ulong=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5 -echo "${ECHO_T}$ac_cv_type_ulong" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5 +echo "${ECHO_T}$ac_cv_type_ulong" >&6; } if test $ac_cv_type_ulong = yes; then : else 
@@ -2937,8 +3457,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for ushort" >&5 -echo $ECHO_N "checking for ushort... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for ushort" >&5 +echo $ECHO_N "checking for ushort... $ECHO_C" >&6; } if test "${ac_cv_type_ushort+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -2949,50 +3469,47 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +typedef ushort ac__type_new_; int main () { -if ((ushort *) 0) +if ((ac__type_new_ *) 0) return 0; -if (sizeof (ushort)) +if (sizeof (ac__type_new_)) return 0; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_type_ushort=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_type_ushort=no + ac_cv_type_ushort=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5 -echo "${ECHO_T}$ac_cv_type_ushort" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5 +echo "${ECHO_T}$ac_cv_type_ushort" >&6; } if test $ac_cv_type_ushort = yes; then : else 
@@ -3003,8 +3520,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for uchar" >&5 -echo $ECHO_N "checking for uchar... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for uchar" >&5 +echo $ECHO_N "checking for uchar... $ECHO_C" >&6; } if test "${ac_cv_type_uchar+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -3015,50 +3532,47 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +typedef uchar ac__type_new_; int main () { -if ((uchar *) 0) +if ((ac__type_new_ *) 0) return 0; -if (sizeof (uchar)) +if (sizeof (ac__type_new_)) return 0; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_type_uchar=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_type_uchar=no + ac_cv_type_uchar=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5 -echo "${ECHO_T}$ac_cv_type_uchar" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5 +echo "${ECHO_T}$ac_cv_type_uchar" >&6; } if test $ac_cv_type_uchar = yes; then : else 
@@ -3071,11 +3585,11 @@ fi ### define configure arguments -# Check whether --enable-printtimezone or --disable-printtimezone was given. +# Check whether --enable-printtimezone was given. if test "${enable_printtimezone+set}" = set; then - enableval="$enable_printtimezone" - printtimezone=$enableval -fi; + enableval=$enable_printtimezone; printtimezone=$enableval +fi + printtimezone=0 test "$printtimezone" = yes && printtimezone=1 @@ -3084,11 +3598,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF -# Check whether --enable-printyear or --disable-printyear was given. +# Check whether --enable-printyear was given. if test "${enable_printyear+set}" = set; then - enableval="$enable_printyear" - printyear=$enableval -fi; + enableval=$enable_printyear; printyear=$enableval +fi + printyear=0 test "$printyear" = yes && printyear=1 @@ -3097,11 +3611,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF -# Check whether --enable-logprogname or --disable-logprogname was given. +# Check whether --enable-logprogname was given. if test "${enable_logprogname+set}" = set; then - enableval="$enable_logprogname" - logprogname=$enableval -fi; + enableval=$enable_logprogname; logprogname=$enableval +fi + logprogname=0 test "$logprogname" = yes && logprogname=1 @@ -3110,11 +3624,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF -# Check whether --enable-logtimestamp or --disable-logtimestamp was given. +# Check whether --enable-logtimestamp was given. if test "${enable_logtimestamp+set}" = set; then - enableval="$enable_logtimestamp" - logtimestamp=$enableval -fi; + enableval=$enable_logtimestamp; logtimestamp=$enableval +fi + logtimestamp=1 test "$logtimestamp" = no && logtimestamp=0 
@@ -3123,11 +3637,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF -# Check whether --enable-loglevel or --disable-loglevel was given. +# Check whether --enable-loglevel was given. if test "${enable_loglevel+set}" = set; then - enableval="$enable_loglevel" - loglevel=$enableval -fi; + enableval=$enable_loglevel; loglevel=$enableval +fi + loglevel=1 test "$loglevel" = no && loglevel=0 @@ -3136,11 +3650,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF -# Check whether --enable-ttl_in_keyfile or --disable-ttl_in_keyfile was given. +# Check whether --enable-ttl_in_keyfile was given. if test "${enable_ttl_in_keyfile+set}" = set; then - enableval="$enable_ttl_in_keyfile" - ttl_in_keyfile=$enableval -fi; + enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval +fi + ttl_in_keyfile=1 test "$ttl_in_keyfile" = no && ttl_in_keyfile=0 @@ -3150,11 +3664,11 @@ _ACEOF configpath="/var/named" -# Check whether --enable-configpath or --disable-configpath was given. +# Check whether --enable-configpath was given. if test "${enable_configpath+set}" = set; then - enableval="$enable_configpath" - configpath=$enableval -fi; + enableval=$enable_configpath; configpath=$enableval +fi + case "$configpath" in yes) configpath="/var/named" @@ -3173,11 +3687,11 @@ _ACEOF usetree=1 t="T" -# Check whether --enable-tree or --disable-tree was given. +# Check whether --enable-tree was given. if test "${enable_tree+set}" = set; then - enableval="$enable_tree" - usetree=$enableval -fi; + enableval=$enable_tree; usetree=$enableval +fi + if test "$usetree" = no then usetree=0 @@ -3191,7 +3705,7 @@ _ACEOF cat >>confdefs.h <<_ACEOF -#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de" +#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de" _ACEOF 
@@ -3207,9 +3721,9 @@ _ACEOF ac_header_dirent=no for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do as_ac_Header=`echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5 -echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5 +echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -3231,38 +3745,35 @@ return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then eval "$as_ac_Header=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_Header=no" + eval "$as_ac_Header=no" fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_hdr" | $as_tr_cpp` 1 
@@ -3274,13 +3785,12 @@ fi done # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. if test $ac_header_dirent = dirent.h; then - echo "$as_me:$LINENO: checking for library containing opendir" >&5 -echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6 + { echo "$as_me:$LINENO: checking for library containing opendir" >&5 +echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; } if test "${ac_cv_search_opendir+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_func_search_save_LIBS=$LIBS -ac_cv_search_opendir=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -3288,126 +3798,83 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char opendir (); int main () { -opendir (); +return opendir (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +for ac_lib in '' dir; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_search_opendir="none required" + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_opendir=$ac_res else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -if test "$ac_cv_search_opendir" = no; then - for ac_lib in dir; do - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char opendir (); -int -main () -{ -opendir (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_search_opendir="-l$ac_lib" -break -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +fi +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_opendir+set}" = set; then + break fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - done +done +if test "${ac_cv_search_opendir+set}" = set; then + : +else + ac_cv_search_opendir=no fi +rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 -echo "${ECHO_T}$ac_cv_search_opendir" >&6 -if test "$ac_cv_search_opendir" != no; then - test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS" +{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 +echo "${ECHO_T}$ac_cv_search_opendir" >&6; } +ac_res=$ac_cv_search_opendir +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi else - echo "$as_me:$LINENO: checking for library containing opendir" >&5 -echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6 + { echo "$as_me:$LINENO: checking for library containing opendir" >&5 +echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; } if test "${ac_cv_search_opendir+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_func_search_save_LIBS=$LIBS -ac_cv_search_opendir=no cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -3415,122 +3882,80 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char opendir (); int main () { -opendir (); +return opendir (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +for ac_lib in '' x; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_search_opendir="none required" + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_opendir=$ac_res else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -if test "$ac_cv_search_opendir" = no; then - for ac_lib in x; do - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char opendir (); -int -main () -{ -opendir (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_search_opendir="-l$ac_lib" -break -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +fi +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_opendir+set}" = set; then + break fi -rm -f conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - done +done +if test "${ac_cv_search_opendir+set}" = set; then + : +else + ac_cv_search_opendir=no fi +rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 -echo "${ECHO_T}$ac_cv_search_opendir" >&6 -if test "$ac_cv_search_opendir" != no; then - test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS" +{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 +echo "${ECHO_T}$ac_cv_search_opendir" >&6; } +ac_res=$ac_cv_search_opendir +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi fi -echo "$as_me:$LINENO: checking for ANSI C header files" >&5 -echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5 +echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; } if test "${ac_cv_header_stdc+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -3554,35 +3979,31 @@ main () } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_header_stdc=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_header_stdc=no + ac_cv_header_stdc=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. @@ -3638,6 +4059,7 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <ctype.h> +#include <stdlib.h> #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) 
@@ -3657,18 +4079,27 @@ main () for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); + return 2; + return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -3681,12 +4112,14 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_header_stdc=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi fi -echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 -echo "${ECHO_T}$ac_cv_header_stdc" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 +echo "${ECHO_T}$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then cat >>confdefs.h <<\_ACEOF 
@@ -3710,18 +4143,19 @@ fi for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } else # Is the header compilable? -echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -3732,41 +4166,37 @@ $ac_includes_default #include <$ac_header> _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_header_compiler=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_header_compiler=no + ac_header_compiler=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } # Is the header present? -echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -3775,24 +4205,22 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <$ac_header> _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then ac_header_preproc=yes else echo "$as_me: failed program was:" >&5 @@ -3800,9 +4228,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_header_preproc=no fi + rm -f conftest.err conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in 
@@ -3826,25 +4255,24 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - ( - cat <<\_ASBOX + ( cat <<\_ASBOX ## -------------------------------------- ## ## Report this to Holger Zuleger hznet.de ## ## -------------------------------------- ## _ASBOX - ) | - sed "s/^/$as_me: WARNING: /" >&2 + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac -echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else eval "$as_ac_Header=\$ac_header_preproc" fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } fi if test `eval echo '${'$as_ac_Header'}'` = yes; then @@ -3859,8 +4287,8 @@ done ### Checks for typedefs, structures, and compiler characteristics. -echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5 -echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5 +echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; } if test "${ac_cv_c_const+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -3878,10 +4306,10 @@ main () #ifndef __cplusplus /* Ultrix mips cc rejects this. */ typedef int charset[2]; - const charset x; + const charset cs; /* SunOS 4.1.1 cc rejects this. */ - char const *const *ccp; - char **p; + char const *const *pcpcc; + char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; @@ -3890,16 +4318,17 @@ main () an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; - ccp = &g + (g ? g-g : 0); + pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ - ++ccp; - p = (char**) ccp; - ccp = (char const *const *) p; + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this. */ char *t; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; + if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; @@ -3918,7 +4347,9 @@ main () } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; + if (!foo) return 0; } + return !cs[0] && !zero.x; #endif ; 
@@ -3926,38 +4357,34 @@ main () } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_c_const=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_c_const=no + ac_cv_c_const=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5 -echo "${ECHO_T}$ac_cv_c_const" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5 +echo "${ECHO_T}$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then cat >>confdefs.h <<\_ACEOF @@ -3966,8 +4393,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for size_t" >&5 -echo $ECHO_N "checking for size_t... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for size_t" >&5 +echo $ECHO_N "checking for size_t... $ECHO_C" >&6; } if test "${ac_cv_type_size_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -3978,62 +4405,59 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default +typedef size_t ac__type_new_; int main () { -if ((size_t *) 0) +if ((ac__type_new_ *) 0) return 0; -if (sizeof (size_t)) +if (sizeof (ac__type_new_)) return 0; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_type_size_t=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_type_size_t=no + ac_cv_type_size_t=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5 -echo "${ECHO_T}$ac_cv_type_size_t" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5 +echo "${ECHO_T}$ac_cv_type_size_t" >&6; } if test $ac_cv_type_size_t = yes; then : else cat >>confdefs.h <<_ACEOF -#define size_t unsigned +#define size_t unsigned int _ACEOF fi -echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5 -echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5 +echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; } if test "${ac_cv_header_time+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -4057,38 +4481,34 @@ return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_header_time=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_header_time=no + ac_cv_header_time=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5 -echo "${ECHO_T}$ac_cv_header_time" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5 +echo "${ECHO_T}$ac_cv_header_time" >&6; } if test $ac_cv_header_time = yes; then cat >>confdefs.h <<\_ACEOF 
@@ -4097,8 +4517,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5 -echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5 +echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6; } if test "${ac_cv_struct_tm+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -4114,44 +4534,42 @@ cat >>conftest.$ac_ext <<_ACEOF int main () { -struct tm *tp; tp->tm_sec; +struct tm tm; + int *p = &tm.tm_sec; + return !p; ; return 0; } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_struct_tm=time.h else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_struct_tm=sys/time.h + ac_cv_struct_tm=sys/time.h fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5 -echo "${ECHO_T}$ac_cv_struct_tm" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5 +echo "${ECHO_T}$ac_cv_struct_tm" >&6; } if test $ac_cv_struct_tm = sys/time.h; then cat >>confdefs.h <<\_ACEOF 
@@ -4160,8 +4578,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5 -echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5 +echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6; } if test "${ac_cv_type_uid_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else @@ -4183,8 +4601,8 @@ fi rm -f conftest* fi -echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5 -echo "${ECHO_T}$ac_cv_type_uid_t" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5 +echo "${ECHO_T}$ac_cv_type_uid_t" >&6; } if test $ac_cv_type_uid_t = no; then cat >>confdefs.h <<\_ACEOF @@ -4201,8 +4619,8 @@ fi ### Checks for library functions. -echo "$as_me:$LINENO: checking whether closedir returns void" >&5 -echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether closedir returns void" >&5 +echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6; } if test "${ac_cv_func_closedir_void+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -4224,19 +4642,28 @@ int closedir (); int main () { -exit (closedir (opendir (".")) != 0); +return closedir (opendir (".")) != 0; ; return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -4249,11 +4676,13 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_func_closedir_void=yes fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi -echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5 -echo "${ECHO_T}$ac_cv_func_closedir_void" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5 +echo "${ECHO_T}$ac_cv_func_closedir_void" >&6; } if test $ac_cv_func_closedir_void = yes; then cat >>confdefs.h <<\_ACEOF @@ -4262,8 +4691,8 @@ _ACEOF fi -echo "$as_me:$LINENO: checking for error_at_line" >&5 -echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for error_at_line" >&5 +echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6; } if test "${ac_cv_lib_error_at_line+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -4273,56 +4702,51 @@ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -$ac_includes_default +#include <error.h> int main () { -error_at_line (0, 0, "", 0, ""); +error_at_line (0, 0, "", 0, "an error occurred"); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then ac_cv_lib_error_at_line=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_lib_error_at_line=no + ac_cv_lib_error_at_line=no fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5 -echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5 +echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6; } if test $ac_cv_lib_error_at_line = no; then - case $LIBOBJS in - "error.$ac_objext" | \ - *" error.$ac_objext" | \ - "error.$ac_objext "* | \ + case " $LIBOBJS " in *" error.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS error.$ac_objext" ;; + *) LIBOBJS="$LIBOBJS error.$ac_objext" + ;; esac fi 
@@ -4331,18 +4755,19 @@ fi for ac_header in stdlib.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } else # Is the header compilable? -echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -4353,41 +4778,37 @@ $ac_includes_default #include <$ac_header> _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_header_compiler=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_header_compiler=no + ac_header_compiler=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } # Is the header present? -echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -4396,24 +4817,22 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <$ac_header> _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then ac_header_preproc=yes else echo "$as_me: failed program was:" >&5 @@ -4421,9 +4840,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_header_preproc=no fi + rm -f conftest.err conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in 
@@ -4447,25 +4867,24 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - ( - cat <<\_ASBOX + ( cat <<\_ASBOX ## -------------------------------------- ## ## Report this to Holger Zuleger hznet.de ## ## -------------------------------------- ## _ASBOX - ) | - sed "s/^/$as_me: WARNING: /" >&2 + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac -echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else eval "$as_ac_Header=\$ac_header_preproc" fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } fi if test `eval echo '${'$as_ac_Header'}'` = yes; then @@ -4477,8 +4896,8 @@ fi done -echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5 -echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5 +echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; } if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -4491,7 +4910,7 @@ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#if STDC_HEADERS || HAVE_STDLIB_H +#if defined STDC_HEADERS || defined HAVE_STDLIB_H # include <stdlib.h> #else char *malloc (); @@ -4500,19 +4919,28 @@ char *malloc (); int main () { -exit (malloc (0) ? 0 : 1); +return ! malloc (0); ; return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -4525,11 +4953,13 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_func_malloc_0_nonnull=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi -echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5 -echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5 +echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; } if test $ac_cv_func_malloc_0_nonnull = yes; then cat >>confdefs.h <<\_ACEOF 
@@ -4541,12 +4971,10 @@ else #define HAVE_MALLOC 0 _ACEOF - case $LIBOBJS in - "malloc.$ac_objext" | \ - *" malloc.$ac_objext" | \ - "malloc.$ac_objext "* | \ + case " $LIBOBJS " in *" malloc.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;; + *) LIBOBJS="$LIBOBJS malloc.$ac_objext" + ;; esac @@ -4561,21 +4989,23 @@ fi -for ac_header in stdlib.h sys/time.h unistd.h + +for ac_header in $ac_header_list do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -if eval "test \"\${$as_ac_Header+set}\" = set"; then - echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } else # Is the header compilable? -echo "$as_me:$LINENO: checking $ac_header usability" >&5 -echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -4586,41 +5016,37 @@ $ac_includes_default #include <$ac_header> _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>conftest.er1 +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_header_compiler=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_header_compiler=no + ac_header_compiler=no fi -rm -f conftest.err conftest.$ac_objext conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } # Is the header present? -echo "$as_me:$LINENO: checking $ac_header presence" >&5 -echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF 
@@ -4629,24 +5055,22 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include <$ac_header> _ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - ac_cpp_err=$ac_cpp_err$ac_c_werror_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then ac_header_preproc=yes else echo "$as_me: failed program was:" >&5 @@ -4654,9 +5078,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_header_preproc=no fi + rm -f conftest.err conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in 
@@ -4680,25 +5105,24 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - ( - cat <<\_ASBOX + ( cat <<\_ASBOX ## -------------------------------------- ## ## Report this to Holger Zuleger hznet.de ## ## -------------------------------------- ## _ASBOX - ) | - sed "s/^/$as_me: WARNING: /" >&2 + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac -echo "$as_me:$LINENO: checking for $ac_header" >&5 -echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 -if eval "test \"\${$as_ac_Header+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else eval "$as_ac_Header=\$ac_header_preproc" fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } fi if test `eval echo '${'$as_ac_Header'}'` = yes; then @@ -4711,12 +5135,19 @@ fi done -for ac_func in alarm + + + + + + + +for ac_func in $ac_func_list do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -4742,68 +5173,60 @@ cat >>conftest.$ac_ext <<_ACEOF #undef $ac_func -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" -{ #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char $ac_func (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined __stub_$ac_func || defined __stub___$ac_func choke me -#else -char (*f) () = $ac_func; -#endif -#ifdef __cplusplus -} #endif int main () { -return f != $ac_func; +return $ac_func (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then eval "$as_ac_var=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_var=no" + eval "$as_ac_var=no" fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 @@ -4812,8 +5235,24 @@ _ACEOF fi done -echo "$as_me:$LINENO: checking for working mktime" >&5 -echo $ECHO_N "checking for working mktime... $ECHO_C" >&6 + + + + + + + + + + + + + + + + +{ echo "$as_me:$LINENO: checking for working mktime" >&5 +echo $ECHO_N "checking for working mktime... $ECHO_C" >&6; } if test "${ac_cv_func_working_mktime+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else @@ -4827,26 +5266,24 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Test program from Paul Eggert and Tony Leneis. */ -#if TIME_WITH_SYS_TIME +#ifdef TIME_WITH_SYS_TIME # include <sys/time.h> # include <time.h> #else -# if HAVE_SYS_TIME_H +# ifdef HAVE_SYS_TIME_H # include <sys/time.h> # else # include <time.h> # endif #endif -#if HAVE_STDLIB_H -# include <stdlib.h> -#endif +#include <stdlib.h> -#if HAVE_UNISTD_H +#ifdef HAVE_UNISTD_H # include <unistd.h> #endif -#if !HAVE_ALARM +#ifndef HAVE_ALARM # define alarm(X) /* empty */ #endif 
@@ -4863,9 +5300,9 @@ static char *tz_strings[] = { }; #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0])) -/* Fail if mktime fails to convert a date in the spring-forward gap. +/* Return 0 if mktime fails to convert a date in the spring-forward gap. Based on a problem report from Andreas Jaeger. */ -static void +static int spring_forward_gap () { /* glibc (up to about 1998-10-07) failed this test. */ @@ -4884,29 +5321,27 @@ spring_forward_gap () tm.tm_min = 0; tm.tm_sec = 0; tm.tm_isdst = -1; - if (mktime (&tm) == (time_t)-1) - exit (1); + return mktime (&tm) != (time_t) -1; } -static void +static int mktime_test1 (now) time_t now; { struct tm *lt; - if ((lt = localtime (&now)) && mktime (lt) != now) - exit (1); + return ! (lt = localtime (&now)) || mktime (lt) == now; } -static void +static int mktime_test (now) time_t now; { - mktime_test1 (now); - mktime_test1 ((time_t) (time_t_max - now)); - mktime_test1 ((time_t) (time_t_min + now)); + return (mktime_test1 (now) + && mktime_test1 ((time_t) (time_t_max - now)) + && mktime_test1 ((time_t) (time_t_min + now))); } -static void +static int irix_6_4_bug () { /* Based on code from Ariel Faigon. */ @@ -4919,11 +5354,10 @@ irix_6_4_bug () tm.tm_sec = 0; tm.tm_isdst = -1; mktime (&tm); - if (tm.tm_mon != 2 || tm.tm_mday != 31) - exit (1); + return tm.tm_mon == 2 && tm.tm_mday == 31; } -static void +static int bigtime_test (j) int j; { 
@@ -4945,8 +5379,39 @@ bigtime_test (j) && lt->tm_wday == tm.tm_wday && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst) == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst)))) - exit (1); + return 0; } + return 1; +} + +static int +year_2050_test () +{ + /* The correct answer for 2050-02-01 00:00:00 in Pacific time, + ignoring leap seconds. */ + unsigned long int answer = 2527315200UL; + + struct tm tm; + time_t t; + tm.tm_year = 2050 - 1900; + tm.tm_mon = 2 - 1; + tm.tm_mday = 1; + tm.tm_hour = tm.tm_min = tm.tm_sec = 0; + tm.tm_isdst = -1; + + /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0" + instead of "TZ=America/Vancouver" in order to detect the bug even + on systems that don't support the Olson extension, or don't have the + full zoneinfo tables installed. */ + putenv ("TZ=PST8PDT,M4.1.0,M10.5.0"); + + t = mktime (&tm); + + /* Check that the result is either a failure, or close enough + to the correct answer that we can assume the discrepancy is + due to leap seconds. */ + return (t == (time_t) -1 + || (0 < t && answer - 120 <= t && t <= answer + 120)); } int 
@@ -4973,28 +5438,39 @@ main () putenv (tz_strings[i]); for (t = 0; t <= time_t_max - delta; t += delta) - mktime_test (t); - mktime_test ((time_t) 1); - mktime_test ((time_t) (60 * 60)); - mktime_test ((time_t) (60 * 60 * 24)); + if (! mktime_test (t)) + return 1; + if (! (mktime_test ((time_t) 1) + && mktime_test ((time_t) (60 * 60)) + && mktime_test ((time_t) (60 * 60 * 24)))) + return 1; for (j = 1; 0 < j; j *= 2) - bigtime_test (j); - bigtime_test (j - 1); + if (! bigtime_test (j)) + return 1; + if (! bigtime_test (j - 1)) + return 1; } - irix_6_4_bug (); - spring_forward_gap (); - exit (0); + return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ()); } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then 
@@ -5007,24 +5483,24 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_func_working_mktime=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi -echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5 -echo "${ECHO_T}$ac_cv_func_working_mktime" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5 +echo "${ECHO_T}$ac_cv_func_working_mktime" >&6; } if test $ac_cv_func_working_mktime = no; then - case $LIBOBJS in - "mktime.$ac_objext" | \ - *" mktime.$ac_objext" | \ - "mktime.$ac_objext "* | \ + case " $LIBOBJS " in *" mktime.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS mktime.$ac_objext" ;; + *) LIBOBJS="$LIBOBJS mktime.$ac_objext" + ;; esac fi -echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5 -echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5 +echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6; } if test "${ac_cv_func_lstat_dereferences_slashed_symlink+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -5048,19 +5524,28 @@ struct stat sbuf; /* Linux will dereference the symlink and fail. That is better in the sense that it means we will not have to compile and use the lstat wrapper. */ - exit (lstat ("conftest.sym/", &sbuf) ? 0 : 1); + return lstat ("conftest.sym/", &sbuf) == 0; ; return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -5073,8 +5558,10 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_func_lstat_dereferences_slashed_symlink=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + else # If the `ln -s' command failed, then we probably don't even # have an lstat function. @@ -5083,8 +5570,8 @@ fi rm -f conftest.sym conftest.file fi -echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5 -echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5 +echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; } test $ac_cv_func_lstat_dereferences_slashed_symlink = yes && 
@@ -5094,18 +5581,16 @@ _ACEOF if test $ac_cv_func_lstat_dereferences_slashed_symlink = no; then - case $LIBOBJS in - "lstat.$ac_objext" | \ - *" lstat.$ac_objext" | \ - "lstat.$ac_objext "* | \ + case " $LIBOBJS " in *" lstat.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;; + *) LIBOBJS="$LIBOBJS lstat.$ac_objext" + ;; esac fi -echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5 -echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5 +echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6; } if test "${ac_cv_func_stat_empty_string_bug+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -5123,43 +5608,52 @@ int main () { struct stat sbuf; - exit (stat ("", &sbuf) ? 1 : 0); + return stat ("", &sbuf) == 0; ; return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - ac_cv_func_stat_empty_string_bug=yes + ac_cv_func_stat_empty_string_bug=no else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) -ac_cv_func_stat_empty_string_bug=no +ac_cv_func_stat_empty_string_bug=yes fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + + fi -echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5 -echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5 +echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6; } if test $ac_cv_func_stat_empty_string_bug = yes; then - case $LIBOBJS in - "stat.$ac_objext" | \ - *" stat.$ac_objext" | \ - "stat.$ac_objext "* | \ + case " $LIBOBJS " in *" stat.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;; + *) LIBOBJS="$LIBOBJS stat.$ac_objext" + ;; esac 
@@ -5173,9 +5667,9 @@ fi for ac_func in strftime do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -5201,68 +5695,60 @@ cat >>conftest.$ac_ext <<_ACEOF #undef $ac_func -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" -{ #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char $ac_func (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined __stub_$ac_func || defined __stub___$ac_func choke me -#else -char (*f) () = $ac_func; -#endif -#ifdef __cplusplus -} #endif int main () { -return f != $ac_func; +return $ac_func (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then eval "$as_ac_var=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_var=no" + eval "$as_ac_var=no" fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 @@ -5270,8 +5756,8 @@ _ACEOF else # strftime is in -lintl on SCO UNIX. -echo "$as_me:$LINENO: checking for strftime in -lintl" >&5 -echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for strftime in -lintl" >&5 +echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6; } if test "${ac_cv_lib_intl_strftime+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -5284,56 +5770,53 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char strftime (); int main () { -strftime (); +return strftime (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then ac_cv_lib_intl_strftime=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_lib_intl_strftime=no + ac_cv_lib_intl_strftime=no fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5 -echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5 +echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6; } if test $ac_cv_lib_intl_strftime = yes; then cat >>confdefs.h <<\_ACEOF #define HAVE_STRFTIME 1 @@ -5345,8 +5828,16 @@ fi fi done -echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5 -echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6 + + + + + + + + +{ echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5 +echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6; } if test "${ac_cv_func_utime_null+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -5362,27 +5853,39 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default + #ifdef HAVE_UTIME_H + # include <utime.h> + #endif int main () { struct stat s, t; - exit (!(stat ("conftest.data", &s) == 0 - && utime ("conftest.data", (long *)0) == 0 - && stat ("conftest.data", &t) == 0 - && t.st_mtime >= s.st_mtime - && t.st_mtime - s.st_mtime < 120)); + return ! (stat ("conftest.data", &s) == 0 + && utime ("conftest.data", 0) == 0 + && stat ("conftest.data", &t) == 0 + && t.st_mtime >= s.st_mtime + && t.st_mtime - s.st_mtime < 120); ; return 0; } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then @@ -5395,12 +5898,13 @@ sed 's/^/| /' conftest.$ac_ext >&5 ( exit $ac_status ) ac_cv_func_utime_null=no fi -rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -rm -f core *.core + + fi -echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5 -echo "${ECHO_T}$ac_cv_func_utime_null" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5 +echo "${ECHO_T}$ac_cv_func_utime_null" >&6; } if test $ac_cv_func_utime_null = yes; then cat >>confdefs.h <<\_ACEOF 
@@ -5414,9 +5918,9 @@ rm -f conftest.data for ac_func in vprintf do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -5442,75 +5946,67 @@ cat >>conftest.$ac_ext <<_ACEOF #undef $ac_func -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" -{ #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char $ac_func (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined __stub_$ac_func || defined __stub___$ac_func choke me -#else -char (*f) () = $ac_func; -#endif -#ifdef __cplusplus -} #endif int main () { -return f != $ac_func; +return $ac_func (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then eval "$as_ac_var=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_var=no" + eval "$as_ac_var=no" fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF -echo "$as_me:$LINENO: checking for _doprnt" >&5 -echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6 +{ echo "$as_me:$LINENO: checking for _doprnt" >&5 +echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6; } if test "${ac_cv_func__doprnt+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else 
@@ -5537,68 +6033,59 @@ cat >>conftest.$ac_ext <<_ACEOF #undef _doprnt -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" -{ #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char _doprnt (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub__doprnt) || defined (__stub____doprnt) +#if defined __stub__doprnt || defined __stub____doprnt choke me -#else -char (*f) () = _doprnt; -#endif -#ifdef __cplusplus -} #endif int main () { -return f != _doprnt; +return _doprnt (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then ac_cv_func__doprnt=yes else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -ac_cv_func__doprnt=no + ac_cv_func__doprnt=no fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5 -echo "${ECHO_T}$ac_cv_func__doprnt" >&6 +{ echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5 +echo "${ECHO_T}$ac_cv_func__doprnt" >&6; } if test $ac_cv_func__doprnt = yes; then cat >>confdefs.h <<\_ACEOF @@ -5612,6 +6099,7 @@ done # 2008-07-04 getopt_long added +# 2009-07-30 timegm added @@ -5625,12 +6113,14 @@ done -for ac_func in getopt_long gettimeofday memset setenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime + + +for ac_func in getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF 
@@ -5656,68 +6146,60 @@ cat >>conftest.$ac_ext <<_ACEOF #undef $ac_func -/* Override any gcc2 internal prototype to avoid an error. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" -{ #endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ char $ac_func (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +#if defined __stub_$ac_func || defined __stub___$ac_func choke me -#else -char (*f) () = $ac_func; -#endif -#ifdef __cplusplus -} #endif int main () { -return f != $ac_func; +return $ac_func (); ; return 0; } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>conftest.er1 +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -z "$ac_c_werror_flag" - || test ! -s conftest.err' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then eval "$as_ac_var=yes" else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -eval "$as_ac_var=no" + eval "$as_ac_var=no" fi -rm -f conftest.err conftest.$ac_objext \ + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 @@ -5728,7 +6210,7 @@ done - ac_config_files="$ac_config_files Makefile" +ac_config_files="$ac_config_files Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -5748,39 +6230,58 @@ _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. -# So, don't put newlines in cache variables' values. +# So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. -{ +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 +echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done + (set) 2>&1 | - case `(ac_space=' '; set | grep ac_space) 2>&1` in - *ac_space=\ *) + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes (double-quote # substitution turns \\\\ into \\, and sed turns \\ into \). sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" - ;; + ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. 
- sed -n \ - "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p" + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; - esac; -} | + esac | + sort +) | sed ' + /^ac_cv_env_/b end t clear - : clear + :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end - /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ - : end' >>confcache -if diff $cache_file confcache >/dev/null 2>&1; then :; else - if test -w $cache_file; then - test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file" + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + test "x$cache_file" != "x/dev/null" && + { echo "$as_me:$LINENO: updating cache $cache_file" >&5 +echo "$as_me: updating cache $cache_file" >&6;} cat confcache >$cache_file else - echo "not updating unwritable cache $cache_file" + { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 +echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache 
@@ -5789,32 +6290,18 @@ test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' -# VPATH may cause trouble with some makes, so we remove $(srcdir), -# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and -# trailing colons and then remove the whole line if VPATH becomes empty -# (actually we leave an empty line to preserve line numbers). -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=/{ -s/:*\$(srcdir):*/:/; -s/:*\${srcdir}:*/:/; -s/:*@srcdir@:*/:/; -s/^\([^=]*=[ ]*\):*/\1/; -s/:*$//; -s/^[^=]*=[ ]*$//; -}' -fi - DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. - ac_i=`echo "$ac_i" | - sed 's/\$U\././;s/\.o$//;s/\.obj$//'` - # 2. Add them. - ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext" - ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo' + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" + ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs 
@@ -5845,17 +6332,45 @@ cat >>$CONFIG_STATUS <<\_ACEOF ## M4sh Initialization. ## ## --------------------- ## -# Be Bourne compatible +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' -elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then - set -o posix + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh fi -DUALCASE=1; export DUALCASE # for MKS sh # Support unset when possible. if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then 
@@ -5865,8 +6380,43 @@ else fi +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +as_nl=' +' +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } +fi + # Work around bugs in pre-3.0 UWIN ksh. -$as_unset ENV MAIL MAILPATH +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done PS1='$ ' PS2='> ' PS4='+ ' @@ -5880,18 +6430,19 @@ do if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then eval $as_var=C; export $as_var else - $as_unset $as_var + ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var fi done # Required to use basename. -if expr a : '\(a\)' >/dev/null 2>&1; then +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi -if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false 
@@ -5899,159 +6450,120 @@ fi # Name of the executable. -as_me=`$as_basename "$0" || +as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)$' \| \ - . : '\(.\)' 2>/dev/null || + X"$0" : 'X\(/\)' \| . 2>/dev/null || echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; } - /^X\/\(\/\/\)$/{ s//\1/; q; } - /^X\/\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` +# CDPATH. +$as_unset CDPATH -# PATH needs CR, and LINENO needs CR and PATH. -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - echo "#! /bin/sh" >conf$$.sh - echo "exit 0" >>conf$$.sh - chmod +x conf$$.sh - if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then - PATH_SEPARATOR=';' - else - PATH_SEPARATOR=: - fi - rm -f conf$$.sh -fi as_lineno_1=$LINENO as_lineno_2=$LINENO - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" || { - # Find who we are. Look in the path if we contain no path at all - # relative or not. - case $0 in - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done - - ;; - esac - # We did not find ourselves, most probably we were run as `sh COMMAND' - # in which case we are not to be found in the path. - if test "x$as_myself" = x; then - as_myself=$0 - fi - if test ! 
-f "$as_myself"; then - { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5 -echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;} - { (exit 1); exit 1; }; } - fi - case $CONFIG_SHELL in - '') - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for as_base in sh bash ksh sh5; do - case $as_dir in - /*) - if ("$as_dir/$as_base" -c ' - as_lineno_1=$LINENO - as_lineno_2=$LINENO - as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null` - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then - $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; } - $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; } - CONFIG_SHELL=$as_dir/$as_base - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$0" ${1+"$@"} - fi;; - esac - done -done -;; - esac + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { # Create $as_me.lineno as a copy of $as_myself, but with $LINENO # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line before each line; the second 'sed' does the real - # work. The second script uses 'N' to pair each line-number line - # with the numbered line, and appends trailing '-' during - # substitution so that $LINENO is not a special case at line end. + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-) - sed '=' <$as_myself | + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. 
McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno N - s,$,-, - : loop - s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3, + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop - s,-$,, - s,^['$as_cr_digits']*\n,, + s/-\n.*// ' >$as_me.lineno && - chmod +x $as_me.lineno || - { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5 -echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;} + chmod +x "$as_me.lineno" || + { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 { (exit 1); exit 1; }; } # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensible to this). - . ./$as_me.lineno + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" # Exit status is that of the last command. exit } -case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in - *c*,-n*) ECHO_N= ECHO_C=' -' ECHO_T=' ' ;; - *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;; - *) ECHO_N= ECHO_C='\c' ECHO_T= ;; +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. 
+ *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; esac -if expr a : '\(a\)' >/dev/null 2>&1; then +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir +fi echo >conf$$.file if ln -s conf$$.file conf$$ 2>/dev/null; then - # We could just check for DJGPP; but this test a) works b) is more generic - # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04). - if test -f conf$$.exe; then - # Don't use ln at all; we don't have any links + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -p' - else - as_ln_s='ln -s' - fi elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -p' fi -rm -f conf$$ conf$$.exe conf$$.file +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p=: @@ -6060,7 +6572,28 @@ else as_mkdir_p=false fi -as_executable_p="test -f" +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" 
@@ -6069,31 +6602,14 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" -# IFS -# We need space, tab and new line, in precisely that order. -as_nl=' -' -IFS=" $as_nl" - -# CDPATH. -$as_unset CDPATH - exec 6>&1 -# Open the log real soon, to keep \$[0] and so on meaningful, and to +# Save the log message, to keep $[0] and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. Logging --version etc. is OK. -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX -} >&5 -cat >&5 <<_CSEOF - -This file was extended by ZKT $as_me 0.98, which was -generated by GNU Autoconf 2.59. Invocation command line was +# values after options handling. +ac_log=" +This file was extended by ZKT $as_me 0.99c, which was +generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS 
@@ -6101,30 +6617,19 @@ generated by GNU Autoconf 2.59. Invocation command line was CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ -_CSEOF -echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5 -echo >&5 +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + _ACEOF +cat >>$CONFIG_STATUS <<_ACEOF # Files that config.status was made for. -if test -n "$ac_config_files"; then - echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS -fi - -if test -n "$ac_config_headers"; then - echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS -fi - -if test -n "$ac_config_links"; then - echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS -fi +config_files="$ac_config_files" +config_headers="$ac_config_headers" -if test -n "$ac_config_commands"; then - echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS -fi +_ACEOF cat >>$CONFIG_STATUS <<\_ACEOF - ac_cs_usage="\ \`$as_me' instantiates files from templates according to the current configuration. @@ -6132,7 +6637,7 @@ current configuration. Usage: $0 [OPTIONS] [FILE]... -h, --help print this help, then exit - -V, --version print version number, then exit + -V, --version print version number and configuration settings, then exit -q, --quiet do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions 
@@ -6148,18 +6653,20 @@ Configuration headers: $config_headers Report bugs to <bug-autoconf@gnu.org>." -_ACEOF +_ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -ZKT config.status 0.98 -configured by $0, generated by GNU Autoconf 2.59, - with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" +ZKT config.status 0.99c +configured by $0, generated by GNU Autoconf 2.61, + with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -Copyright (C) 2003 Free Software Foundation, Inc. +Copyright (C) 2006 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." -srcdir=$srcdir + +ac_pwd='$ac_pwd' +srcdir='$srcdir' _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF 
@@ -6170,39 +6677,24 @@ while test $# != 0 do case $1 in --*=*) - ac_option=`expr "x$1" : 'x\([^=]*\)='` - ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'` + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; - -*) + *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; - *) # This is not an option, so the user has probably given explicit - # arguments. - ac_option=$1 - ac_need_defaults=false;; esac case $ac_option in # Handling of the options. -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; - --version | --vers* | -V ) - echo "$ac_cs_version"; exit 0 ;; - --he | --h) - # Conflict between --help and --header - { { echo "$as_me:$LINENO: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&5 -echo "$as_me: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&2;} - { (exit 1); exit 1; }; };; - --help | --hel | -h ) - echo "$ac_cs_usage"; exit 0 ;; - --debug | --d* | -d ) + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + echo "$ac_cs_version"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift 
@@ -6212,18 +6704,24 @@ Try \`$0 --help' for more information." >&2;} $ac_shift CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg" ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + { echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; };; + --help | --hel | -h ) + echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. - -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&5 -echo "$as_me: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&2;} + -*) { echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." >&2 { (exit 1); exit 1; }; } ;; - *) ac_config_targets="$ac_config_targets $1" ;; + *) ac_config_targets="$ac_config_targets $1" + ac_need_defaults=false ;; esac shift 
@@ -6239,29 +6737,43 @@ fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF if \$ac_cs_recheck; then - echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6 - exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6 + CONFIG_SHELL=$SHELL + export CONFIG_SHELL + exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion fi _ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + echo "$ac_log" +} >&5 - - - +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF +_ACEOF cat >>$CONFIG_STATUS <<\_ACEOF + +# Handling of arguments. for ac_config_target in $ac_config_targets do - case "$ac_config_target" in - # Handling of arguments. - "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 echo "$as_me: error: invalid argument: $ac_config_target" >&2;} { (exit 1); exit 1; }; };; esac done + # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely 
@@ -6272,292 +6784,360 @@ if $ac_need_defaults; then fi # Have a temporary directory for convenience. Make it in the build tree -# simply because there is no reason to put it here, and in addition, +# simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. -# Create a temporary directory, and hook for its removal unless debugging. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. $debug || { - trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 + tmp= + trap 'exit_status=$? + { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status +' 0 trap '{ (exit 1); exit 1; }' 1 2 13 15 } - # Create a (secure) tmp directory for tmp files. { - tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` && + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" } || { - tmp=./confstat$$-$RANDOM - (umask 077 && mkdir $tmp) + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") } || { echo "$me: cannot create a temporary directory in ." >&2 { (exit 1); exit 1; } } -_ACEOF - -cat >>$CONFIG_STATUS <<_ACEOF - # -# CONFIG_FILES section. +# Set up the sed scripts for CONFIG_FILES section. # # No need to generate the scripts if there are no CONFIG_FILES. # This happens for instance when ./config.status config.h -if test -n "\$CONFIG_FILES"; then - # Protect against being on the right side of a sed subst in config.status. 
- sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g; - s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF -s,@SHELL@,$SHELL,;t t -s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t -s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t -s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t -s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t -s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t -s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t -s,@exec_prefix@,$exec_prefix,;t t -s,@prefix@,$prefix,;t t -s,@program_transform_name@,$program_transform_name,;t t -s,@bindir@,$bindir,;t t -s,@sbindir@,$sbindir,;t t -s,@libexecdir@,$libexecdir,;t t -s,@datadir@,$datadir,;t t -s,@sysconfdir@,$sysconfdir,;t t -s,@sharedstatedir@,$sharedstatedir,;t t -s,@localstatedir@,$localstatedir,;t t -s,@libdir@,$libdir,;t t -s,@includedir@,$includedir,;t t -s,@oldincludedir@,$oldincludedir,;t t -s,@infodir@,$infodir,;t t -s,@mandir@,$mandir,;t t -s,@build_alias@,$build_alias,;t t -s,@host_alias@,$host_alias,;t t -s,@target_alias@,$target_alias,;t t -s,@DEFS@,$DEFS,;t t -s,@ECHO_C@,$ECHO_C,;t t -s,@ECHO_N@,$ECHO_N,;t t -s,@ECHO_T@,$ECHO_T,;t t -s,@LIBS@,$LIBS,;t t -s,@CC@,$CC,;t t -s,@CFLAGS@,$CFLAGS,;t t -s,@LDFLAGS@,$LDFLAGS,;t t -s,@CPPFLAGS@,$CPPFLAGS,;t t -s,@ac_ct_CC@,$ac_ct_CC,;t t -s,@EXEEXT@,$EXEEXT,;t t -s,@OBJEXT@,$OBJEXT,;t t -s,@SIGNZONE_PROG@,$SIGNZONE_PROG,;t t -s,@CPP@,$CPP,;t t -s,@EGREP@,$EGREP,;t t -s,@LIBOBJS@,$LIBOBJS,;t t -s,@LTLIBOBJS@,$LTLIBOBJS,;t t -CEOF - -_ACEOF - - cat >>$CONFIG_STATUS <<\_ACEOF - # Split the substitutions into bite-sized pieces for seds with - # small command number limits, like on Digital OSF/1 and HP-UX. - ac_max_sed_lines=48 - ac_sed_frag=1 # Number of current file. - ac_beg=1 # First line for current file. - ac_end=$ac_max_sed_lines # Line after last line for current file. 
- ac_more_lines=: - ac_sed_cmds= - while $ac_more_lines; do - if test $ac_beg -gt 1; then - sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - else - sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag - fi - if test ! -s $tmp/subs.frag; then - ac_more_lines=false - else - # The purpose of the label and of the branching condition is to - # speed up the sed processing (if there are no `@' at all, there - # is no need to browse any of the substitutions). - # These are the two extra sed commands mentioned above. - (echo ':t - /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed - if test -z "$ac_sed_cmds"; then - ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed" - else - ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed" - fi - ac_sed_frag=`expr $ac_sed_frag + 1` - ac_beg=$ac_end - ac_end=`expr $ac_end + $ac_max_sed_lines` - fi - done - if test -z "$ac_sed_cmds"; then - ac_sed_cmds=cat +if test -n "$CONFIG_FILES"; then + +_ACEOF + + + +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + cat >conf$$subs.sed <<_ACEOF +SHELL!$SHELL$ac_delim +PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim +PACKAGE_NAME!$PACKAGE_NAME$ac_delim +PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim +PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim +PACKAGE_STRING!$PACKAGE_STRING$ac_delim +PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim +exec_prefix!$exec_prefix$ac_delim +prefix!$prefix$ac_delim +program_transform_name!$program_transform_name$ac_delim +bindir!$bindir$ac_delim +sbindir!$sbindir$ac_delim +libexecdir!$libexecdir$ac_delim +datarootdir!$datarootdir$ac_delim +datadir!$datadir$ac_delim +sysconfdir!$sysconfdir$ac_delim +sharedstatedir!$sharedstatedir$ac_delim +localstatedir!$localstatedir$ac_delim +includedir!$includedir$ac_delim +oldincludedir!$oldincludedir$ac_delim +docdir!$docdir$ac_delim +infodir!$infodir$ac_delim +htmldir!$htmldir$ac_delim +dvidir!$dvidir$ac_delim +pdfdir!$pdfdir$ac_delim +psdir!$psdir$ac_delim +libdir!$libdir$ac_delim 
+localedir!$localedir$ac_delim +mandir!$mandir$ac_delim +DEFS!$DEFS$ac_delim +ECHO_C!$ECHO_C$ac_delim +ECHO_N!$ECHO_N$ac_delim +ECHO_T!$ECHO_T$ac_delim +LIBS!$LIBS$ac_delim +build_alias!$build_alias$ac_delim +host_alias!$host_alias$ac_delim +target_alias!$target_alias$ac_delim +CC!$CC$ac_delim +CFLAGS!$CFLAGS$ac_delim +LDFLAGS!$LDFLAGS$ac_delim +CPPFLAGS!$CPPFLAGS$ac_delim +ac_ct_CC!$ac_ct_CC$ac_delim +EXEEXT!$EXEEXT$ac_delim +OBJEXT!$OBJEXT$ac_delim +SIGNZONE_PROG!$SIGNZONE_PROG$ac_delim +CPP!$CPP$ac_delim +GREP!$GREP$ac_delim +EGREP!$EGREP$ac_delim +LIBOBJS!$LIBOBJS$ac_delim +LTLIBOBJS!$LTLIBOBJS$ac_delim +_ACEOF + + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 50; then + break + elif $ac_last_try; then + { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi -fi # test -n "$CONFIG_FILES" +done + +ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed` +if test -n "$ac_eof"; then + ac_eof=`echo "$ac_eof" | sort -nru | sed 1q` + ac_eof=`expr $ac_eof + 1` +fi +cat >>$CONFIG_STATUS <<_ACEOF +cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end +_ACEOF +sed ' +s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g +s/^/s,@/; s/!/@,|#_!!_#|/ +:n +t n +s/'"$ac_delim"'$/,g/; t +s/$/\\/; p +N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n +' >>$CONFIG_STATUS <conf$$subs.sed +rm -f conf$$subs.sed +cat >>$CONFIG_STATUS <<_ACEOF +:end +s/|#_!!_#|//g +CEOF$ac_eof _ACEOF + + +# VPATH may cause trouble with some makes, so we remove $(srcdir), +# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). 
+if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/ +s/:*\${srcdir}:*/:/ +s/:*@srcdir@:*/:/ +s/^\([^=]*=[ ]*\):*/\1/ +s/:*$// +s/^[^=]*=[ ]*$// +}' +fi + cat >>$CONFIG_STATUS <<\_ACEOF -for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". - case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; +fi # test -n "$CONFIG_FILES" + + +for ac_tag in :F $CONFIG_FILES :H $CONFIG_HEADERS +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 +echo "$as_me: error: Invalid tag $ac_tag." >&2;} + { (exit 1); exit 1; }; };; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift - # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories. - ac_dir=`(dirname "$ac_file") 2>/dev/null || + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. 
+ test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 +echo "$as_me: error: cannot find input file: $ac_f" >&2;} + { (exit 1); exit 1; }; };; + esac + ac_file_inputs="$ac_file_inputs $ac_f" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input="Generated from "`IFS=: + echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure." + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { echo "$as_me:$LINENO: creating $ac_file" >&5 +echo "$as_me: creating $ac_file" >&6;} + fi + + case $ac_tag in + *:-:* | *:-) cat >"$tmp/stdin";; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { if $as_mkdir_p; then - mkdir -p "$ac_dir" - else - as_dir="$ac_dir" + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir="$ac_dir" + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { as_dirs= - while test ! 
-d "$as_dir"; do - as_dirs="$as_dir $as_dirs" - as_dir=`(dirname "$as_dir") 2>/dev/null || + while :; do + case $as_dir in #( + *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break done - test ! -n "$as_dirs" || mkdir $as_dirs - fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;} + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +echo "$as_me: error: cannot create directory $as_dir" >&2;} { (exit 1); exit 1; }; }; } - ac_builddir=. -if test "$ac_dir" != .; then +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'` - # A "../" for each directory in $ac_dir_suffix. - ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'` -else - ac_dir_suffix= ac_top_builddir= -fi + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. 
ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix case $srcdir in - .) # No --srcdir option. We are building in place. + .) # We are building in place. ac_srcdir=. - if test -z "$ac_top_builddir"; then - ac_top_srcdir=. - else - ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'` - fi ;; - [\\/]* | ?:[\\/]* ) # Absolute path. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir ;; - *) # Relative path. - ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_builddir$srcdir ;; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix -# Do not use `cd foo && pwd` to compute absolute paths, because -# the directories may not exist. -case `pwd` in -.) ac_abs_builddir="$ac_dir";; -*) - case "$ac_dir" in - .) ac_abs_builddir=`pwd`;; - [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";; - *) ac_abs_builddir=`pwd`/"$ac_dir";; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_top_builddir=${ac_top_builddir}.;; -*) - case ${ac_top_builddir}. in - .) ac_abs_top_builddir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;; - *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_srcdir=$ac_srcdir;; -*) - case $ac_srcdir in - .) ac_abs_srcdir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;; - *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;; - esac;; -esac -case $ac_abs_builddir in -.) ac_abs_top_srcdir=$ac_top_srcdir;; -*) - case $ac_top_srcdir in - .) 
ac_abs_top_srcdir=$ac_abs_builddir;; - [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;; - *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;; - esac;; -esac + case $ac_mode in + :F) + # + # CONFIG_FILE + # +_ACEOF - if test x"$ac_file" != x-; then - { echo "$as_me:$LINENO: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - rm -f "$ac_file" - fi - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - configure_input= - else - configure_input="$ac_file. " - fi - configure_input=$configure_input"Generated from `echo $ac_file_in | - sed 's,.*/,,'` by configure." - - # First look for the input files in the build tree, otherwise in the - # src tree. - ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - echo "$f";; - *) # Relative - if test -f "$f"; then - # Build tree - echo "$f" - elif test -f "$srcdir/$f"; then - # Source tree - echo "$srcdir/$f" - else - # /dev/null tree - { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } +cat >>$CONFIG_STATUS <<\_ACEOF +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. 
+ac_datarootdir_hack=; ac_datarootdir_seen= + +case `sed -n '/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p +' $ac_file_inputs` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac _ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF sed "$ac_vpsub $extrasub 
@@ -6565,251 +7145,136 @@ _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s,@configure_input@,$configure_input,;t t -s,@srcdir@,$ac_srcdir,;t t -s,@abs_srcdir@,$ac_abs_srcdir,;t t -s,@top_srcdir@,$ac_top_srcdir,;t t -s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t -s,@builddir@,$ac_builddir,;t t -s,@abs_builddir@,$ac_abs_builddir,;t t -s,@top_builddir@,$ac_top_builddir,;t t -s,@abs_top_builddir@,$ac_abs_top_builddir,;t t -" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out - rm -f $tmp/stdin - if test x"$ac_file" != x-; then - mv $tmp/out $ac_file - else - cat $tmp/out - rm -f $tmp/out - fi - -done -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF - -# -# CONFIG_HEADER section. -# - -# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where -# NAME is the cpp macro being defined and VALUE is the value it is being given. -# -# ac_d sets the value in "#define NAME VALUE" lines. -ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)' -ac_dB='[ ].*$,\1#\2' -ac_dC=' ' -ac_dD=',;t' -# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE". -ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' -ac_uB='$,\1#\2define\3' -ac_uC=' ' -ac_uD=',;t' - -for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". 
+s&@configure_input@&$configure_input&;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +$ac_datarootdir_hack +" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && + { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&5 +echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&2;} + + rm -f "$tmp/stdin" case $ac_file in - - | *:- | *:-:* ) # input from stdin - cat >$tmp/stdin - ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'` - ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;; - * ) ac_file_in=$ac_file.in ;; + -) cat "$tmp/out"; rm -f "$tmp/out";; + *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;; esac - - test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5 -echo "$as_me: creating $ac_file" >&6;} - - # First look for the input files in the build tree, otherwise in the - # src tree. - ac_file_inputs=`IFS=: - for f in $ac_file_in; do - case $f in - -) echo $tmp/stdin ;; - [\\/$]*) - # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - # Do quote $f, to prevent DOS paths from being IFS'd. 
- echo "$f";; - *) # Relative - if test -f "$f"; then - # Build tree - echo "$f" - elif test -f "$srcdir/$f"; then - # Source tree - echo "$srcdir/$f" - else - # /dev/null tree - { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5 -echo "$as_me: error: cannot find input file: $f" >&2;} - { (exit 1); exit 1; }; } - fi;; - esac - done` || { (exit 1); exit 1; } - # Remove the trailing spaces. - sed 's/[ ]*$//' $ac_file_inputs >$tmp/in - -_ACEOF - -# Transform confdefs.h into two sed scripts, `conftest.defines' and -# `conftest.undefs', that substitutes the proper values into -# config.h.in to produce config.h. The first handles `#define' -# templates, and the second `#undef' templates. -# And first: Protect against being on the right side of a sed subst in -# config.status. Protect against being in an unquoted here document -# in config.status. -rm -f conftest.defines conftest.undefs -# Using a here document instead of a string reduces the quoting nightmare. -# Putting comments in sed scripts is not portable. -# -# `end' is used to avoid that the second main sed command (meant for -# 0-ary CPP macros) applies to n-ary macro definitions. -# See the Autoconf documentation for `clear'. -cat >confdef2sed.sed <<\_ACEOF -s/[\\&,]/\\&/g -s,[\\$`],\\&,g -t clear -: clear -s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*\)\(([^)]*)\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp -t end -s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp -: end -_ACEOF -# If some macros were called several times there might be several times -# the same #defines, which is useless. Nevertheless, we may not want to -# sort them, since we want the *last* AC-DEFINE to be honored. -uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines -sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs -rm -f confdef2sed.sed - -# This sed command replaces #undef with comments. 
This is necessary, for + ;; + :H) + # + # CONFIG_HEADER + # +_ACEOF + +# Transform confdefs.h into a sed script `conftest.defines', that +# substitutes the proper values into config.h.in to produce config.h. +rm -f conftest.defines conftest.tail +# First, append a space to every undef/define line, to ease matching. +echo 's/$/ /' >conftest.defines +# Then, protect against being on the right side of a sed subst, or in +# an unquoted here document, in config.status. If some macros were +# called several times there might be several #defines for the same +# symbol, which is useless. But do not sort them, since the last +# AC_DEFINE must be honored. +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where +# NAME is the cpp macro being defined, VALUE is the value it is being given. +# PARAMS is the parameter list in the macro definition--in most cases, it's +# just an empty string. +ac_dA='s,^\\([ #]*\\)[^ ]*\\([ ]*' +ac_dB='\\)[ (].*,\\1define\\2' +ac_dC=' ' +ac_dD=' ,' + +uniq confdefs.h | + sed -n ' + t rset + :rset + s/^[ ]*#[ ]*define[ ][ ]*// + t ok + d + :ok + s/[\\&,]/\\&/g + s/^\('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p + s/^\('"$ac_word_re"'\)[ ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p + ' >>conftest.defines + +# Remove the space that was appended to ease matching. +# Then replace #undef with comments. This is necessary, for # example, in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. -cat >>conftest.undefs <<\_ACEOF -s,^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */, -_ACEOF - -# Break up conftest.defines because some shells have a limit on the size -# of here documents, and old seds have small limits too (100 cmds). -echo ' # Handle all the #define templates only if necessary.' 
>>$CONFIG_STATUS -echo ' if grep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS -echo ' # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS -echo ' :' >>$CONFIG_STATUS -rm -f conftest.tail -while grep . conftest.defines >/dev/null +# (The regexp can be short, since the line contains either #define or #undef.) +echo 's/ $// +s,^[ #]*u.*,/* & */,' >>conftest.defines + +# Break up conftest.defines: +ac_max_sed_lines=50 + +# First sed command is: sed -f defines.sed $ac_file_inputs >"$tmp/out1" +# Second one is: sed -f defines.sed "$tmp/out1" >"$tmp/out2" +# Third one will be: sed -f defines.sed "$tmp/out2" >"$tmp/out1" +# et cetera. +ac_in='$ac_file_inputs' +ac_out='"$tmp/out1"' +ac_nxt='"$tmp/out2"' + +while : do - # Write a limited-size here document to $tmp/defines.sed. - echo ' cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS - # Speed up: don't consider the non `#define' lines. - echo '/^[ ]*#[ ]*define/!b' >>$CONFIG_STATUS - # Work around the forget-to-reset-the-flag bug. - echo 't clr' >>$CONFIG_STATUS - echo ': clr' >>$CONFIG_STATUS - sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS + # Write a here document: + cat >>$CONFIG_STATUS <<_ACEOF + # First, check the format of the line: + cat >"\$tmp/defines.sed" <<\\CEOF +/^[ ]*#[ ]*undef[ ][ ]*$ac_word_re[ ]*\$/b def +/^[ ]*#[ ]*define[ ][ ]*$ac_word_re[( ]/b def +b +:def +_ACEOF + sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS echo 'CEOF - sed -f $tmp/defines.sed $tmp/in >$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in -' >>$CONFIG_STATUS - sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail + sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS + ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in + sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail + grep . 
conftest.tail >/dev/null || break rm -f conftest.defines mv conftest.tail conftest.defines done -rm -f conftest.defines -echo ' fi # grep' >>$CONFIG_STATUS -echo >>$CONFIG_STATUS - -# Break up conftest.undefs because some shells have a limit on the size -# of here documents, and old seds have small limits too (100 cmds). -echo ' # Handle all the #undef templates' >>$CONFIG_STATUS -rm -f conftest.tail -while grep . conftest.undefs >/dev/null -do - # Write a limited-size here document to $tmp/undefs.sed. - echo ' cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS - # Speed up: don't consider the non `#undef' - echo '/^[ ]*#[ ]*undef/!b' >>$CONFIG_STATUS - # Work around the forget-to-reset-the-flag bug. - echo 't clr' >>$CONFIG_STATUS - echo ': clr' >>$CONFIG_STATUS - sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS - echo 'CEOF - sed -f $tmp/undefs.sed $tmp/in >$tmp/out - rm -f $tmp/in - mv $tmp/out $tmp/in -' >>$CONFIG_STATUS - sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail - rm -f conftest.undefs - mv conftest.tail conftest.undefs -done -rm -f conftest.undefs +rm -f conftest.defines conftest.tail +echo "ac_result=$ac_in" >>$CONFIG_STATUS cat >>$CONFIG_STATUS <<\_ACEOF - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - if test x"$ac_file" = x-; then - echo "/* Generated by configure. */" >$tmp/config.h - else - echo "/* $ac_file. Generated by configure. 
*/" >$tmp/config.h - fi - cat $tmp/in >>$tmp/config.h - rm -f $tmp/in if test x"$ac_file" != x-; then - if diff $ac_file $tmp/config.h >/dev/null 2>&1; then + echo "/* $configure_input */" >"$tmp/config.h" + cat "$ac_result" >>"$tmp/config.h" + if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then { echo "$as_me:$LINENO: $ac_file is unchanged" >&5 echo "$as_me: $ac_file is unchanged" >&6;} else - ac_dir=`(dirname "$ac_file") 2>/dev/null || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - { if $as_mkdir_p; then - mkdir -p "$ac_dir" - else - as_dir="$ac_dir" - as_dirs= - while test ! -d "$as_dir"; do - as_dirs="$as_dir $as_dirs" - as_dir=`(dirname "$as_dir") 2>/dev/null || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| \ - . : '\(.\)' 2>/dev/null || -echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; } - /^X\(\/\/\)[^/].*/{ s//\1/; q; } - /^X\(\/\/\)$/{ s//\1/; q; } - /^X\(\/\).*/{ s//\1/; q; } - s/.*/./; q'` - done - test ! -n "$as_dirs" || mkdir $as_dirs - fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5 -echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;} - { (exit 1); exit 1; }; }; } - rm -f $ac_file - mv $tmp/config.h $ac_file + mv "$tmp/config.h" $ac_file fi else - cat $tmp/config.h - rm -f $tmp/config.h + echo "/* $configure_input */" + cat "$ac_result" fi -done -_ACEOF + rm -f "$tmp/out12" + ;; + + + esac + +done # for ac_tag -cat >>$CONFIG_STATUS <<\_ACEOF { (exit 0); exit 0; } _ACEOF 
diff --git a/contrib/zkt/configure.ac b/contrib/zkt/configure.ac new file mode 100644 index 00000000..0b0f1c00 --- /dev/null +++ b/contrib/zkt/configure.ac 
@@ -0,0 +1,142 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. +# +# @(#) configure.ac +# +# 2008-06-27 initial setup +# 2008-06-29 add of BIND path checking +# 2008-06-30 add of arg checkings +# 2008-07-02 additional arg checkings +# 2008-07-04 check for getopt_long() added +# 2008-08-30 check for unsigned integer types +# 2008-10-01 if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort +# 2009-07-30 check for timegm() added +# + +AC_PREREQ(2.59) + +### Package name and current version +AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de) +dnl AC_REVISION($Revision: 1.1 $) + +### Files to test to check if src dir contains the package +AC_CONFIG_SRCDIR([dnssec-zkt.c]) +AC_CONFIG_HEADER([config.h]) + + +### Checks for programs. +AC_PROG_CC + +### find out the path to BIND utils and version +AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone) +if test -z "$SIGNZONE_PROG" ; then +# AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***]) + AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***]) +else + bind_util_path=`dirname "$SIGNZONE_PROG"` + # define BIND_UTIL_PATH in config.h.in + AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities) + # define BIND_VERSION in config.h.in + bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"` + AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots) +fi + +AC_CHECK_TYPE(uint, unsigned int) +AC_CHECK_TYPE(ulong, unsigned long) +AC_CHECK_TYPE(ushort, unsigned short) +AC_CHECK_TYPE(uchar, unsigned char) + +### define configure arguments +AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval]) +printtimezone=0 +test "$printtimezone" = yes && printtimezone=1 +AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, 
$printtimezone, print out timezone) + +AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval]) +printyear=0 +test "$printyear" = yes && printyear=1 +AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year) + +AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval]) +logprogname=0 +test "$logprogname" = yes && logprogname=1 +AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname) + +AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval]) +logtimestamp=1 +test "$logtimestamp" = no && logtimestamp=0 +AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp) + +AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval]) +loglevel=1 +test "$loglevel" = no && loglevel=0 +AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level) + +AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval]) +ttl_in_keyfile=1 +test "$ttl_in_keyfile" = no && ttl_in_keyfile=0 +AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed) + +configpath="/var/named" +AC_ARG_ENABLE([configpath], + AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]), + [configpath=$enableval]) +case "$configpath" in +yes) + configpath="/var/named" + ;; +no) + configpath="" + ;; +*) + ;; +esac +AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)]) + +usetree=1 +t="T" +AC_ARG_ENABLE([tree], + AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]), + [usetree=$enableval]) +if test "$usetree" = no +then + usetree=0 + t="" +fi +AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data 
structure for dnssec-zkt) + +AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string) + +### Checks for libraries. + + +### Checks for header files. +AC_HEADER_DIRENT +AC_HEADER_STDC +AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h]) + + +### Checks for typedefs, structures, and compiler characteristics. +AC_C_CONST +AC_TYPE_SIZE_T +AC_HEADER_TIME +AC_STRUCT_TM +AC_TYPE_UID_T + + +### Checks for library functions. +AC_FUNC_CLOSEDIR_VOID +AC_FUNC_ERROR_AT_LINE +AC_FUNC_MALLOC +AC_FUNC_MKTIME +AC_FUNC_STAT +AC_FUNC_STRFTIME +AC_FUNC_UTIME_NULL +AC_FUNC_VPRINTF +# 2008-07-04 getopt_long added +# 2009-07-30 timegm added +AC_CHECK_FUNCS([getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm]) + + +AC_CONFIG_FILES([Makefile]) +AC_OUTPUT diff --git a/contrib/zkt/dki.c b/contrib/zkt/dki.c index c6320294..b6a68db4 100644 --- a/contrib/zkt/dki.c +++ b/contrib/zkt/dki.c @@ -400,7 +400,7 @@ int dki_readdir (const char *dir, dki_t **listp, int recursive) while ( (dentp = readdir (dirp)) != NULL ) { - if ( is_dotfile (dentp->d_name) ) + if ( is_dotfilename (dentp->d_name) ) continue; dbg_val ("directory: check %s\n", dentp->d_name); @@ -679,7 +679,6 @@ int dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl) { char *p; - dki_estr[0] = '\0'; if ( dkp == NULL ) return 0; @@ -711,7 +710,6 @@ int dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp) { int days; - dki_estr[0] = '\0'; if ( dkp == NULL ) return 0; @@ -741,7 +739,6 @@ int dki_prt_comment (const dki_t *dkp, FILE *fp) { int len = 0; - dki_estr[0] = '\0'; if ( dkp == NULL ) return len; len += fprintf (fp, "; %s ", dkp->name); 
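Review bot: The `--enable-*`/`--disable-*` switches in this new configure.ac cannot take effect, because each `AC_ARG_ENABLE` stores the user's choice (`[printtimezone=$enableval]`) and the very next line overwrites it with the default (`printtimezone=0`) before the `test "$printtimezone" = yes` line looks at it; the same pattern repeats for printyear, logprogname, logtimestamp, loglevel and ttl_in_keyfile, whereas configpath and tree assign the default first and work. Move each default in front of its `AC_ARG_ENABLE`, or pass it as the action-if-not-given argument, e.g. `AC_ARG_ENABLE([printtimezone], AC_HELP_STRING([--enable-printtimezone], [print out timezone]), [printtimezone=$enableval], [printtimezone=no])`. The help strings also do not name the feature that `AC_ARG_ENABLE` registers (`--enable-print-timezone` is shown, but the accepted option is `--enable-printtimezone`), so a user following `./configure --help` silently gets the default. The `BIND_VERSION` derivation keeps only the first three digits of the version string, so a two-digit minor release such as 9.10 would yield 910 and fail the `BIND_VERSION >= 960` tests in the C sources.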
@@ -761,7 +758,6 @@ int dki_prt_trustedkey (const dki_t *dkp, FILE *fp) int spaces; int len = 0; - dki_estr[0] = '\0'; if ( dkp == NULL ) return len; len += fprintf (fp, "\"%s\" ", dkp->name); @@ -792,7 +788,6 @@ int dki_cmp (const dki_t *a, const dki_t *b) { int res; - dki_estr[0] = '\0'; if ( a == NULL ) return -1; if ( b == NULL ) return 1; @@ -816,7 +811,6 @@ int dki_allcmp (const dki_t *a, const dki_t *b) { int res; - dki_estr[0] = '\0'; if ( a == NULL ) return -1; if ( b == NULL ) return 1; @@ -842,7 +836,6 @@ int dki_allcmp (const dki_t *a, const dki_t *b) *****************************************************************/ int dki_namecmp (const dki_t *a, const dki_t *b) { - dki_estr[0] = '\0'; if ( a == NULL ) return -1; if ( b == NULL ) return 1; @@ -853,7 +846,6 @@ int dki_namecmp (const dki_t *a, const dki_t *b) *****************************************************************/ int dki_tagcmp (const dki_t *a, const dki_t *b) { - dki_estr[0] = '\0'; if ( a == NULL ) return -1; if ( b == NULL ) return 1; @@ -866,7 +858,6 @@ int dki_tagcmp (const dki_t *a, const dki_t *b) *****************************************************************/ int dki_timecmp (const dki_t *a, const dki_t *b) { - dki_estr[0] = '\0'; if ( a == NULL ) return -1; if ( b == NULL ) return 1; @@ -874,11 +865,19 @@ int dki_timecmp (const dki_t *a, const dki_t *b) } /***************************************************************** +** dki_algo () return the algorithm of the key +*****************************************************************/ +time_t dki_algo (const dki_t *dkp) +{ + assert (dkp != NULL); + return (dkp->algo); +} + +/***************************************************************** ** dki_time () return the timestamp of the key *****************************************************************/ time_t dki_time (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->time); } 
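Review bot: `dki_algo` is declared as returning `time_t` but it returns `dkp->algo`, the key's algorithm number, and the new `dki_findalgo` (hunk `@@ -1204` below) compares its result with an `int alg`; the return type looks copied from `dki_time` directly beneath it. The same `time_t` is repeated in the dki.h prototype `extern time_t dki_algo (const dki_t *dkp);`. Both should use the integer type of the `algo` member (the struct definition is outside this diff), e.g. `int dki_algo (const dki_t *dkp)`, and the header comment should say what is returned: `** dki_algo () return the algorithm number of the key`.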
@@ -888,7 +887,6 @@ time_t dki_time (const dki_t *dkp) *****************************************************************/ time_t dki_exptime (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->exptime); } @@ -898,7 +896,6 @@ time_t dki_exptime (const dki_t *dkp) *****************************************************************/ time_t dki_lifetime (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->lifetime); } @@ -908,7 +905,6 @@ time_t dki_lifetime (const dki_t *dkp) *****************************************************************/ ushort dki_lifetimedays (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->lifetime / DAYSEC); } @@ -918,7 +914,6 @@ ushort dki_lifetimedays (const dki_t *dkp) *****************************************************************/ time_t dki_gentime (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->gentime > 0L ? dkp->gentime: dkp->time); } @@ -933,7 +928,6 @@ ushort dki_setlifetime (dki_t *dkp, int days) ulong lifetsec; char path[MAX_PATHSIZE+1]; - dki_estr[0] = '\0'; assert (dkp != NULL); lifetsec = dkp->lifetime; /* old lifetime */ @@ -959,7 +953,6 @@ time_t dki_setexptime (dki_t *dkp, time_t sec) char path[MAX_PATHSIZE+1]; time_t oldexptime; - dki_estr[0] = '\0'; assert (dkp != NULL); dbg_val1 ("dki_setexptime (%ld)\n", sec); @@ -980,7 +973,6 @@ time_t dki_setexptime (dki_t *dkp, time_t sec) *****************************************************************/ int dki_age (const dki_t *dkp, time_t curr) { - dki_estr[0] = '\0'; assert (dkp != NULL); return ((ulong)curr - (ulong)dkp->time); } @@ -990,7 +982,6 @@ int dki_age (const dki_t *dkp, time_t curr) *****************************************************************/ dk_flag_t dki_getflag (const dki_t *dkp, time_t curr) { - dki_estr[0] = '\0'; return dkp->flags; } 
@@ -999,7 +990,6 @@ dk_flag_t dki_getflag (const dki_t *dkp, time_t curr) *****************************************************************/ dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag) { - dki_estr[0] = '\0'; return dkp->flags |= (ushort)flag; } @@ -1008,7 +998,6 @@ dk_flag_t dki_setflag (dki_t *dkp, dk_flag_t flag) *****************************************************************/ dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag) { - dki_estr[0] = '\0'; return dkp->flags &= ~((ushort)flag); } @@ -1017,7 +1006,6 @@ dk_flag_t dki_unsetflag (dki_t *dkp, dk_flag_t flag) *****************************************************************/ int dki_isksk (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->flags & DK_FLAG_KSK) == DK_FLAG_KSK; } @@ -1027,7 +1015,6 @@ int dki_isksk (const dki_t *dkp) *****************************************************************/ int dki_isrevoked (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->flags & DK_FLAG_REVOKE) == DK_FLAG_REVOKE; } @@ -1037,7 +1024,6 @@ int dki_isrevoked (const dki_t *dkp) *****************************************************************/ int dki_isdepreciated (const dki_t *dkp) { - dki_estr[0] = '\0'; return dki_status (dkp) == DKI_DEPRECIATED; } @@ -1046,7 +1032,6 @@ int dki_isdepreciated (const dki_t *dkp) *****************************************************************/ int dki_isactive (const dki_t *dkp) { - dki_estr[0] = '\0'; return dki_status (dkp) == DKI_ACTIVE; } @@ -1055,7 +1040,6 @@ int dki_isactive (const dki_t *dkp) *****************************************************************/ int dki_ispublished (const dki_t *dkp) { - dki_estr[0] = '\0'; return dki_status (dkp) == DKI_PUBLISHED; } @@ -1065,7 +1049,6 @@ int dki_ispublished (const dki_t *dkp) *****************************************************************/ dk_status_t dki_status (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); return (dkp->status); } 
@@ -1075,7 +1058,6 @@ dk_status_t dki_status (const dki_t *dkp) *****************************************************************/ const char *dki_statusstr (const dki_t *dkp) { - dki_estr[0] = '\0'; assert (dkp != NULL); switch ( dkp->status ) { @@ -1099,7 +1081,6 @@ dki_t *dki_add (dki_t **list, dki_t *new) dki_t *curr; dki_t *last; - dki_estr[0] = '\0'; if ( list == NULL ) return NULL; if ( new == NULL ) @@ -1129,7 +1110,6 @@ const dki_t *dki_search (const dki_t *list, int tag, const char *name) { const dki_t *curr; - dki_estr[0] = '\0'; curr = list; if ( tag ) while ( curr && (tag != curr->tag || @@ -1152,7 +1132,6 @@ dki_t *dki_tadd (dki_t **tree, dki_t *new) { dki_t **p; - dki_estr[0] = '\0'; p = tsearch (new, tree, dki_namecmp); if ( *p == new ) dbg_val ("dki_tadd: New entry %s added\n", new->name); @@ -1174,7 +1153,6 @@ const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name) dki_t search; dki_t **p; - dki_estr[0] = '\0'; search.tag = tag; snprintf (search.name, sizeof (search.name), "%s", name); p = tfind (&search, &tree, dki_namecmp); @@ -1193,7 +1171,6 @@ const dki_t *dki_find (const dki_t *list, int ksk, int status, int no) const dki_t *dkp; const dki_t *last; - dki_estr[0] = '\0'; last = NULL; for ( dkp = list; no > 0 && dkp; dkp = dkp->next ) if ( dki_isksk (dkp) == ksk && dki_status (dkp) == status ) 
@@ -1204,3 +1181,24 @@ const dki_t *dki_find (const dki_t *list, int ksk, int status, int no) return last; } + +/***************************************************************** +** dki_findalgo () find the n'th ksk or zsk key with given +** algorithm and status +*****************************************************************/ +const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no) +{ + const dki_t *dkp; + const dki_t *last; + + last = NULL; + for ( dkp = list; no > 0 && dkp; dkp = dkp->next ) + if ( dki_isksk (dkp) == ksk && dki_algo (dkp) == alg && + dki_status (dkp) == status ) + { + no--; + last = dkp; + } + + return last; +} diff --git a/contrib/zkt/dki.h b/contrib/zkt/dki.h index e50c3a29..a8b34263 100644 --- a/contrib/zkt/dki.h +++ b/contrib/zkt/dki.h @@ -163,6 +163,7 @@ extern int dki_isdepreciated (const dki_t *dkp); extern int dki_isrevoked (const dki_t *dkp); extern int dki_isactive (const dki_t *dkp); extern int dki_ispublished (const dki_t *dkp); +extern time_t dki_algo (const dki_t *dkp); extern time_t dki_time (const dki_t *dkp); extern time_t dki_exptime (const dki_t *dkp); extern time_t dki_gentime (const dki_t *dkp); @@ -179,6 +180,7 @@ extern dki_t *dki_add (dki_t **dkp, dki_t *new); extern const dki_t *dki_tsearch (const dki_t *tree, int tag, const char *name); extern const dki_t *dki_search (const dki_t *list, int tag, const char *name); extern const dki_t *dki_find (const dki_t *list, int ksk, int status, int first); +extern const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no); extern void dki_free (dki_t *dkp); extern void dki_freelist (dki_t **listp); extern char *dki_algo2str (int algo); diff --git a/contrib/zkt/dnssec-signer.c b/contrib/zkt/dnssec-signer.c index a971cb2f..69b69d54 100644 --- a/contrib/zkt/dnssec-signer.c +++ b/contrib/zkt/dnssec-signer.c 
@@ -57,6 +57,8 @@ # include "debug.h" # include "misc.h" # include "ncparse.h" +# include "nscomm.h" +# include "soaserial.h" # include "zone.h" # include "dki.h" # include "rollover.h" @@ -100,9 +102,6 @@ static int check_keydb_timestamp (dki_t *keylist, time_t reftime); static int new_keysetfiles (const char *dir, time_t zone_signing_time); static int writekeyfile (const char *fname, const dki_t *list, int key_ttl); static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf); -static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze); -static int reload_zone (const char *domain, const zconf_t *z); -static int dist_and_reload (const zone_t *zp); static void register_key (dki_t *listp, const zconf_t *z); static void copy_keyset (const char *dir, const char *domain, const zconf_t *conf); @@ -112,11 +111,11 @@ extern int opterr; extern int optind; extern char *optarg; const char *progname; -const char *viewname = NULL; -const char *logfile = NULL; -const char *origin = NULL; -const char *namedconf = NULL; -const char *dirname = NULL; +static const char *viewname = NULL; +static const char *logfile = NULL; +static const char *origin = NULL; +static const char *namedconf = NULL; +static const char *dirname = NULL; static int verbose = 0; static int force = 0; static int reloadflag = 0; @@ -135,7 +134,9 @@ int main (int argc, char *const argv[]) { int c; int errcnt; +#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG int opt_index; +#endif char errstr[255+1]; char *p; const char *defconfname; @@ -147,7 +148,7 @@ int main (int argc, char *const argv[]) viewname = getnameappendix (progname, "dnssec-signer"); defconfname = getdefconfname (viewname); - config = loadconfig ("", (zconf_t *)NULL); /* load built in config */ + config = loadconfig ("", (zconf_t *)NULL); /* load build-in config */ if ( fileexist (defconfname) ) /* load default config file */ config = loadconfig (defconfname, config); if ( config == NULL ) 
@@ -202,11 +203,11 @@ int main (int argc, char *const argv[]) break; #if defined(BIND_VERSION) && BIND_VERSION >= 940 case 'd': -#if BIND_VERSION >= 960 +# if BIND_VERSION >= 960 set_bind96_dynzone (dynamic_zone); -#else +# else set_bind94_dynzone(dynamic_zone); -#endif +# endif /* dynamic zone requires a name server reload... */ reloadflag = 0; /* ...but "rndc thaw" reloads the zone anyway */ break; @@ -215,7 +216,8 @@ int main (int argc, char *const argv[]) noexec = 1; break; case 'r': - reloadflag = 1; + if ( !dynamic_zone ) /* dynamic zones don't need a rndc reload (see "-d" */ + reloadflag = 1; break; case 'v': verbose++; @@ -238,6 +240,7 @@ int main (int argc, char *const argv[]) /* store some of the commandline parameter in the config structure */ setconfigpar (config, "--view", viewname); setconfigpar (config, "-v", &verbose); + setconfigpar (config, "--noexec", &noexec); if ( logfile == NULL ) logfile = config->logfile; @@ -276,7 +279,7 @@ int main (int argc, char *const argv[]) memset (dir, '\0', sizeof (dir)); if ( config->zonedir ) strncpy (dir, config->zonedir, sizeof(dir)); - if ( !parse_namedconf (namedconf, dir, sizeof (dir), add2zonelist) ) + if ( !parse_namedconf (namedconf, config->chroot_dir, dir, sizeof (dir), add2zonelist) ) fatal ("Can't read file %s as namedconf file\n", namedconf); if ( zonelist == NULL ) fatal ("No signed zone found in file %s\n", namedconf); @@ -423,7 +426,7 @@ static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf) while ( (dentp = readdir (dirp)) != NULL ) { - if ( is_dotfile (dentp->d_name) ) + if ( is_dotfilename (dentp->d_name) ) continue; pathname (path, sizeof (path), dir, dentp->d_name, NULL); 
@@ -496,10 +499,16 @@ static int dosigning (zone_t *zonelist, zone_t *zp) if ( !newkey ) newkey = check_keydb_timestamp (zp->keys, file_mtime (path)); - /* if we work in subdir mode, check if there is a new keyset- file */ newkeysetfile = 0; +#if defined(ALWAYS_CHECK_KEYSETFILES) && ALWAYS_CHECK_KEYSETFILES /* patch from Shane Wegner 15. June 2009 */ + /* check if there is a new keyset- file */ + if ( !newkey ) + newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time); +#else + /* if we work in subdir mode, check if there is a new keyset- file */ if ( !newkey && zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 ) newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time); +#endif /** ** Check if it is time to do a re-sign. This is the case if @@ -605,13 +614,21 @@ static int dosigning (zone_t *zonelist, zone_t *zp) pathname (zfile, sizeof (zfile), zp->dir, zp->file, NULL); pathname (path, sizeof (path), zp->dir, zp->sfile, NULL); - if ( filesize (path) == 0L ) /* initial signing request */ + if ( filesize (path) == 0L ) /* initial signing request ? */ { verbmesg (1, zp->conf, "\tDynamic Zone signing: Initial signing request: Add DNSKEYs to zonefile\n"); copyfile (zfile, path, zp->conf->keyfile); } +#if 1 + else if ( zfile_time > zfilesig_time ) /* zone.db is newer than signed file */ + { + verbmesg (1, zp->conf, "\tDynamic Zone signing: zone file manually edited: Use it as new input file\n"); + copyfile (zfile, path, NULL); + } +#endif verbmesg (1, zp->conf, "\tDynamic Zone signing: copy old signed zone file %s to new input file %s\n", path, zfile); + if ( newkey ) /* if we have new keys, they should be added to the zone file */ copyzonefile (path, zfile, zp->conf->keyfile); else /* else we can do a simple file copy */ 
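Review bot: The `#if 1` / `#endif` pair around the new `else if ( zfile_time > zfilesig_time )` branch is a leftover toggle: either the branch is intended, in which case the guard should go, or it is experimental and deserves a named macro like the `ALWAYS_CHECK_KEYSETFILES` guard in the hunk above; the `#if 0` block left in `sign_zone` further down (hunk `@@ -847`) is the same kind of leftover. The branch overwrites the previously signed file with the unsigned `zfile` via `copyfile (zfile, path, NULL)`, so a one-line comment stating why a newer zone file wins over the signed copy would help the next reader, e.g. `/* a manually edited zone.db supersedes the signed copy; the keys are re-added below */` if that is indeed what the following copyzonefile path does. dosigning continues outside this hunk.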
@@ -621,7 +638,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp) timer = start_timer (); if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 ) { - error ("Signing of zone %s failed (%d)!\n", zp->zone, err); + error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err); lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone); } timer = stop_timer (timer); @@ -629,6 +646,7 @@ static int dosigning (zone_t *zonelist, zone_t *zp) if ( dynamic_zone ) dyn_update_freeze (zp->zone, zp->conf, 0); /* thaw dynamic zone file */ + if ( err >= 0 ) { const char *tstr = str_delspace (age2str (timer)); @@ -807,27 +825,12 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con nsec3param[0] = '\0'; #if defined(BIND_VERSION) && BIND_VERSION >= 960 - if ( conf->z_algo == DK_ALGO_NSEC3DSA || conf->z_algo == DK_ALGO_NSEC3RSASHA1 ) + if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 ) { - static char hexstr[] = "0123456789ABCDEF"; - static int seed = 0; char salt[510+1]; /* salt has a maximum of 255 bytes == 510 hex nibbles */ - int saltlen = 0; /* current length of salt in hex nibbles */ - int i; - int hex; - - if ( seed == 0 ) - srandom (seed = (unsigned int)time (NULL)); - saltlen = conf->saltbits / 4; - for ( i = 0; i < saltlen; i++ ) - { - hex = random () % 16; - assert ( hex >= 0 && hex < 16 ); - salt[i] = hexstr[hex]; - } - salt[i] = '\0'; - snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt); + if ( gensalt (salt, sizeof (salt), conf->saltbits) ) + snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt); } #endif 
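Review bot: When `gensalt (salt, sizeof (salt), conf->saltbits)` returns false, `nsec3param` keeps the empty string assigned just above and dnssec-signzone is run without `-3`, so a salt-generation failure silently signs an NSEC3-configured zone with plain NSEC instead of failing. The inline code it replaces could not fail; the helper apparently can, and sign_zone already returns negative values the caller reports, so add `else { error ("\tCan't generate NSEC3 salt for zone %s\n", domain); return -1; }`. Whether gensalt can actually fail, and why the condition moved from `z_algo` to `k_algo`, is not visible in this hunk.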
@@ -847,23 +850,34 @@ static int sign_zone (const char *dir, const char *domain, const char *file, con dbg_line(); #if defined(BIND_VERSION) && BIND_VERSION >= 940 if ( dynamic_zone ) - snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s-o %s -e +%d %s -N increment -f %s.dsigned %s K*.private", - dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file); + snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1", + dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file); else #endif - snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%d %s %s K*.private", + snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1", dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file); verbmesg (2, conf, "\t Run cmd \"%s\"\n", cmd); *str = '\0'; if ( noexec == 0 ) { +#if 0 if ( (fp = popen (cmd, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) return -1; +#else + if ( (fp = popen (cmd, "r")) == NULL ) + return -1; + str[0] = '\0'; + while ( fgets (str, sizeof str, fp) != NULL ) /* eat up all output until the last line */ + ; +#endif pclose (fp); } dbg_line(); verbmesg (2, conf, "\t Cmd dnssec-signzone return: \"%s\"\n", str_chop (str, '\n')); + len = strlen (str) - 6; + if ( len < 0 || strcmp (str+len, "signed") != 0 ) + return -1; return 0; } 
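Review bot: The new success check `len = strlen (str) - 6; if ( len < 0 || strcmp (str+len, "signed") != 0 ) return -1;` makes sign_zone report failure whenever the command produced no output, including the `noexec` path where `str` stays empty (`*str = '\0'` a few lines above), so a dry run now logs every zone as a signing failure. `strlen` returns `size_t`, so `strlen (str) - 6` wraps before the assignment and `len < 0` only works through an implementation-defined narrowing; `len` is declared outside the hunk. The exit status that `pclose (fp)` returns and the code discards is a more reliable signal than the last output line: `int st = pclose (fp); if ( st == -1 || !WIFEXITED (st) || WEXITSTATUS (st) != 0 ) return -1;`, and if the string check is kept it should read `size_t slen = strlen (str); if ( noexec == 0 && (slen < 6 || strcmp (str + slen - 6, "signed") != 0) ) return -1;`. The `#if 0` block can be dropped now that the read loop has replaced it.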
@@ -897,155 +911,3 @@ static void copy_keyset (const char *dir, const char *domain, const zconf_t *con } } } - -static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze) -{ - char cmdline[254+1]; - char str[254+1]; - char *action; - FILE *fp; - - assert (z != NULL); - if ( freeze ) - action = "freeze"; - else - action = "thaw"; - - if ( z->view ) - snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view); - else - snprintf (str, sizeof (str), "\"%s\"", domain); - - lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action); - verbmesg (1, z, "\t%s dynamic zone %s\n", action, str); - - if ( z->view ) - snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view); - else - snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain); - - verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline); - *str = '\0'; - if ( noexec == 0 ) - { - if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) - return -1; - pclose (fp); - } - - verbmesg (2, z, "\t rndc %s return: \"%s\"\n", action, str_chop (str, '\n')); - - return 0; -} - -/***************************************************************** -** distribute and reload a zone via "distribute_command" -*****************************************************************/ -static int dist_and_reload (const zone_t *zp) -{ - char path[MAX_PATHSIZE+1]; - char cmdline[254+1]; - char zone[254+1]; - char str[254+1]; - FILE *fp; - - assert (zp != NULL); - assert (zp->conf->dist_cmd != NULL); - - if ( !is_exec_ok (zp->conf->dist_cmd) ) - { - char *mesg; - - if ( getuid () == 0 ) - mesg = "\tDistribution command %s not run as root\n"; - else - mesg = "\tDistribution command %s not run due to strange file mode settings\n"; - - verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd); - lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd); - - return -1; - } - - if ( zp->conf->view ) - snprintf 
(zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view); - else - snprintf (zone, sizeof (zone), "\"%s\"", zp->zone); - - - pathname (path, sizeof (path), zp->dir, zp->sfile, NULL); - - lg_mesg (LG_NOTICE, "%s: distribution triggered", zone); - verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone); - if ( zp->conf->view ) - snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view); - else - snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path); - - *str = '\0'; - if ( noexec == 0 ) - { - verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline); - if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) - return -2; - pclose (fp); - verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n')); - } - - - lg_mesg (LG_NOTICE, "%s: reload triggered", zone); - verbmesg (1, zp->conf, "\tReload zone %s\n", zone); - if ( zp->conf->view ) - snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view); - else - snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path); - - *str = '\0'; - if ( noexec == 0 ) - { - verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline); - if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) - return -2; - pclose (fp); - verbmesg (2, zp->conf, "\t %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n')); - } - - return 0; -} - -/***************************************************************** -** reload a zone via "rndc" -*****************************************************************/ -static int reload_zone (const char *domain, const zconf_t *z) -{ - char cmdline[254+1]; - char str[254+1]; - FILE *fp; - - assert (z != NULL); - // fprintf (stderr, "reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view); - if ( z->view ) - snprintf 
(str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view); - else - snprintf (str, sizeof (str), "\"%s\"", domain); - - lg_mesg (LG_NOTICE, "%s: reload triggered", str); - verbmesg (1, z, "\tReload zone %s\n", str); - - if ( z->view ) - snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view); - else - snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain); - - *str = '\0'; - if ( noexec == 0 ) - { - verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline); - if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) - return -1; - pclose (fp); - verbmesg (2, z, "\t rndc reload return: \"%s\"\n", str_chop (str, '\n')); - } - - return 0; -} diff --git a/contrib/zkt/dnssec-zkt.c b/contrib/zkt/dnssec-zkt.c index 07ba6934..bfc92d9c 100644 --- a/contrib/zkt/dnssec-zkt.c +++ b/contrib/zkt/dnssec-zkt.c @@ -428,7 +428,7 @@ static void usage (char *mesg, zconf_t *cp) sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname); lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname); fprintf (stderr, "\t\tKSK (use -k): %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits); - fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->z_algo), cp->z_bits); + fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits); fprintf (stderr, "\n"); fprintf (stderr, "Change key status of specified key to published, active or depreciated\n"); fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n"); 
@@ -508,7 +508,7 @@ static void createkey (const char *keyname, const dki_t *list, const zconf_t *co } if ( zskflag ) - dkp = dki_new (dir, keyname, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC); + dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC); else dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC); if ( dkp == NULL ) @@ -657,7 +657,7 @@ static void ksk_roll (const char *keyname, int phase, const dki_t *list, const z } // dkp = keylist; /* use old key to create the parent file */ - if ( (dkp = (dki_t *)dki_find (keylist, 1, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */ + if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL ) /* find the oldest active ksk to create the parent file */ fatal ("ksk_rollover phase1: Couldn't find the old active key\n"); if ( !create_parent_file (path, phase, key_ttl, dkp) ) fatal ("Couldn't create parentfile %s\n", path); @@ -743,7 +743,7 @@ static int parsedirectory (const char *dir, dki_t **listp) while ( (dentp = readdir (dirp)) != NULL ) { - if ( is_dotfile (dentp->d_name) ) + if ( is_dotfilename (dentp->d_name) ) continue; dbg_val ("directory: check %s\n", dentp->d_name); diff --git a/contrib/zkt/doc/KeyRollover.ms b/contrib/zkt/doc/KeyRollover.ms new file mode 100644 index 00000000..d6d1a348 --- /dev/null +++ b/contrib/zkt/doc/KeyRollover.ms 
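Review bot: In the ksk_roll hunk at -657 the old active KSK is now looked up with `dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)`, so a configured algorithm that differs from the one the existing keys were generated with becomes a new reason for the `NULL` result, yet the `fatal` on the next line still only says the key could not be found. Naming the algorithm in the message makes that case diagnosable for the operator: `fatal ("ksk_rollover phase1: Couldn't find an old active key with algorithm %s\n", dki_algo2str (conf->k_algo));`. ksk_roll begins before the hunk and continues after it; the -743 hunk is only a rename of `is_dotfile` to `is_dotfilename`.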
@@ -0,0 +1,95 @@ +.NH 1 +DNS Key Status Types and Filenames +.PP +.TS +cfB | cfB s | cfB s | cfB | cfB +cfB | cfB | cfB | cfB | cfB | cfB | cfB +l | l | n | l | l | c | lfCW . +Status Key Filename used for dnssec-zkt +\^ Type Flags public private signing? label +_ +active ZSK 256 .key .private y act ive + KSK 257 .key .private y act ive +.sp 0.2 +published ZSK 256 .key .published n pub lished + KSK 257 .key .private n sta ndby +.sp 0.2 +depreciated (retired) ZSK 256 .key .depreciated n dep reciated +.sp 0.2 +revoked KSK 385 .key .private y rev oked +.sp 0.2 +removed KSK 257 k*.key k*.private n - +.sp 0.2 +sep KSK 257 .key - n sep +.ig +.sp 0.2 +(master KSK 257 M...key .private n -) +.. +.TE +.SP 2 +.NH 1 +Key rollover +.PP +.NH 2 +Zone signing key rollover (pre-publish RFC4641) +.PP +.TS +rfB cfB |cfB |cfB |cfB +lfB |cfB |cfB |cfB |cfB +l |l |l |l |l . +action create change remove +keys newkey sig key old key +_ +zsk1 active active depreciated +zsk2 published active active +.sp 0.3 +RRSIG zsk1 zsk1 zsk2 zsk2 +.TE +.SP 2 +.NH 2 +Key signing key rollover (double signature RFC4641) +.PP +.TS +rfB cfB |cfB |cfB |cfB +lfB |cfB |cfB |cfB |cfB +l |l |l |l |l . +action create change remove +keys newkey delegation old key +_ +ksk\d1\u active active active +ksk\d2\u active active active +.sp 0.3 +DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2 +.sp 0.3 +DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u +.TE +.\"RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u +.SP 2 +.NH 2 +Key signing key rollover (rfc5011) +.PP +.TS +rfB cfB |cfB |cfB +lfB |cfB |cfB |cfB +l |l |l |l . 
+action newkey change delegation +keys & rollover & remove old key +_ +ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2' +ksk\d2\u standby active active +ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby +.sp 0.3 +DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2 +.sp 0.3 +Parent DS DS\d1\u DS\d1\u DS\d2\u + DS\d2\u DS\d2\u DS\d3\u +.TE +.LP +\v'-0.2'\(dg\v'0.2' +Have to remain until the remove hold-down time is expired, +which is 30days at a minimum. +.LP +\v'-0.2'\(dd\v'0.2' +Will be the standby key after the hold-down time is expired +.br +Add holdtime \(eq max(30days, TTL of DNSKEY) diff --git a/contrib/zkt/doc/KeyRollover.ps b/contrib/zkt/doc/KeyRollover.ps new file mode 100644 index 00000000..7f22fdea --- /dev/null +++ b/contrib/zkt/doc/KeyRollover.ps 
@@ -0,0 +1,304 @@ +%!PS-Adobe-3.0 +%%Creator: groff version 1.19.2 +%%CreationDate: Mon Jul 14 23:23:30 2008 +%%DocumentNeededResources: font Times-Bold +%%+ font Times-Roman +%%+ font Courier +%%+ font Symbol +%%DocumentSuppliedResources: procset grops 1.19 2 +%%Pages: 1 +%%PageOrder: Ascend +%%DocumentMedia: Default 595 842 0 () () +%%Orientation: Portrait +%%EndComments +%%BeginDefaults +%%PageMedia: Default +%%EndDefaults +%%BeginProlog +%%BeginResource: procset grops 1.19 2 +%!PS-Adobe-3.0 Resource-ProcSet +/setpacking where{ +pop +currentpacking +true setpacking +}if +/grops 120 dict dup begin +/SC 32 def +/A/show load def +/B{0 SC 3 -1 roll widthshow}bind def +/C{0 exch ashow}bind def +/D{0 exch 0 SC 5 2 roll awidthshow}bind def +/E{0 rmoveto show}bind def +/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def +/G{0 rmoveto 0 exch ashow}bind def +/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def +/I{0 exch rmoveto show}bind def +/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def +/K{0 exch rmoveto 0 exch ashow}bind def +/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def +/M{rmoveto show}bind def +/N{rmoveto 0 SC 3 -1 roll widthshow}bind def +/O{rmoveto 0 exch ashow}bind def +/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def +/Q{moveto show}bind def +/R{moveto 0 SC 3 -1 roll widthshow}bind def +/S{moveto 0 exch ashow}bind def +/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def +/SF{ +findfont exch +[exch dup 0 exch 0 exch neg 0 0]makefont +dup setfont +[exch/setfont cvx]cvx bind def +}bind def +/MF{ +findfont +[5 2 roll +0 3 1 roll +neg 0 0]makefont +dup setfont +[exch/setfont cvx]cvx bind def +}bind def +/level0 0 def +/RES 0 def +/PL 0 def +/LS 0 def +/MANUAL{ +statusdict begin/manualfeed true store end +}bind def +/PLG{ +gsave newpath clippath pathbbox grestore +exch pop add exch pop +}bind def +/BP{ +/level0 save def +1 setlinecap +1 setlinejoin +72 RES div dup scale +LS{ +90 rotate +}{ +0 PL translate +}ifelse +1 -1 scale +}bind def +/EP{ +level0 
restore +showpage +}def +/DA{ +newpath arcn stroke +}bind def +/SN{ +transform +.25 sub exch .25 sub exch +round .25 add exch round .25 add exch +itransform +}bind def +/DL{ +SN +moveto +SN +lineto stroke +}bind def +/DC{ +newpath 0 360 arc closepath +}bind def +/TM matrix def +/DE{ +TM currentmatrix pop +translate scale newpath 0 0 .5 0 360 arc closepath +TM setmatrix +}bind def +/RC/rcurveto load def +/RL/rlineto load def +/ST/stroke load def +/MT/moveto load def +/CL/closepath load def +/Fr{ +setrgbcolor fill +}bind def +/setcmykcolor where{ +pop +/Fk{ +setcmykcolor fill +}bind def +}if +/Fg{ +setgray fill +}bind def +/FL/fill load def +/LW/setlinewidth load def +/Cr/setrgbcolor load def +/setcmykcolor where{ +pop +/Ck/setcmykcolor load def +}if +/Cg/setgray load def +/RE{ +findfont +dup maxlength 1 index/FontName known not{1 add}if dict begin +{ +1 index/FID ne{def}{pop pop}ifelse +}forall +/Encoding exch def +dup/FontName exch def +currentdict end definefont pop +}bind def +/DEFS 0 def +/EBEGIN{ +moveto +DEFS begin +}bind def +/EEND/end load def +/CNT 0 def +/level1 0 def +/PBEGIN{ +/level1 save def +translate +div 3 1 roll div exch scale +neg exch neg exch translate +0 setgray +0 setlinecap +1 setlinewidth +0 setlinejoin +10 setmiterlimit +[]0 setdash +/setstrokeadjust where{ +pop +false setstrokeadjust +}if +/setoverprint where{ +pop +false setoverprint +}if +newpath +/CNT countdictstack def +userdict begin +/showpage{}def +/setpagedevice{}def +}bind def +/PEND{ +countdictstack CNT sub{end}repeat +level1 restore +}bind def +end def +/setpacking where{ +pop +setpacking +}if +%%EndResource +%%EndProlog +%%BeginSetup +%%BeginFeature: *PageSize Default +<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice +%%EndFeature +%%IncludeResource: font Times-Bold +%%IncludeResource: font Times-Roman +%%IncludeResource: font Courier +%%IncludeResource: font Symbol +grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72 +def/PL 841.89 def/LS false 
def/ENC0[/asciicircum/asciitilde/Scaron +/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef +/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef +/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef +/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent +/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen +/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon +/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O +/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex +/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y +/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft +/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl +/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut +/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash +/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen +/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft +/logicalnot/minus/registered/macron/degree/plusminus/twosuperior +/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior +/ordmasculine/guilsinglright/onequarter/onehalf/threequarters +/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE +/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex +/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis +/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn +/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla +/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis +/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash +/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def +/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE +/Times-Bold@0 ENC0/Times-Bold RE +%%EndSetup +%%Page: 1 1 
+%%BeginPageSetup +BP +%%EndPageSetup +/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G +(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235 +(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G +(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57 +(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E +(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0 +SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E +26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10 +/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89 +E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2 +(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F +26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1 +17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E +-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1 +(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69 +-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1 +(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385) +-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G +46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G +61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H +(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52 +(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695 +E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL +280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1 +196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r) +-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. 
Zone)72 285.2 R +(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr) +-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035 +(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 +318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo) +.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62 +(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d) +-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41 +-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R +33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32 +297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95 +362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo) +-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G +(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F +-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1 +F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72 +428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H +(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q +(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a) +-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09 +(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q +(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2) +5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48 +402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. 
K)72 511.2 R +(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G +(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1 +F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo) +.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1 +(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8 +Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1 +(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N +33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I +(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4 +Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E +(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q +(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5 +DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha) +2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3 +-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E +(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5 +2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E +(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol +SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP +%%Trailer +end +%%EOF diff --git a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt new file mode 100644 index 00000000..18cda6c7 --- /dev/null +++ b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt 
@@ -0,0 +1,616 @@ + + + +Intended Status: Informational O. Gudmundsson +Network Working Group OGUD Consulting LLC +Internet-Draft J. Ihren +Expires: August 21, 2008 AAB + February 18, 2008 + + + Names of States in the life of a DNSKEY + draft-gudmundsson-life-of-dnskey-00 + +Status of this Memo + + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on August 21, 2008. + +Copyright Notice + + Copyright (C) The IETF Trust (2008). + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 1] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +Abstract + + This document recommends a specific terminology to use when + expressing the state that a DNSKEY is in at particular time. This + does not affect how the protocol operates in any way. + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. DNSKEY timeline . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Life stages of a DNSKEY . . . . . . . . . . . . . . . . . . . 5 + 3.1. Generated . . . . . . . . . . . . . . . . 
. . . . . . . . 5 + 3.2. Published . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.2.1. Pre-Publication . . . . . . . . . . . . . . . . . . . 5 + 3.2.2. Out-Of-Band Publication . . . . . . . . . . . . . . . 5 + 3.3. Active . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.4. Retired . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.5. Removed . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.5.1. Lame . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.5.2. Stale . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.6. Revoked . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 4. Security considerations . . . . . . . . . . . . . . . . . . . 7 + 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9 + 6.2. Informative References . . . . . . . . . . . . . . . . . . 9 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 + Intellectual Property and Copyright Statements . . . . . . . . . . 11 + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 2] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +1. Introduction + + When the editors of this document where comparing their DNSSEC key + management projects they discovered that they where discussing + roughly the same thing but using different terminology. + + This document presents a unified terminology to use when describing + the current state of a DNSKEY. + + The DNSSEC standards documents ([1], [2] and [3]) do not address the + required states for the key management of a DNSSEC key. The DNSSEC + Operational Practices [4] document does propose that keys be + published before use but uses inconsistent or confusing terms. This + document assumes basic understanding of DNSSEC and key management. 
+ + The terms proposed in this document attempt to avoid any confusion + and make the states of keys to be as clear as possible. The terms + used in this document are intended as a operational supplement to the + terms defined in Section 2 of [1]. + + To large extent this discussion is motivated by Trust anchor keys but + the same terminology can be used for zone signing keys. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 3] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +2. DNSKEY timeline + + The model in this document is that keys progress through a state + machine along a one-way path, keys never move to an earlier states. + + + + GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED + | ^ | | | ^ + | | | | v | + +--> Pre-PUBLISHED--+ +--------+---------> REVOKED ---+ + + + DNSKEY time line. + + There are few more states that are defined below but these apply only + to the publisher of TA's and the consumer of TA's. Two of these are + sub-sets of the Published state, the other two are error states. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 4] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +3. Life stages of a DNSKEY + +3.1. Generated + + Once a key is generated it enters state Generated and stays there + until the next state. While in this state only the owner of the key + is aware of its existence and can prepare for its future use. + +3.2. Published + + Once the key is added to the DNSKEY set of a zone the key is there + for the world to see, or published. The key needs to remain in this + state for some time to propagate to all validators that have cached + the prior version of the DNSKEY set. In the case of KSK the key + should remain in this state for a longer time as documented in DNSSEC + Timers RFC [5]. + +3.2.1. 
Pre-Publication + + In certain circumstances a zone owner may want to give out a new + Trust Anchor before exposing the actual public key. In this case the + zone can publish a DS record of the key. This allows others to + configure the trust anchor but will not be able to use the key until + the key is published in the DNSKEY RRset. + +3.2.2. Out-Of-Band Publication + + In certain circumstances a domain may want to give out a new Trust + Anchor outside DNS to give others a long lead time to configure the + new key as trust anchor. The reason people may want to do this is to + keep the size of the DNSKEY set smaller and only add new trust anchor + just before the key goes into use. One likely use for this is the + DNS "." root key as it does not have a parent that can publish a DS + record for it. The publication mechanism does not matter it can be + any one of web-site, advertisement in Financial Times and other + international publication, e-mail to DNS related mailing lists, etc.. + +3.3. Active + + The key is in ACTIVE state while it is actively signing data in the + zone it resides in. It is one of the the keys that are signing the + zone or parts of the zone. + +3.4. Retired + + When the key is no longer used for signing the zone it enters state + Retired. In this state there may still be signatures by the key in + cached data from the zone available at recursive servers, but the + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 5] + +Internet-Draft DNSSEC Key life stages. February 2008 + + + authoritative servers for the zone do no longer carry any signatures + generated by the key. + +3.5. Removed + + Once the key is removed from the DNSKEY RRset it enters the state + Removed. At this point all signatures by the key that may still be + temporarily valid will fail to verify once the validator refreshes + the DNSKEY RRset in its memory. + + Therefore "removal" of a key is typically not done until all the + cached signatures have expired. 
Entering this state too early may + cause number of validators to end up with STALE Trust Anchors. + +3.5.1. Lame + + A Trust Anchor is Lame if the parent continues to publish DS pointing + to the key after it has been removed from the DNSKEY RRset. A Trust + Anchor is arguably Lame if there are no signatures by a Retired KSK + in the zone. + +3.5.2. Stale + + A Stale Trust Anchor is an old TA that remains in a validators list + of active key(s) after the key has been removed from the zone's + DNSKEY RRset. + +3.6. Revoked + + There are times when a zone wants to signal that a particular key + should not be used at all. The mechanism to do this is to set the + REVOKE bit [5]. Any key in any of the while the key is the DNSSKEY + set can be exited to Revoked state. After some time in the Revoke + state the key will be Removed. + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 6] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +4. Security considerations + + TBD + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 7] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +5. IANA considerations + + This document does not have any IANA actions. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 8] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +6. References + +6.1. Normative References + +6.2. Informative References + + [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. + + [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. 
Rose, + "Protocol Modifications for the DNS Security Extensions", + RFC 4035, March 2005. + + [4] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", + RFC 4641, September 2006. + + [5] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust + Anchors", RFC 5011, September 2007. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 9] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +Authors' Addresses + + Olafur Gudmundsson + OGUD Consulting LLC + 3821 Village Park Drive + Chevy Chase, MD 20815 + USA + + Email: ogud@ogud.com + + + Johan Ihren + Automatica, AB + Bellmansgatan 30 + Stockholm, SE-118 47 + Sweden + + Email: johani@automatica.se + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 10] + +Internet-Draft DNSSEC Key life stages. February 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
+ + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + +Acknowledgment + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + +Gudmundsson & Ihren Expires August 21, 2008 [Page 11] + diff --git a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt new file mode 100644 index 00000000..fbc46c11 --- /dev/null +++ b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt 
@@ -0,0 +1,2128 @@ + + + +DNSOP O. Kolkman +Internet-Draft NLnet Labs +Obsoletes: 2541 (if approved) R. Gieben +Intended status: BCP +Expires: September 8, 2009 March 7, 2009 + + + DNSSEC Operational Practices, Version 2 + draft-ietf-dnsop-rfc4641bis-01 + +Status of This Memo + + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. This document may contain material + from IETF Documents or IETF Contributions published or made publicly + available before November 10, 2008. The person(s) controlling the + copyright in some of this material may not have granted the IETF + Trust the right to allow modifications of such material outside the + IETF Standards Process. Without obtaining an adequate license from + the person(s) controlling the copyright in such materials, this + document may not be modified outside the IETF Standards Process, and + derivative works of it may not be created outside the IETF Standards + Process, except to format it for publication as an RFC or to + translate it into languages other than English. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on September 8, 2009. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. 
+ + + + +Kolkman & Gieben Expires September 8, 2009 [Page 1] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + +Abstract + + This document describes a set of practices for operating the DNS with + security extensions (DNSSEC). The target audience is zone + administrators deploying DNSSEC. + + The document discusses operational aspects of using keys and + signatures in the DNS. It discusses issues of key generation, key + storage, signature generation, key rollover, and related policies. + + This document obsoletes RFC 2541, as it covers more operational + ground and gives more up-to-date requirements with respect to key + sizes and the new DNSSEC specification. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 5 + 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5 + 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5 + 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6 + 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6 + 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7 + 3.1.2. Differentiation for 'High-Level' Zones . . . . . . . . 9 + 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 9 + 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9 + 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 10 + 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10 + 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 11 + 4. Signature Generation, Key Rollover, and Related Policies . . . 12 + 4.1. 
Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12 + 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13 + 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 15 + 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15 + 4.2.1.1. Pre-Publish Key Rollover . . . . . . . . . . . . . 15 + 4.2.1.2. Double Signature Zone Signing Key Rollover . . . . 17 + 4.2.1.3. Pros and Cons of the Schemes . . . . . . . . . . . 19 + 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19 + 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 21 + 4.2.4. Key algorithm rollover . . . . . . . . . . . . . . . . 22 + 4.2.5. Automated Key Rollovers . . . . . . . . . . . . . . . 23 + 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 24 + + + +Kolkman & Gieben Expires September 8, 2009 [Page 2] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 24 + 4.3.1.1. Keeping the Chain of Trust Intact . . . . . . . . 25 + 4.3.1.2. Breaking the Chain of Trust . . . . . . . . . . . 26 + 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26 + 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 26 + 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 27 + 4.4.1. Initial Key Exchanges and Parental Policies + Considerations . . . . . . . . . . . . . . . . . . . . 27 + 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 27 + 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 28 + 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 28 + 4.4.5. (Non) Cooperating Registrars . . . . . . . . . . . . . 29 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 30 + 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 30 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 8.1. 
Normative References . . . . . . . . . . . . . . . . . . . 31 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 31 + Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 32 + Appendix B. Zone Signing Key Rollover How-To . . . . . . . . . . 34 + Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 34 + Appendix D. Document Editing History . . . . . . . . . . . . . . 37 + D.1. draft-ietf-dnsop-rfc4641-00 . . . . . . . . . . . . . . . 37 + D.2. version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37 + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 3] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + +1. Introduction + + This document describes how to run a DNS Security (DNSSEC)-enabled + environment. It is intended for operators who have knowledge of the + DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC. + See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the + newly introduced Resource Records (RRs), and RFC 4035 [5] for the + protocol changes. + + During workshops and early operational deployment tests, operators + and system administrators have gained experience about operating the + DNS with security extensions (DNSSEC). This document translates + these experiences into a set of practices for zone administrators. + At the time of writing, there exists very little experience with + DNSSEC in production environments; this document should therefore + explicitly not be seen as representing 'Best Current Practices'. + [OK: Is this document ripe enough to shoot for BCP?] + + The procedures herein are focused on the maintenance of signed zones + (i.e., signing and publishing zones on authoritative servers). It is + intended that maintenance of zones such as re-signing or key + rollovers be transparent to any verifying clients on the Internet. + + The structure of this document is as follows. 
In Section 2, we + discuss the importance of keeping the "chain of trust" intact. + Aspects of key generation and storage of private keys are discussed + in Section 3; the focus in this section is mainly on the private part + of the key(s). Section 4 describes considerations concerning the + public part of the keys. Since these public keys appear in the DNS + one has to take into account all kinds of timing issues, which are + discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the + rollover, or supercession, of keys. Finally, Section 4.4 discusses + considerations on how parents deal with their children's public keys + in order to maintain chains of trust. + + The typographic conventions used in this document are explained in + Appendix C. + + Since this is a document with operational suggestions and there are + no protocol specifications, the RFC 2119 [6] language does not apply. + + This document [OK: when approved] obsoletes RFC 4641 [16]. + + [OK: Editorial comments and questions are indicated by square + brackets and editor innitials] + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 4] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + +1.1. The Use of the Term 'key' + + It is assumed that the reader is familiar with the concept of + asymmetric keys on which DNSSEC is based (public key cryptography + RFC4949 [17]). Therefore, this document will use the term 'key' + rather loosely. Where it is written that 'a key is used to sign + data' it is assumed that the reader understands that it is the + private part of the key pair that is used for signing. It is also + assumed that the reader understands that the public part of the key + pair is published in the DNSKEY Resource Record and that it is the + public part that is used in key exchanges. + +1.2. Time Definitions + + In this document, we will be using a number of time-related terms. 
+ The following definitions apply: + + o "Signature validity period" The period that a signature is valid. + It starts at the time specified in the signature inception field + of the RRSIG RR and ends at the time specified in the expiration + field of the RRSIG RR. + + o "Signature publication period" Time after which a signature (made + with a specific key) is replaced with a new signature (made with + the same key). This replacement takes place by publishing the + relevant RRSIG in the master zone file. After one stops + publishing an RRSIG in a zone, it may take a while before the + RRSIG has expired from caches and has actually been removed from + the DNS. + + o "Key effectivity period" The period during which a key pair is + expected to be effective. This period is defined as the time + between the first inception time stamp and the last expiration + date of any signature made with this key, regardless of any + discontinuity in the use of the key. The key effectivity period + can span multiple signature validity periods. + + o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum + value of the TTLs from the complete set of RRs in a zone. Note + that the minimum TTL is not the same as the MINIMUM field in the + SOA RR. See [9] for more information. + +2. Keeping the Chain of Trust Intact + + Maintaining a valid chain of trust is important because broken chains + of trust will result in data being marked as Bogus (as defined in [3] + Section 5), which may cause entire (sub)domains to become invisible + to verifying clients. The administrators of secured zones have to + + + +Kolkman & Gieben Expires September 8, 2009 [Page 5] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + realize that their zone is, to verifying clients, part of a chain of + trust. 
+ + As mentioned in the introduction, the procedures herein are intended + to ensure that maintenance of zones, such as re-signing or key + rollovers, will be transparent to the verifying clients on the + Internet. + + Administrators of secured zones will have to keep in mind that data + published on an authoritative primary server will not be immediately + seen by verifying clients; it may take some time for the data to be + transferred to other secondary authoritative nameservers and clients + may be fetching data from caching non-authoritative servers. In this + light, note that the time for a zone transfer from master to slave is + negligible when using NOTIFY [8] and incremental transfer (IXFR) [7]. + It increases when full zone transfers (AXFR) are used in combination + with NOTIFY. It increases even more if you rely on full zone + transfers based on only the SOA timing parameters for refresh. + + For the verifying clients, it is important that data from secured + zones can be used to build chains of trust regardless of whether the + data came directly from an authoritative server, a caching + nameserver, or some middle box. Only by carefully using the + available timing parameters can a zone administrator ensure that the + data necessary for verification can be obtained. + + The responsibility for maintaining the chain of trust is shared by + administrators of secured zones in the chain of trust. This is most + obvious in the case of a 'key compromise' when a trade-off between + maintaining a valid chain of trust and replacing the compromised keys + as soon as possible must be made. Then zone administrators will have + to make a trade-off, between keeping the chain of trust intact -- + thereby allowing for attacks with the compromised key -- or + deliberately breaking the chain of trust and making secured + subdomains invisible to security-aware resolvers. Also see + Section 4.3. + +3. 
Keys Generation and Storage + + This section describes a number of considerations with respect to the + security of keys. It deals with the generation, effectivity period, + size, and storage of private keys. + +3.1. Zone and Key Signing Keys + + The DNSSEC validation protocol does not distinguish between different + types of DNSKEYs. All DNSKEYs can be used during the validation. In + practice, operators use Key Signing and Zone Signing Keys and use the + + + +Kolkman & Gieben Expires September 8, 2009 [Page 6] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + so-called Secure Entry Point (SEP) [5] flag to distinguish between + them during operations. The dynamics and considerations are + discussed below. + + To make zone re-signing and key rollover procedures easier to + implement, it is possible to use one or more keys as Key Signing Keys + (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone. + Other keys can be used to sign all the RRSets in a zone and are + referred to as Zone Signing Keys (ZSKs). In this document, we assume + that KSKs are the subset of keys that are used for key exchanges with + the parent and potentially for configuration as trusted anchors -- + the SEP keys. In this document, we assume a one-to-one mapping + between KSK and SEP keys and we assume the SEP flag to be set on all + KSKs. + +3.1.1. Motivations for the KSK and ZSK Separation + + Differentiating between the KSK and ZSK functions has several + advantages: + + o No parent/child interaction is required when ZSKs are updated. + + o [OK: Bullet removed, strawman Paul Hoffman] + + o As the KSK is only used to sign a key set, which is most probably + updated less frequently than other data in the zone, it can be + stored separately from and in a safer location than the ZSK. + + o A KSK can have a longer key effectivity period. + + For almost any method of key management and zone signing, the KSK is + used less frequently than the ZSK. 
Once a key set is signed with the + KSK, all the keys in the key set can be used as ZSKs. If a ZSK is + compromised, it can be simply dropped from the key set. The new key + set is then re-signed with the KSK. + + Given the assumption that for KSKs the SEP flag is set, the KSK can + be distinguished from a ZSK by examining the flag field in the DNSKEY + RR. If the flag field is an odd number it is a KSK. If it is an + even number it is a ZSK. + + The Zone Signing Key can be used to sign all the data in a zone on a + regular basis. When a Zone Signing Key is to be rolled, no + interaction with the parent is needed. This allows for signature + validity periods on the order of days. + + The Key Signing Key is only to be used to sign the DNSKEY RRs in a + zone. If a Key Signing Key is to be rolled over, there will be + + + +Kolkman & Gieben Expires September 8, 2009 [Page 7] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + interactions with parties other than the zone administrator. If + there is a parent zone, these can include the registry of the parent + zone or administrators of verifying resolvers that have the + particular key configured as secure entry points. If this is a trust + anchor, everyone relying on the trust anchor needs to roll over to + the new key. The latter may be subject to stability costs if + automated trust-anchor rollover mechanisms (such as e.g. RFC5011 + [18]) are not in place. Hence, the key effectivity period of these + keys can and should be made much longer. + + There are two schools of thought on rolling a KSK that is not a trust + anchor [OK: One can never be sure a KSK is _not_ a trust anchor]: + + o It should be done regularly (possibly every few months) so that a + key rollover remains an operational routine. + + o It should only be done when it is known or strongly suspected that + the key has been compromised in order to reduce the stability + issues on systems where the rollover does not happen cleanly. 
+ + There is no widespread agreement on which of these two schools of + thought is better for different deployments of DNSSEC. There is a + stability cost every time a non-anchor KSK is rolled over, but it is + possibly low if the communication between the child and the parent is + good. On the other hand, the only completely effective way to tell + if the communication is good is to test it periodically. Thus, + rolling a KSK with a parent is only done for two reasons: to test and + verify the rolling system to prepare for an emergency, and in the + case of an actual emergency. + + [OK: The paragraph below is a straw-man by Paul Hoffman] Because of + the difficulty of getting all users of a trust anchor to replace an + old trust anchor with a new one, a KSK that is a trust anchor should + never be rolled unless it is known or strongly suspected that the key + has been compromised. + + [OK: This is an alternative straw-man by Olaf Kolkman] The same + operational concerns apply to the rollover of KSKs that are used as + trust-anchors. Since the administrator of a zone can not be certain + that the zone's KSK is in use as a trust-anchor she will have to + assume that a rollover will cause a stability cost for the users that + did configure her key as a trust-anchor. Those costs can be + minimized by automating the rollover RFC5011 [18] and by rolling the + key regularly, and advertising such, so that the operators of + recursive nameservers will put the appropriate mechanism in place to + deal with these stability costs, or, in other words, budget for these + costs instead of incuring them unexpectedly. + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 8] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + +3.1.2. Differentiation for 'High-Level' Zones + + In an earlier version of this document we made a differentiation + between KSKs used for zones that are high in the DNS hierarchy versus + KSKs used for zones low in that hierarchy. 
We have come to realize + that there are other considerations that argue such differentiation + does not need to be made. + + Longer keys are not useful because the crypto guidance is that + everyone should use keys that no one can break. Also, it is + impossible to judge which zones are more or less valuable to an + attacker. An attack can only be used if the compromise is unnoticed + and the attacker can act as an man-in-the-middle attack (MITM) in an + unnoticed way. If .example is compromised and the attacker forges + answers for somebank.example and sends them out as an MITM, when the + attack is discovered it will be simple to prove that .example has + been compromised and the KSK will be rolled. Defining a long-term + successful attack is difficult for keys at any level. + +3.2. Key Generation + + Careful generation of all keys is a sometimes overlooked but + absolutely essential element in any cryptographically secure system. + The strongest algorithms used with the longest keys are still of no + use if an adversary can guess enough to lower the size of the likely + key space so that it can be exhaustively searched. Technical + suggestions for the generation of random keys will be found in RFC + 4086 [14] and NIST SP 800-900 [20]. One should carefully assess if + the random number generator used during key generation adheres to + these suggestions. + + Keys with a long effectivity period are particularly sensitive as + they will represent a more valuable target and be subject to attack + for a longer time than short-period keys. It is strongly recommended + that long-term key generation occur off-line in a manner isolated + from the network via an air gap or, at a minimum, high-level secure + hardware. + +3.3. Key Effectivity Period + + From a purely operational perspective, a reasonable key effectivity + period for KSKs that have a parent zone is 13 months, with the intent + to replace them after 12 months. 
An intended key effectivity period + of a month is reasonable for Zone Signing Keys. This annual rollover + gives operational practice to rollovers. + + Ignoring the operational perspective, a reasonable effectivity period + for KSKs that have a parent zone is of the order of 2 decades or + + + +Kolkman & Gieben Expires September 8, 2009 [Page 9] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + longer. That is, if one does not plan to test the rollover + procedure, the key should be effective essentially forever, and then + only rolled over in case of emergency. + + The "operational habit" argument also applies to trust anchor + reconfiguration. If a short key effectivity period is used and the + trust anchor configuration has to be revisited on a regular basis, + the odds that the configuration tends to be forgotten is smaller. + The trade-off is against a system that is so dynamic that + administrators of the validating clients will not be able to follow + the modifications.Note that if a trust anchor replacement is done + incorrectly, the entire zone that the trust anchor covers will become + bogus until the trust anchor is corrected. + + Key effectivity periods can be made very short, as in a few minutes. + But when replacing keys one has to take the considerations from + Section 4.1 and Section 4.2 into account. + +3.4. Key Algorithm + + There are currently two types of signature algorithms that can be + used in DNSSEC: RSA and DSA. Both are fully specified in many + freely-available documents, and both are widely considered to be + patent-free. The creation of signatures wiht RSA and DSA takes + roughly the same time, but DSA is about ten times slower for + signature verification. + + We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the + preferred signature algorithms. Both have advantages and + disadvantages. RSA/SHA-1 has been deployed for many years, while + RSA/SHA-256 has only begun to be deployed. 
On the other hand, it is + expected that if effective attacks on either algorithm appeark, they + will appear for RSA/SHA-1 first. RSA/MD5 should not be considered + for use because RSA/MD5 will very likely be the first common-use + signature algorithm to have an effective attack. + + At the time of publication, it is known that the SHA-1 hash has + cryptanalysis issues. There is work in progress on addressing these + issues. We recommend the use of public key algorithms based on + hashes stronger than SHA-1 (e.g., SHA-256), as soon as these + algorithms are available in protocol specifications (see [21] and + [22]) and implementations. + +3.5. Key Sizes + + DNSSEC signing keys should be large enough to avoid all know + cryptographic attacks during the lifetime of the key. To date, + despite huge efforts, no one has broken a regular 1024-bit key; in + + + +Kolkman & Gieben Expires September 8, 2009 [Page 10] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + fact, the best completed attack is estimated to be the equivalent of + a 700-bit key. An attacker breaking a 1024-bit signing key would + need expend phenominal amounts of networked computing power in a way + that would not be detected in order to break a single key. Because + of this, it is estimated that most zones can safely use 1024-bit keys + for at least the next ten years. A 1024-bit asymmetric key has an + approximate equivalent strength of a symmetric 80-bit key. + + Keys that are used as extremely high value trust anchors, or non- + anchor keys that may be difficult to roll over, may want to use + lengths longer than 1024 bits. Typically, the next larger key size + used is 2048 bits, which have the approximate equivalent strength of + a symmetric 112-bit key. In a standard CPU, it takes about four + times as long to sign or verify with a 2048-bit key as it does with a + 1024-bit key. 
+ + Another way to decide on the size of key to use is to remember that + the phenominal effort it takes for an attacker to break a 1024-bit + key is the same regardless of how the key is used. If an attacker + has the capability of breaking a 1024-bit DNSSEC key, he also has the + capability of breaking one of the many 1024-bit TLS trust anchor keys + that are installed with web browsers. If the value of a DNSSEC key + is lower to the attacker than the value of a TLS trust anchor, the + attacker will use the resources to attack the TLS trust anchor. + + It is possible that there is a unexpected improvement in the ability + for attackers to beak keys, and that such an attack would make it + feasible to break 1024-bit keys but not 2048-bit keys. If such an + improvement happens, it is likely that there will be a huge amount of + publicity, particularly because of the large number of 1024-bit TLS + trust anchors build into popular web browsers. At that time, all + 1024-bit keys (both ones with parent zones and ones that are trust + anchors) can be rolled over and replaced with larger keys. + + Earlier documents (including the previous version of this document) + urged the use of longer keys in situations where a particular key was + "heavily used". That advice may have been true 15 years ago, but it + is not true today when using RSA or DSA algorithms and keys of 1024 + bits or higher. + +3.6. Private Key Storage + + It is recommended that, where possible, zone private keys and the + zone file master copy that is to be signed be kept and used in off- + line, non-network-connected, physically secure machines only. + Periodically, an application can be run to add authentication to a + zone by adding RRSIG and NSEC RRs. Then the augmented file can be + transferred. 
+ + + +Kolkman & Gieben Expires September 8, 2009 [Page 11] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + When relying on dynamic update to manage a signed zone [11], be aware + that at least one private key of the zone will have to reside on the + master server. This key is only as secure as the amount of exposure + the server receives to unknown clients and the security of the host. + Although not mandatory, one could administer the DNS in the following + way. The master that processes the dynamic updates is unavailable + from generic hosts on the Internet, it is not listed in the NS RRSet, + although its name appears in the SOA RRs MNAME field. The + nameservers in the NS RRSet are able to receive zone updates through + NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This + approach is known as the "hidden master" setup. + + The ideal situation is to have a one-way information flow to the + network to avoid the possibility of tampering from the network. + Keeping the zone master file on-line on the network and simply + cycling it through an off-line signer does not do this. The on-line + version could still be tampered with if the host it resides on is + compromised. For maximum security, the master copy of the zone file + should be off-net and should not be updated based on an unsecured + network mediated communication. + + In general, keeping a zone file off-line will not be practical and + the machines on which zone files are maintained will be connected to + a network. Operators are advised to take security measures to shield + unauthorized access to the master copy. + + For dynamically updated secured zones [11], both the master copy and + the private key that is used to update signatures on updated RRs will + need to be on-line. + +4. Signature Generation, Key Rollover, and Related Policies + +4.1. Time in DNSSEC + + Without DNSSEC, all times in the DNS are relative. 
The SOA fields + REFRESH, RETRY, and EXPIRATION are timers used to determine the time + elapsed after a slave server synchronized with a master server. The + Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are + used to determine how long a forwarder should cache data after it has + been fetched from an authoritative server. By using a signature + validity period, DNSSEC introduces the notion of an absolute time in + the DNS. Signatures in DNSSEC have an expiration date after which + the signature is marked as invalid and the signed data is to be + considered Bogus. + + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 12] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + +4.1.1. Time Considerations + + Because of the expiration of signatures, one should consider the + following: + + o We suggest the Maximum Zone TTL of your zone data to be a fraction + of your signature validity period. + + If the TTL would be of similar order as the signature validity + period, then all RRSets fetched during the validity period + would be cached until the signature expiration time. Section + 7.1 of [3] suggests that "the resolver may use the time + remaining before expiration of the signature validity period of + a signed RRSet as an upper bound for the TTL". As a result, + query load on authoritative servers would peak at signature + expiration time, as this is also the time at which records + simultaneously expire from caches. + + To avoid query load peaks, we suggest the TTL on all the RRs in + your zone to be at least a few times smaller than your + signature validity period. + + o We suggest the signature publication period to end at least one + Maximum Zone TTL duration before the end of the signature validity + period. + + Re-signing a zone shortly before the end of the signature + validity period may cause simultaneous expiration of data from + caches. This in turn may lead to peaks in the load on + authoritative servers. 
+ + o We suggest the Minimum Zone TTL to be long enough to both fetch + and verify all the RRs in the trust chain. In workshop + environments, it has been demonstrated [19] that a low TTL (under + 5 to 10 minutes) caused disruptions because of the following two + problems: + + 1. During validation, some data may expire before the + validation is complete. The validator should be able to keep + all data until it is completed. This applies to all RRs needed + to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the + final answers, i.e., the RRSet that is returned for the initial + query. + + 2. Frequent verification causes load on recursive nameservers. + Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit + from caching. The TTL on those should be relatively long. + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 13] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + o Slave servers will need to be able to fetch newly signed zones + well before the RRSIGs in the zone served by the slave server pass + their signature expiration time. + + When a slave server is out of sync with its master and data in + a zone is signed by expired signatures, it may be better for + the slave server not to give out any answer. + + Normally, a slave server that is not able to contact a master + server for an extended period will expire a zone. When that + happens, the server will respond differently to queries for + that zone. Some servers issue SERVFAIL, whereas others turn + off the 'AA' bit in the answers. The time of expiration is set + in the SOA record and is relative to the last successful + refresh between the master and the slave servers. There exists + no coupling between the signature expiration of RRSIGs in the + zone and the expire parameter in the SOA. + + If the server serves a DNSSEC zone, then it may well happen + that the signatures expire well before the SOA expiration timer + counts down to zero. 
It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters.
+
+ However, the effects can be minimized where the SOA expiration
+ time is equal to or shorter than the signature validity period.
+
+ The consequence of an authoritative server not being able to
+ update a zone, whilst that zone includes expired signatures, is
+ that non-secure resolvers will continue to be able to resolve
+ data served by the particular slave servers while security-
+ aware resolvers will experience problems because of answers
+ being marked as Bogus.
+
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature times out.
+
+ We also suggest that operators of nameservers that supply
+ secondary services develop 'watch dogs' to spot upcoming
+ signature expirations in zones they slave, and take appropriate
+ action.
+
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondaries expire the zone? How quickly can I reach an
+ administrator of secondary servers to load a valid zone? These
+ questions are not DNSSEC specific but may influence the choice
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 14]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ of your signature validity intervals.
+
+4.2. Key Rollovers
+
+ Regardless of whether a zone uses periodic key rollovers in order to
+ practice for emergencies, or only rolls over keys in an emergency,
+ key rollovers are a fact of life when using DNSSEC. Zone
+ administrators who are in the process of rolling their keys have to
+ take into account that data published in previous versions of their
+ zone still lives in caches.
When deploying DNSSEC, this becomes an
+ important consideration; ignoring data that may be in caches may lead
+ to loss of service for clients.
+
+ The most pressing example of this occurs when zone material signed
+ with an old key is being validated by a resolver that does not have
+ the old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data "Bogus".
+ Alternatively, an attempt could be made to validate data that is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked "Bogus".
+
+4.2.1. Zone Signing Key Rollovers
+
+ For "Zone Signing Key rollovers", there are two ways to make sure
+ that during the rollover data still cached can be verified with the
+ new key sets or newly generated signatures can be verified with the
+ keys still in caches. One schema, described in Section 4.2.1.2, uses
+ double signatures; the other uses key pre-publication
+ (Section 4.2.1.1). The pros, cons, and recommendations are described
+ in Section 4.2.1.3.
+
+4.2.1.1. Pre-Publish Key Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice -- the "pre-publish key rollover".
+ This method has advantages in the case of a key compromise. If the
+ old key is compromised, the new key has already been distributed in
+ the DNS. The zone administrator is then able to quickly switch to
+ the new key and remove the compromised key from the zone. Another
+ major advantage is that the zone size does not double, as is the case
+ with the double signature ZSK rollover. A small "how-to" for this
+ kind of rollover can be found in Appendix B.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 15]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Pre-publish key rollover involves four stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY new RRSIGs DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover
+
+ initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ key set.
+
+ new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+ used to sign the data in the zone exclusively (i.e., all the
+ signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
+ remains published in the key set. This way data that was loaded
+ into caches from version 1 of the zone can still be verified with
+ key sets fetched from version 2 of the zone.
The minimum time
+ that the key set including DNSKEY 10 is to be published is the
+ time that it takes for zone data from the previous version of the
+ zone to expire from old caches, i.e., the time it takes for this
+ zone to propagate to all authoritative servers plus the Maximum
+ Zone TTL value of any of the data in the previous version of the
+ zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. The key set,
+ now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+ DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "new DNSKEY"
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 16]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+ (II)":
+
+
+ initial new RRSIGs new DNSKEY
+ -----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11 DNSKEY12
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ ----------------------------------------------------------------
+ new RRSIGs (II) new DNSKEY (II)
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG12(SOA3) RRSIG12(SOA4)
+
+ DNSKEY1 DNSKEY1
+ DNSKEY11 DNSKEY12
+ DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+ ----------------------------------------------------------------
+
+ Pre-Publish Key Rollover, Showing Two Rollovers
+
+ Note that the key introduced in the "new DNSKEY" phase is not used
+ for production yet; the private key can thus be stored in a
+ physically secure manner and does not need to be 'fetched'
every time
+ a zone needs to be signed.
+
+4.2.1.2. Double Signature Zone Signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double signature rollover".
+
+ During the "new DNSKEY" stage the new version of the zone file will
+ need to propagate to all authoritative servers and the data that
+ exists in (distant) caches will need to expire, requiring at least
+ the Maximum Zone TTL.
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 17]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Double signature ZSK rollover involves three stages as follows:
+
+ ----------------------------------------------------------------
+ initial new DNSKEY DNSKEY removal
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+ ----------------------------------------------------------------
+
+ Double Signature Zone Signing Key Rollover
+
+ initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+ Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+ Signing Key.
+
+ new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+ introduced into the key set and all the data in the zone is signed
+ with DNSKEY 10 and DNSKEY 11. The rollover period will need to
+ continue until all data from version 0 of the zone has expired
+ from remote caches. This will take at least the Maximum Zone TTL
+ of version 0 of the zone.
+
+ DNSKEY removal: DNSKEY 10 is removed from the zone. All the
+ signatures from DNSKEY 10 are removed from the zone. The key set,
+ now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+ At every instance, RRSIGs from the previous version of the zone can
+ be verified with the DNSKEY RRSet from the current version and the
+ other way around. The data from the current version can be verified
+ with the data from the previous version of the zone. The duration of
+ the "new DNSKEY" phase and the period between rollovers should be at
+ least the Maximum Zone TTL.
+
+ Making sure that the "new DNSKEY" phase lasts until the signature
+ expiration time of the data in the initial version of the zone is
+ recommended. This way all caches are cleared of the old signatures.
+ However, this duration could be considerably longer than the Maximum
+ Zone TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 18]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ as it is signed with both keys.
+
+4.2.1.3. Pros and Cons of the Schemes
+
+ Pre-publish key rollover: This rollover does not involve signing the
+ zone data twice. Instead, before the actual rollover, the new key
+ is published in the key set and thus is available for
+ cryptanalysis attacks. A small disadvantage is that this process
+ requires four steps. Also the pre-publish scheme involves more
+ parental work when used for KSK rollovers as explained in
+ Section 4.2.3.
+
+ Double signature ZSK rollover: The drawback of this signing scheme
+ is that during the rollover the number of signatures in your zone
+ doubles; this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+4.2.2. Key Signing Key Rollovers
+
+ For the rollover of a Key Signing Key, the same considerations as for
+ the rollover of a Zone Signing Key apply.
However, we can use a
+ double signature scheme to guarantee that old data (only the apex key
+ set) in caches can be verified with a new key set and vice versa.
+ Since only the key set is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 19]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ --------------------------------------------------------------------
+ initial new DNSKEY DS change DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 --------> SOA1 -------->
+ RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
+ DS1 --------> DS2 -------->
+ RRSIGpar(DS) --------> RRSIGpar(DS) -------->
+
+
+ Child:
+ SOA0 SOA1 --------> SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
+ -------->
+ DNSKEY1 DNSKEY1 --------> DNSKEY2
+ DNSKEY2 -------->
+ DNSKEY10 DNSKEY10 --------> DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
+ RRSIG2 (DNSKEY) -------->
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+ initial: Initial version of the zone. The parental DS points to
+ DNSKEY1. Before the rollover starts, the child will have to
+ verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+ is needed during the rollover and we refer to the value as TTL_DS.
+
+ new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+ generates a second KSK, DNSKEY2. The key is provided to the
+ parent, and the child will have to wait until a new DS RR has been
+ generated that points to DNSKEY2. After that DS RR has been
+ published on all servers authoritative for the parent's zone, the
+ zone administrator has to wait at least TTL_DS to make sure that
+ the old DS RR has expired from caches.
+
+ DS change: The parent replaces DS1 with DS2.
+
+ DNSKEY removal: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premise that
+ the parent only has one DS RR (per algorithm) per zone. An
+ alternative mechanism has been considered. Using an established
+ trust relation, the interaction can be performed in-band, and the
+ removal of the keys by the child can possibly be signaled by the
+ parent. In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 20]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ RRs at the parent. Since at the moment of writing the protocol for
+ this interaction has not been developed, further discussion is out of
+ scope for this document.
+
+4.2.3. Difference Between ZSK and KSK Rollovers
+
+ Note that KSK rollovers and ZSK rollovers are different in the sense
+ that a KSK rollover requires interaction with the parent (and
+ possibly replacing of trust anchors) and the ensuing delay while
+ waiting for it.
+
+ A zone key rollover can be handled in two different ways: pre-publish
+ (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+ As the KSK is used to validate the key set and because the KSK is not
+ changed during a ZSK rollover, a cache is able to validate the new
+ key set of the zone. The pre-publish method would also work for a
+ KSK rollover. The records that are to be pre-published are the
+ parental DS RRs. The pre-publish method has some drawbacks for KSKs.
+ We first describe the rollover scheme and then indicate these
+ drawbacks.
+
+
+ --------------------------------------------------------------------
+ initial new DS new DNSKEY DS/DNSKEY removal
+ --------------------------------------------------------------------
+ Parent:
+ SOA0 SOA1 --------> SOA2
+ RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
+ DS1 DS1 --------> DS2
+ DS2 -------->
+ RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
+
+ Child:
+ SOA0 --------> SOA1 SOA1
+ RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
+ -------->
+ DNSKEY1 --------> DNSKEY2 DNSKEY2
+ -------->
+ DNSKEY10 --------> DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+ --------------------------------------------------------------------
+
+ Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+ When the child zone wants to roll, it notifies the parent during the
+ "new DS" phase and submits the new key (or the corresponding DS) to
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 21]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
+ and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase),
+ which can take place as soon as the new DS set propagated through the
+ DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
+ ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+ record can be deleted.
+
+ The drawbacks of this scheme are that during the "new DS" phase the
+ parent cannot verify the match between the DS2 RR and DNSKEY2 using
+ the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
+ "security lame" key (see Section 4.4.3). Finally, the child-parent
+ interaction consists of two steps. The "double signature" method
+ only needs one interaction.
+
+4.2.4.
Key algorithm rollover
+
+ [OK: The txt of this section is a strawman for the issue in: http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+ ]
+
+ A special class of keyrollover is the rollover of key algorithms
+ (either adding a new algorithm, removing an old algorithm, or both),
+ additional steps are needed to retain integrity during the rollover.
+
+ Because of the algorithm downgrade protection in RFC4035 section 2.2,
+ you may not have a key of an algorithm for which you do not have
+ signatures.
+
+ When adding a new algorithm, the signatures should be added first.
+ After the TTL has expired, and caches have dropped the old data
+ covered by those signatures, the DNSKEY with the new algorithm can be
+ added. When removing an old algorithm, the DNSKEY should be removed
+ first.
+
+ To do both, the following steps can be used. For simplicity, we use
+ a zone that is only signed by one zone signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 22]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ ----------------------------------------------------------------
+ 1 Initial 2 New RRSIGS 3 New DNSKEY
+ ----------------------------------------------------------------
+ SOA0 SOA1 SOA2
+ RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2)
+ RRSIG2(SOA1) RRSIG2(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2
+ RRSIG2(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+ 4 Remove DNSKEY 5 Remove RRSIGS
+ ----------------------------------------------------------------
+ SOA3 SOA4
+ RRSIG1(SOA3) RRSIG2(SOA4)
+ RRSIG2(SOA3)
+
+ DNSKEY2 DNSKEY2
+ RRSIG1(DNSKEY) RRSIG2(DNSKEY)
+ RRSIG2(DNSKEY)
+ ----------------------------------------------------------------
+
+ Stages of Deployment during an Algorithm Rollover.
+
+ In step 2, the signatures for the new key are added, but the key
+ itself is not.
While in theory, the signatures of the keyset should
+ always be synchronized with the keyset itself, it can be possible
+ that RRSIGS are requested separately, so it might be prudent to also
+ sign the DNSKEY set with the new signature.
+
+ After the cache data has expired, the new key can be added to the
+ zone, as done in step 3.
+
+ The next step is to remove the old algorithm. This time the key
+ needs to be removed first, before removing the signatures. The key
+ is removed in step 4, and after the cache data has expired, the
+ signatures can be removed in step 5.
+
+ The above steps ensure that during the rollover to a new algorithm,
+ the integrity of the zone is never broken.
+
+4.2.5. Automated Key Rollovers
+
+ As keys must be renewed periodically, there is some motivation to
+ automate the rollover process. Consider the following:
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 23]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ o ZSK rollovers are easy to automate as only the child zone is
+ involved.
+
+ o A KSK rollover needs interaction between parent and child. Data
+ exchange is needed to provide the new keys to the parent;
+ consequently, this data must be authenticated and integrity must
+ be guaranteed in order to avoid attacks on the rollover.
+
+4.3. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid trust chain exists.
A trust chain
+ remains intact for
+
+ o as long as a signature over the compromised key in the trust chain
+ is valid,
+
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation (this is generally the hardest to
+ update).
+
+ While a trust chain to your compromised key exists, your namespace is
+ vulnerable to abuse by anyone who has obtained illegitimate
+ possession of the key. Zone operators have to make a trade-off if
+ the abuse of the compromised key is worse than having data in caches
+ that cannot be validated. If the zone operator chooses to break the
+ trust chain to the compromised key, data in caches signed with this
+ key cannot be validated. However, if the zone administrator chooses
+ to take the path of a regular rollover, the malicious key holder can
+ spoof data so that it appears to be valid.
+
+4.3.1. KSK Compromise
+
+ A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+ as long as the compromised KSK is configured as trust anchor or a
+ parental DS points to it.
+
+ A compromised KSK can be used to sign the key set of an attacker's
+ zone. That zone could be used to poison the DNS.
+
+ Therefore, when the KSK has been compromised, the trust anchor or the
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 24]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ parental DS should be replaced as soon as possible. It is local
+ policy whether to break the trust chain during the emergency
+ rollover. The trust chain would be broken when the compromised KSK
+ is removed from the child's zone while the parent still has a DS
+ pointing to the compromised KSK (the assumption is that there is only
+ one DS at the parent. If there are multiple DSes this does not apply
+ -- however the chain of trust of this particular key is broken).
+
+ Note that an attacker's zone still uses the compromised KSK and the
+ presence of a parental DS would cause the data in this zone to appear
+ as valid. Removing the compromised key would cause the attacker's
+ zone to appear as valid and the child's zone as Bogus. Therefore, we
+ advise not to remove the KSK before the parent has a DS to a new KSK
+ in place.
+
+4.3.1.1. Keeping the Chain of Trust Intact
+
+ If we follow this advice, the timing of the replacement of the KSK is
+ somewhat critical. The goal is to remove the compromised KSK as soon
+ as the new DS RR is available at the parent. And also make sure that
+ the signature made with a new KSK over the key set with the
+ compromised KSK in it expires just after the new DS appears at the
+ parent, thus removing the old cruft in one swoop.
+
+ The procedure is as follows:
+
+ 1. Introduce a new KSK into the key set, keep the compromised KSK in
+ the key set.
+
+ 2. Sign the key set, with a short validity period. The validity
+ period should expire shortly after the DS is expected to appear
+ in the parent and the old DSes have expired from caches.
+
+ 3. Upload the DS for this new key to the parent.
+
+ 4. Follow the procedure of the regular KSK rollover: Wait for the DS
+ to appear in the authoritative servers and then wait as long as
+ the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
+ and modify/extend the expiration time.
+
+ 5. Remove the compromised DNSKEY RR from the zone and re-sign the
+ key set using your "normal" validity interval.
+
+ An additional danger of a key compromise is that the compromised key
+ could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+ nameserver changes at the parent. When that happens, the domain may
+ be in dispute. An authenticated out-of-band and secure notify
+ mechanism to contact a parent is needed in this case.
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 25]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ Note that this is only a problem when the DNSKEY and or DS records
+ are used for authentication at the parent.
+
+4.3.1.2. Breaking the Chain of Trust
+
+ There are two methods to break the chain of trust. The first method
+ causes the child zone to appear 'Bogus' to validating resolvers. The
+ other causes the child zone to appear 'insecure'. These are
+ described below.
+
+ In the method that causes the child zone to appear 'Bogus' to
+ validating resolvers, the child zone replaces the current KSK with a
+ new one and re-signs the key set. Next it sends the DS of the new
+ key to the parent. Only after the parent has placed the new DS in
+ the zone is the child's chain of trust repaired.
+
+ An alternative method of breaking the chain of trust is by removing
+ the DS RRs from the parent zone altogether. As a result, the child
+ zone would become insecure.
+
+4.3.2. ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with a KSK
+ compromise. The zone must still be re-signed with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child, this can be achieved
+ fairly quickly. However, one has to take into account that just as
+ with a normal rollover the immediate disappearance of the old
+ compromised key may lead to verification problems. Also note that as
+ long as the RRSIG over the compromised ZSK is not expired the zone
+ may be still at risk.
+
+4.3.3. Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. For instance, if
+ DNSSEC is successfully deployed the root key may be pre-configured in
+ most security aware resolvers.
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact.
Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to
+ be authenticated, e.g., by using digital signatures.
+
+ End-users faced with the task of updating an anchored key should
+ always validate the new key. New keys should be authenticated out-
+ of-band, for example, through the use of an announcement website that
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 26]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ is secured using secure sockets (TLS) [23].
+
+4.4. Parental Policies
+
+4.4.1. Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent. When designing a key exchange policy one should take into
+ account that the authentication and authorization mechanisms used
+ during a key exchange should be as strong as the authentication and
+ authorization mechanisms used for the exchange of delegation
+ information between parent and child. That is, there is no implicit
+ need in DNSSEC to make the authentication process stronger than it
+ was in DNS.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an out-of-band check on the validity of the DNSKEY, has the
+ benefit that it reduces the chances of user error. A DNSKEY query
+ tool can make use of the SEP bit [5] to select the proper key from a
+ DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the chain of trust remains intact
+ once the parent publishes the DS RR indicating the child is secure.
+
+ Note: the out-of-band verification is still needed when the key
+ material is fetched via the DNS.
The parent can never be sure
+ whether or not the DNSKEY RRs have been spoofed.
+
+4.4.2. Storing Keys or Hashes?
+
+ When designing a registry system one should consider which of the
+ DNSKEYs and/or the corresponding DSes to store. Since a child zone
+ might wish to have a DS published using a message digest algorithm
+ not yet understood by the registry, the registry can't count on being
+ able to generate the DS record from a raw DNSKEY. Thus, we recommend
+ that registry systems at least support storing DS records.
+
+ It may also be useful to store DNSKEYs, since having them may help
+ during troubleshooting and, as long as the child's chosen message
+ digest is supported, the overhead of generating DS records from them
+ is minimal. Having an out-of-band mechanism, such as a registry
+ directory (e.g., Whois), to find out which keys are used to generate
+ DS Resource Records for specific owners and/or zones may also help
+ with troubleshooting.
+
+ The storage considerations also relate to the design of the customer
+ interface and the method by which data is transferred between
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 27]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ registrant and registry; Will the child zone administrator be able to
+ upload DS RRs with unknown hash algorithms or does the interface only
+ allow DNSKEYs? In the registry-registrar model, one can use the
+ DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+ which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3. Security Lameness
+
+ Security lameness is defined as what happens when a parent has a DS
+ RR pointing to a non-existing DNSKEY RR. When this happens, the
+ child's zone may be marked "Bogus" by verifying DNS clients.
+
+ As part of a comprehensive delegation check, the parent could, at key
+ exchange time, verify that the child's key is actually configured in
+ the DNS.
However, if a parent does not understand the hashing
+ algorithm used by child, the parental checks are limited to only
+ comparing the key id.
+
+ Child zones should be very careful in removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+ take time to propagate through the DNS.
+
+4.4.4. DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature, a
+ short signature validity period over the DS minimizes the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked "Bogus" in case of a configuration
+ error in the signer. There may not be enough time to fix the
+ problems before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ validity periods longer than 2 days. We recommend an absolute
+ minimum for a DS signature validity period of a few days.
+
+ The maximum signature validity period of the DS record depends on how
+ long child zones are willing to be vulnerable after a key compromise.
+ On the other hand, shortening the DS signature validity interval
+ increases the operational risk for the parent. Therefore, the parent
+ may have policy to use a signature validity interval that is
+ considerably longer than the child would hope for.
+
+ A compromise between the operational constraints of the parent and
+ minimizing damage for the child may result in a DS signature validity
+ period somewhere between a week and months.
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 28]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ In addition to the signature validity period, which sets a lower
+ bound on the number of times the zone owner will need to sign the
+ zone data and which sets an upper bound to the time a child is
+ vulnerable after key compromise, there is the TTL value on the DS
+ RRs. Shortening the TTL means that the authoritative servers will
+ see more queries. But on the other hand, a short TTL lowers the
+ persistence of DS RRSets in caches thereby increasing the speed with
+ which updated DS RRSets propagate through the DNS.
+
+4.4.5. (Non) Cooperating Registrars
+
+ [OK: this is a first strawman, and is intended to start the
+ discussion of the issue. By no means this is intended to be a final
+ text.]
+
+ The parent-child relation is often described in terms of a (thin)
+ registry model. Where a registry maintains the parent zone, and the
+ registrant (the user of the child-domain name), deals with the
+ registry through an intermediary called a registrar. (See [12] for a
+ comprehensive definition). Registrants may out-source the
+ maintenance of their DNS system, including the maintenance of DNSSEC
+ key material, to the registrar or to another third party. The entity
+ that has control over the DNS zone and its keys may prevent the
+ registrant to make a timely move to a different registrar. [OK: I
+ use the term registrar below while it is the operator of the DNS zone
+ who is the actual culprit. For instance, the case also applies when
+ a registrant passes a zone to another registrant. Should I just use
+ "DNS Administrator"?]
+
+ Suppose that the registrant wants to move from losing registrar A to
+ gaining registrar B. Let us first look what would happen in a
+ cooperative environment. The assumption is that registrar A will not
+ hand off any private key material to registrar B because that would
+ be a trivial case.
+ + In a cooperating environment one could proceed with a pre-publish ZSK + rollover whereby registrar A pre-publishes the ZSK of registrar B, + combined with a double signature KSK rollover where the two + registrars exchange public keys and independently generate a + signature over the keysets that they combine and both publish in the + zone. + + In the non-cooperative case matters are more complicated. The + loosing registrar A may not cooperate and leave the data in the DNS + as is. In the extreme case registrar A may become obstructive and + publish a DNSKEY RR with a high TTL and corresponding signature + validity so that registrar A's DNSKEY, would end up in caches for, in + theory, tens of years. + + + +Kolkman & Gieben Expires September 8, 2009 [Page 29] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + The problem arises when a validator tries to validate with A's key + and there is no signature material produced with Registrars A + available in the delegation path after redelegation from registrar A + to registrar B has taken place. One could imagine a rollover + scenario where registrar B pulls all RRSIGs created by registar A and + publishes those in conjunction with its own signatures, but that + would not allow any changes in the zone content. Since a + redelegation took place the NS RRset has -- per definition-- changed + so such rollover scenario will not work. Besides if zone transfers + are not allowed by A and NSEC3 is deployed in the A's zone then + registrar B will not have certainty that all of A's RRSIGs are + transfered. + + The only viable option for the registrant is to publish its zone + unsigned and ask the registry to remove the DS pointing to registrar + A for as long as the DNSKEY of registrar A, or any of the signatures + produced by registrar A are likely to appear in caches, which as + mentioned above could in theory be for tens of years. [OK: Some + implementations limit the time data is cached. 
Although that is not + a protocol requirement (and may even be considered a protocol + violation) it seems that that practice may limit the impact of this + problem, is that worth mentioning?] + + [OK: This is really the point that I'm trying to make, is the above + text needed?] There is no operational methodology to work around + this business issue and proper contractual relations ships between + registrants and their registrars seem to be the only solution to cope + with these problems. + +5. Security Considerations + + DNSSEC adds data integrity to the DNS. This document tries to assess + the operational considerations to maintain a stable and secure DNSSEC + service. Not taking into account the 'data propagation' properties + in the DNS will cause validation failures and may make secured zones + unavailable to security-aware resolvers. + +6. IANA considerations + + There are no IANA considerations with respect to this document + +7. Acknowledgments + + Most of the text of this document is copied from RFC4641 [16] people + involved in that work were in random order: Rip Loomis, Olafur + Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van + Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte + Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman, + + + +Kolkman & Gieben Expires September 8, 2009 [Page 30] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian + Bedford, and Lindy Foster, G. Guette, and O. Courtay. + + For this version of the document we would like to acknowldge: + + o Paul Hoffman for his contribution on the choice of cryptographic + paramenters and addressing some of the trust anchor issues. + + o Jelte Jansen provided the text in Section 4.2.4 + +8. References + +8.1. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. 
+ + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. + + [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", + RFC 4035, March 2005. + +8.2. Informative References + + [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, + August 1996. + + [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes + (DNS NOTIFY)", RFC 1996, August 1996. + + [9] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC 2308, March 1998. + + [10] Eastlake, D., "DNS Security Operational Considerations", + RFC 2541, March 1999. + + + +Kolkman & Gieben Expires September 8, 2009 [Page 31] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic + Update", RFC 3007, November 2000. + + [12] Hollenbeck, S., "Generic Registry-Registrar Protocol + Requirements", RFC 3375, September 2002. + + [13] Orman, H. and P. Hoffman, "Determining Strengths For Public + Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, + April 2004. + + [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions + Mapping for the Extensible Provisioning Protocol (EPP)", + RFC 4310, December 2005. + + [16] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices", + RFC 4641, September 2006. 
+ + [17] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, + August 2007. + + [18] StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust + Anchors", RFC 5011, September 2007. + + [19] Rose, S., "NIST DNSSEC workshop notes", , June 2001. + + [20] Barker, E. and J. Kelsey, "Recommendation for Random Number + Generation Using Deterministic Random Bit Generators + (Revised)", Nist Special Publication 800-90, March 2007. + + [21] Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and + RRSIG Resource Records for DNSSEC", + draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress), + July 2008. + + [22] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) + Resource Records (RRs)", RFC 4509, May 2006. + + [23] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and + T. Wright, "Transport Layer Security (TLS) Extensions", + RFC 4366, April 2006. + +Appendix A. Terminology + + In this document, there is some jargon used that is defined in other + documents. In most cases, we have not copied the text from the + + + +Kolkman & Gieben Expires September 8, 2009 [Page 32] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + documents defining the terms but have given a more elaborate + explanation of the meaning. Note that these explanations should not + be seen as authoritative. + + Anchored key: A DNSKEY configured in resolvers around the globe. + This key is hard to update, hence the term anchored. + + Bogus: Also see Section 5 of [3]. An RRSet in DNSSEC is marked + "Bogus" when a signature of an RRSet does not validate against a + DNSKEY. + + Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is + used exclusively for signing the apex key set. The fact that a + key is a KSK is only relevant to the signing tool. + + Key size: The term 'key size' can be substituted by 'modulus size' + throughout the document. 
It is mathematically more correct to use + modulus size, but as this is a document directed at operators we + feel more at ease with the term key size. + + Private and public keys: DNSSEC secures the DNS through the use of + public key cryptography. Public key cryptography is based on the + existence of two (mathematically related) keys, a public key and a + private key. The public keys are published in the DNS by use of + the DNSKEY Resource Record (DNSKEY RR). Private keys should + remain private. + + Key rollover: A key rollover (also called key supercession in some + environments) is the act of replacing one key pair with another at + the end of a key effectivity period. + + Secure Entry Point (SEP) key: A KSK that has a parental DS record + pointing to it or is configured as a trust anchor. Although not + required by the protocol, we recommend that the SEP flag [5] is + set on these keys. + + Self-signature: This only applies to signatures over DNSKEYs; a + signature made with DNSKEY x, over DNSKEY x is called a self- + signature. Note: without further information, self-signatures + convey no trust. They are useful to check the authenticity of the + DNSKEY, i.e., they can be used as a hash. + + Singing the zone file: The term used for the event where an + administrator joyfully signs its zone file while producing melodic + sound patterns. + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 33] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + Signer: The system that has access to the private key material and + signs the Resource Record sets in a zone. A signer may be + configured to sign only parts of the zone, e.g., only those RRSets + for which existing signatures are about to expire. + + Zone Signing Key (ZSK): A key that is used for signing all data in a + zone (except, perhaps, the DNSKEY RRSet). The fact that a key is + a ZSK is only relevant to the signing tool. 
+ + Zone administrator: The 'role' that is responsible for signing a + zone and publishing it on the primary authoritative server. + +Appendix B. Zone Signing Key Rollover How-To + + Using the pre-published signature scheme and the most conservative + method to assure oneself that data does not live in caches, here + follows the "how-to". + + Step 0: The preparation: Create two keys and publish both in your + key set. Mark one of the keys "active" and the other "published". + Use the "active" key for signing your zone data. Store the + private part of the "published" key, preferably off-line. The + protocol does not provide for attributes to mark a key as active + or published. This is something you have to do on your own, + through the use of a notebook or key management tool. + + Step 1: Determine expiration: At the beginning of the rollover make + a note of the highest expiration time of signatures in your zone + file created with the current key marked as active. Wait until + the expiration time marked in Step 1 has passed. + + Step 2: Then start using the key that was marked "published" to sign + your data (i.e., mark it "active"). Stop using the key that was + marked "active"; mark it "rolled". + + Step 3: It is safe to engage in a new rollover (Step 1) after at + least one signature validity period. + +Appendix C. Typographic Conventions + + The following typographic conventions are used in this document: + + Key notation: A key is denoted by DNSKEYx, where x is a number or an + identifier, x could be thought of as the key id. + + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 34] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + RRSet notations: RRs are only denoted by the type. All other + information -- owner, class, rdata, and TTL -- is left out. Thus: + "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a + list of RRs. 
A example of this would be "A1, A2", specifying the + RRSet containing two "A" records. This could again be abbreviated + to just "A". + + Signature notation: Signatures are denoted as RRSIGx(RRSet), which + means that RRSet is signed with DNSKEYx. + + Zone representation: Using the above notation we have simplified the + representation of a signed zone by leaving out all unnecessary + details such as the names and by representing all data by "SOAx" + + SOA representation: SOAs are represented as SOAx, where x is the + serial number. + + Using this notation the following signed zone: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Expires September 8, 2009 [Page 35] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + example.net. 86400 IN SOA ns.example.net. bert.example.net. ( + 2006022100 ; serial + 86400 ; refresh ( 24 hours) + 7200 ; retry ( 2 hours) + 3600000 ; expire (1000 hours) + 28800 ) ; minimum ( 8 hours) + 86400 RRSIG SOA 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + cmL62SI6iAX46xGNQAdQ... ) + 86400 NS a.example.net. + 86400 NS b.example.net. + 86400 RRSIG NS 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + SO5epiJei19AjXoUpFnQ ... ) + 86400 DNSKEY 256 3 5 ( + EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14 + 86400 DNSKEY 257 3 5 ( + gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15 + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + J4zCe8QX4tXVGjV4e1r9... ) + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 15 example.net. + keVDCOpsSeDReyV6O... ) + 86400 RRSIG NSEC 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + obj3HEp1GjnmhRjX... ) + a.example.net. 86400 IN TXT "A label" + 86400 RRSIG TXT 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + IkDMlRdYLmXH7QJnuF3v... ) + 86400 NSEC b.example.com. TXT RRSIG NSEC + 86400 RRSIG NSEC 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + bZMjoZ3bHjnEz0nIsPMM... 
) + ... + + is reduced to the following representation: + + SOA2006022100 + RRSIG14(SOA2006022100) + DNSKEY14 + DNSKEY15 + + RRSIG14(KEY) + RRSIG15(KEY) + + The rest of the zone data has the same signature as the SOA record, + + + +Kolkman & Gieben Expires September 8, 2009 [Page 36] + +Internet-Draft DNSSEC Operational Practices, Version 2 March 2009 + + + i.e., an RRSIG created with DNSKEY 14. + +Appendix D. Document Editing History + + [To be removed prior to publication as an RFC] + +D.1. draft-ietf-dnsop-rfc4641-00 + + Version 0 was differs from RFC4641 in the following ways. + + o Status of this memo appropriate for I-D + + o TOC formatting differs. + + o Whitespaces, linebreaks, and pagebreaks may be slightly different + because of xml2rfc generation. + + o References slightly reordered. + + o Applied the errata from + http://www.rfc-editor.org/errata_search.php?rfc=4641 + + o Inserted trivial "IANA considertations" section. + + In other words it should not contain substantive changes in content + as intended by the workinggroup for the original RFC4641. + +D.2. version 0->1 + + Cryptography details rewritten. (See http://www.nlnetlabs.nl/svn/ + rfc4641bis/trunk/open-issues/cryptography_flawed) + + o Reference to NIST 800-90 added + + o RSA/SHA256 is being recommended in addition to RSA/SHA1. + + o Complete rewrite of Section 3.5 removing the table and suggesting + a keysize of 1024 for keys in use for less than 8 years, issued up + to at least 2015. + + o Replaced the reference to Schneiers' applied cryptograpy with a + reference to RFC4949. 
+
+ o Removed the KSK for high level zones consideration
+
+ Applied some differentiation with respect of the use of a KSK for
+ parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
+ rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 37]
+
+Internet-Draft DNSSEC Operational Practices, Version 2 March 2009
+
+
+ http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ rollover_assumptions
+
+ Added Section 4.2.4 as suggested by Jelte Jansen in http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+
+ Added Section 4.4.5 Issue identified by Antoin Verschuur http://
+ www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+ non-cooperative-registrars
+
+ In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
+
+ $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: olaf@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+
+ Miek Gieben
+
+
+ EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires September 8, 2009 [Page 38]
+
diff --git a/contrib/zkt/doc/rfc4641.txt b/contrib/zkt/doc/rfc4641.txt
new file mode 100644
index 00000000..0a013bcb
--- /dev/null
+++ b/contrib/zkt/doc/rfc4641.txt
@@ -0,0 +1,1963 @@
+
+
+
+
+
+
+Network Working Group O. Kolkman
+Request for Comments: 4641 R. Gieben
+Obsoletes: 2541 NLnet Labs
+Category: Informational September 2006
+
+
+ DNSSEC Operational Practices
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This document describes a set of practices for operating the DNS with
+ security extensions (DNSSEC). The target audience is zone
+ administrators deploying DNSSEC.
+
+ The document discusses operational aspects of using keys and
+ signatures in the DNS. It discusses issues of key generation, key
+ storage, signature generation, key rollover, and related policies.
+
+ This document obsoletes RFC 2541, as it covers more operational
+ ground and gives more up-to-date requirements with respect to key
+ sizes and the new DNSSEC specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Informational [Page 1]
+
+RFC 4641 DNSSEC Operational Practices September 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. The Use of the Term 'key' ..................................4
+ 1.2. Time Definitions ...........................................4
+ 2. Keeping the Chain of Trust Intact ...............................5
+ 3. Keys Generation and Storage .....................................6
+ 3.1. Zone and Key Signing Keys ..................................6
+ 3.1.1. Motivations for the KSK and ZSK Separation ..........6
+ 3.1.2. KSKs for High-Level Zones ...........................7
+ 3.2. Key Generation .............................................8
+ 3.3. Key Effectivity Period .....................................8
+ 3.4. Key Algorithm ..............................................9
+ 3.5.
Key Sizes ..................................................9 + 3.6. Private Key Storage .......................................11 + 4. Signature Generation, Key Rollover, and Related Policies .......12 + 4.1. Time in DNSSEC ............................................12 + 4.1.1. Time Considerations ................................12 + 4.2. Key Rollovers .............................................14 + 4.2.1. Zone Signing Key Rollovers .........................14 + 4.2.1.1. Pre-Publish Key Rollover ..................15 + 4.2.1.2. Double Signature Zone Signing Key + Rollover ..................................17 + 4.2.1.3. Pros and Cons of the Schemes ..............18 + 4.2.2. Key Signing Key Rollovers ..........................18 + 4.2.3. Difference Between ZSK and KSK Rollovers ...........20 + 4.2.4. Automated Key Rollovers ............................21 + 4.3. Planning for Emergency Key Rollover .......................21 + 4.3.1. KSK Compromise .....................................22 + 4.3.1.1. Keeping the Chain of Trust Intact .........22 + 4.3.1.2. Breaking the Chain of Trust ...............23 + 4.3.2. ZSK Compromise .....................................23 + 4.3.3. Compromises of Keys Anchored in Resolvers ..........24 + 4.4. Parental Policies .........................................24 + 4.4.1. Initial Key Exchanges and Parental Policies + Considerations .....................................24 + 4.4.2. Storing Keys or Hashes? ............................25 + 4.4.3. Security Lameness ..................................25 + 4.4.4. DS Signature Validity Period .......................26 + 5. Security Considerations ........................................26 + 6. Acknowledgments ................................................26 + 7. References .....................................................27 + 7.1. Normative References ......................................27 + 7.2. Informative References ....................................28 + Appendix A. 
Terminology ...........................................30 + Appendix B. Zone Signing Key Rollover How-To ......................31 + Appendix C. Typographic Conventions ...............................32 + + + + +Kolkman & Gieben Informational [Page 2] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +1. Introduction + + This document describes how to run a DNS Security (DNSSEC)-enabled + environment. It is intended for operators who have knowledge of the + DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC. + See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the + newly introduced Resource Records (RRs), and RFC 4035 [6] for the + protocol changes. + + During workshops and early operational deployment tests, operators + and system administrators have gained experience about operating the + DNS with security extensions (DNSSEC). This document translates + these experiences into a set of practices for zone administrators. + At the time of writing, there exists very little experience with + DNSSEC in production environments; this document should therefore + explicitly not be seen as representing 'Best Current Practices'. + + The procedures herein are focused on the maintenance of signed zones + (i.e., signing and publishing zones on authoritative servers). It is + intended that maintenance of zones such as re-signing or key + rollovers be transparent to any verifying clients on the Internet. + + The structure of this document is as follows. In Section 2, we + discuss the importance of keeping the "chain of trust" intact. + Aspects of key generation and storage of private keys are discussed + in Section 3; the focus in this section is mainly on the private part + of the key(s). Section 4 describes considerations concerning the + public part of the keys. Since these public keys appear in the DNS + one has to take into account all kinds of timing issues, which are + discussed in Section 4.1. 
Section 4.2 and Section 4.3 deal with the + rollover, or supercession, of keys. Finally, Section 4.4 discusses + considerations on how parents deal with their children's public keys + in order to maintain chains of trust. + + The typographic conventions used in this document are explained in + Appendix C. + + Since this is a document with operational suggestions and there are + no protocol specifications, the RFC 2119 [7] language does not apply. + + This document obsoletes RFC 2541 [12] to reflect the evolution of the + underlying DNSSEC protocol since then. Changes in the choice of + cryptographic algorithms, DNS record types and type names, and the + parent-child key and signature exchange demanded a major rewrite and + additional information and explanation. + + + + + + +Kolkman & Gieben Informational [Page 3] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +1.1. The Use of the Term 'key' + + It is assumed that the reader is familiar with the concept of + asymmetric keys on which DNSSEC is based (public key cryptography + [17]). Therefore, this document will use the term 'key' rather + loosely. Where it is written that 'a key is used to sign data' it is + assumed that the reader understands that it is the private part of + the key pair that is used for signing. It is also assumed that the + reader understands that the public part of the key pair is published + in the DNSKEY Resource Record and that it is the public part that is + used in key exchanges. + +1.2. Time Definitions + + In this document, we will be using a number of time-related terms. + The following definitions apply: + + o "Signature validity period" The period that a signature is valid. + It starts at the time specified in the signature inception field + of the RRSIG RR and ends at the time specified in the expiration + field of the RRSIG RR. 
+ + o "Signature publication period" Time after which a signature (made + with a specific key) is replaced with a new signature (made with + the same key). This replacement takes place by publishing the + relevant RRSIG in the master zone file. After one stops + publishing an RRSIG in a zone, it may take a while before the + RRSIG has expired from caches and has actually been removed from + the DNS. + + o "Key effectivity period" The period during which a key pair is + expected to be effective. This period is defined as the time + between the first inception time stamp and the last expiration + date of any signature made with this key, regardless of any + discontinuity in the use of the key. The key effectivity period + can span multiple signature validity periods. + + o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum + value of the TTLs from the complete set of RRs in a zone. Note + that the minimum TTL is not the same as the MINIMUM field in the + SOA RR. See [11] for more information. + + + + + + + + + + +Kolkman & Gieben Informational [Page 4] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +2. Keeping the Chain of Trust Intact + + Maintaining a valid chain of trust is important because broken chains + of trust will result in data being marked as Bogus (as defined in [4] + Section 5), which may cause entire (sub)domains to become invisible + to verifying clients. The administrators of secured zones have to + realize that their zone is, to verifying clients, part of a chain of + trust. + + As mentioned in the introduction, the procedures herein are intended + to ensure that maintenance of zones, such as re-signing or key + rollovers, will be transparent to the verifying clients on the + Internet. 
+ + Administrators of secured zones will have to keep in mind that data + published on an authoritative primary server will not be immediately + seen by verifying clients; it may take some time for the data to be + transferred to other secondary authoritative nameservers and clients + may be fetching data from caching non-authoritative servers. In this + light, note that the time for a zone transfer from master to slave is + negligible when using NOTIFY [9] and incremental transfer (IXFR) [8]. + It increases when full zone transfers (AXFR) are used in combination + with NOTIFY. It increases even more if you rely on full zone + transfers based on only the SOA timing parameters for refresh. + + For the verifying clients, it is important that data from secured + zones can be used to build chains of trust regardless of whether the + data came directly from an authoritative server, a caching + nameserver, or some middle box. Only by carefully using the + available timing parameters can a zone administrator ensure that the + data necessary for verification can be obtained. + + The responsibility for maintaining the chain of trust is shared by + administrators of secured zones in the chain of trust. This is most + obvious in the case of a 'key compromise' when a trade-off between + maintaining a valid chain of trust and replacing the compromised keys + as soon as possible must be made. Then zone administrators will have + to make a trade-off, between keeping the chain of trust intact -- + thereby allowing for attacks with the compromised key -- or + deliberately breaking the chain of trust and making secured + subdomains invisible to security-aware resolvers. Also see Section + 4.3. + + + + + + + + + +Kolkman & Gieben Informational [Page 5] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3. Keys Generation and Storage + + This section describes a number of considerations with respect to the + security of keys. 
It deals with the generation, effectivity period, + size, and storage of private keys. + +3.1. Zone and Key Signing Keys + + The DNSSEC validation protocol does not distinguish between different + types of DNSKEYs. All DNSKEYs can be used during the validation. In + practice, operators use Key Signing and Zone Signing Keys and use the + so-called Secure Entry Point (SEP) [3] flag to distinguish between + them during operations. The dynamics and considerations are + discussed below. + + To make zone re-signing and key rollover procedures easier to + implement, it is possible to use one or more keys as Key Signing Keys + (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone. + Other keys can be used to sign all the RRSets in a zone and are + referred to as Zone Signing Keys (ZSKs). In this document, we assume + that KSKs are the subset of keys that are used for key exchanges with + the parent and potentially for configuration as trusted anchors -- + the SEP keys. In this document, we assume a one-to-one mapping + between KSK and SEP keys and we assume the SEP flag to be set on all + KSKs. + +3.1.1. Motivations for the KSK and ZSK Separation + + Differentiating between the KSK and ZSK functions has several + advantages: + + o No parent/child interaction is required when ZSKs are updated. + + o The KSK can be made stronger (i.e., using more bits in the key + material). This has little operational impact since it is only + used to sign a small fraction of the zone data. Also, the KSK is + only used to verify the zone's key set, not for other RRSets in + the zone. + + o As the KSK is only used to sign a key set, which is most probably + updated less frequently than other data in the zone, it can be + stored separately from and in a safer location than the ZSK. + + o A KSK can have a longer key effectivity period. + + For almost any method of key management and zone signing, the KSK is + used less frequently than the ZSK. 
Once a key set is signed with the + KSK, all the keys in the key set can be used as ZSKs. If a ZSK is + + + +Kolkman & Gieben Informational [Page 6] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + compromised, it can be simply dropped from the key set. The new key + set is then re-signed with the KSK. + + Given the assumption that for KSKs the SEP flag is set, the KSK can + be distinguished from a ZSK by examining the flag field in the DNSKEY + RR. If the flag field is an odd number it is a KSK. If it is an + even number it is a ZSK. + + The Zone Signing Key can be used to sign all the data in a zone on a + regular basis. When a Zone Signing Key is to be rolled, no + interaction with the parent is needed. This allows for signature + validity periods on the order of days. + + The Key Signing Key is only to be used to sign the DNSKEY RRs in a + zone. If a Key Signing Key is to be rolled over, there will be + interactions with parties other than the zone administrator. These + can include the registry of the parent zone or administrators of + verifying resolvers that have the particular key configured as secure + entry points. Hence, the key effectivity period of these keys can + and should be made much longer. Although, given a long enough key, + the key effectivity period can be on the order of years, we suggest + planning for a key effectivity on the order of a few months so that a + key rollover remains an operational routine. + +3.1.2. KSKs for High-Level Zones + + Higher-level zones are generally more sensitive than lower-level + zones. Anyone controlling or breaking the security of a zone thereby + obtains authority over all of its subdomains (except in the case of + resolvers that have locally configured the public key of a subdomain, + in which case this, and only this, subdomain wouldn't be affected by + the compromise of the parent zone). Therefore, extra care should be + taken with high-level zones, and strong keys should be used. 
+ + The root zone is the most critical of all zones. Someone controlling + or compromising the security of the root zone would control the + entire DNS namespace of all resolvers using that root zone (except in + the case of resolvers that have locally configured the public key of + a subdomain). Therefore, the utmost care must be taken in the + securing of the root zone. The strongest and most carefully handled + keys should be used. The root zone private key should always be kept + off-line. + + Many resolvers will start at a root server for their access to and + authentication of DNS data. Securely updating the trust anchors in + an enormous population of resolvers around the world will be + extremely difficult. + + + + +Kolkman & Gieben Informational [Page 7] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3.2. Key Generation + + Careful generation of all keys is a sometimes overlooked but + absolutely essential element in any cryptographically secure system. + The strongest algorithms used with the longest keys are still of no + use if an adversary can guess enough to lower the size of the likely + key space so that it can be exhaustively searched. Technical + suggestions for the generation of random keys will be found in RFC + 4086 [14]. One should carefully assess if the random number + generator used during key generation adheres to these suggestions. + + Keys with a long effectivity period are particularly sensitive as + they will represent a more valuable target and be subject to attack + for a longer time than short-period keys. It is strongly recommended + that long-term key generation occur off-line in a manner isolated + from the network via an air gap or, at a minimum, high-level secure + hardware. + +3.3. Key Effectivity Period + + For various reasons, keys in DNSSEC need to be changed once in a + while. 
The longer a key is in use, the greater the probability that + it will have been compromised through carelessness, accident, + espionage, or cryptanalysis. Furthermore, when key rollovers are too + rare an event, they will not become part of the operational habit and + there is risk that nobody on-site will remember the procedure for + rollover when the need is there. + + From a purely operational perspective, a reasonable key effectivity + period for Key Signing Keys is 13 months, with the intent to replace + them after 12 months. An intended key effectivity period of a month + is reasonable for Zone Signing Keys. + + For key sizes that match these effectivity periods, see Section 3.5. + + As argued in Section 3.1.2, securely updating trust anchors will be + extremely difficult. On the other hand, the "operational habit" + argument does also apply to trust anchor reconfiguration. If a short + key effectivity period is used and the trust anchor configuration has + to be revisited on a regular basis, the odds that the configuration + tends to be forgotten is smaller. The trade-off is against a system + that is so dynamic that administrators of the validating clients will + not be able to follow the modifications. + + Key effectivity periods can be made very short, as in a few minutes. + But when replacing keys one has to take the considerations from + Section 4.1 and Section 4.2 into account. + + + + +Kolkman & Gieben Informational [Page 8] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3.4. Key Algorithm + + There are currently three different types of algorithms that can be + used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The + latter is fairly new and has yet to be standardized for usage in + DNSSEC. + + RSA has been developed in an open and transparent manner. As the + patent on RSA expired in 2000, its use is now also free. + + DSA has been developed by the National Institute of Standards and + Technology (NIST). 
The creation of signatures takes roughly the same + time as with RSA, but is 10 to 40 times as slow for verification + [17]. + + We suggest the use of RSA/SHA-1 as the preferred algorithm for the + key. The current known attacks on RSA can be defeated by making your + key longer. As the MD5 hashing algorithm is showing cracks, we + recommend the usage of SHA-1. + + At the time of publication, it is known that the SHA-1 hash has + cryptanalysis issues. There is work in progress on addressing these + issues. We recommend the use of public key algorithms based on + hashes stronger than SHA-1 (e.g., SHA-256), as soon as these + algorithms are available in protocol specifications (see [19] and + [20]) and implementations. + +3.5. Key Sizes + + When choosing key sizes, zone administrators will need to take into + account how long a key will be used, how much data will be signed + during the key publication period (see Section 8.10 of [17]), and, + optionally, how large the key size of the parent is. As the chain of + trust really is "a chain", there is not much sense in making one of + the keys in the chain several times larger then the others. As + always, it's the weakest link that defines the strength of the entire + chain. Also see Section 3.1.1 for a discussion of how keys serving + different roles (ZSK vs. KSK) may need different key sizes. + + Generating a key of the correct size is a difficult problem; RFC 3766 + [13] tries to deal with that problem. The first part of the + selection procedure in Section 1 of the RFC states: + + 1. Determine the attack resistance necessary to satisfy the + security requirements of the application. Do this by + estimating the minimum number of computer operations that the + attacker will be forced to do in order to compromise the + + + + +Kolkman & Gieben Informational [Page 9] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + security of the system and then take the logarithm base two of + that number. 
Call that logarithm value "n". + + A 1996 report recommended 90 bits as a good all-around choice + for system security. The 90 bit number should be increased by + about 2/3 bit/year, or about 96 bits in 2005. + + [13] goes on to explain how this number "n" can be used to calculate + the key sizes in public key cryptography. This culminated in the + table given below (slightly modified for our purpose): + + +-------------+-----------+--------------+ + | System | | | + | requirement | Symmetric | RSA or DSA | + | for attack | key size | modulus size | + | resistance | (bits) | (bits) | + | (bits) | | | + +-------------+-----------+--------------+ + | 70 | 70 | 947 | + | 80 | 80 | 1228 | + | 90 | 90 | 1553 | + | 100 | 100 | 1926 | + | 150 | 150 | 4575 | + | 200 | 200 | 8719 | + | 250 | 250 | 14596 | + +-------------+-----------+--------------+ + + The key sizes given are rather large. This is because these keys are + resilient against a trillionaire attacker. Assuming this rich + attacker will not attack your key and that the key is rolled over + once a year, we come to the following recommendations about KSK + sizes: 1024 bits for low-value domains, 1300 bits for medium-value + domains, and 2048 bits for high-value domains. + + Whether a domain is of low, medium, or high value depends solely on + the views of the zone owner. One could, for instance, view leaf + nodes in the DNS as of low value, and top-level domains (TLDs) or the + root zone of high value. The suggested key sizes should be safe for + the next 5 years. + + As ZSKs can be rolled over more easily (and thus more often), the key + sizes can be made smaller. But as said in the introduction of this + paragraph, making the ZSKs' key sizes too small (in relation to the + KSKs' sizes) doesn't make much sense. Try to limit the difference in + size to about 100 bits. 
+ + + + + + +Kolkman & Gieben Informational [Page 10] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Note that nobody can see into the future and that these key sizes are + only provided here as a guide. Further information can be found in + [16] and Section 7.5 of [17]. It should be noted though that [16] is + already considered overly optimistic about what key sizes are + considered safe. + + One final note concerning key sizes. Larger keys will increase the + sizes of the RRSIG and DNSKEY records and will therefore increase the + chance of DNS UDP packet overflow. Also, the time it takes to + validate and create RRSIGs increases with larger keys, so don't + needlessly double your key sizes. + +3.6. Private Key Storage + + It is recommended that, where possible, zone private keys and the + zone file master copy that is to be signed be kept and used in off- + line, non-network-connected, physically secure machines only. + Periodically, an application can be run to add authentication to a + zone by adding RRSIG and NSEC RRs. Then the augmented file can be + transferred. + + When relying on dynamic update to manage a signed zone [10], be aware + that at least one private key of the zone will have to reside on the + master server. This key is only as secure as the amount of exposure + the server receives to unknown clients and the security of the host. + Although not mandatory, one could administer the DNS in the following + way. The master that processes the dynamic updates is unavailable + from generic hosts on the Internet, it is not listed in the NS RR + set, although its name appears in the SOA RRs MNAME field. The + nameservers in the NS RRSet are able to receive zone updates through + NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This + approach is known as the "hidden master" setup. + + The ideal situation is to have a one-way information flow to the + network to avoid the possibility of tampering from the network. 
+ Keeping the zone master file on-line on the network and simply + cycling it through an off-line signer does not do this. The on-line + version could still be tampered with if the host it resides on is + compromised. For maximum security, the master copy of the zone file + should be off-net and should not be updated based on an unsecured + network mediated communication. + + In general, keeping a zone file off-line will not be practical and + the machines on which zone files are maintained will be connected to + a network. Operators are advised to take security measures to shield + unauthorized access to the master copy. + + + + + +Kolkman & Gieben Informational [Page 11] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + For dynamically updated secured zones [10], both the master copy and + the private key that is used to update signatures on updated RRs will + need to be on-line. + +4. Signature Generation, Key Rollover, and Related Policies + +4.1. Time in DNSSEC + + Without DNSSEC, all times in the DNS are relative. The SOA fields + REFRESH, RETRY, and EXPIRATION are timers used to determine the time + elapsed after a slave server synchronized with a master server. The + Time to Live (TTL) value and the SOA RR minimum TTL parameter [11] + are used to determine how long a forwarder should cache data after it + has been fetched from an authoritative server. By using a signature + validity period, DNSSEC introduces the notion of an absolute time in + the DNS. Signatures in DNSSEC have an expiration date after which + the signature is marked as invalid and the signed data is to be + considered Bogus. + +4.1.1. Time Considerations + + Because of the expiration of signatures, one should consider the + following: + + o We suggest the Maximum Zone TTL of your zone data to be a fraction + of your signature validity period. 
+ + If the TTL would be of similar order as the signature validity + period, then all RRSets fetched during the validity period + would be cached until the signature expiration time. Section + 7.1 of [4] suggests that "the resolver may use the time + remaining before expiration of the signature validity period of + a signed RRSet as an upper bound for the TTL". As a result, + query load on authoritative servers would peak at signature + expiration time, as this is also the time at which records + simultaneously expire from caches. + + To avoid query load peaks, we suggest the TTL on all the RRs in + your zone to be at least a few times smaller than your + signature validity period. + + o We suggest the signature publication period to end at least one + Maximum Zone TTL duration before the end of the signature validity + period. + + + + + + + +Kolkman & Gieben Informational [Page 12] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Re-signing a zone shortly before the end of the signature + validity period may cause simultaneous expiration of data from + caches. This in turn may lead to peaks in the load on + authoritative servers. + + o We suggest the Minimum Zone TTL to be long enough to both fetch + and verify all the RRs in the trust chain. In workshop + environments, it has been demonstrated [18] that a low TTL (under + 5 to 10 minutes) caused disruptions because of the following two + problems: + + 1. During validation, some data may expire before the + validation is complete. The validator should be able to + keep all data until it is completed. This applies to all + RRs needed to complete the chain of trust: DSes, DNSKEYs, + RRSIGs, and the final answers, i.e., the RRSet that is + returned for the initial query. + + 2. Frequent verification causes load on recursive nameservers. + Data at delegation points, DSes, DNSKEYs, and RRSIGs + benefit from caching. The TTL on those should be + relatively long. 
+ + o Slave servers will need to be able to fetch newly signed zones + well before the RRSIGs in the zone served by the slave server pass + their signature expiration time. + + When a slave server is out of sync with its master and data in + a zone is signed by expired signatures, it may be better for + the slave server not to give out any answer. + + Normally, a slave server that is not able to contact a master + server for an extended period will expire a zone. When that + happens, the server will respond differently to queries for + that zone. Some servers issue SERVFAIL, whereas others turn + off the 'AA' bit in the answers. The time of expiration is set + in the SOA record and is relative to the last successful + refresh between the master and the slave servers. There exists + no coupling between the signature expiration of RRSIGs in the + zone and the expire parameter in the SOA. + + If the server serves a DNSSEC zone, then it may well happen + that the signatures expire well before the SOA expiration timer + counts down to zero. It is not possible to completely prevent + this from happening by tweaking the SOA parameters. However, + the effects can be minimized where the SOA expiration time is + equal to or shorter than the signature validity period. The + consequence of an authoritative server not being able to update + + + +Kolkman & Gieben Informational [Page 13] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + a zone, whilst that zone includes expired signatures, is that + non-secure resolvers will continue to be able to resolve data + served by the particular slave servers while security-aware + resolvers will experience problems because of answers being + marked as Bogus. + + We suggest the SOA expiration timer being approximately one + third or one fourth of the signature validity period. It will + allow problems with transfers from the master server to be + noticed before the actual signature times out. 
We also suggest + that operators of nameservers that supply secondary services + develop 'watch dogs' to spot upcoming signature expirations in + zones they slave, and take appropriate action. + + When determining the value for the expiration parameter one has + to take the following into account: What are the chances that + all my secondaries expire the zone? How quickly can I reach an + administrator of secondary servers to load a valid zone? These + questions are not DNSSEC specific but may influence the choice + of your signature validity intervals. + +4.2. Key Rollovers + + A DNSSEC key cannot be used forever (see Section 3.3). So key + rollovers -- or supercessions, as they are sometimes called -- are a + fact of life when using DNSSEC. Zone administrators who are in the + process of rolling their keys have to take into account that data + published in previous versions of their zone still lives in caches. + When deploying DNSSEC, this becomes an important consideration; + ignoring data that may be in caches may lead to loss of service for + clients. + + The most pressing example of this occurs when zone material signed + with an old key is being validated by a resolver that does not have + the old zone key cached. If the old key is no longer present in the + current zone, this validation fails, marking the data "Bogus". + Alternatively, an attempt could be made to validate data that is + signed with a new key against an old key that lives in a local cache, + also resulting in data being marked "Bogus". + +4.2.1. Zone Signing Key Rollovers + + For "Zone Signing Key rollovers", there are two ways to make sure + that during the rollover data still cached can be verified with the + new key sets or newly generated signatures can be verified with the + keys still in caches. 
One schema, described in Section 4.2.1.2, uses + + + + + +Kolkman & Gieben Informational [Page 14] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + double signatures; the other uses key pre-publication (Section + 4.2.1.1). The pros, cons, and recommendations are described in + Section 4.2.1.3. + +4.2.1.1. Pre-Publish Key Rollover + + This section shows how to perform a ZSK rollover without the need to + sign all the data in a zone twice -- the "pre-publish key rollover". + This method has advantages in the case of a key compromise. If the + old key is compromised, the new key has already been distributed in + the DNS. The zone administrator is then able to quickly switch to + the new key and remove the compromised key from the zone. Another + major advantage is that the zone size does not double, as is the case + with the double signature ZSK rollover. A small "how-to" for this + kind of rollover can be found in Appendix B. + + Pre-publish key rollover involves four stages as follows: + + ---------------------------------------------------------------- + initial new DNSKEY new RRSIGs DNSKEY removal + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 SOA3 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) + + DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 DNSKEY11 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + Pre-Publish Key Rollover + + initial: Initial version of the zone: DNSKEY 1 is the Key Signing + Key. DNSKEY 10 is used to sign all the data of the zone, the Zone + Signing Key. + + new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no + signatures are generated with this key yet, but this does not + secure against brute force attacks on the public key. 
The minimum + duration of this pre-roll phase is the time it takes for the data + to propagate to the authoritative servers plus TTL value of the + key set. + + new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is + used to sign the data in the zone exclusively (i.e., all the + signatures from DNSKEY 10 are removed from the zone). DNSKEY 10 + remains published in the key set. This way data that was loaded + + + +Kolkman & Gieben Informational [Page 15] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + into caches from version 1 of the zone can still be verified with + key sets fetched from version 2 of the zone. The minimum time + that the key set including DNSKEY 10 is to be published is the + time that it takes for zone data from the previous version of the + zone to expire from old caches, i.e., the time it takes for this + zone to propagate to all authoritative servers plus the Maximum + Zone TTL value of any of the data in the previous version of the + zone. + + DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now + only containing DNSKEY 1 and DNSKEY 11, is re-signed with the + DNSKEY 1. + + The above scheme can be simplified by always publishing the "future" + key immediately after the rollover. 
The scheme would look as follows + (we show two rollovers); the future key is introduced in "new DNSKEY" + as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY + (II)": + + ---------------------------------------------------------------- + initial new RRSIGs new DNSKEY + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2) + + DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 DNSKEY11 DNSKEY12 + RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + ---------------------------------------------------------------- + new RRSIGs (II) new DNSKEY (II) + ---------------------------------------------------------------- + SOA3 SOA4 + RRSIG12(SOA3) RRSIG12(SOA4) + + DNSKEY1 DNSKEY1 + DNSKEY11 DNSKEY12 + DNSKEY12 DNSKEY13 + RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG12(DNSKEY) RRSIG12(DNSKEY) + ---------------------------------------------------------------- + + Pre-Publish Key Rollover, Showing Two Rollovers + + + + + +Kolkman & Gieben Informational [Page 16] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Note that the key introduced in the "new DNSKEY" phase is not used + for production yet; the private key can thus be stored in a + physically secure manner and does not need to be 'fetched' every time + a zone needs to be signed. + +4.2.1.2. Double Signature Zone Signing Key Rollover + + This section shows how to perform a ZSK key rollover using the double + zone data signature scheme, aptly named "double signature rollover". + + During the "new DNSKEY" stage the new version of the zone file will + need to propagate to all authoritative servers and the data that + exists in (distant) caches will need to expire, requiring at least + the Maximum Zone TTL. 
+ + Double signature ZSK rollover involves three stages as follows: + + ---------------------------------------------------------------- + initial new DNSKEY DNSKEY removal + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) + RRSIG11(SOA1) + + DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 + RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) + RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + Double Signature Zone Signing Key Rollover + + initial: Initial Version of the zone: DNSKEY 1 is the Key Signing + Key. DNSKEY 10 is used to sign all the data of the zone, the Zone + Signing Key. + + new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is + introduced into the key set and all the data in the zone is signed + with DNSKEY 10 and DNSKEY 11. The rollover period will need to + continue until all data from version 0 of the zone has expired + from remote caches. This will take at least the Maximum Zone TTL + of version 0 of the zone. + + DNSKEY removal: DNSKEY 10 is removed from the zone. All the + signatures from DNSKEY 10 are removed from the zone. The key set, + now only containing DNSKEY 11, is re-signed with DNSKEY 1. + + + +Kolkman & Gieben Informational [Page 17] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + At every instance, RRSIGs from the previous version of the zone can + be verified with the DNSKEY RRSet from the current version and the + other way around. The data from the current version can be verified + with the data from the previous version of the zone. The duration of + the "new DNSKEY" phase and the period between rollovers should be at + least the Maximum Zone TTL. + + Making sure that the "new DNSKEY" phase lasts until the signature + expiration time of the data in initial version of the zone is + recommended. 
This way all caches are cleared of the old signatures. + However, this duration could be considerably longer than the Maximum + Zone TTL, making the rollover a lengthy procedure. + + Note that in this example we assumed that the zone was not modified + during the rollover. New data can be introduced in the zone as long + as it is signed with both keys. + +4.2.1.3. Pros and Cons of the Schemes + + Pre-publish key rollover: This rollover does not involve signing the + zone data twice. Instead, before the actual rollover, the new key + is published in the key set and thus is available for + cryptanalysis attacks. A small disadvantage is that this process + requires four steps. Also the pre-publish scheme involves more + parental work when used for KSK rollovers as explained in Section + 4.2.3. + + Double signature ZSK rollover: The drawback of this signing scheme is + that during the rollover the number of signatures in your zone + doubles; this may be prohibitive if you have very big zones. An + advantage is that it only requires three steps. + +4.2.2. Key Signing Key Rollovers + + For the rollover of a Key Signing Key, the same considerations as for + the rollover of a Zone Signing Key apply. However, we can use a + double signature scheme to guarantee that old data (only the apex key + set) in caches can be verified with a new key set and vice versa. + Since only the key set is signed with a KSK, zone size considerations + do not apply. 
+ + + + + + + + + + + +Kolkman & Gieben Informational [Page 18] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + -------------------------------------------------------------------- + initial new DNSKEY DS change DNSKEY removal + -------------------------------------------------------------------- + Parent: + SOA0 --------> SOA1 --------> + RRSIGpar(SOA0) --------> RRSIGpar(SOA1) --------> + DS1 --------> DS2 --------> + RRSIGpar(DS) --------> RRSIGpar(DS) --------> + + + Child: + SOA0 SOA1 --------> SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2) + --------> + DNSKEY1 DNSKEY1 --------> DNSKEY2 + DNSKEY2 --------> + DNSKEY10 DNSKEY10 --------> DNSKEY10 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY) + RRSIG2 (DNSKEY) --------> + RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) + -------------------------------------------------------------------- + + Stages of Deployment for a Double Signature Key Signing Key Rollover + + initial: Initial version of the zone. The parental DS points to + DNSKEY1. Before the rollover starts, the child will have to + verify what the TTL is of the DS RR that points to DNSKEY1 -- it + is needed during the rollover and we refer to the value as TTL_DS. + + new DNSKEY: During the "new DNSKEY" phase, the zone administrator + generates a second KSK, DNSKEY2. The key is provided to the + parent, and the child will have to wait until a new DS RR has been + generated that points to DNSKEY2. After that DS RR has been + published on all servers authoritative for the parent's zone, the + zone administrator has to wait at least TTL_DS to make sure that + the old DS RR has expired from caches. + + DS change: The parent replaces DS1 with DS2. + + DNSKEY removal: DNSKEY1 has been removed. + + The scenario above puts the responsibility for maintaining a valid + chain of trust with the child. It also is based on the premise that + the parent only has one DS RR (per algorithm) per zone. 
An + alternative mechanism has been considered. Using an established + trust relation, the interaction can be performed in-band, and the + removal of the keys by the child can possibly be signaled by the + parent. In this mechanism, there are periods where there are two DS + + + +Kolkman & Gieben Informational [Page 19] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + RRs at the parent. Since at the moment of writing the protocol for + this interaction has not been developed, further discussion is out of + scope for this document. + +4.2.3. Difference Between ZSK and KSK Rollovers + + Note that KSK rollovers and ZSK rollovers are different in the sense + that a KSK rollover requires interaction with the parent (and + possibly replacing of trust anchors) and the ensuing delay while + waiting for it. + + A zone key rollover can be handled in two different ways: pre-publish + (Section 4.2.1.1) and double signature (Section 4.2.1.2). + + As the KSK is used to validate the key set and because the KSK is not + changed during a ZSK rollover, a cache is able to validate the new + key set of the zone. The pre-publish method would also work for a + KSK rollover. The records that are to be pre-published are the + parental DS RRs. The pre-publish method has some drawbacks for KSKs. + We first describe the rollover scheme and then indicate these + drawbacks. 
+ + -------------------------------------------------------------------- + initial new DS new DNSKEY DS/DNSKEY removal + -------------------------------------------------------------------- + Parent: + SOA0 SOA1 --------> SOA2 + RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2) + DS1 DS1 --------> DS2 + DS2 --------> + RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS) + + + Child: + SOA0 --------> SOA1 SOA1 + RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1) + --------> + DNSKEY1 --------> DNSKEY2 DNSKEY2 + --------> + DNSKEY10 --------> DNSKEY10 DNSKEY10 + RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY) + RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY) + -------------------------------------------------------------------- + + Stages of Deployment for a Pre-Publish Key Signing Key Rollover + + + + + + +Kolkman & Gieben Informational [Page 20] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + When the child zone wants to roll, it notifies the parent during the + "new DS" phase and submits the new key (or the corresponding DS) to + the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1 + and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase), + which can take place as soon as the new DS set propagated through the + DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that + ("DS/DNSKEY removal" phase), it can notify the parent that the old DS + record can be deleted. + + The drawbacks of this scheme are that during the "new DS" phase the + parent cannot verify the match between the DS2 RR and DNSKEY2 using + the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a + "security lame" key (see Section 4.4.3). Finally, the child-parent + interaction consists of two steps. The "double signature" method + only needs one interaction. + +4.2.4. Automated Key Rollovers + + As keys must be renewed periodically, there is some motivation to + automate the rollover process. 
Consider the following: + + o ZSK rollovers are easy to automate as only the child zone is + involved. + + o A KSK rollover needs interaction between parent and child. Data + exchange is needed to provide the new keys to the parent; + consequently, this data must be authenticated and integrity must + be guaranteed in order to avoid attacks on the rollover. + +4.3. Planning for Emergency Key Rollover + + This section deals with preparation for a possible key compromise. + Our advice is to have a documented procedure ready for when a key + compromise is suspected or confirmed. + + When the private material of one of your keys is compromised it can + be used for as long as a valid trust chain exists. A trust chain + remains intact for + + o as long as a signature over the compromised key in the trust chain + is valid, + + o as long as a parental DS RR (and signature) points to the + compromised key, + + o as long as the key is anchored in a resolver and is used as a + starting point for validation (this is generally the hardest to + update). + + + +Kolkman & Gieben Informational [Page 21] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + While a trust chain to your compromised key exists, your namespace is + vulnerable to abuse by anyone who has obtained illegitimate + possession of the key. Zone operators have to make a trade-off if + the abuse of the compromised key is worse than having data in caches + that cannot be validated. If the zone operator chooses to break the + trust chain to the compromised key, data in caches signed with this + key cannot be validated. However, if the zone administrator chooses + to take the path of a regular rollover, the malicious key holder can + spoof data so that it appears to be valid. + +4.3.1. KSK Compromise + + A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable + as long as the compromised KSK is configured as trust anchor or a + parental DS points to it. 
+ + A compromised KSK can be used to sign the key set of an attacker's + zone. That zone could be used to poison the DNS. + + Therefore, when the KSK has been compromised, the trust anchor or the + parental DS should be replaced as soon as possible. It is local + policy whether to break the trust chain during the emergency + rollover. The trust chain would be broken when the compromised KSK + is removed from the child's zone while the parent still has a DS + pointing to the compromised KSK (the assumption is that there is only + one DS at the parent. If there are multiple DSes this does not apply + -- however the chain of trust of this particular key is broken). + + Note that an attacker's zone still uses the compromised KSK and the + presence of a parental DS would cause the data in this zone to appear + as valid. Removing the compromised key would cause the attacker's + zone to appear as valid and the child's zone as Bogus. Therefore, we + advise not to remove the KSK before the parent has a DS to a new KSK + in place. + +4.3.1.1. Keeping the Chain of Trust Intact + + If we follow this advice, the timing of the replacement of the KSK is + somewhat critical. The goal is to remove the compromised KSK as soon + as the new DS RR is available at the parent. And also make sure that + the signature made with a new KSK over the key set with the + compromised KSK in it expires just after the new DS appears at the + parent, thus removing the old cruft in one swoop. + + The procedure is as follows: + + 1. Introduce a new KSK into the key set, keep the compromised KSK in + the key set. + + + +Kolkman & Gieben Informational [Page 22] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + 2. Sign the key set, with a short validity period. The validity + period should expire shortly after the DS is expected to appear + in the parent and the old DSes have expired from caches. + + 3. Upload the DS for this new key to the parent. + + 4. 
Follow the procedure of the regular KSK rollover: Wait for the DS + to appear in the authoritative servers and then wait as long as + the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet + and modify/extend the expiration time. + + 5. Remove the compromised DNSKEY RR from the zone and re-sign the + key set using your "normal" validity interval. + + An additional danger of a key compromise is that the compromised key + could be used to facilitate a legitimate DNSKEY/DS rollover and/or + nameserver changes at the parent. When that happens, the domain may + be in dispute. An authenticated out-of-band and secure notify + mechanism to contact a parent is needed in this case. + + Note that this is only a problem when the DNSKEY and or DS records + are used for authentication at the parent. + +4.3.1.2. Breaking the Chain of Trust + + There are two methods to break the chain of trust. The first method + causes the child zone to appear 'Bogus' to validating resolvers. The + other causes the child zone to appear 'insecure'. These are + described below. + + In the method that causes the child zone to appear 'Bogus' to + validating resolvers, the child zone replaces the current KSK with a + new one and re-signs the key set. Next it sends the DS of the new + key to the parent. Only after the parent has placed the new DS in + the zone is the child's chain of trust repaired. + + An alternative method of breaking the chain of trust is by removing + the DS RRs from the parent zone altogether. As a result, the child + zone would become insecure. + +4.3.2. ZSK Compromise + + Primarily because there is no parental interaction required when a + ZSK is compromised, the situation is less severe than with a KSK + compromise. The zone must still be re-signed with a new ZSK as soon + as possible. As this is a local operation and requires no + communication between the parent and child, this can be achieved + fairly quickly. 
However, one has to take into account that just as + + + +Kolkman & Gieben Informational [Page 23] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + with a normal rollover the immediate disappearance of the old + compromised key may lead to verification problems. Also note that as + long as the RRSIG over the compromised ZSK is not expired the zone + may be still at risk. + +4.3.3. Compromises of Keys Anchored in Resolvers + + A key can also be pre-configured in resolvers. For instance, if + DNSSEC is successfully deployed the root key may be pre-configured in + most security aware resolvers. + + If trust-anchor keys are compromised, the resolvers using these keys + should be notified of this fact. Zone administrators may consider + setting up a mailing list to communicate the fact that a SEP key is + about to be rolled over. This communication will of course need to + be authenticated, e.g., by using digital signatures. + + End-users faced with the task of updating an anchored key should + always validate the new key. New keys should be authenticated out- + of-band, for example, through the use of an announcement website that + is secured using secure sockets (TLS) [21]. + +4.4. Parental Policies + +4.4.1. Initial Key Exchanges and Parental Policies Considerations + + The initial key exchange is always subject to the policies set by the + parent. When designing a key exchange policy one should take into + account that the authentication and authorization mechanisms used + during a key exchange should be as strong as the authentication and + authorization mechanisms used for the exchange of delegation + information between parent and child. That is, there is no implicit + need in DNSSEC to make the authentication process stronger than it + was in DNS. + + Using the DNS itself as the source for the actual DNSKEY material, + with an out-of-band check on the validity of the DNSKEY, has the + benefit that it reduces the chances of user error. 
A DNSKEY query + tool can make use of the SEP bit [3] to select the proper key from a + DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is + sent. It can validate the self-signature over a key; thereby + verifying the ownership of the private key material. Fetching the + DNSKEY from the DNS ensures that the chain of trust remains intact + once the parent publishes the DS RR indicating the child is secure. + + Note: the out-of-band verification is still needed when the key + material is fetched via the DNS. The parent can never be sure + whether or not the DNSKEY RRs have been spoofed. + + + +Kolkman & Gieben Informational [Page 24] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +4.4.2. Storing Keys or Hashes? + + When designing a registry system one should consider which of the + DNSKEYs and/or the corresponding DSes to store. Since a child zone + might wish to have a DS published using a message digest algorithm + not yet understood by the registry, the registry can't count on being + able to generate the DS record from a raw DNSKEY. Thus, we recommend + that registry systems at least support storing DS records. + + It may also be useful to store DNSKEYs, since having them may help + during troubleshooting and, as long as the child's chosen message + digest is supported, the overhead of generating DS records from them + is minimal. Having an out-of-band mechanism, such as a registry + directory (e.g., Whois), to find out which keys are used to generate + DS Resource Records for specific owners and/or zones may also help + with troubleshooting. + + The storage considerations also relate to the design of the customer + interface and the method by which data is transferred between + registrant and registry; Will the child zone administrator be able to + upload DS RRs with unknown hash algorithms or does the interface only + allow DNSKEYs? 
In the registry-registrar model, one can use the + DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15], + which allows transfer of DS RRs and optionally DNSKEY RRs. + +4.4.3. Security Lameness + + Security lameness is defined as what happens when a parent has a DS + RR pointing to a non-existing DNSKEY RR. When this happens, the + child's zone may be marked "Bogus" by verifying DNS clients. + + As part of a comprehensive delegation check, the parent could, at key + exchange time, verify that the child's key is actually configured in + the DNS. However, if a parent does not understand the hashing + algorithm used by child, the parental checks are limited to only + comparing the key id. + + Child zones should be very careful in removing DNSKEY material, + specifically SEP keys, for which a DS RR exists. + + Once a zone is "security lame", a fix (e.g., removing a DS RR) will + take time to propagate through the DNS. + + + + + + + + + +Kolkman & Gieben Informational [Page 25] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +4.4.4. DS Signature Validity Period + + Since the DS can be replayed as long as it has a valid signature, a + short signature validity period over the DS minimizes the time a + child is vulnerable in the case of a compromise of the child's + KSK(s). A signature validity period that is too short introduces the + possibility that a zone is marked "Bogus" in case of a configuration + error in the signer. There may not be enough time to fix the + problems before signatures expire. Something as mundane as operator + unavailability during weekends shows the need for DS signature + validity periods longer than 2 days. We recommend an absolute + minimum for a DS signature validity period of a few days. + + The maximum signature validity period of the DS record depends on how + long child zones are willing to be vulnerable after a key compromise. 
+ On the other hand, shortening the DS signature validity interval + increases the operational risk for the parent. Therefore, the parent + may have policy to use a signature validity interval that is + considerably longer than the child would hope for. + + A compromise between the operational constraints of the parent and + minimizing damage for the child may result in a DS signature validity + period somewhere between a week and months. + + In addition to the signature validity period, which sets a lower + bound on the number of times the zone owner will need to sign the + zone data and which sets an upper bound to the time a child is + vulnerable after key compromise, there is the TTL value on the DS + RRs. Shortening the TTL means that the authoritative servers will + see more queries. But on the other hand, a short TTL lowers the + persistence of DS RRSets in caches thereby increasing the speed with + which updated DS RRSets propagate through the DNS. + +5. Security Considerations + + DNSSEC adds data integrity to the DNS. This document tries to assess + the operational considerations to maintain a stable and secure DNSSEC + service. Not taking into account the 'data propagation' properties + in the DNS will cause validation failures and may make secured zones + unavailable to security-aware resolvers. + +6. Acknowledgments + + Most of the ideas in this document were the result of collective + efforts during workshops, discussions, and tryouts. + + At the risk of forgetting individuals who were the original + contributors of the ideas, we would like to acknowledge people who + + + +Kolkman & Gieben Informational [Page 26] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + were actively involved in the compilation of this document. 
In + random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael + Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette + Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger + Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch. + + Some material in this document has been copied from RFC 2541 [12]. + + Mike StJohns designed the key exchange between parent and child + mentioned in the last paragraph of Section 4.2.2 + + Section 4.2.4 was supplied by G. Guette and O. Courtay. + + Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of + the spelling and style issues. + + Kolkman and Gieben take the blame for introducing all miscakes (sic). + + While working on this document, Kolkman was employed by the RIPE NCC + and Gieben was employed by NLnet Labs. + +7. References + +7.1. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System + KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) + Flag", RFC 3757, May 2004. + + [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", RFC + 4035, March 2005. + + + + + +Kolkman & Gieben Informational [Page 27] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +7.2. Informative References + + [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. 
+ + [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August + 1996. + + [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes + (DNS NOTIFY)", RFC 1996, August 1996. + + [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic + Update", RFC 3007, November 2000. + + [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC 2308, March 1998. + + [12] Eastlake, D., "DNS Security Operational Considerations", RFC + 2541, March 1999. + + [13] Orman, H. and P. Hoffman, "Determining Strengths For Public + Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, + April 2004. + + [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions + Mapping for the Extensible Provisioning Protocol (EPP)", RFC + 4310, December 2005. + + [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key + Sizes", The Journal of Cryptology 14 (255-293), 2001. + + [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and + Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN + (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc., + 1996. + + [18] Rose, S., "NIST DNSSEC workshop notes", June 2001. + + [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource + Records in DNSSEC", Work in Progress, January 2006. + + [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) + Resource Records (RRs)", RFC 4509, May 2006. + + + + + +Kolkman & Gieben Informational [Page 28] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and + T. Wright, "Transport Layer Security (TLS) Extensions", RFC + 4366, April 2006. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 29] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Appendix A. Terminology + + In this document, there is some jargon used that is defined in other + documents. In most cases, we have not copied the text from the + documents defining the terms but have given a more elaborate + explanation of the meaning. Note that these explanations should not + be seen as authoritative. + + Anchored key: A DNSKEY configured in resolvers around the globe. + This key is hard to update, hence the term anchored. + + Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked + "Bogus" when a signature of an RRSet does not validate against a + DNSKEY. + + Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used + exclusively for signing the apex key set. The fact that a key is + a KSK is only relevant to the signing tool. + + Key size: The term 'key size' can be substituted by 'modulus size' + throughout the document. It is mathematically more correct to use + modulus size, but as this is a document directed at operators we + feel more at ease with the term key size. + + Private and public keys: DNSSEC secures the DNS through the use of + public key cryptography. Public key cryptography is based on the + existence of two (mathematically related) keys, a public key and a + private key. The public keys are published in the DNS by use of + the DNSKEY Resource Record (DNSKEY RR). Private keys should + remain private. + + Key rollover: A key rollover (also called key supercession in some + environments) is the act of replacing one key pair with another at + the end of a key effectivity period. + + Secure Entry Point (SEP) key: A KSK that has a parental DS record + pointing to it or is configured as a trust anchor. Although not + required by the protocol, we recommend that the SEP flag [3] is + set on these keys. 
+ + Self-signature: This only applies to signatures over DNSKEYs; a + signature made with DNSKEY x, over DNSKEY x is called a self- + signature. Note: without further information, self-signatures + convey no trust. They are useful to check the authenticity of the + DNSKEY, i.e., they can be used as a hash. + + + + + + +Kolkman & Gieben Informational [Page 30] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Singing the zone file: The term used for the event where an + administrator joyfully signs its zone file while producing melodic + sound patterns. + + Signer: The system that has access to the private key material and + signs the Resource Record sets in a zone. A signer may be + configured to sign only parts of the zone, e.g., only those RRSets + for which existing signatures are about to expire. + + Zone Signing Key (ZSK): A key that is used for signing all data in a + zone. The fact that a key is a ZSK is only relevant to the + signing tool. + + Zone administrator: The 'role' that is responsible for signing a zone + and publishing it on the primary authoritative server. + +Appendix B. Zone Signing Key Rollover How-To + + Using the pre-published signature scheme and the most conservative + method to assure oneself that data does not live in caches, here + follows the "how-to". + + Step 0: The preparation: Create two keys and publish both in your key + set. Mark one of the keys "active" and the other "published". + Use the "active" key for signing your zone data. Store the + private part of the "published" key, preferably off-line. The + protocol does not provide for attributes to mark a key as active + or published. This is something you have to do on your own, + through the use of a notebook or key management tool. + + Step 1: Determine expiration: At the beginning of the rollover make a + note of the highest expiration time of signatures in your zone + file created with the current key marked as active. 
Wait until + the expiration time marked in Step 1 has passed. + + Step 2: Then start using the key that was marked "published" to sign + your data (i.e., mark it "active"). Stop using the key that was + marked "active"; mark it "rolled". + + Step 3: It is safe to engage in a new rollover (Step 1) after at + least one signature validity period. + + + + + + + + + + +Kolkman & Gieben Informational [Page 31] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Appendix C. Typographic Conventions + + The following typographic conventions are used in this document: + + Key notation: A key is denoted by DNSKEYx, where x is a number or an + identifier, x could be thought of as the key id. + + RRSet notations: RRs are only denoted by the type. All other + information -- owner, class, rdata, and TTL--is left out. Thus: + "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a + list of RRs. A example of this would be "A1, A2", specifying the + RRSet containing two "A" records. This could again be abbreviated to + just "A". + + Signature notation: Signatures are denoted as RRSIGx(RRSet), which + means that RRSet is signed with DNSKEYx. + + Zone representation: Using the above notation we have simplified the + representation of a signed zone by leaving out all unnecessary + details such as the names and by representing all data by "SOAx" + + SOA representation: SOAs are represented as SOAx, where x is the + serial number. + + Using this notation the following signed zone: + + example.net. 86400 IN SOA ns.example.net. bert.example.net. ( + 2006022100 ; serial + 86400 ; refresh ( 24 hours) + 7200 ; retry ( 2 hours) + 3600000 ; expire (1000 hours) + 28800 ) ; minimum ( 8 hours) + 86400 RRSIG SOA 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + cmL62SI6iAX46xGNQAdQ... ) + 86400 NS a.iana-servers.net. + 86400 NS b.iana-servers.net. + 86400 RRSIG NS 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + SO5epiJei19AjXoUpFnQ ... 
) + 86400 DNSKEY 256 3 5 ( + EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14 + 86400 DNSKEY 257 3 5 ( + gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15 + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + J4zCe8QX4tXVGjV4e1r9... ) + + + + +Kolkman & Gieben Informational [Page 32] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 15 example.net. + keVDCOpsSeDReyV6O... ) + 86400 RRSIG NSEC 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + obj3HEp1GjnmhRjX... ) + a.example.net. 86400 IN TXT "A label" + 86400 RRSIG TXT 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + IkDMlRdYLmXH7QJnuF3v... ) + 86400 NSEC b.example.com. TXT RRSIG NSEC + 86400 RRSIG NSEC 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + bZMjoZ3bHjnEz0nIsPMM... ) + ... + + is reduced to the following representation: + + SOA2006022100 + RRSIG14(SOA2006022100) + DNSKEY14 + DNSKEY15 + + RRSIG14(KEY) + RRSIG15(KEY) + + The rest of the zone data has the same signature as the SOA record, + i.e., an RRSIG created with DNSKEY 14. + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 33] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Authors' Addresses + + Olaf M. Kolkman + NLnet Labs + Kruislaan 419 + Amsterdam 1098 VA + The Netherlands + + EMail: olaf@nlnetlabs.nl + URI: http://www.nlnetlabs.nl + + + R. (Miek) Gieben + + EMail: miek@miek.nl + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 34] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. 
+ + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Kolkman & Gieben Informational [Page 35] + diff --git a/contrib/zkt/doc/rfc5011.txt b/contrib/zkt/doc/rfc5011.txt new file mode 100644 index 00000000..42235e97 --- /dev/null 
+++ b/contrib/zkt/doc/rfc5011.txt 
@@ -0,0 +1,787 @@ + + + + + + +Network Working Group M. StJohns +Request for Comments: 5011 Independent +Category: Standards Track September 2007 + + + Automated Updates of DNS Security (DNSSEC) Trust Anchors + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Abstract + + This document describes a means for automated, authenticated, and + authorized updating of DNSSEC "trust anchors". The method provides + protection against N-1 key compromises of N keys in the trust point + key set. Based on the trust established by the presence of a current + anchor, other anchors may be added at the same place in the + hierarchy, and, ultimately, supplant the existing anchor(s). + + This mechanism will require changes to resolver management behavior + (but not resolver resolution behavior), and the addition of a single + flag bit to the DNSKEY record. + + + + + + + + + + + + + + + + + + + + + + + + +StJohns Standards Track [Page 1] + +RFC 5011 Trust Anchor Update September 2007 + + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Compliance Nomenclature ....................................3 + 2. Theory of Operation .............................................3 + 2.1. Revocation .................................................4 + 2.2. Add Hold-Down ..............................................4 + 2.3. Active Refresh .............................................5 + 2.4. Resolver Parameters ........................................6 + 2.4.1. Add Hold-Down Time ..................................6 + 2.4.2. Remove Hold-Down Time ...............................6 + 2.4.3. 
Minimum Trust Anchors per Trust Point ...............6 + 3. Changes to DNSKEY RDATA Wire Format .............................6 + 4. State Table .....................................................6 + 4.1. Events .....................................................7 + 4.2. States .....................................................7 + 5. Trust Point Deletion ............................................8 + 6. Scenarios - Informative .........................................9 + 6.1. Adding a Trust Anchor ......................................9 + 6.2. Deleting a Trust Anchor ....................................9 + 6.3. Key Roll-Over .............................................10 + 6.4. Active Key Compromised ....................................10 + 6.5. Stand-by Key Compromised ..................................10 + 6.6. Trust Point Deletion ......................................10 + 7. IANA Considerations ............................................11 + 8. Security Considerations ........................................11 + 8.1. Key Ownership vs. Acceptance Policy .......................11 + 8.2. Multiple Key Compromise ...................................12 + 8.3. Dynamic Updates ...........................................12 + 9. Normative References ...........................................12 + 10. Informative References ........................................12 + +1. Introduction + + As part of the reality of fielding DNSSEC (Domain Name System + Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has + come to the realization that there will not be one signed name space, + but rather islands of signed name spaces each originating from + specific points (i.e., 'trust points') in the DNS tree. Each of + those islands will be identified by the trust point name, and + validated by at least one associated public key. For the purpose of + this document, we'll call the association of that name and a + particular key a 'trust anchor'. 
A particular trust point can have + more than one key designated as a trust anchor. + + For a DNSSEC-aware resolver to validate information in a DNSSEC + protected branch of the hierarchy, it must have knowledge of a trust + anchor applicable to that branch. It may also have more than one + + + +StJohns Standards Track [Page 2] + +RFC 5011 Trust Anchor Update September 2007 + + + trust anchor for any given trust point. Under current rules, a chain + of trust for DNSSEC-protected data that chains its way back to ANY + known trust anchor is considered 'secure'. + + Because of the probable balkanization of the DNSSEC tree due to + signing voids at key locations, a resolver may need to know literally + thousands of trust anchors to perform its duties (e.g., consider an + unsigned ".COM"). Requiring the owner of the resolver to manually + manage these many relationships is problematic. It's even more + problematic when considering the eventual requirement for key + replacement/update for a given trust anchor. The mechanism described + herein won't help with the initial configuration of the trust anchors + in the resolvers, but should make trust point key + replacement/rollover more viable. + + As mentioned above, this document describes a mechanism whereby a + resolver can update the trust anchors for a given trust point, mainly + without human intervention at the resolver. There are some corner + cases discussed (e.g., multiple key compromise) that may require + manual intervention, but they should be few and far between. This + document DOES NOT discuss the general problem of the initial + configuration of trust anchors for the resolver. + +1.1. Compliance Nomenclature + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14, [RFC2119]. + +2. 
Theory of Operation + + The general concept of this mechanism is that existing trust anchors + can be used to authenticate new trust anchors at the same point in + the DNS hierarchy. When a zone operator adds a new SEP key (i.e., a + DNSKEY with the Secure Entry Point bit set) (see [RFC4034], Section + 2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is + validated by an existing trust anchor, then the resolver can add the + new key to its set of valid trust anchors for that trust point. + + There are some issues with this approach that need to be mitigated. + For example, a compromise of one of the existing keys could allow an + attacker to add their own 'valid' data. This implies a need for a + method to revoke an existing key regardless of whether or not that + key is compromised. As another example, assuming a single key + compromise, we need to prevent an attacker from adding a new key and + revoking all the other old keys. + + + + + +StJohns Standards Track [Page 3] + +RFC 5011 Trust Anchor Update September 2007 + + +2.1. Revocation + + Assume two trust anchor keys A and B. Assume that B has been + compromised. Without a specific revocation bit, B could invalidate A + simply by sending out a signed trust point key set that didn't + contain A. To fix this, we add a mechanism that requires knowledge + of the private key of a DNSKEY to revoke that DNSKEY. + + A key is considered revoked when the resolver sees the key in a + self-signed RRSet and the key has the REVOKE bit (see Section 7 + below) set to '1'. Once the resolver sees the REVOKE bit, it MUST + NOT use this key as a trust anchor or for any other purpose except to + validate the RRSIG it signed over the DNSKEY RRSet specifically for + the purpose of validating the revocation. Unlike the 'Add' operation + below, revocation is immediate and permanent upon receipt of a valid + revocation at the resolver. 
+ + A self-signed RRSet is a DNSKEY RRSet that contains the specific + DNSKEY and for which there is a corresponding validated RRSIG record. + It's not a special DNSKEY RRSet, just a way of describing the + validation requirements for that RRSet. + + N.B.: A DNSKEY with the REVOKE bit set has a different fingerprint + than one without the bit set. This affects the matching of a DNSKEY + to DS records in the parent [RFC3755], or the fingerprint stored at a + resolver used to configure a trust point. + + In the given example, the attacker could revoke B because it has + knowledge of B's private key, but could not revoke A. + +2.2. Add Hold-Down + + Assume two trust point keys A and B. Assume that B has been + compromised. An attacker could generate and add a new trust anchor + key C (by adding C to the DNSKEY RRSet and signing it with B), and + then invalidate the compromised key. This would result in both the + attacker and owner being able to sign data in the zone and have it + accepted as valid by resolvers. + + To mitigate but not completely solve this problem, we add a hold-down + time to the addition of the trust anchor. When the resolver sees a + new SEP key in a validated trust point DNSKEY RRSet, the resolver + starts an acceptance timer, and remembers all the keys that validated + the RRSet. If the resolver ever sees the DNSKEY RRSet without the + new key but validly signed, it stops the acceptance process for that + key and resets the acceptance timer. If all of the keys that were + + + + + +StJohns Standards Track [Page 4] + +RFC 5011 Trust Anchor Update September 2007 + + + originally used to validate this key are revoked prior to the timer + expiring, the resolver stops the acceptance process and resets the + timer. + + Once the timer expires, the new key will be added as a trust anchor + the next time the validated RRSet with the new key is seen at the + resolver. 
The resolver MUST NOT treat the new key as a trust anchor + until the hold-down time expires AND it has retrieved and validated a + DNSKEY RRSet after the hold-down time that contains the new key. + + N.B.: Once the resolver has accepted a key as a trust anchor, the key + MUST be considered a valid trust anchor by that resolver until + explicitly revoked as described above. + + In the given example, the zone owner can recover from a compromise by + revoking B and adding a new key D and signing the DNSKEY RRSet with + both A and B. + + The reason this does not completely solve the problem has to do with + the distributed nature of DNS. The resolver only knows what it sees. + A determined attacker who holds one compromised key could keep a + single resolver from realizing that the key had been compromised by + intercepting 'real' data from the originating zone and substituting + their own (e.g., using the example, signed only by B). This is no + worse than the current situation assuming a compromised key. + +2.3. Active Refresh + + A resolver that has been configured for an automatic update of keys + from a particular trust point MUST query that trust point (e.g., do a + lookup for the DNSKEY RRSet and related RRSIG records) no less often + than the lesser of 15 days, half the original TTL for the DNSKEY + RRSet, or half the RRSIG expiration interval and no more often than + once per hour. The expiration interval is the amount of time from + when the RRSIG was last retrieved until the expiration time in the + RRSIG. That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL, + 1/2*RRSigExpirationInterval)) + + If the query fails, the resolver MUST repeat the query until + satisfied no more often than once an hour and no less often than the + lesser of 1 day, 10% of the original TTL, or 10% of the original + expiration interval. That is, retryTime = MAX (1 hour, MIN (1 day, + .1 * origTTL, .1 * expireInterval)). 
+ + + + + + + + +StJohns Standards Track [Page 5] + +RFC 5011 Trust Anchor Update September 2007 + + +2.4. Resolver Parameters + +2.4.1. Add Hold-Down Time + + The add hold-down time is 30 days or the expiration time of the + original TTL of the first trust point DNSKEY RRSet that contained the + new key, whichever is greater. This ensures that at least two + validated DNSKEY RRSets that contain the new key MUST be seen by the + resolver prior to the key's acceptance. + +2.4.2. Remove Hold-Down Time + + The remove hold-down time is 30 days. This parameter is solely a key + management database bookeeping parameter. Failure to remove + information about the state of defunct keys from the database will + not adversely impact the security of this protocol, but may end up + with a database cluttered with obsolete key information. + +2.4.3. Minimum Trust Anchors per Trust Point + + A compliant resolver MUST be able to manage at least five SEP keys + per trust point. + +3. Changes to DNSKEY RDATA Wire Format + + Bit 8 of the DNSKEY Flags field is designated as the 'REVOKE' flag. + If this bit is set to '1', AND the resolver sees an RRSIG(DNSKEY) + signed by the associated key, then the resolver MUST consider this + key permanently invalid for all purposes except for validating the + revocation. + +4. State Table + + The most important thing to understand is the resolver's view of any + key at a trust point. The following state table describes this view + at various points in the key's lifetime. The table is a normative + part of this specification. The initial state of the key is 'Start'. + The resolver's view of the state of the key changes as various events + occur. + + This is the state of a trust-point key as seen from the resolver. + The column on the left indicates the current state. The header at + the top shows the next state. The intersection of the two shows the + event that will cause the state to transition from the current state + to the next. 
+ + + + + + +StJohns Standards Track [Page 6] + +RFC 5011 Trust Anchor Update September 2007 + + + NEXT STATE + -------------------------------------------------- + FROM |Start |AddPend |Valid |Missing|Revoked|Removed| + ---------------------------------------------------------- + Start | |NewKey | | | | | + ---------------------------------------------------------- + AddPend |KeyRem | |AddTime| | | | + ---------------------------------------------------------- + Valid | | | |KeyRem |Revbit | | + ---------------------------------------------------------- + Missing | | |KeyPres| |Revbit | | + ---------------------------------------------------------- + Revoked | | | | | |RemTime| + ---------------------------------------------------------- + Removed | | | | | | | + ---------------------------------------------------------- + + State Table + +4.1. Events + + NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key. + That key will become a new trust anchor for the named trust + point after it's been present in the RRSet for at least 'add + time'. + + KeyPres The key has returned to the valid DNSKEY RRSet. + + KeyRem The resolver sees a valid DNSKEY RRSet that does not contain + this key. + + AddTime The key has been in every valid DNSKEY RRSet seen for at + least the 'add time'. + + RemTime A revoked key has been missing from the trust-point DNSKEY + RRSet for sufficient time to be removed from the trust set. + + RevBit The key has appeared in the trust anchor DNSKEY RRSet with + its "REVOKED" bit set, and there is an RRSig over the DNSKEY + RRSet signed by this key. + +4.2. States + + Start The key doesn't yet exist as a trust anchor at the resolver. + It may or may not exist at the zone server, but either + hasn't yet been seen at the resolver or was seen but was + absent from the last DNSKEY RRSet (e.g., KeyRem event). 
+ + + + +StJohns Standards Track [Page 7] + +RFC 5011 Trust Anchor Update September 2007 + + + AddPend The key has been seen at the resolver, has its 'SEP' bit + set, and has been included in a validated DNSKEY RRSet. + There is a hold-down time for the key before it can be used + as a trust anchor. + + Valid The key has been seen at the resolver and has been included + in all validated DNSKEY RRSets from the time it was first + seen through the hold-down time. It is now valid for + verifying RRSets that arrive after the hold-down time. + Clarification: The DNSKEY RRSet does not need to be + continuously present at the resolver (e.g., its TTL might + expire). If the RRSet is seen and is validated (i.e., + verifies against an existing trust anchor), this key MUST be + in the RRSet, otherwise a 'KeyRem' event is triggered. + + Missing This is an abnormal state. The key remains a valid trust- + point key, but was not seen at the resolver in the last + validated DNSKEY RRSet. This is an abnormal state because + the zone operator should be using the REVOKE bit prior to + removal. + + Revoked This is the state a key moves to once the resolver sees an + RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet + contains this key with its REVOKE bit set to '1'. Once in + this state, this key MUST permanently be considered invalid + as a trust anchor. + + Removed After a fairly long hold-down time, information about this + key may be purged from the resolver. A key in the removed + state MUST NOT be considered a valid trust anchor. (Note: + this state is more or less equivalent to the "Start" state, + except that it's bad practice to re-introduce previously + used keys -- think of this as the holding state for all the + old keys for which the resolver no longer needs to track + state.) + +5. Trust Point Deletion + + A trust point that has all of its trust anchors revoked is considered + deleted and is treated as if the trust point was never configured. 
+ If there are no superior configured trust points, data at and below + the deleted trust point are considered insecure by the resolver. If + there ARE superior configured trust points, data at and below the + deleted trust point are evaluated with respect to the superior trust + point(s). + + Alternately, a trust point that is subordinate to another configured + trust point MAY be deleted by a resolver after 180 days, where such a + + + +StJohns Standards Track [Page 8] + +RFC 5011 Trust Anchor Update September 2007 + + + subordinate trust point validly chains to a superior trust point. + The decision to delete the subordinate trust anchor is a local + configuration decision. Once the subordinate trust point is deleted, + validation of the subordinate zone is dependent on validating the + chain of trust to the superior trust point. + +6. Scenarios - Informative + + The suggested model for operation is to have one active key and one + stand-by key at each trust point. The active key will be used to + sign the DNSKEY RRSet. The stand-by key will not normally sign this + RRSet, but the resolver will accept it as a trust anchor if/when it + sees the signature on the trust point DNSKEY RRSet. + + Since the stand-by key is not in active signing use, the associated + private key may (and should) be provided with additional protections + not normally available to a key that must be used frequently (e.g., + locked in a safe, split among many parties, etc). Notionally, the + stand-by key should be less subject to compromise than an active key, + but that will be dependent on operational concerns not addressed + here. + +6.1. Adding a Trust Anchor + + Assume an existing trust anchor key 'A'. + + 1. Generate a new key pair. + + 2. Create a DNSKEY record from the key pair and set the SEP and Zone + Key bits. + + 3. Add the DNSKEY to the RRSet. + + 4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key - + 'A'. + + 5. 
Wait for various resolvers' timers to go off and for them to + retrieve the new DNSKEY RRSet and signatures. + + 6. The new trust anchor will be populated at the resolvers on the + schedule described by the state table and update algorithm -- see + Sections 2 and 4 above. + +6.2. Deleting a Trust Anchor + + Assume existing trust anchors 'A' and 'B' and that you want to revoke + and delete 'A'. + + + + +StJohns Standards Track [Page 9] + +RFC 5011 Trust Anchor Update September 2007 + + + 1. Set the revocation bit on key 'A'. + + 2. Sign the DNSKEY RRSet with both 'A' and 'B'. 'A' is now revoked. + The operator should include the revoked 'A' in the RRSet for at + least the remove hold-down time, but then may remove it from the + DNSKEY RRSet. + +6.3. Key Roll-Over + + Assume existing keys A and B. 'A' is actively in use (i.e. has been + signing the DNSKEY RRSet). 'B' was the stand-by key. (i.e. has been + in the DNSKEY RRSet and is a valid trust anchor, but wasn't being + used to sign the RRSet). + + 1. Generate a new key pair 'C'. + 2. Add 'C' to the DNSKEY RRSet. + 3. Set the revocation bit on key 'A'. + 4. Sign the RRSet with 'A' and 'B'. + + 'A' is now revoked, 'B' is now the active key, and 'C' will be the + stand-by key once the hold-down expires. The operator should include + the revoked 'A' in the RRSet for at least the remove hold-down time, + but may then remove it from the DNSKEY RRSet. + +6.4. Active Key Compromised + + This is the same as the mechanism for Key Roll-Over (Section 6.3) + above, assuming 'A' is the active key. + +6.5. Stand-by Key Compromised + + Using the same assumptions and naming conventions as Key Roll-Over + (Section 6.3) above: + + 1. Generate a new key pair 'C'. + 2. Add 'C' to the DNSKEY RRSet. + 3. Set the revocation bit on key 'B'. + 4. Sign the RRSet with 'A' and 'B'. + + 'B' is now revoked, 'A' remains the active key, and 'C' will be the + stand-by key once the hold-down expires. 
'B' should continue to be + included in the RRSet for the remove hold-down time. + +6.6. Trust Point Deletion + + To delete a trust point that is subordinate to another configured + trust point (e.g., example.com to .com) requires some juggling of the + data. The specific process is: + + + +StJohns Standards Track [Page 10] + +RFC 5011 Trust Anchor Update September 2007 + + + 1. Generate a new DNSKEY and DS record and provide the DS record to + the parent along with DS records for the old keys. + + 2. Once the parent has published the DSs, add the new DNSKEY to the + RRSet and revoke ALL of the old keys at the same time, while + signing the DNSKEY RRSet with all of the old and new keys. + + 3. After 30 days, stop publishing the old, revoked keys and remove + any corresponding DS records in the parent. + + Revoking the old trust-point keys at the same time as adding new keys + that chain to a superior trust prevents the resolver from adding the + new keys as trust anchors. Adding DS records for the old keys avoids + a race condition where either the subordinate zone becomes unsecure + (because the trust point was deleted) or becomes bogus (because it + didn't chain to the superior zone). + +7. IANA Considerations + + The IANA has assigned a bit in the DNSKEY flags field (see Section 7 + of [RFC4034]) for the REVOKE bit (8). + +8. Security Considerations + + In addition to the following sections, see also Theory of Operation + above (Section 2) and especially Section 2.2 for related discussions. + + Security considerations for trust anchor rollover not specific to + this protocol are discussed in [RFC4986]. + +8.1. Key Ownership vs. Acceptance Policy + + The reader should note that, while the zone owner is responsible for + creating and distributing keys, it's wholly the decision of the + resolver owner as to whether to accept such keys for the + authentication of the zone information. 
This implies the decision to + update trust-anchor keys based on trusting a current trust-anchor key + is also the resolver owner's decision. + + The resolver owner (and resolver implementers) MAY choose to permit + or prevent key status updates based on this mechanism for specific + trust points. If they choose to prevent the automated updates, they + will need to establish a mechanism for manual or other out-of-band + updates, which are outside the scope of this document. + + + + + + + +StJohns Standards Track [Page 11] + +RFC 5011 Trust Anchor Update September 2007 + + +8.2. Multiple Key Compromise + + This scheme permits recovery as long as at least one valid trust- + anchor key remains uncompromised, e.g., if there are three keys, you + can recover if two of them are compromised. The zone owner should + determine their own level of comfort with respect to the number of + active, valid trust anchors in a zone and should be prepared to + implement recovery procedures once they detect a compromise. A + manual or other out-of-band update of all resolvers will be required + if all trust-anchor keys at a trust point are compromised. + +8.3. Dynamic Updates + + Allowing a resolver to update its trust anchor set based on in-band + key information is potentially less secure than a manual process. + However, given the nature of the DNS, the number of resolvers that + would require update if a trust anchor key were compromised, and the + lack of a standard management framework for DNS, this approach is no + worse than the existing situation. + +9. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation + Signer (DS)", RFC 3755, May 2004. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", RFC + 4033, March 2005. 
+ + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Resource Records for the DNS Security Extensions", + RFC 4034, March 2005. + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + +10. Informative References + + [RFC4986] Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy, + "Requirements Related to DNS Security (DNSSEC) Trust + Anchor Rollover", RFC 4986, August 2007. + + + + + + +StJohns Standards Track [Page 12] + +RFC 5011 Trust Anchor Update September 2007 + + +Author's Address + + Michael StJohns + Independent + + EMail: mstjohns@comcast.net + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +StJohns Standards Track [Page 13] + +RFC 5011 Trust Anchor Update September 2007 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
+ +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +StJohns Standards Track [Page 14] + diff --git a/contrib/zkt/examples/flat/dist.sh b/contrib/zkt/examples/flat/dist.sh index c112f559..e2131ee9 100755 --- a/contrib/zkt/examples/flat/dist.sh +++ b/contrib/zkt/examples/flat/dist.sh @@ -60,8 +60,8 @@ distribute) fi ;; reload) - echo "rndc $action $zone $view" - : rndc $action $zone $view + echo "rndc $action $domain $view" + : rndc $action $domain $view ;; *) usage "illegal action $action" diff --git a/contrib/zkt/examples/flat/dnssec-signer.sh b/contrib/zkt/examples/flat/dnssec-signer.sh new file mode 100755 index 00000000..435909dc --- /dev/null +++ b/contrib/zkt/examples/flat/dnssec-signer.sh 
@@ -0,0 +1,14 @@ +#!/bin/sh +# +# Shell script to start the dnssec-signer +# command out of the example directory +# + +chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@" + +if test ! -f dnssec.conf +then + echo Please start this skript out of the flat or hierarchical sub directory + exit 1 +fi +ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@" diff --git a/contrib/zkt/examples/flat/dnssec.conf b/contrib/zkt/examples/flat/dnssec.conf index 19961845..80b411ff 100644 --- a/contrib/zkt/examples/flat/dnssec.conf +++ b/contrib/zkt/examples/flat/dnssec.conf @@ -1,5 +1,5 @@ # -# @(#) dnssec.conf vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de +# @(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de # # dnssec-zkt options @@ -18,12 +18,11 @@ KEY_TTL: 1h # (3600 seconds) Serialformat: incremental # signing key parameters +Key_algo: RSASHA1 # (Algorithm ID 5) KSK_lifetime: 60d # (5184000 seconds) -KSK_algo: RSASHA1 # (Algorithm ID 5) KSK_bits: 1300 KSK_randfile: "/dev/urandom" ZSK_lifetime: 2w # (1209600 seconds) -ZSK_algo: RSASHA1 # (Algorithm ID 5) ZSK_bits: 512 ZSK_randfile: "/dev/urandom" SaltBits: 24 @@ -39,5 +38,6 @@ Zonefile: "zone.db" KeySetDir: "../keysets" DLV_Domain: "" Sig_Pseudorand: True -Sig_Parameter: "" +Sig_GenerateDS: True +Sig_Parameter: "-n 1" Distribute_Cmd: "./dist.sh" diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key deleted file mode 100644 index 5dc79b5d..00000000 --- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081116175850 -;% lifetime=90d -example.net. IN DNSKEY 256 3 5 BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w== 
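Review bot: The `chroot` line at new line 7 runs unconditionally, before the `test ! -f dnssec.conf` guard on line 9, and looks like a leftover experiment rather than intended behaviour: `chroot` needs root, takes the `ZKT_CONFFILE=...` assignment as the program to execute, and `../../dnssec-signer` would not resolve relative to the new root, so at best it prints an error and at worst the signer runs twice with the same arguments. Drop that line so the guarded invocation on line 14 is the only one. The two unquoted backtick `pwd` expansions split on whitespace in the working directory path; `ZKT_CONFFILE="$(pwd)/dnssec.conf" ../../dnssec-signer "$@"` avoids that. The error message should also read `script`, not `skript`.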
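Review bot: The new `Key_algo: RSASHA1` line in the `-18,12` hunk now governs both key types, but the unchanged `ZSK_bits: 512` two lines below it means this example still generates 512-bit RSA zone-signing keys, a size that has been publicly factored since 1999; this is an example directory, but example configs get copied into deployments. Either raise it, e.g. `ZSK_bits: 1024`, or mark the line as deliberately tiny with a comment such as `ZSK_bits: 512 # example only, use >= 1024 for real zones`. The `KSK_randfile`/`ZSK_randfile` settings pointing at /dev/urandom are fine for key generation. The rest of dnssec.conf lies outside these hunks.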
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private deleted file mode 100644 index e9a79372..00000000 --- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 5 (RSASHA1) -Modulus: yh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w== -PublicExponent: AQAAAAE= -PrivateExponent: XHrB+Ib/yjBFNUQoB66abHOazbj5hDkaprg0ygOwDdrxLSpwrYHQAn5H6JPlGhcTZHN5X1nF4M7GlGlbRah0oQ== -Prime1: 7T9UFlW1S4Dnditz/D0PmPdJ+fiozB+wz8xxRuOT4zE= -Prime2: 2hjLgVBakXblbcuQ08UYHkP00pMp+45mK+L5M35OpS8= -Exponent1: CPzNNspgw6XVf63vdcnEP55k7wMVttStCJw8+r3T5FE= -Exponent2: t8JDeQOEiO2L0dbIkuANjXOBiCauM6fnRHanvKcwmrs= -Coefficient: ObUC9ojBjcCKuGvPqXfWD20iXRpkzVsHjrJqcLXRqw4= diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private index 91dcde1e..91dcde1e 100644 --- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.published +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key new file mode 100644 index 00000000..a28a8891 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key @@ -0,0 +1,3 @@ +;% generationtime=20090730151357 +;% lifetime=84d +example.net. IN DNSKEY 256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published new file mode 100644 index 00000000..6ed54839 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ== +PublicExponent: AQAAAAE= +PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ== +Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8= +Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8= +Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k= +Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc= +Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM= diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key new file mode 100644 index 00000000..abf941e0 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key @@ -0,0 +1,3 @@ +;% generationtime=20090228113129 +;% lifetime=60d +example.net. IN DNSKEY 257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published new file mode 100644 index 00000000..443b143c --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ== +PublicExponent: AQAAAAE= +PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ== +Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw== +Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw== +Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ== +Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ +Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated new file mode 100644 index 00000000..8e89f265 --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ== +PublicExponent: AQAAAAE= +PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q== +Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU= +Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU= +Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk= +Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk= +Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk= diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key new file mode 100644 index 00000000..7678a29c --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key @@ -0,0 +1,3 @@ +;% generationtime=20090615075841 +;% lifetime=14d +example.net. IN DNSKEY 256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key new file mode 100644 index 00000000..f1df500b --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key @@ -0,0 +1,3 @@ +;% generationtime=20090630093509 +;% lifetime=14d +example.net. IN DNSKEY 256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private new file mode 100644 index 00000000..fe31c85d --- /dev/null +++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw== +PublicExponent: AQAAAAE= +PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ== +Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc= +Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0= +Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s= +Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE= +Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs= diff --git a/contrib/zkt/examples/flat/example.net/dnskey.db b/contrib/zkt/examples/flat/example.net/dnskey.db index d1828cc6..90a6e5b1 100644 --- a/contrib/zkt/examples/flat/example.net/dnskey.db +++ b/contrib/zkt/examples/flat/example.net/dnskey.db 
@@ -2,21 +2,21 @@ ; !!! Don't edit this file by hand. ; !!! It will be generated by dnssec-signer. ; -; Last generation time Dec 28 2008 23:08:02 +; Last generation time Jul 30 2009 17:13:57 ; ; *** List of Key Signing Keys *** -; example.net. tag=1764 algo=RSASHA1 generated Nov 16 2008 18:58:50 -example.net. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 - VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs - lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ - YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU - 8w== - ) ; key id = 1764 +; example.net. tag=33840 algo=RSASHA1 generated Feb 28 2009 12:31:29 +example.net. 14400 IN DNSKEY 257 3 5 ( + BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc + +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n + m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u + SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug + aQ== + ) ; key id = 33840 -; example.net. tag=7308 algo=RSASHA1 generated Nov 16 2008 18:58:50 -example.net. 3600 IN DNSKEY 257 3 5 ( +; example.net. tag=7308 algo=RSASHA1 generated Feb 28 2009 12:31:29 +example.net. 14400 IN DNSKEY 257 3 5 ( BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU 
@@ -25,9 +25,21 @@ example.net. 3600 IN DNSKEY 257 3 5 ( ) ; key id = 7308 ; *** List of Zone Signing Keys *** -; example.net. tag=4157 algo=RSASHA1 generated Dec 09 2008 14:08:16 -example.net. 3600 IN DNSKEY 256 3 5 ( - BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS - ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w== - ) ; key id = 4157 +; example.net. tag=34925 algo=RSASHA1 generated Jun 17 2009 16:36:16 +example.net. 14400 IN DNSKEY 256 3 5 ( + BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj + w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ== + ) ; key id = 34925 + +; example.net. tag=48089 algo=RSASHA1 generated Jun 30 2009 11:35:09 +example.net. 14400 IN DNSKEY 256 3 5 ( + BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd + IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw== + ) ; key id = 48089 + +; example.net. tag=24545 algo=RSASHA1 generated Jul 30 2009 17:13:57 +example.net. 14400 IN DNSKEY 256 3 5 ( + BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ + WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ== + ) ; key id = 24545 diff --git a/contrib/zkt/examples/flat/example.net/dsset-example.net. b/contrib/zkt/examples/flat/example.net/dsset-example.net. index f07c9b9c..ec2e0223 100644 --- a/contrib/zkt/examples/flat/example.net/dsset-example.net. +++ b/contrib/zkt/examples/flat/example.net/dsset-example.net. @@ -1,4 +1,4 @@ -example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F -example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445 example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E +example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4 +example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B 
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key index bd273d37..a0d65e84 100644 --- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.key +++ b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key @@ -1,3 +1,4 @@ ;% generationtime=20080506212634 ;% lifetime=60d -example.net. IN DNSKEY 257 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w== +;% expirationtime=20090228113128 +example.net. IN DNSKEY 385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w== diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private index 42b8b806..42b8b806 100644 --- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.private +++ b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private diff --git a/contrib/zkt/examples/flat/example.net/keyset-example.net. b/contrib/zkt/examples/flat/example.net/keyset-example.net. index 47311feb..eba52b9c 100644 --- a/contrib/zkt/examples/flat/example.net/keyset-example.net. +++ b/contrib/zkt/examples/flat/example.net/keyset-example.net. 
@@ -1,5 +1,14 @@ $ORIGIN . example.net 7200 IN DNSKEY 257 3 5 ( + BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y + 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS + BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn + eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 + grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 + V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 + Il5cqhugaQ== + ) ; key id = 33840 + 7200 IN DNSKEY 257 3 5 ( BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl @@ -8,12 +17,3 @@ example.net 7200 IN DNSKEY 257 3 5 ( A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 JT9+p0yB/Q== ) ; key id = 7308 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV - Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2 - VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5 - HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm - DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD - AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH - +B9rLlBU8w== - ) ; key id = 1764 diff --git a/contrib/zkt/examples/flat/example.net/zone.db b/contrib/zkt/examples/flat/example.net/zone.db index 98fdfd67..9310d403 100644 --- a/contrib/zkt/examples/flat/example.net/zone.db +++ b/contrib/zkt/examples/flat/example.net/zone.db @@ -11,7 +11,7 @@ $TTL 7200 ; 0123456789; ; It's also possible to use the date format e.g. 2005040101 @ IN SOA ns1.example.net. hostmaster.example.net. ( - 333 ; Serial + 350 ; Serial 43200 ; Refresh 1800 ; Retry 2W ; Expire diff --git a/contrib/zkt/examples/flat/example.net/zone.db.signed b/contrib/zkt/examples/flat/example.net/zone.db.signed index 8795d222..761f0c4b 100644 --- a/contrib/zkt/examples/flat/example.net/zone.db.signed +++ b/contrib/zkt/examples/flat/example.net/zone.db.signed 
@@ -1,36 +1,55 @@ -; File written on Sun Dec 28 23:08:02 2008 -; dnssec_signzone version 9.6.0 +; File written on Thu Jul 30 17:13:57 2009 +; dnssec_signzone version 9.7.0a1 example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 333 ; serial + 350 ; serial 43200 ; refresh (12 hours) 1800 ; retry (30 minutes) 1209600 ; expire (2 weeks) 7200 ; minimum (2 hours) ) - 7200 RRSIG SOA 5 2 7200 20090103210802 ( - 20081228210802 4157 example.net. - UqDcRU7Et3DQF9VF+1AmHFXLa9L2x6LYA1ZS - shG02/N9gH+2uNnxxBvuGDkSzTl5C52csvbw - LZnWW56sPCShiw== ) + 7200 RRSIG SOA 5 2 7200 20090809141357 ( + 20090730141357 48089 example.net. + ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph + ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB + gOjVmH4Ywf+oKg== ) 7200 NS ns1.example.net. 7200 NS ns2.example.net. - 7200 RRSIG NS 5 2 7200 20090103210802 ( - 20081228210802 4157 example.net. - i4OCvNnG2BWy6gYbUnwv1xi6MRQjbDl6ts8o - 28CxUNmBX/r3RWlewQiyO8acGC2UJUdWz7So - gbHJqojIAjjpbA== ) + 7200 RRSIG NS 5 2 7200 20090809141357 ( + 20090730141357 48089 example.net. + F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU + FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl + Mk6meHS+9wsneQ== ) 7200 NSEC a.example.net. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20090103210802 ( - 20081228210802 4157 example.net. - g963zm5F91sPNl955WRBExCcKJehXmTjyw0K - ISKE7Dq77Z8zKkTpgf1QWhVe3UOLRRbXwRnC - aQh+jaXNE3vIag== ) - 3600 DNSKEY 256 3 5 ( - BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1 - y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMj - c0IQF7PAryhN2olWcINK/w== - ) ; key id = 4157 - 3600 DNSKEY 257 3 5 ( + 7200 RRSIG NSEC 5 2 7200 20090809141357 ( + 20090730141357 48089 example.net. 
+ OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ + 9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e + olkU38g+o0fkPQ== ) + 14400 DNSKEY 256 3 5 ( + BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk + mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY + m/hhC77xJoVwSeOtXdmKiQ== + ) ; key id = 34925 + 14400 DNSKEY 256 3 5 ( + BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0 + nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma + dHRQZDfu79tEz8MUid7aOw== + ) ; key id = 48089 + 14400 DNSKEY 256 3 5 ( + BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA + 1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc + oAhDVW0hZ6DSDuV/0kouMQ== + ) ; key id = 24545 + 14400 DNSKEY 257 3 5 ( + BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y + 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS + BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn + eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 + grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 + V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 + Il5cqhugaQ== + ) ; key id = 33840 + 14400 DNSKEY 257 3 5 ( BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl 
@@ -39,128 +58,108 @@ example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 JT9+p0yB/Q== ) ; key id = 7308 - 3600 DNSKEY 257 3 5 ( - BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV - Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2 - VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5 - HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm - DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD - AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH - +B9rLlBU8w== - ) ; key id = 1764 - 3600 RRSIG DNSKEY 5 2 3600 20090103210802 ( - 20081228210802 1764 example.net. - DMU1/sQwNC9bxNCo+SGM1JpHAkWGCRoSEswb - 2EV/YDWwF19IM2J/sz+9JB6h7esETapCg4qY - 5SCBrgbMEvQNRL0t16K7ciAHYNKLTbMG0uaP - yEOVQ0/ZofoDEsYJYScyO3hC58F2Vl/YSBFo - hfkYvtrjrrDQqU9Uh8U1rcROIXNJF/FyDSuj - Ca2fzHlCvnJRfF/Djg7DOjXIlWBThc4kI12v - xw== ) - 3600 RRSIG DNSKEY 5 2 3600 20090103210802 ( - 20081228210802 4157 example.net. - gH+J4h1fRmX5QS/wocZKerd9RqgrFR/0m1HE - O+GYS4Q4X19TnGQW4Bq6w/QRI/5OiJH3YR2R - 9MW3EmYMKX9Tuw== ) + 14400 RRSIG DNSKEY 5 2 14400 20090809141357 ( + 20090730141357 7308 example.net. + CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN + UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv + PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/ + r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8 + ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN + B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq + YQ== ) + 14400 RRSIG DNSKEY 5 2 14400 20090809141357 ( + 20090730141357 48089 example.net. + XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg + XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc + 62464sVZH+EfWg== ) a.example.net. 7200 IN A 1.2.3.1 - 7200 RRSIG A 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - nh9TDSy8L61ccYJiLAL632N4FIvUpDCvsdcf - 0HhGA8b++YADE5gX346coX1L0Oy+DB9eHIAZ - PCfli582EhPwKA== ) + 7200 RRSIG A 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg + 1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs + nzR8X0uN22BTIA== ) 7200 NSEC b.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. 
- LCe66yRV1gez4AbSq7/SaPznvzuUPRnf+vh2 - Fuv3IlCszc0Bdo/fAyUQcc9LRo8hrvfYFDjI - TFe3Mm0U0A5Lew== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s + ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv + 0n6P1jVIBVTNOg== ) b.example.net. 7200 IN MX 10 a.example.net. - 7200 RRSIG MX 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - oQuNvNDrqblLnEl5arNz+3YlBC9j33tp7OzF - MptYqb32rDNB/YivuxeiBWNt7ykFmdXh1P94 - DZ8Qq2J8lIW1DA== ) + 7200 RRSIG MX 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN + S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH + UGStzfIl/8troQ== ) 7200 NSEC d.example.net. MX RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - GF6J2HjZ4xrkdT2a6Zjukl5sUSwejQkzzx2+ - pLRQ/RXtfkcMrO5xpsOZ8AqeZjySUMEGjS2U - RUlbzM0y/70x4g== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ + sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm + 5lDVj28RqfZ7Pw== ) d.example.net. 7200 IN A 1.2.3.3 - 7200 RRSIG A 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - T9LBUwsAKM+3yh1wizaGqWvqfLOqfuTzZhpm - tmpDPZXzSjJ8pj4KO3f8eA7ygo52bY8hNzTh - 2hwGBAQlb1ACpA== ) + 7200 RRSIG A 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh + Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn + 4OEF4w8WGhL67A== ) 7200 AAAA 2001:db8::3 - 7200 RRSIG AAAA 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - gpBuR+r14AbjVJLx48k8plwo52RG6taN03XU - 8uUgfOSpJSprjpvhEzKt1h87aGtmZScoS/WH - 3D3f2Xz4e+r6QA== ) + 7200 RRSIG AAAA 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd + qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0 + J3JSNlXGbwHSgQ== ) 7200 NSEC localhost.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. 
- fSM90YN/6UVuUPbVTuhSj2Zzxdn+3TkVIXq6 - CjpGxAxDGa5Uh3x6ExZUg3n7N7TWcuyN2fZV - va8VlkEJeAHd/g== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb + YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a + zgIUX0pOt281Bw== ) localhost.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - I0tSvJaBTdG0RTfOTkzDyW2iSKdX555aN5Ux - a4l5gJhiY4tpN1NNofQK8xbdZvJi+F0JBsb4 - qctstfW97RAnZw== ) + 7200 RRSIG A 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw + EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m + kNSeEuoa+qR+eg== ) 7200 NSEC ns1.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - pORPHi5yJId4IynH/UcNM1kL9kyJqO65+iku - G5z9A2CS+aJy39Am6Nbr11GN6SAVcOmSjjeA - SOAdxGlWWpwAvA== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP + 0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw + 3OFb0GRqEXDc5w== ) ns1.example.net. 7200 IN A 1.0.0.5 - 7200 RRSIG A 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - mPktHGQ4Cvn6JwysjndL8/dZhtht6bGq1OZI - qR4SSqIc14Yfbbee819fwuw/JGaaTFyItDU2 - AIU8Ix2FrNLcQA== ) + 7200 RRSIG A 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr + o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6 + 89OCX/es/0rTtA== ) 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - I+i9d3dewJTTmK1J5gbMlsjodEDjV57fHDbv - 3haEPH6WHn/9W3P9eTDRIVEIvSVCEObAJyem - ItOMKZOxlRTF5Q== ) + 7200 RRSIG AAAA 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP + Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv + OVzIQY+ltEOSvg== ) 7200 NSEC ns2.example.net. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. 
- KF6bVYTEEuOgaYTrD1BhY6dyYtp1k7uPQAbe - +8aDk4OJwtL681t91XIT/TRXvKwiSVH4M7Un - ZOFI4o33/oIJag== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz + wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK + iovzZNBDetmiBg== ) ns2.example.net. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - pLL55Ja/b/pGnWdYP2tAOtx84xyKiEdD/oPC - 7prF8HCXLJgbFdnJ3JkZ1umAPbsRrEkFIFII - wGwfrjMkM9c8zw== ) + 7200 RRSIG A 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2 + 3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up + ZESuqA8PJwq9hQ== ) 7200 NSEC sub.example.net. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - b5AfO/ekdK8rQBAiyGcjCSFHOLCYfdVJP7DD - FsNKBjkJj+jLz3P1lJClTrgc4gv7EmRlZncd - YOzblBcjylZqAw== ) + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK + +NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32 + YVpaLtAlA5Gc1g== ) sub.example.net. 7200 IN NS ns1.example.net. - 7200 DS 18846 7 1 ( - 71103B8D50793E190E48D99E95B48D9F20C4 - 04C6 ) - 7200 DS 18846 7 2 ( - 42A13BAC66BEB451B6BF17A51FC2C141B765 - D3E9B952C689BA4B572DC1AF2FCC ) - 7200 RRSIG DS 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - HeLgZtRjTPXR8HDw0uHiavKTmJTJU2ryunVf - JR8vASP8QT2D4hD0BvCUzQdIB23+oB9eY2dx - f9WtEwKY89dcTQ== ) - 7200 NSEC example.net. NS DS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090103210802 ( - 20081228210802 4157 example.net. - XViJS+mWV3mddMCV25zV9i3ZpRlBsQIr/Guq - wJYzIiBP3F5cY+GbzOyjLdRnuy9pIeCUmEIN - 0XsanfbJHcTm8w== ) + 7200 NSEC example.net. NS RRSIG NSEC + 7200 RRSIG NSEC 5 3 7200 20090809141357 ( + 20090730141357 48089 example.net. + qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/ + bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw + +dpIoVdHzGqmdg== ) 
diff --git a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. index 8537da02..b9d00174 100644 --- a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. +++ b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. @@ -1,2 +1,2 @@ -sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6 -sub.example.net.dlv.trusted-keys.de. IN DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC +sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0 +sub.example.net.dlv.trusted-keys.de. IN DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE diff --git a/contrib/zkt/examples/flat/keysets/dsset-example.net. b/contrib/zkt/examples/flat/keysets/dsset-example.net. index f07c9b9c..ec2e0223 100644 --- a/contrib/zkt/examples/flat/keysets/dsset-example.net. +++ b/contrib/zkt/examples/flat/keysets/dsset-example.net. @@ -1,4 +1,4 @@ -example.net. IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F -example.net. IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F example.net. IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445 example.net. IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E +example.net. IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4 +example.net. IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B diff --git a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. index f35581d0..0ae4af62 100644 --- a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. +++ b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. 
@@ -1,2 +1,2 @@ -sub.example.net. IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6 -sub.example.net. IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC +sub.example.net. IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0 +sub.example.net. IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE diff --git a/contrib/zkt/examples/flat/keysets/keyset-example.net. b/contrib/zkt/examples/flat/keysets/keyset-example.net. index 47311feb..eba52b9c 100644 --- a/contrib/zkt/examples/flat/keysets/keyset-example.net. +++ b/contrib/zkt/examples/flat/keysets/keyset-example.net. @@ -1,5 +1,14 @@ $ORIGIN . example.net 7200 IN DNSKEY 257 3 5 ( + BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y + 1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS + BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn + eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7 + grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8 + V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7 + Il5cqhugaQ== + ) ; key id = 33840 + 7200 IN DNSKEY 257 3 5 ( BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl @@ -8,12 +17,3 @@ example.net 7200 IN DNSKEY 257 3 5 ( A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5 JT9+p0yB/Q== ) ; key id = 7308 - 7200 IN DNSKEY 257 3 5 ( - BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV - Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2 - VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5 - HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm - DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD - AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH - +B9rLlBU8w== - ) ; key id = 1764 diff --git a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. index 5c58fad5..17e31b83 100644 --- a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. +++ b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. 
@@ -1,8 +1,8 @@ $ORIGIN . sub.example.net 7200 IN DNSKEY 257 3 7 ( - AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G - 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau - dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF - pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V - VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f - ) ; key id = 18846 + AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb + jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr + /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9 + H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7 + ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3 + ) ; key id = 48516 diff --git a/contrib/zkt/examples/flat/named.conf b/contrib/zkt/examples/flat/named.conf index 0e8551c0..2d4cb9f0 100644 --- a/contrib/zkt/examples/flat/named.conf +++ b/contrib/zkt/examples/flat/named.conf @@ -96,4 +96,14 @@ zone "0.0.127.in-addr.ARPA" in { file "127.0.0.zone"; }; -include "zone.conf"; +#include "zone.conf"; + +zone "example.NET." in { + type master; + file "example.net/zone.db.signed"; +}; + +zone "sub.example.NET." in { + type master; + file "sub.example.net/zone.db.signed"; +}; diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key deleted file mode 100644 index 80d1ca0c..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081228220628 -;% lifetime=3d -sub.example.net. IN DNSKEY 256 3 6 AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI v8lZ diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published deleted file mode 100644 index f10110da..00000000 
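Review bot: Commenting out `include "zone.conf";` with a leading `#` leaves a dead directive where a one-line explanation belongs; either delete it or replace it with `// zone.conf (the zkt-generated list) is not used by the flat example; the two signed zones are declared inline below`. The two new master stanzas point at `zone.db.signed` files but carry no `allow-transfer` or `allow-update` clause, so whatever the server-wide defaults are will apply; since these examples tend to be copied verbatim, a comment stating that (or an explicit `allow-transfer { none; };` for an authoritative example) would be worth adding. I cannot see the file's `options` block from this hunk, so those may already be set globally.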
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published +++ /dev/null @@ -1,7 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 6 (?) -Prime(p): vkFZckOUzy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1zgQ== -Subprime(q): qHjRa5osHmJx2NpT9a+wCWA7CLk= -Base(g): t9Qo3KI9nqhaA9i/vXOmHah4S/+KYgi2oWjP6z2sksF6/NEg2+6dLWefgWKruCLbWaImIbreEcSg2vlj+RsHTQ== -Private_value(x): J9kC0094M4urh22UyajBvYp6OUU= -Public_value(y): rfdSEO07PKqymWRw5N+ivNzs1ipxdThpEiJIu5H6FslIunCQDHZ3N97j3/u4pxILjeEq9oeEFxjZuNoSiL/JWQ== diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key deleted file mode 100644 index 2cb92c46..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081216133130 -;% lifetime=3d -sub.example.net. IN DNSKEY 256 3 6 AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0 DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls lfy1 diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private deleted file mode 100644 index 50a0c942..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private +++ /dev/null 
@@ -1,7 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 6 (?) -Prime(p): 50c8zvi1zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp+Q== -Subprime(q): zVTFuNMY3m0bMsXC3ULBHHiaUM8= -Base(g): TVs1TYPKiksqFlHn7pI3m7tHu2VAIaWZ6wTjIAPaQsFgC8GhJeA+E+f9QNBbPTzHchphW9VxBxwECC57g2H9EQ== -Private_value(x): LnevSOPwRhakaa7vYh1YBwGWIh8= -Public_value(y): NwN9ucIKHYWeFToIQrCqIxfrtA1y7lmGOoeilp+MrraOjTAW+YV0g2mDE4IiWDuTEu/XfO+iyDycr95pbJX8tQ== diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated deleted file mode 100644 index 14edffd1..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated +++ /dev/null @@ -1,7 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 6 (?) -Prime(p): j+A/58oThRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qPoQ== -Subprime(q): kuawB/eONoc0BjGmDIKOerRKBkM= -Base(g): C/CRAij2ID/BEajrSxPOHaMWdQ06G5zfI6el3MIZtMFvNxBQypZ3VRawKbBeOncxvSMSX/ecw5MeJDKXCWfi7Q== -Private_value(x): HZ/c+Fa0T/qv5IwEmPEF681ckVw= -Public_value(y): bvjS4V5v38HzFvDmzxxq09i13mBupQ79O5ZLNyxoyE17kHNcKD6/ggVPSVx1jDymtgE9FLYgo1OoKh9qdNrG0w== diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key deleted file mode 100644 index 0269761c..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081209130816 -;% lifetime=3d -sub.example.net. IN DNSKEY 256 3 6 AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0 2sbT 
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated new file mode 100644 index 00000000..27036fe6 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ== +PublicExponent: AQAB +PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ== +Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE= +Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k= +Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE= +Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE= +Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key new file mode 100644 index 00000000..98cb5afb --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key @@ -0,0 +1,3 @@ +;% generationtime=20090624144422 +;% lifetime=3d +sub.example.net. IN DNSKEY 256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key deleted file mode 100644 index 688d4212..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081125154049 -;% lifetime=60d -sub.example.net. IN DNSKEY 257 3 7 AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq fu8SrJ0f 
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private deleted file mode 100644 index 5b5edbb3..00000000 --- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 7 (?) -Modulus: 451+rtzB+GXdovwGVREaeA8D7cjYTcbdc9ETthrD81yjtpeiscomBEUygzfSruMMFq50t5cL/985ADDY/m8LDK4eYgWjh+VefnWwx4WlZ0/sTx+aLiT9igIRK768G9/6tlYMxWiyPxVUQhspNwkTXo2x3WWzUUgZ+Kp+7xKsnR8= -PublicExponent: AQAB -PrivateExponent: J0mYBDa2hFmQ2AEIVsaM+wwccX6pV0NsFgGQlW4pRGhJGcsymd16kmIfRebsxqMKAyA5pTa9K30sKYxE6CXikgpm1+TqQtH3CQJGEz81gf5/c/RgHdG4+bygPrKeW1vA7dI5jsEQ8wnhBAJa0jDIt8f0bP9G5rGYyxctmmC8mgE= -Prime1: 8gsI7gGw1oPDMLhQHMx3NorrKgy1wMu3/anCcIEEe1OflmSNHzb0Y4hQ8Zl97EyU6ZuPAGlnI4MfykK2V35orw== -Prime2: 8L163OyeS3aLn+Bxfxlc/6OZGat5b6C5RKFzvdJ9/7ZxM1woegJCe8DD0wwuKwNs7go+venTI4O7L1ZB0jJOkQ== -Exponent1: aJiOLlQ6uCjOk+JCdH+DUOWthEljzcH7a7oNlZKbfjP/9fzT41ZbPBvvZsh+2zuo6l7X6ESkVntWpJA5vguZbw== -Exponent2: a4mIh4VfFICI0Er3B/pxc3RF4JSbc0TNXZ3tUL7lL8P0fyfMoOu/fP5Xuz+2o9os34xOCJGZkkS26edTEa0NMQ== -Coefficient: sEYTrLAosmx+x8M2BBdTYLddTSbv3xXDlqHeCNxajW4bhhbjkn3oMCWQfaq7Oke4zeUXPOAYjaf8Ve2oLD9fzg== diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key new file mode 100644 index 00000000..bd7002d9 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key @@ -0,0 +1,3 @@ +;% generationtime=20090630093509 +;% lifetime=3d +sub.example.net. IN DNSKEY 256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private new file mode 100644 index 00000000..03dfe535 
--- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private @@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ== +PublicExponent: AQAB +PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ== +Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU= +Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU= +Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190= +Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU= +Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo= diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key new file mode 100644 index 00000000..717e2bed --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key @@ -0,0 +1,3 @@ +;% generationtime=20090624144206 +;% lifetime=7d +sub.example.net. IN DNSKEY 257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3 diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private new file mode 100644 index 00000000..78137a95 --- /dev/null +++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc= +PublicExponent: AQAB +PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk= +Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw== +Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q== +Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw== +Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q== +Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g== diff --git a/contrib/zkt/examples/flat/sub.example.net/dnskey.db b/contrib/zkt/examples/flat/sub.example.net/dnskey.db index 7d4c4acb..e312396e 100644 --- a/contrib/zkt/examples/flat/sub.example.net/dnskey.db +++ b/contrib/zkt/examples/flat/sub.example.net/dnskey.db 
@@ -2,46 +2,28 @@ ; !!! Don't edit this file by hand. ; !!! It will be generated by dnssec-signer. ; -; Last generation time Dec 28 2008 23:08:02 +; Last generation time Jun 30 2009 13:02:21 ; ; *** List of Key Signing Keys *** -; sub.example.net. tag=18846 algo=NSEC3RSASHA1 generated Nov 25 2008 16:40:49 +; sub.example.net. tag=48516 algo=NSEC3RSASHA1 generated Jun 24 2009 16:42:06 sub.example.net. 3600 IN DNSKEY 257 3 7 ( - AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK - JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP - 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq - fu8SrJ0f - ) ; key id = 18846 + AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD + ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM + f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 + UPSENnx3 + ) ; key id = 48516 ; *** List of Zone Signing Keys *** -; sub.example.net. tag=5823 algo=NSEC3DSA generated Dec 28 2008 23:06:27 -sub.example.net. 3600 IN DNSKEY 256 3 6 ( - AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi - 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp - +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn - /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0 - DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls - lfy1 - ) ; key id = 5823 +; sub.example.net. tag=32345 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04 +sub.example.net. 3600 IN DNSKEY 256 3 7 ( + AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI + w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k= + ) ; key id = 32345 -; sub.example.net. tag=22440 algo=NSEC3DSA generated Dec 28 2008 23:06:27 -sub.example.net. 
3600 IN DNSKEY 256 3 6 ( - AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco - zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP - oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW - sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe - YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0 - 2sbT - ) ; key id = 22440 - -; sub.example.net. tag=4710 algo=NSEC3DSA generated Dec 28 2008 23:06:28 -sub.example.net. 3600 IN DNSKEY 256 3 6 ( - AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i - jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z - gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n - n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW - KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI - v8lZ - ) ; key id = 4710 +; sub.example.net. tag=14600 algo=NSEC3RSASHA1 generated Jun 30 2009 13:02:04 +sub.example.net. 3600 IN DNSKEY 256 3 7 ( + AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 + +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak= + ) ; key id = 14600 diff --git a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf index 30ae923c..8f90edb1 100644 --- a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf +++ b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf @@ -4,12 +4,12 @@ sigvalidity 2d max_ttl 90s Serialformat: unixtime -zsk_lifetime 3m +ksk_lifetime 1w ksk_algo N3RSASHA1 ksk_bits 1024 zsk_lifetime 3d -zsk_algo NSEC3DSA +zsk_algo N3RSASHA1 zsk_bits 512 dlv_domain "dlv.trusted-keys.de" diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed index 79cc5e73..c82f3ff0 100644 --- a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed +++ b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed 
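Review bot: The dnssec.conf hunk changes `zsk_algo` from NSEC3DSA to N3RSASHA1 but keeps `zsk_bits 512`, so the example now generates 512-bit RSA zone signing keys (the 32345 and 14600 ZSKs added in this commit are 64-byte moduli), a key size that is considered factorable and should not be shipped in an example that users copy; I would set `zsk_bits 1024` and regenerate the example keys and signed zone. The `-zsk_lifetime 3m` / `+ksk_lifetime 1w` replacement appears to fix a duplicated `zsk_lifetime` key in the old file (a `zsk_lifetime 3d` line follows), but since it presumably changes KSK rollover timing rather than being a cosmetic fix it is worth a sentence in the commit message. A comment above `zsk_bits`, such as `# 512 is far too small for production use; example only`, would at least warn anyone using this file as a starting point.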
@@ -1,116 +1,109 @@ -; File written on Sun Dec 28 23:08:02 2008 -; dnssec_signzone version 9.6.0 +; File written on Tue Jun 30 13:02:21 2009 +; dnssec_signzone version 9.7.0a1 sub.example.net. 7200 IN SOA ns1.example.net. hostmaster.example.net. ( - 1230502082 ; serial + 1246359741 ; serial 86400 ; refresh (1 day) 1800 ; retry (30 minutes) 1209600 ; expire (2 weeks) 7200 ; minimum (2 hours) ) - 7200 RRSIG SOA 6 3 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AMwSbl1AvSw6nz/6SAX26uwD5BAKYAxmfBIq - ynkaiFplhArpE1dTqlU= ) + 7200 RRSIG SOA 7 3 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug + Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj + beUBuNmOKBwgQw== ) 7200 NS ns1.example.net. - 7200 RRSIG NS 6 3 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AFIZX6ddVm4v+ae2F4zcVgp0jJHow+jKe+LC - YYNpRqF42vDPsri4shw= ) - 3600 DNSKEY 256 3 6 ( - AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oT - hRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1ch - epu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73 - x4qPoQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc - 3yOnpdzCGbTBbzcQUMqWd1UWsCmwXjp3Mb0j - El/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObP - HGrT2LXeYG6lDv07lks3LGjITXuQc1woPr+C - BU9JXHWMPKa2AT0UtiCjU6gqH2p02sbT - ) ; key id = 22440 - 3600 DNSKEY 256 3 6 ( - AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOU - zy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOB - RhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3 - At1zgbfUKNyiPZ6oWgPYv71zph2oeEv/imII - tqFoz+s9rJLBevzRINvunS1nn4Fiq7gi21mi - JiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk - 36K83OzWKnF1OGkSIki7kfoWyUi6cJAMdnc3 - 3uPf+7inEguN4Sr2h4QXGNm42hKIv8lZ - ) ; key id = 4710 - 3600 DNSKEY 256 3 6 ( - AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1 - zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+ - HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1 - EtNp+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGl - mesE4yAD2kLBYAvBoSXgPhPn/UDQWz08x3Ia - YVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghC - sKojF+u0DXLuWYY6h6KWn4yuto6NMBb5hXSD - aYMTgiJYO5MS79d876LIPJyv3mlslfy1 - ) ; key id = 5823 + 7200 RRSIG NS 7 3 7200 20090702100221 ( + 
20090630100221 32345 sub.example.net. + xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY + jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK + LPErXQ8ObaggQA== ) + 3600 DNSKEY 256 3 7 ( + AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk + GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z + NwICF4QjetjqUGta4Ak= + ) ; key id = 14600 + 3600 DNSKEY 256 3 7 ( + AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw + hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf + fNq73SbkyknTyXYRe2k= + ) ; key id = 32345 3600 DNSKEY 257 3 7 ( - AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G - 3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau - dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF - pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V - VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f - ) ; key id = 18846 - 3600 RRSIG DNSKEY 6 3 3600 20081230210802 ( - 20081228210802 5823 sub.example.net. - AMh2mLe04LwOikgp7Djk5OD+VjsxHWFIrM5K - eZ9TwWum0+c3KRc0Ye0= ) - 3600 RRSIG DNSKEY 7 3 3600 20081230210802 ( - 20081228210802 18846 sub.example.net. - oXtpSP1gJIoDZ4HUjdlGV6wyS0VPHp9pv7hB - t8sOWSTxSAQ2D1u+2bHK97lE7c1TJUqNsQO7 - YiTwCvfeypt/9QWSFg8d8TrUTaFvUyZO9yJM - HEeJvoV9+TmRsqT1M4vYNO6OY9zBrqQF8Jov - gblJkg3ftGhllMDdz8JlIe3m35U= ) - 0 NSEC3PARAM 1 0 100 B5EA98 - 0 RRSIG NSEC3PARAM 6 3 0 20081230210802 ( - 20081228210802 5823 sub.example.net. - AEK69arso3M/F6qdvHBnEaS7PYoMPzkXeut8 - f7tQNJi/n/57iOXxBtY= ) + AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb + jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr + /5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9 + H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7 + ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3 + ) ; key id = 48516 + 3600 RRSIG DNSKEY 7 3 3600 20090702100221 ( + 20090630100221 32345 sub.example.net. + 2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB + dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9 + GcBg3KQvJl0+AQ== ) + 3600 RRSIG DNSKEY 7 3 3600 20090702100221 ( + 20090630100221 48516 sub.example.net. 
+ PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx + f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/ + iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid + qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5 + F6avz0sLu3gtDu/nwyyK/5Hf3kM= ) + 0 NSEC3PARAM 1 0 100 86F43F + 0 RRSIG NSEC3PARAM 7 3 0 20090702100221 ( + 20090630100221 32345 sub.example.net. + e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0 + gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV + 3uTWjwSs7kyfDQ== ) a.sub.example.net. 7200 IN A 1.2.3.4 - 7200 RRSIG A 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - ACtzcM76XGO0nQg0MNi/3xIA17I/Zl7dpLie - L+UWpvdyC01FhiJ9nBc= ) + 7200 RRSIG A 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD + LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/ + hXTkHJif/0w78g== ) b.sub.example.net. 7200 IN A 1.2.3.5 - 7200 RRSIG A 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AMvlob5onyssxa/DQ13dtCp9pL9sHw4pruqq - PI85Joh+QNgM26VGXRA= ) + 7200 RRSIG A 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4 + rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU + T10UWy4dnxfoNQ== ) c.sub.example.net. 7200 IN A 1.2.3.6 - 7200 RRSIG A 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AJAcwAkedEjx4i28vF/Uu31BDly6Hmc5LI9R - 19PqH1vAijma5No2x5Q= ) + 7200 RRSIG A 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd + qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr + JJ+/QuqBHFyISQ== ) localhost.sub.example.net. 7200 IN A 127.0.0.1 - 7200 RRSIG A 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - ACgSEXi/TbpF35NNFs8zocciqhZtwDL5C4e/ - 6hTGwvl3Z+IjCjf8oDc= ) -ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE A RRSIG - 7200 RRSIG NSEC3 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AGjJ1uwyqNVcHgz3aFQZhvNFpBEPXdQaEeKo - /1Joi1+1g5r7AqEPgbU= ) -FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE.sub.example.net. 
7200 IN NSEC3 1 0 100 B5EA98 J961TISKA95UUNS1JAV5OMBDNS342B6O A RRSIG - 7200 RRSIG NSEC3 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AERaVeALOfnnt/33oq5dDu08p3oyfYET59xd - x6I2CRIOFUr7LkHm2ro= ) -J961TISKA95UUNS1JAV5OMBDNS342B6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O A RRSIG - 7200 RRSIG NSEC3 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - ADgp7RYKJ95X9iLaS/O0N75fzc/yjA3NhVnv - hDKrUluwi2qYv1/AOIk= ) -KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN A RRSIG - 7200 RRSIG NSEC3 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AMkFnz9tj86fr4NmFDnrqDNFlkgMAhRY/fR3 - SGzdb8LfKdbWCRwYtu0= ) -TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN.sub.example.net. 7200 IN NSEC3 1 0 100 B5EA98 ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A NS SOA RRSIG DNSKEY NSEC3PARAM - 7200 RRSIG NSEC3 6 4 7200 20081230210802 ( - 20081228210802 5823 sub.example.net. - AHYEmiF12gwP5LOpUfqK+uHzj7cwuxlGXNT7 - OdhDcXznJd5bkkQuoFY= ) + 7200 RRSIG A 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5 + TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f + S06Z9C5YaKI7ig== ) +7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG + 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe + yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k + /t2mOvXB11pLqQ== ) +AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM + 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa + axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc + ivGHaozr64hBjg== ) +D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 
7200 IN NSEC3 1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG + 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5 + h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo + wHjm0Ab+ez7COg== ) +K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG + 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB + 2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr + eARbsKjcsRJF7A== ) +L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3 1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG + 7200 RRSIG NSEC3 7 4 7200 20090702100221 ( + 20090630100221 32345 sub.example.net. + IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc + BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn + zBrGA0FxGvo4Pg== ) diff --git a/contrib/zkt/examples/flat/zkt.log b/contrib/zkt/examples/flat/zkt.log index 40729a83..74582ddf 100644 --- a/contrib/zkt/examples/flat/zkt.log +++ b/contrib/zkt/examples/flat/zkt.log 
@@ -137,3 +137,895 @@ 2008-12-28 23:08:02.534: debug: Signing completed after 0s. 2008-12-28 23:08:02.534: debug: 2008-12-28 23:08:02.534: notice: end of run: 0 errors occured +2009-02-28 12:31:26.082: notice: ------------------------------------------------------------ +2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf +2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net" +2009-02-28 12:31:26.100: debug: Check RFC5011 status +2009-02-28 12:31:26.100: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-02-28 12:31:26.100: debug: Check KSK status +2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s +2009-02-28 12:31:26.100: debug: Check ZSK status +2009-02-28 12:31:26.100: debug: Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec) +2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed +2009-02-28 12:31:26.101: debug: ->remove it +2009-02-28 12:31:26.101: debug: Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec) +2009-02-28 12:31:26.101: debug: ->depreciate it +2009-02-28 12:31:26.101: debug: ->activate published key 4710 +2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done +2009-02-28 12:31:26.101: debug: New key for publishing needed +2009-02-28 12:31:28.559: debug: ->creating new key 32820 +2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing +2009-02-28 12:31:28.559: debug: Re-signing necessary: Modfied zone key set +2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2009-02-28 12:31:28.560: debug: Writing key file "././sub.example.net/dnskey.db" +2009-02-28 12:31:28.560: debug: Signing zone "sub.example.net." 
+2009-02-28 12:31:28.560: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" +2009-02-28 12:31:28.803: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-02-28 12:31:28.803: debug: Signing completed after 0s. +2009-02-28 12:31:28.803: debug: +2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net" +2009-02-28 12:31:28.803: debug: Check RFC5011 status +2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover +2009-02-28 12:31:28.803: debug: Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover! +2009-02-28 12:31:28.803: debug: =>Generating new standby key signing key +2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840 +2009-02-28 12:31:29.067: debug: =>Activating old standby key 7308 +2009-02-28 12:31:29.068: debug: =>Revoking old active key 1764 +2009-02-28 12:31:29.068: debug: Check ZSK status +2009-02-28 12:31:29.068: debug: Re-signing necessary: Modfied zone key set +2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set +2009-02-28 12:31:29.068: debug: Writing key file "././example.net/dnskey.db" +2009-02-28 12:31:29.069: debug: Incrementing serial number in file "././example.net/zone.db" +2009-02-28 12:31:29.069: debug: Signing zone "example.net." +2009-02-28 12:31:29.069: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" +2009-02-28 12:31:29.206: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-02-28 12:31:29.206: debug: Signing completed after 0s. 
+2009-02-28 12:31:29.206: debug: +2009-02-28 12:31:29.206: notice: end of run: 0 errors occured +2009-02-28 12:31:34.121: notice: ------------------------------------------------------------ +2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net" +2009-02-28 12:31:34.126: debug: Check RFC5011 status +2009-02-28 12:31:34.126: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-02-28 12:31:34.126: debug: Check KSK status +2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s +2009-02-28 12:31:34.126: debug: Check ZSK status +2009-02-28 12:31:34.126: debug: Re-signing not necessary! +2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy +2009-02-28 12:31:34.126: debug: +2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net" +2009-02-28 12:31:34.126: debug: Check RFC5011 status +2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-02-28 12:31:34.126: debug: Check ZSK status +2009-02-28 12:31:34.126: debug: Re-signing not necessary! +2009-02-28 12:31:34.126: debug: Check if there is a parent file to copy +2009-02-28 12:31:34.126: debug: +2009-02-28 12:31:34.126: notice: end of run: 0 errors occured +2009-02-28 12:32:49.522: notice: ------------------------------------------------------------ +2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net" +2009-02-28 12:32:49.525: debug: Check RFC5011 status +2009-02-28 12:32:49.525: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-02-28 12:32:49.525: debug: Check KSK status +2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s +2009-02-28 12:32:49.525: debug: Check ZSK status +2009-02-28 12:32:49.526: debug: Re-signing not necessary! +2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy +2009-02-28 12:32:49.526: debug: +2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net" +2009-02-28 12:32:49.526: debug: Check RFC5011 status +2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-02-28 12:32:49.526: debug: Check ZSK status +2009-02-28 12:32:49.526: debug: Re-signing not necessary! +2009-02-28 12:32:49.526: debug: Check if there is a parent file to copy +2009-02-28 12:32:49.527: debug: +2009-02-28 12:32:49.527: notice: end of run: 0 errors occured +2009-02-28 12:42:47.999: notice: ------------------------------------------------------------ +2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:45:56.491: notice: ------------------------------------------------------------ +2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:50:13.057: notice: ------------------------------------------------------------ +2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:50:54.700: notice: ------------------------------------------------------------ +2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:52:23.926: notice: ------------------------------------------------------------ +2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:52:23.933: debug: 
parsing zone "sub.example.net." in dir "././sub.example.net" +2009-02-28 12:52:23.934: debug: Check RFC5011 status +2009-02-28 12:52:23.934: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-02-28 12:52:23.934: debug: Check KSK status +2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s +2009-02-28 12:52:23.934: debug: Check ZSK status +2009-02-28 12:52:23.934: debug: Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec) +2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed +2009-02-28 12:52:23.934: debug: ->remove it +2009-02-28 12:52:23.934: debug: Re-signing necessary: Modfied zone key set +2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2009-02-28 12:52:23.934: debug: Writing key file "././sub.example.net/dnskey.db" +2009-02-28 12:52:23.935: debug: Signing zone "sub.example.net." +2009-02-28 12:52:23.935: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" +2009-02-28 12:52:24.701: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-02-28 12:52:24.701: debug: Signing completed after 1s. +2009-02-28 12:52:24.701: debug: +2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net" +2009-02-28 12:52:24.701: debug: Check RFC5011 status +2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-02-28 12:52:24.701: debug: Check ZSK status +2009-02-28 12:52:24.701: debug: Re-signing not necessary! 
+2009-02-28 12:52:24.701: debug: Check if there is a parent file to copy +2009-02-28 12:52:24.701: debug: +2009-02-28 12:52:24.701: notice: end of run: 0 errors occured +2009-02-28 12:53:08.325: notice: ------------------------------------------------------------ +2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:53:48.858: notice: ------------------------------------------------------------ +2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:54:09.878: notice: ------------------------------------------------------------ +2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf +2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net" +2009-02-28 12:54:09.885: debug: Check RFC5011 status +2009-02-28 12:54:09.885: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-02-28 12:54:09.885: debug: Check KSK status +2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s +2009-02-28 12:54:09.886: debug: Check ZSK status +2009-02-28 12:54:09.886: debug: Re-signing not necessary! +2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy +2009-02-28 12:54:09.886: debug: +2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net" +2009-02-28 12:54:09.886: debug: Check RFC5011 status +2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-02-28 12:54:09.886: debug: Check ZSK status +2009-02-28 12:54:09.886: debug: Re-signing not necessary! 
+2009-02-28 12:54:09.886: debug: Check if there is a parent file to copy +2009-02-28 12:54:09.886: debug: +2009-02-28 12:54:09.886: notice: end of run: 0 errors occured +2009-02-28 12:55:02.579: notice: ------------------------------------------------------------ +2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf +2009-03-03 19:13:47.524: notice: ------------------------------------------------------------ +2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf +2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net" +2009-03-03 19:13:47.532: debug: Check RFC5011 status +2009-03-03 19:13:47.532: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-03-03 19:13:47.532: debug: Check KSK status +2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s +2009-03-03 19:13:47.533: debug: Check ZSK status +2009-03-03 19:13:47.533: debug: Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec) +2009-03-03 19:13:47.533: debug: ->depreciate it +2009-03-03 19:13:47.533: debug: ->activate published key 32820 +2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done +2009-03-03 19:13:47.533: debug: New key for publishing needed +2009-03-03 19:13:48.366: debug: ->creating new key 49656 +2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing +2009-03-03 19:13:48.366: debug: Re-signing necessary: Modfied zone key set +2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2009-03-03 19:13:48.367: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db" +2009-03-03 19:13:48.367: debug: Signing zone "sub.example.net." 
+2009-03-03 19:13:48.367: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private" +2009-03-03 19:13:48.543: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-03-03 19:13:48.543: debug: Signing completed after 0s. +2009-03-03 19:13:48.543: debug: +2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net" +2009-03-03 19:13:48.543: debug: Check RFC5011 status +2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-03-03 19:13:48.543: debug: Check ZSK status +2009-03-03 19:13:48.543: debug: Re-signing necessary: re-signing interval (2d) reached +2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached +2009-03-03 19:13:48.543: debug: Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db" +2009-03-03 19:13:48.544: debug: Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db" +2009-03-03 19:13:48.544: debug: Signing zone "example.net." +2009-03-03 19:13:48.544: debug: Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private" +2009-03-03 19:13:48.723: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-03-03 19:13:48.723: debug: Signing completed after 0s. 
+2009-03-03 19:13:48.723: debug: +2009-03-03 19:13:48.724: notice: end of run: 0 errors occured +2009-03-03 19:14:16.121: notice: ------------------------------------------------------------ +2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf +2009-03-03 19:14:30.231: notice: ------------------------------------------------------------ +2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf +2009-03-03 19:15:37.851: notice: ------------------------------------------------------------ +2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf +2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net" +2009-03-03 19:15:37.853: debug: Check RFC5011 status +2009-03-03 19:15:37.853: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-03-03 19:15:37.853: debug: Check KSK status +2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s +2009-03-03 19:15:37.853: debug: Check ZSK status +2009-03-03 19:15:37.853: debug: Re-signing not necessary! +2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy +2009-03-03 19:15:37.853: debug: +2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net" +2009-03-03 19:15:37.853: debug: Check RFC5011 status +2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-03-03 19:15:37.853: debug: Check ZSK status +2009-03-03 19:15:37.853: debug: Re-signing not necessary! 
+2009-03-03 19:15:37.853: debug: Check if there is a parent file to copy +2009-03-03 19:15:37.853: debug: +2009-03-03 19:15:37.853: notice: end of run: 0 errors occured +2009-03-03 19:15:44.219: notice: ------------------------------------------------------------ +2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf +2009-03-03 19:15:49.305: notice: ------------------------------------------------------------ +2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf +2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net" +2009-03-03 19:15:49.308: debug: Check RFC5011 status +2009-03-03 19:15:49.308: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-03-03 19:15:49.308: debug: Check KSK status +2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s +2009-03-03 19:15:49.309: debug: Check ZSK status +2009-03-03 19:15:49.309: debug: Re-signing not necessary! +2009-03-03 19:15:49.309: debug: Check if there is a parent file to copy +2009-03-03 19:15:49.309: debug: +2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net" +2009-03-03 19:15:49.310: debug: Check RFC5011 status +2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28 +2009-03-03 19:15:49.310: debug: Check ZSK status +2009-03-03 19:15:49.310: debug: Re-signing not necessary! +2009-03-03 19:15:49.310: debug: Check if there is a parent file to copy +2009-03-03 19:15:49.310: debug: +2009-03-03 19:15:49.310: notice: end of run: 0 errors occured +2009-03-04 18:07:38.441: notice: ------------------------------------------------------------ +2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf +2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." 
in dir "././sub.example.net"
+2009-03-04 18:07:38.459: debug: Check RFC5011 status
+2009-03-04 18:07:38.459: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:38.459: debug: Check KSK status
+2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
+2009-03-04 18:07:38.459: debug: Check ZSK status
+2009-03-04 18:07:38.459: debug: Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
+2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
+2009-03-04 18:07:38.459: debug: ->remove it
+2009-03-04 18:07:38.459: debug: Re-signing necessary: Modfied zone key set
+2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-03-04 18:07:38.459: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:07:38.460: debug: Signing zone "sub.example.net."
+2009-03-04 18:07:38.460: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:07:38.635: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:07:38.635: debug: Signing completed after 0s.
+2009-03-04 18:07:38.635: debug:
+2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:38.635: debug: Check RFC5011 status
+2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:38.636: debug: Check ZSK status
+2009-03-04 18:07:38.636: debug: Re-signing not necessary!
+2009-03-04 18:07:38.636: debug: Check if there is a parent file to copy
+2009-03-04 18:07:38.636: debug:
+2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
+2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
+2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf
+2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:07:54.357: debug: Check RFC5011 status
+2009-03-04 18:07:54.357: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:54.357: debug: Check KSK status
+2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
+2009-03-04 18:07:54.357: debug: Check ZSK status
+2009-03-04 18:07:54.357: debug: Re-signing not necessary!
+2009-03-04 18:07:54.357: debug: Check if there is a parent file to copy
+2009-03-04 18:07:54.357: debug:
+2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:54.357: debug: Check RFC5011 status
+2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:54.358: debug: Check ZSK status
+2009-03-04 18:07:54.358: debug: Re-signing not necessary!
+2009-03-04 18:07:54.358: debug: Check if there is a parent file to copy
+2009-03-04 18:07:54.358: debug:
+2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
+2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
+2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf
+2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net."
in dir "././sub.example.net"
+2009-03-04 18:08:25.212: debug: Check RFC5011 status
+2009-03-04 18:08:25.213: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:25.213: debug: Check KSK status
+2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
+2009-03-04 18:08:25.213: debug: Check ZSK status
+2009-03-04 18:08:25.213: debug: Re-signing not necessary!
+2009-03-04 18:08:25.213: debug: Check if there is a parent file to copy
+2009-03-04 18:08:25.213: debug:
+2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:25.214: debug: Check RFC5011 status
+2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:25.214: debug: Check ZSK status
+2009-03-04 18:08:25.214: debug: Re-signing not necessary!
+2009-03-04 18:08:25.214: debug: Check if there is a parent file to copy
+2009-03-04 18:08:25.214: debug:
+2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
+2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
+2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net."
in dir "././sub.example.net"
+2009-03-04 18:08:32.381: debug: Check RFC5011 status
+2009-03-04 18:08:32.381: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:32.381: debug: Check KSK status
+2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
+2009-03-04 18:08:32.381: debug: Check ZSK status
+2009-03-04 18:08:32.381: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.381: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:32.382: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:32.382: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:32.896: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:32.896: debug: Signing completed after 0s.
+2009-03-04 18:08:32.896: debug:
+2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:32.896: debug: Check RFC5011 status
+2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:32.896: debug: Check ZSK status
+2009-03-04 18:08:32.896: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.896: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:32.897: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:32.897: debug: Signing zone "example.net."
+2009-03-04 18:08:32.897: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net.
-e +518400 zone.db K*.private"
+2009-03-04 18:08:33.042: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:33.042: debug: Signing completed after 1s.
+2009-03-04 18:08:33.042: debug:
+2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
+2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
+2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:46.385: debug: Check RFC5011 status
+2009-03-04 18:08:46.385: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:46.385: debug: Check KSK status
+2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
+2009-03-04 18:08:46.385: debug: Check ZSK status
+2009-03-04 18:08:46.385: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.385: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:46.386: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:46.386: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:46.990: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:46.991: debug: Signing completed after 0s.
+2009-03-04 18:08:46.991: debug:
+2009-03-04 18:08:46.991: debug: parsing zone "example.net."
in dir "././example.net"
+2009-03-04 18:08:46.991: debug: Check RFC5011 status
+2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:46.991: debug: Check ZSK status
+2009-03-04 18:08:46.991: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.991: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:46.992: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:46.992: debug: Signing zone "example.net."
+2009-03-04 18:08:46.993: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-04 18:08:47.149: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:47.149: debug: Signing completed after 1s.
+2009-03-04 18:08:47.149: debug:
+2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
+2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
+2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf
+2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:59.145: debug: Check RFC5011 status
+2009-03-04 18:08:59.145: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:59.145: debug: Check KSK status
+2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
+2009-03-04 18:08:59.145: debug: Check ZSK status
+2009-03-04 18:08:59.145: debug: Re-signing necessary: Option -f
+2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:59.146: debug: Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:59.146: debug: Signing zone "sub.example.net."
+2009-03-04 18:08:59.146: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:09:00.082: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.082: debug: Signing completed after 1s.
+2009-03-04 18:09:00.082: debug:
+2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:09:00.083: debug: Check RFC5011 status
+2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:09:00.083: debug: Check ZSK status
+2009-03-04 18:09:00.083: debug: Re-signing necessary: Option -f
+2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:09:00.083: debug: Writing key file "././example.net/dnskey.db"
+2009-03-04 18:09:00.084: debug: Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:09:00.084: debug: Signing zone "example.net."
+2009-03-04 18:09:00.084: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-03-04 18:09:00.238: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.238: debug: Signing completed after 0s.
+2009-03-04 18:09:00.238: debug:
+2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
+2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
+2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v
+2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-15 09:58:41.226: debug: Check RFC5011 status
+2009-06-15 09:58:41.226: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-15 09:58:41.226: debug: Check KSK status
+2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
+2009-06-15 09:58:41.227: debug: Check ZSK status
+2009-06-15 09:58:41.227: debug: Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
+2009-06-15 09:58:41.227: debug: ->depreciate it
+2009-06-15 09:58:41.227: debug: ->activate published key 49656
+2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
+2009-06-15 09:58:41.227: debug: New key for publishing needed
+2009-06-15 09:58:41.346: debug: ->creating new key 37135
+2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
+2009-06-15 09:58:41.346: debug: Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.346: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-15 09:58:41.346: debug: Signing zone "sub.example.net."
+2009-06-15 09:58:41.346: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-15 09:58:41.399: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.399: debug: Signing completed after 0s.
+2009-06-15 09:58:41.399: debug:
+2009-06-15 09:58:41.399: debug: parsing zone "example.net."
in dir "./example.net"
+2009-06-15 09:58:41.399: debug: Check RFC5011 status
+2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-06-15 09:58:41.399: debug: Remove revoked key 1764 which is older than 30 days
+2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
+2009-06-15 09:58:41.400: debug: Check ZSK status
+2009-06-15 09:58:41.400: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
+2009-06-15 09:58:41.400: debug: ->waiting for published key
+2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
+2009-06-15 09:58:41.400: debug: New key for publishing needed
+2009-06-15 09:58:41.499: debug: ->creating new key 34925
+2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
+2009-06-15 09:58:41.499: debug: Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.499: debug: Writing key file "./example.net/dnskey.db"
+2009-06-15 09:58:41.499: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-15 09:58:41.499: debug: Signing zone "example.net."
+2009-06-15 09:58:41.499: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-15 09:58:41.543: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.543: debug: Signing completed after 0s.
+2009-06-15 09:58:41.543: debug:
+2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
+2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
+2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v
+2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-17 16:36:16.792: debug: Check RFC5011 status
+2009-06-17 16:36:16.792: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-17 16:36:16.792: debug: Check KSK status
+2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
+2009-06-17 16:36:16.792: debug: Check ZSK status
+2009-06-17 16:36:16.792: debug: Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
+2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
+2009-06-17 16:36:16.792: debug: ->remove it
+2009-06-17 16:36:16.792: debug: Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.792: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-17 16:36:16.793: debug: Signing zone "sub.example.net."
+2009-06-17 16:36:16.793: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-17 16:36:16.984: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:16.984: debug: Signing completed after 0s.
+2009-06-17 16:36:16.984: debug:
+2009-06-17 16:36:16.984: debug: parsing zone "example.net."
in dir "./example.net"
+2009-06-17 16:36:16.984: debug: Check RFC5011 status
+2009-06-17 16:36:16.984: debug: Check ZSK status
+2009-06-17 16:36:16.984: debug: Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
+2009-06-17 16:36:16.984: debug: ->depreciate it
+2009-06-17 16:36:16.984: debug: ->activate published key 34925
+2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
+2009-06-17 16:36:16.984: debug: Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.984: debug: Writing key file "./example.net/dnskey.db"
+2009-06-17 16:36:16.985: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-17 16:36:16.985: debug: Signing zone "example.net."
+2009-06-17 16:36:16.985: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-17 16:36:17.102: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:17.102: debug: Signing completed after 1s.
+2009-06-17 16:36:17.102: debug:
+2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
+2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
+2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:33:27.619: debug: Check RFC5011 status
+2009-06-24 16:33:27.620: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:33:27.620: debug: Check KSK status
+2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
+2009-06-24 16:33:27.620: debug: Check ZSK status
+2009-06-24 16:33:27.620: debug: Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
+2009-06-24 16:33:27.620: debug: ->depreciate it
+2009-06-24 16:33:27.620: debug: ->activate published key 37135
+2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
+2009-06-24 16:33:27.620: debug: New key for publishing needed
+2009-06-24 16:33:27.751: debug: ->creating new key 25272
+2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
+2009-06-24 16:33:27.751: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.751: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:33:27.751: debug: Signing zone "sub.example.net."
+2009-06-24 16:33:27.751: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
+2009-06-24 16:33:27.859: debug: Signing completed after 0s.
+2009-06-24 16:33:27.859: debug:
+2009-06-24 16:33:27.859: debug: parsing zone "example.net."
in dir "./example.net"
+2009-06-24 16:33:27.859: debug: Check RFC5011 status
+2009-06-24 16:33:27.859: debug: Check ZSK status
+2009-06-24 16:33:27.859: debug: Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
+2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
+2009-06-24 16:33:27.860: debug: ->remove it
+2009-06-24 16:33:27.860: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.860: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:33:27.860: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:33:27.860: debug: Signing zone "example.net."
+2009-06-24 16:33:27.860: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:33:27.966: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:33:27.966: debug: Signing completed after 0s.
+2009-06-24 16:33:27.966: debug:
+2009-06-24 16:33:27.966: notice: end of run: 1 error occured
+2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
+2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:42:06.711: debug: Check RFC5011 status
+2009-06-24 16:42:06.711: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:06.711: debug: Check KSK status
+2009-06-24 16:42:06.711: debug: No active KSK found: generate new one
+2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
+2009-06-24 16:42:06.855: debug: Check ZSK status
+2009-06-24 16:42:06.855: debug: No active ZSK found: generate new one
+2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
+2009-06-24 16:42:06.883: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:42:06.883: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:06.883: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:06.883: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:06.905: debug: Signing completed after 0s.
+2009-06-24 16:42:06.905: debug:
+2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:06.905: debug: Check RFC5011 status
+2009-06-24 16:42:06.905: debug: Check ZSK status
+2009-06-24 16:42:06.905: debug: Re-signing not necessary!
+2009-06-24 16:42:06.905: debug: Check if there is a parent file to copy
+2009-06-24 16:42:06.905: debug:
+2009-06-24 16:42:06.905: notice: end of run: 1 error occured
+2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
+2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:42:31.404: debug: Check RFC5011 status
+2009-06-24 16:42:31.404: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:31.404: debug: Check KSK status
+2009-06-24 16:42:31.404: debug: Check ZSK status
+2009-06-24 16:42:31.404: debug: Re-signing necessary: Modified keys
+2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:31.405: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:31.405: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:31.405: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:31.450: debug: Signing completed after 0s.
+2009-06-24 16:42:31.450: debug:
+2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:31.450: debug: Check RFC5011 status
+2009-06-24 16:42:31.450: debug: Check ZSK status
+2009-06-24 16:42:31.450: debug: Re-signing not necessary!
+2009-06-24 16:42:31.450: debug: Check if there is a parent file to copy
+2009-06-24 16:42:31.450: debug:
+2009-06-24 16:42:31.450: notice: end of run: 1 error occured
+2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
+2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:42:48.195: debug: Check RFC5011 status
+2009-06-24 16:42:48.195: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:48.195: debug: Check KSK status
+2009-06-24 16:42:48.195: debug: Check ZSK status
+2009-06-24 16:42:48.195: debug: Re-signing necessary: Modified keys
+2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:48.195: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:48.195: debug: Signing zone "sub.example.net."
+2009-06-24 16:42:48.195: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:48.212: debug: Signing completed after 0s.
+2009-06-24 16:42:48.212: debug:
+2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:48.212: debug: Check RFC5011 status
+2009-06-24 16:42:48.212: debug: Check ZSK status
+2009-06-24 16:42:48.212: debug: Re-signing not necessary!
+2009-06-24 16:42:48.212: debug: Check if there is a parent file to copy
+2009-06-24 16:42:48.212: debug:
+2009-06-24 16:42:48.212: notice: end of run: 1 error occured
+2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
+2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:44:22.961: debug: Check RFC5011 status
+2009-06-24 16:44:22.961: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:44:22.961: debug: Check KSK status
+2009-06-24 16:44:22.961: debug: Check ZSK status
+2009-06-24 16:44:22.961: debug: No active ZSK found: generate new one
+2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
+2009-06-24 16:44:23.008: debug: Re-signing necessary: Modfied zone key set
+2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:44:23.009: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:44:23.009: debug: Signing zone "sub.example.net."
+2009-06-24 16:44:23.009: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:44:23.040: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:44:23.040: debug: Signing completed after 0s.
+2009-06-24 16:44:23.040: debug:
+2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:44:23.040: debug: Check RFC5011 status
+2009-06-24 16:44:23.040: debug: Check ZSK status
+2009-06-24 16:44:23.040: debug: Re-signing not necessary!
+2009-06-24 16:44:23.040: debug: Check if there is a parent file to copy
+2009-06-24 16:44:23.040: debug:
+2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
+2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
+2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v
+2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:50:36.191: debug: Check RFC5011 status
+2009-06-24 16:50:36.191: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:36.191: debug: Check KSK status
+2009-06-24 16:50:36.192: debug: Check ZSK status
+2009-06-24 16:50:36.192: debug: Re-signing not necessary!
+2009-06-24 16:50:36.192: debug: Check if there is a parent file to copy
+2009-06-24 16:50:36.192: debug:
+2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:36.192: debug: Check RFC5011 status
+2009-06-24 16:50:36.192: debug: Check ZSK status
+2009-06-24 16:50:36.193: debug: Re-signing not necessary!
+2009-06-24 16:50:36.193: debug: Check if there is a parent file to copy
+2009-06-24 16:50:36.193: debug:
+2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
+2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
+2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:42.879: debug: Check RFC5011 status
+2009-06-24 16:50:42.879: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:42.879: debug: Check KSK status
+2009-06-24 16:50:42.879: debug: Check ZSK status
+2009-06-24 16:50:42.879: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.879: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:42.879: debug: Signing zone "sub.example.net."
+2009-06-24 16:50:42.879: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net.
-e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:42.932: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.932: debug: Signing completed after 0s.
+2009-06-24 16:50:42.932: debug:
+2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:42.932: debug: Check RFC5011 status
+2009-06-24 16:50:42.932: debug: Check ZSK status
+2009-06-24 16:50:42.932: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.932: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:42.933: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:42.933: debug: Signing zone "example.net."
+2009-06-24 16:50:42.933: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:50:42.978: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.978: debug: Signing completed after 0s.
+2009-06-24 16:50:42.978: debug:
+2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
+2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
+2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:51.924: debug: Check RFC5011 status
+2009-06-24 16:50:51.924: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:51.924: debug: Check KSK status
+2009-06-24 16:50:51.924: debug: Check ZSK status
+2009-06-24 16:50:51.925: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.925: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:51.925: debug: Signing zone "sub.example.net."
+2009-06-24 16:50:51.925: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:51.972: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:51.973: debug: Signing completed after 0s.
+2009-06-24 16:50:51.973: debug:
+2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:51.973: debug: Check RFC5011 status
+2009-06-24 16:50:51.973: debug: Check ZSK status
+2009-06-24 16:50:51.973: debug: Re-signing necessary: Option -f
+2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.973: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:51.973: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:51.973: debug: Signing zone "example.net."
+2009-06-24 16:50:51.973: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:50:52.017: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:52.017: debug: Signing completed after 1s.
+2009-06-24 16:50:52.017: debug:
+2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
+2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
+2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net."
in dir "./sub.example.net"
+2009-06-24 16:51:19.916: debug: Check RFC5011 status
+2009-06-24 16:51:19.916: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:51:19.916: debug: Check KSK status
+2009-06-24 16:51:19.916: debug: Check ZSK status
+2009-06-24 16:51:19.916: debug: Re-signing necessary: Option -f
+2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.916: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:51:19.917: debug: Signing zone "sub.example.net."
+2009-06-24 16:51:19.917: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:51:19.969: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:19.969: debug: Signing completed after 0s.
+2009-06-24 16:51:19.969: debug:
+2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:51:19.969: debug: Check RFC5011 status
+2009-06-24 16:51:19.969: debug: Check ZSK status
+2009-06-24 16:51:19.969: debug: Re-signing necessary: Option -f
+2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.969: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:51:19.969: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:51:19.969: debug: Signing zone "example.net."
+2009-06-24 16:51:19.969: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private"
+2009-06-24 16:51:20.018: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:20.018: debug: Signing completed after 1s.
+2009-06-24 16:51:20.018: debug:
+2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
+2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
+2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:55:38.096: debug: Check RFC5011 status
+2009-06-24 16:55:38.096: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:55:38.096: debug: Check KSK status
+2009-06-24 16:55:38.096: debug: Check ZSK status
+2009-06-24 16:55:38.096: debug: Re-signing necessary: Option -f
+2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.096: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:55:38.097: debug: Signing zone "sub.example.net."
+2009-06-24 16:55:38.097: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 16:55:38.144: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
+2009-06-24 16:55:38.144: debug: Signing completed after 0s.
+2009-06-24 16:55:38.144: debug:
+2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:55:38.144: debug: Check RFC5011 status
+2009-06-24 16:55:38.144: debug: Check ZSK status
+2009-06-24 16:55:38.144: debug: Re-signing necessary: Option -f
+2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.144: debug: Writing key file "./example.net/dnskey.db"
+2009-06-24 16:55:38.144: debug: Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:55:38.144: debug: Signing zone "example.net."
+2009-06-24 16:55:38.144: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1"
+2009-06-24 16:55:38.182: debug: Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
+2009-06-24 16:55:38.182: debug: Signing completed after 0s.
+2009-06-24 16:55:38.182: debug:
+2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
+2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
+2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f
+2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 17:12:06.147: debug: Check RFC5011 status
+2009-06-24 17:12:06.147: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 17:12:06.147: debug: Check KSK status
+2009-06-24 17:12:06.147: debug: Check ZSK status
+2009-06-24 17:12:06.147: debug: Re-signing necessary: Option -f
+2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 17:12:06.147: debug: Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 17:12:06.147: debug: Signing zone "sub.example.net."
+2009-06-24 17:12:06.147: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 17:12:06.204: debug: Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 17:12:06.204: debug: Signing completed after 0s.
+2009-06-24 17:12:06.204: debug:
+2009-06-24 17:12:06.204: debug: parsing zone "example.net."
in dir "./example.net" +2009-06-24 17:12:06.204: debug: Check RFC5011 status +2009-06-24 17:12:06.204: debug: Check ZSK status +2009-06-24 17:12:06.204: debug: Re-signing necessary: Option -f +2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f +2009-06-24 17:12:06.205: debug: Writing key file "./example.net/dnskey.db" +2009-06-24 17:12:06.205: debug: Incrementing serial number in file "./example.net/zone.db" +2009-06-24 17:12:06.205: debug: Signing zone "example.net." +2009-06-24 17:12:06.205: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2009-06-24 17:12:06.259: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-24 17:12:06.259: debug: Signing completed after 0s. +2009-06-24 17:12:06.259: debug: +2009-06-24 17:12:06.259: notice: end of run: 0 errors occured +2009-06-30 11:35:09.298: notice: ------------------------------------------------------------ +2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v +2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" +2009-06-30 11:35:09.326: debug: Check RFC5011 status +2009-06-30 11:35:09.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-06-30 11:35:09.326: debug: Check KSK status +2009-06-30 11:35:09.326: debug: Check ZSK status +2009-06-30 11:35:09.326: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec) +2009-06-30 11:35:09.326: debug: ->waiting for published key +2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key +2009-06-30 11:35:09.326: debug: New key for publishing needed +2009-06-30 11:35:09.482: debug: ->creating new key 32345 +2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing +2009-06-30 11:35:09.482: debug: Re-signing necessary: Modfied zone key set +2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2009-06-30 11:35:09.483: debug: Writing key file "./sub.example.net/dnskey.db" +2009-06-30 11:35:09.483: debug: Signing zone "sub.example.net." +2009-06-30 11:35:09.483: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" +2009-06-30 11:35:09.838: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 11:35:09.838: debug: Signing completed after 0s. +2009-06-30 11:35:09.838: debug: +2009-06-30 11:35:09.838: debug: parsing zone "example.net." 
in dir "./example.net" +2009-06-30 11:35:09.838: debug: Check RFC5011 status +2009-06-30 11:35:09.838: debug: Check ZSK status +2009-06-30 11:35:09.838: debug: New key for publishing needed +2009-06-30 11:35:09.896: debug: ->creating new key 48089 +2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing +2009-06-30 11:35:09.896: debug: Re-signing necessary: Modfied zone key set +2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set +2009-06-30 11:35:09.897: debug: Writing key file "./example.net/dnskey.db" +2009-06-30 11:35:09.897: debug: Incrementing serial number in file "./example.net/zone.db" +2009-06-30 11:35:09.897: debug: Signing zone "example.net." +2009-06-30 11:35:09.897: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2009-06-30 11:35:09.997: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 11:35:09.997: debug: Signing completed after 0s. +2009-06-30 11:35:09.997: debug: +2009-06-30 11:35:09.997: notice: end of run: 0 errors occured +2009-06-30 12:01:53.878: notice: ------------------------------------------------------------ +2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v +2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" +2009-06-30 12:01:53.881: debug: Check RFC5011 status +2009-06-30 12:01:53.881: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-06-30 12:01:53.881: debug: Check KSK status +2009-06-30 12:01:53.881: debug: Check ZSK status +2009-06-30 12:01:53.881: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec) +2009-06-30 12:01:53.881: debug: ->waiting for published key +2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key +2009-06-30 12:01:53.881: debug: Re-signing not necessary! +2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy +2009-06-30 12:01:53.881: debug: +2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net" +2009-06-30 12:01:53.881: debug: Check RFC5011 status +2009-06-30 12:01:53.881: debug: Check ZSK status +2009-06-30 12:01:53.881: debug: Re-signing not necessary! +2009-06-30 12:01:53.881: debug: Check if there is a parent file to copy +2009-06-30 12:01:53.881: debug: +2009-06-30 12:01:53.881: notice: end of run: 0 errors occured +2009-06-30 12:02:05.490: notice: ------------------------------------------------------------ +2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v +2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." 
in dir "./sub.example.net" +2009-06-30 12:02:05.492: debug: Check RFC5011 status +2009-06-30 12:02:05.492: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-06-30 12:02:05.492: debug: Check KSK status +2009-06-30 12:02:05.492: debug: Check ZSK status +2009-06-30 12:02:05.492: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec) +2009-06-30 12:02:05.492: debug: ->waiting for published key +2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key +2009-06-30 12:02:05.492: debug: Re-signing necessary: Option -f +2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f +2009-06-30 12:02:05.492: debug: Writing key file "./sub.example.net/dnskey.db" +2009-06-30 12:02:05.492: debug: Signing zone "sub.example.net." +2009-06-30 12:02:05.492: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" +2009-06-30 12:02:05.543: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 12:02:05.543: debug: Signing completed after 0s. +2009-06-30 12:02:05.543: debug: +2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net" +2009-06-30 12:02:05.543: debug: Check RFC5011 status +2009-06-30 12:02:05.543: debug: Check ZSK status +2009-06-30 12:02:05.543: debug: Re-signing necessary: Option -f +2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f +2009-06-30 12:02:05.543: debug: Writing key file "./example.net/dnskey.db" +2009-06-30 12:02:05.544: debug: Incrementing serial number in file "./example.net/zone.db" +2009-06-30 12:02:05.544: debug: Signing zone "example.net." +2009-06-30 12:02:05.544: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. 
-e +518400 zone.db K*.private 2>&1" +2009-06-30 12:02:05.602: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 12:02:05.602: debug: Signing completed after 0s. +2009-06-30 12:02:05.602: debug: +2009-06-30 12:02:05.602: notice: end of run: 0 errors occured +2009-06-30 13:02:04.436: notice: ------------------------------------------------------------ +2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v +2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net" +2009-06-30 13:02:04.438: debug: Check RFC5011 status +2009-06-30 13:02:04.438: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-06-30 13:02:04.438: debug: Check KSK status +2009-06-30 13:02:04.438: debug: Check ZSK status +2009-06-30 13:02:04.438: debug: Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec) +2009-06-30 13:02:04.438: debug: ->depreciate it +2009-06-30 13:02:04.439: debug: ->activate published key 32345 +2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done +2009-06-30 13:02:04.439: debug: Re-signing necessary: Modfied zone key set +2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2009-06-30 13:02:04.439: debug: Writing key file "./sub.example.net/dnskey.db" +2009-06-30 13:02:04.439: debug: Signing zone "sub.example.net." +2009-06-30 13:02:04.439: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" +2009-06-30 13:02:04.491: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 13:02:04.491: debug: Signing completed after 0s. +2009-06-30 13:02:04.491: debug: +2009-06-30 13:02:04.491: debug: parsing zone "example.net." 
in dir "./example.net" +2009-06-30 13:02:04.491: debug: Check RFC5011 status +2009-06-30 13:02:04.491: debug: Check ZSK status +2009-06-30 13:02:04.491: debug: Re-signing not necessary! +2009-06-30 13:02:04.491: debug: Check if there is a parent file to copy +2009-06-30 13:02:04.491: debug: +2009-06-30 13:02:04.491: notice: end of run: 0 errors occured +2009-06-30 13:02:21.019: notice: ------------------------------------------------------------ +2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v +2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net" +2009-06-30 13:02:21.021: debug: Check RFC5011 status +2009-06-30 13:02:21.021: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2009-06-30 13:02:21.021: debug: Check KSK status +2009-06-30 13:02:21.021: debug: Check ZSK status +2009-06-30 13:02:21.022: debug: Re-signing necessary: Option -f +2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f +2009-06-30 13:02:21.022: debug: Writing key file "./sub.example.net/dnskey.db" +2009-06-30 13:02:21.022: debug: Signing zone "sub.example.net." +2009-06-30 13:02:21.022: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1" +2009-06-30 13:02:21.070: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 13:02:21.070: debug: Signing completed after 0s. +2009-06-30 13:02:21.070: debug: +2009-06-30 13:02:21.070: debug: parsing zone "example.net." 
in dir "./example.net" +2009-06-30 13:02:21.070: debug: Check RFC5011 status +2009-06-30 13:02:21.070: debug: Check ZSK status +2009-06-30 13:02:21.070: debug: Re-signing necessary: Option -f +2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f +2009-06-30 13:02:21.071: debug: Writing key file "./example.net/dnskey.db" +2009-06-30 13:02:21.071: debug: Incrementing serial number in file "./example.net/zone.db" +2009-06-30 13:02:21.071: debug: Signing zone "example.net." +2009-06-30 13:02:21.071: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2009-06-30 13:02:21.121: debug: Cmd dnssec-signzone return: "zone.db.signed" +2009-06-30 13:02:21.121: debug: Signing completed after 0s. +2009-06-30 13:02:21.121: debug: +2009-06-30 13:02:21.121: notice: end of run: 0 errors occured diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key deleted file mode 100644 index 554986d5..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20080914221502 -;% lifetime=90d -example.de. IN DNSKEY 256 3 5 BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private deleted file mode 100644 index dda12aa8..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private +++ /dev/null 
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: qbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: h7mIMjyW6H7MpJIYWhTgerkh5pR9LbSJbuA/cKp9AU18blpyk4xOzIYGw0SXBqFezHpF0I6BEzSikgwyF1RDAQ==
-Prime1: 1YdJ1XTzsyvAgEjhutvSA4RSkCyPGsTZ81wxZcifWtE=
-Prime2: y3EofwE/nv2kF6/I2STrb3A8gbsBx5D4/6SiKFuHDg0=
-Exponent1: vjWx9G8qNVnlPPWD9uc/6um1vS2+yvriFV3MIMIZL/E=
-Exponent2: o/Jlw/TZ/IrlSvzNCc+xeF8qpip51onZ6fOFFjQ+QQ==
-Coefficient: K/UescJkRXWQr6FmABrKx3kalg748qkaWqvrY101OeY=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
new file mode 100644
index 00000000..d59a2238
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
@@ -0,0 +1,3 @@
+;% generationtime=20090615065826
+;% lifetime=28d
+example.de. IN DNSKEY 256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
new file mode 100644
index 00000000..e9662eb0
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
+Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
+Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
+Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
+Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
+Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=
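Review bot: `Kexample.de.+005+55529.private` checks a complete RSA private key (PrivateExponent, Prime1, Prime2) into the tree, as do the other `.private` and `.published` files this commit adds under contrib/zkt/examples (for instance `Ksub.example.de.+001+11091.published` and `Ksub.example.de.+005+26451.private`). Key material in a public repository is compromised by definition, so the example zones need a visible statement that these keys are demonstration data and must be regenerated before any of the example zones is served; a short paragraph to that effect in the examples' README, or an equivalent note next to the keys, would cover all of them at once. The `sub.example.de` zone-signing keys also use algorithm 1 (RSAMD5), which RFC 4034 already lists as NOT RECOMMENDED, and the 88-character base64 moduli decode to 512-bit keys, so if the examples are meant to be copied they would be better regenerated with a current algorithm and key size.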
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db index 6fb2c44a..71d47f26 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db +++ b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db @@ -2,11 +2,11 @@ ; !!! Don't edit this file by hand. ; !!! It will be generated by dnssec-signer. ; -; Last generation time Dec 28 2008 23:06:40 +; Last generation time Jul 04 2009 01:30:24 ; ; *** List of Key Signing Keys *** -; example.de. tag=47280 algo=RSASHA1 generated Nov 16 2008 19:00:40 +; example.de. tag=47280 algo=RSASHA1 generated Dec 28 2008 23:55:28 example.de. 3600 IN DNSKEY 257 3 5 ( BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t @@ -15,7 +15,7 @@ example.de. 3600 IN DNSKEY 257 3 5 ( uw== ) ; key id = 47280 -; example.de. tag=37983 algo=RSASHA1 generated Nov 16 2008 19:00:40 +; example.de. tag=37983 algo=RSASHA1 generated Dec 28 2008 23:55:28 example.de. 3600 IN DNSKEY 257 3 5 ( BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT @@ -25,9 +25,9 @@ example.de. 3600 IN DNSKEY 257 3 5 ( ) ; key id = 37983 ; *** List of Zone Signing Keys *** -; example.de. tag=11327 algo=RSASHA1 generated Nov 16 2008 19:00:40 +; example.de. tag=55529 algo=RSASHA1 generated Jun 24 2009 17:12:33 example.de. 3600 IN DNSKEY 256 3 5 ( - BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR - Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ== - ) ; key id = 11327 + BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC + XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ== + ) ; key id = 55529 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. index 27cb7b9e..9b0fba30 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. 
+++ b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. @@ -1,7 +1,7 @@ ; KSK rollover phase2 (this is the new key) sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd - pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl - cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n - GLv3a4BbGFc= - ) ; key id = 56595 + BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn + W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny + j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY + 04a9eVgvhME= + ) ; key id = 26451 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key deleted file mode 100644 index 19151efe..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081228220640 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published deleted file mode 100644 index ea99d83d..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: 6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ== -PublicExponent: AQAAAAE= -PrivateExponent: uXBzw9Ow7+rVGZ4XZlUjLoBxRUAdN207E+mvZ+OadkH4f7l3PNYJYVn2hTvTZb8v6vhKc/sOoenMRAMavK2oCQ== -Prime1: 97fUb9zU6zIQ6P53ykjHwpMriBptXWkqH4LUKrtqAYs= -Prime2: 8Q9XIHa/vuddNXGbnv1WjhQ+BLULtEHoAor6Zz/AczM= -Exponent1: lys3DhbjPd0964qLcwyI0qZ5lMviMzFBbB/IOthfYnc= -Exponent2: 2csu2XGtql2o+T1SXeXc6JtC8prIJ+mJuXa0FapeHBc= -Coefficient: 0+x8jSWVmxWNuZlQNW0mZBFS5cEgll+u0t17KXdh6nI= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key new file mode 100644 index 00000000..2448a3d3 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key @@ -0,0 +1,3 @@ +;% generationtime=20090624151233 +;% lifetime=2d +sub.example.de. IN DNSKEY 256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published new file mode 100644 index 00000000..e3416b95 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 1 (RSA) +Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== +PublicExponent: AQAAAAE= +PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ== +Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok= +Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk= +Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE= +Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE= +Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key new file mode 100644 index 00000000..901a1ff9 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key @@ -0,0 +1,3 @@ +;% generationtime=20090615065624 +;% lifetime=2d +sub.example.de. IN DNSKEY 256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private new file mode 100644 index 00000000..ea34cfea --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 1 (RSA) +Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== +PublicExponent: AQAAAAE= +PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ== +Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE= +Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs= +Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E= +Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88= +Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key deleted file mode 100644 index 16443f99..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key +++ /dev/null @@ -1,3 +0,0 @@ -;% generationtime=20081216163027 -;% lifetime=2d -sub.example.de. IN DNSKEY 256 3 1 BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private deleted file mode 100644 index fe9768c2..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private +++ /dev/null 
@@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: 46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ== -PublicExponent: AQAAAAE= -PrivateExponent: pqVDVhiSmZyjz4IM3xFkks4yc4MToD2EWbPKp4j8v4RETHjec3F9YYIMpkGaYoNqkx3+yvWpYPPy4YideIu3wQ== -Prime1: +1CFbP41B3shnGApkHvZYr3439pvg5KO60ykyewDDUU= -Prime2: 5+EDE42uEwgwiaPs+n4hXruj+K3ewL7cTY1HS7rPpWk= -Exponent1: tuWKUuBr0ajPkrvq1OdN0EcuggHhuizHNMl9ApAxBYU= -Exponent2: CHyQ5qkbFlgzbbfyXvjS6aonXu0vRQXN6xEpDrTAiek= -Coefficient: i4dbOUlePz8KFhOt0/8FImz2TAd2zZ0hryj4uAQbtUY= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated deleted file mode 100644 index 08c0368d..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated +++ /dev/null @@ -1,10 +0,0 @@ -Private-key-format: v1.2 -Algorithm: 1 (RSA) -Modulus: mjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw== -PublicExponent: AQAAAAE= -PrivateExponent: MPsUwCUqooIUfhCOmRxnn6ZhxzH+CpJOfJ1K0njPwjaQKm8ACnVpM7Fr3mv5b9m0TXNn3jpfQgD+mHzopnR8gQ== -Prime1: y24Ur3BJ40hhvFGqAPXaUEJcrEZIy4aCq2TxRSfFWs8= -Prime2: whV4QY7Syoe/CDglpRb/X1ZROUYNLo1y+uXMoSNtaYU= -Exponent1: DQywtacomS2IXan7sOtmkcWxxe7P6jTtI5KjlN4IhD0= -Exponent2: N/KfPaxytWiti6+d2E9B00TCwndDQq/vnJ2iYGdNp9k= -Coefficient: Lp80HvUH/WDwsH1akU1UWbN2n4m3g/hLtihVVuzf0s0= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key deleted file mode 100644 index d5ded3a0..00000000 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key +++ /dev/null 
@@ -1,3 +0,0 @@
-;% generationtime=20081120072448
-;% lifetime=2d
-sub.example.de. IN DNSKEY 256 3 1 BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
new file mode 100644
index 00000000..eb466736
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
@@ -0,0 +1,3 @@
+;% generationtime=20090703233023
+;% lifetime=5d
+sub.example.de. IN DNSKEY 257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
new file mode 100644
index 00000000..819b8ec9
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 1 (RSA) +Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= +PublicExponent: AQAAAAE= +PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E= +Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw== +Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ== +Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ== +Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ== +Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key new file mode 100644 index 00000000..66523d4e --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key @@ -0,0 +1,3 @@ +;% generationtime=20090630103352 +;% lifetime=5d +sub.example.de. IN DNSKEY 257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private new file mode 100644 index 00000000..fd152040 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= +PublicExponent: AQAAAAE= +PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0= +Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw== +Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew== +Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w== +Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw== +Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key new file mode 100644 index 00000000..abcbd117 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key @@ -0,0 +1,3 @@ +;% generationtime=20090615065826 +;% lifetime=5d +sub.example.de. IN DNSKEY 257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private new file mode 100644 index 00000000..78a8c1f1 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= +PublicExponent: AQAAAAE= +PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0= +Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw== +Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw== +Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw== +Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ== +Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key new file mode 100644 index 00000000..c621dacc --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key @@ -0,0 +1,3 @@ +;% generationtime=20090630100243 +;% lifetime=2d +sub.example.de. IN DNSKEY 256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private new file mode 100644 index 00000000..0cfadf35 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private 
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== +PublicExponent: AQAAAAE= +PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ== +Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0= +Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs= +Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk= +Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs= +Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key new file mode 100644 index 00000000..abcde696 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key @@ -0,0 +1,3 @@ +;% generationtime=20090703233023 +;% lifetime=2d +sub.example.de. IN DNSKEY 256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published new file mode 100644 index 00000000..dbaaaea9 --- /dev/null +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published 
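Review bot: The ZSK committed in this hunk is a 512-bit RSA key — the `Modulus:` value decodes to 64 bytes and `Prime1:`/`Prime2:` to 32 bytes each — which is below any defensible size for a signing key even as demo material, and its complete private half (`PrivateExponent:`, both primes and the CRT values) is now part of the source tree. Because these files are dnssec-keygen output the fix sits upstream of the diff: regenerate the example keys at a larger size (the ZSK length presumably comes from the example's dnssec.conf, which is not in this diff) and re-sign, so that someone who copies the example does not inherit a key that is trivially factorable. The example's top-level documentation should also say explicitly that the shipped `K*.private` files are throwaway demo keys that must never be loaded into a real zone; if keeping the tree small matters, the `.private` files could be omitted from the examples altogether and regenerated by the user.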
@@ -0,0 +1,10 @@ +Private-key-format: v1.2 +Algorithm: 5 (RSASHA1) +Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== +PublicExponent: AQAAAAE= +PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ== +Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU= +Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks= +Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k= +Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0= +Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc= diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. index d2b84f70..0a83288d 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. 
@@ -1,6 +1,8 @@ -sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5 -sub.example.de.dlv.trusted-keys.net. IN DLV 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9 +sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961 +sub.example.de.dlv.trusted-keys.net. IN DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2 +sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E +sub.example.de.dlv.trusted-keys.net. IN DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A sub.example.de.dlv.trusted-keys.net. IN DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1 -sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01 -sub.example.de.dlv.trusted-keys.net. IN DLV 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7 +sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75 +sub.example.de.dlv.trusted-keys.net. IN DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db index 38c3c70e..68d9dfb6 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db 
@@ -2,11 +2,11 @@ ; !!! Don't edit this file by hand. ; !!! It will be generated by dnssec-signer. ; -; Last generation time Dec 28 2008 23:06:40 +; Last generation time Jul 04 2009 01:30:24 ; ; *** List of Key Signing Keys *** -; sub.example.de. tag=40956 algo=RSASHA1 generated Oct 03 2008 01:02:19 +; sub.example.de. tag=40956 algo=RSASHA1 generated Dec 28 2008 23:55:28 sub.example.de. 3600 IN DNSKEY 257 3 5 ( BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/ 
@@ -14,38 +14,52 @@ sub.example.de. 3600 IN DNSKEY 257 3 5 ( ISRyLtFdi10= ) ; key id = 40956 -; sub.example.de. tag=56595 algo=RSASHA1 generated Oct 03 2008 23:27:15 +; sub.example.de. tag=26451 algo=RSASHA1 generated Jun 15 2009 08:58:26 sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd - pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl - cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n - GLv3a4BbGFc= - ) ; key id = 56595 + BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn + W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny + j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY + 04a9eVgvhME= + ) ; key id = 26451 -; sub.example.de. tag=31785 algo=RSASHA1 generated Dec 16 2008 17:32:13 +; sub.example.de. tag=24426 algo=RSASHA1 generated Jun 30 2009 12:33:52 sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX - T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE - J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji - qj6JGXl48/0= - ) ; key id = 31785 + BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D + xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp + 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 + vlXrwWNo4Pk= + ) ; key id = 24426 + +; sub.example.de. tag=60332 algo=RSAMD5 generated Jul 04 2009 01:30:23 +sub.example.de. 3600 IN DNSKEY 257 3 1 ( + BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ + f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg + oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ + jyZPu//rrNM= + ) ; key id = 60332 ; *** List of Zone Signing Keys *** -; sub.example.de. tag=59924 algo=RSAMD5 generated Dec 16 2008 17:30:27 +; sub.example.de. tag=11091 algo=RSAMD5 generated Jun 24 2009 17:12:33 sub.example.de. 
3600 IN DNSKEY 256 3 1 ( - BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB - eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw== - ) ; key id = 59924 + BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ + 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ== + ) ; key id = 11091 -; sub.example.de. tag=39146 algo=RSAMD5 generated Dec 16 2008 17:30:27 +; sub.example.de. tag=38598 algo=RSAMD5 generated Jun 24 2009 17:12:33 sub.example.de. 3600 IN DNSKEY 256 3 1 ( - BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw - 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ== - ) ; key id = 39146 + BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe + zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw== + ) ; key id = 38598 -; sub.example.de. tag=4031 algo=RSAMD5 generated Dec 28 2008 23:06:40 -sub.example.de. 3600 IN DNSKEY 256 3 1 ( - BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN - cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ== - ) ; key id = 4031 +; sub.example.de. tag=37547 algo=RSASHA1 generated Jun 30 2009 12:02:43 +sub.example.de. 3600 IN DNSKEY 256 3 5 ( + BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy + 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w== + ) ; key id = 37547 + +; sub.example.de. tag=57863 algo=RSASHA1 generated Jul 04 2009 01:30:23 +sub.example.de. 3600 IN DNSKEY 256 3 5 ( + BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 + XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw== + ) ; key id = 57863 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. index 9e2970a9..e34d70d4 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. 
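Review bot: The KSK added at tag 60332 uses algorithm 1 (RSAMD5) (`sub.example.de. 3600 IN DNSKEY 257 3 1 (`), joining the two RSAMD5 ZSKs 11091 and 38598, while the other keys added in the same hunk are RSASHA1; RFC 4034 already lists RSAMD5 as not recommended, so the example demonstrates a key set that users should not copy. This file is generated by dnssec-signer, so the algorithm presumably comes from the example's dnssec.conf, which is not part of this diff; regenerating the RSAMD5 keys as algorithm 5 and re-signing would make the example consistent with its own RSASHA1 keys. As long as both algorithms are present every RRset has to carry one RRSIG per algorithm (the signed zone in this commit does exactly that), so dropping RSAMD5 would also halve the signature volume of the example zone.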
@@ -1,6 +1,8 @@ -sub.example.de. IN DS 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5 -sub.example.de. IN DS 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9 +sub.example.de. IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961 +sub.example.de. IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2 +sub.example.de. IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E +sub.example.de. IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A sub.example.de. IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A sub.example.de. IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1 -sub.example.de. IN DS 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01 -sub.example.de. IN DS 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7 +sub.example.de. IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75 +sub.example.de. IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. index 2535a309..d2f21e17 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. 
@@ -1,18 +1,25 @@ $ORIGIN . -sub.example.de 7200 IN DNSKEY 257 3 5 ( - BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc - 7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6 - 2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA - jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB - cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc= - ) ; key id = 56595 +sub.example.de 7200 IN DNSKEY 257 3 1 ( + BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4 + LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW + /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6 + gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb + vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= + ) ; key id = 60332 7200 IN DNSKEY 257 3 5 ( - BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i - gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV - 4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx - fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY - g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0= - ) ; key id = 31785 + BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4 + WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c + pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ + uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X + 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= + ) ; key id = 24426 + 7200 IN DNSKEY 257 3 5 ( + BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q + W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr + yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ + ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY + 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= + ) ; key id = 26451 7200 IN DNSKEY 257 3 5 ( BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key index 1ff71b83..1ff71b83 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.key +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private index 2bf7a995..2bf7a995 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.private +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key index 1ee44bbb..1ee44bbb 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.key +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private index 4b444504..4b444504 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.private +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. index 27cb7b9e..9b0fba30 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. 
@@ -1,7 +1,7 @@ ; KSK rollover phase2 (this is the new key) sub.example.de. 3600 IN DNSKEY 257 3 5 ( - BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd - pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl - cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n - GLv3a4BbGFc= - ) ; key id = 56595 + BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn + W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny + j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY + 04a9eVgvhME= + ) ; key id = 26451 diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db index f04c19a2..466908a2 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db @@ -7,7 +7,7 @@ $TTL 7200 @ IN SOA ns1.example.de. hostmaster.example.de. ( - 2008122801; Serial (up to 10 digits) + 2009070301; Serial (up to 10 digits) 86400 ; Refresh (RIPE recommendation if NOTIFY is used) 1800 ; Retry 2W ; Expire diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed index 066477c5..ef53f574 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed +++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed 
@@ -1,58 +1,85 @@ -; File written on Sun Dec 28 23:06:40 2008 -; dnssec_signzone version 9.6.0 +; File written on Sat Jul 4 01:32:17 2009 +; dnssec_signzone version 9.7.0a1 sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( - 2008122801 ; serial + 2009070301 ; serial 86400 ; refresh (1 day) 1800 ; retry (30 minutes) 1209600 ; expire (2 weeks) 7200 ; minimum (2 hours) ) - 7200 RRSIG SOA 1 3 7200 20081230210417 ( - 20081228210640 39146 sub.example.de. - XM/3402boromtkWjxtvE0SHpUW3J5ITudixH - Ol/DXfSIUiv5Km5ekQueBMgMIEMFkYHxRYH/ - CRDCu4gTzYJElw== ) + 7200 RRSIG SOA 1 3 7200 20090705220522 ( + 20090703223217 38598 sub.example.de. + JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF + 1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi + D6KRnBt1xAbXmA== ) + 7200 RRSIG SOA 5 3 7200 20090705220711 ( + 20090703223217 37547 sub.example.de. + gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK + E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA + LMGc9HSP79dRuA== ) 7200 NS ns1.example.de. - 7200 RRSIG NS 1 3 7200 20081230210435 ( - 20081228210640 39146 sub.example.de. - YGkNNi+q2byWBB2AnRrZ0fY9eOzOkcvlW98U - Ti/2LoJhn+LrVNSOG5Xbd7o3KfoxnyyFS+lh - IwcTPCxkYyTv2A== ) + 7200 RRSIG NS 1 3 7200 20090705222744 ( + 20090703223217 38598 sub.example.de. + Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ + 9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT + MBmpop2wmSzjHg== ) + 7200 RRSIG NS 5 3 7200 20090705221546 ( + 20090703223217 37547 sub.example.de. + GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP + CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5 + vsnk1e7z4qdMnQ== ) 7200 NSEC a.sub.example.de. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 1 3 7200 20081230205813 ( - 20081228210640 39146 sub.example.de. - dR8j2F8b+725x9Ipuym92XPF0CfLywcU8rVd - kMwIEHYqvxHtAGgMS7Rg6ehc1Dyu/4AxK5Le - xQpUFau71SR5zA== ) + 7200 RRSIG NSEC 1 3 7200 20090705222040 ( + 20090703223217 38598 sub.example.de. + DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND + v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi + WpV1PcoUZ0g2PQ== ) + 7200 RRSIG NSEC 5 3 7200 20090705222545 ( + 20090703223217 37547 sub.example.de. 
+ fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK + rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d + WaeKi5AZKRsCsg== ) 3600 DNSKEY 256 3 1 ( - BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+c - U4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0R - OBlid0KE2rxJ7rDekuoUiw== - ) ; key id = 59924 + BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml + gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU + BgwiMj4XdqFLLuNzjJbGiw== + ) ; key id = 38598 3600 DNSKEY 256 3 1 ( - BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObj - eSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz - /9GKXXOH+o/q+dBCoZjqTQ== - ) ; key id = 39146 - 3600 DNSKEY 256 3 1 ( - BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE1 - 0FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx - 4vQsbPO5WDiIoXmDUg+/sQ== - ) ; key id = 4031 + BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv + StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ + euyJ87LiXfGpR/X/MCtTEQ== + ) ; key id = 11091 + 3600 DNSKEY 256 3 5 ( + BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt + YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx + CoFgziaYXEnU0OjHM/Vatw== + ) ; key id = 57863 + 3600 DNSKEY 256 3 5 ( + BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG + BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe + abWDGzKm3MbybdKLLtGD/w== + ) ; key id = 37547 + 3600 DNSKEY 257 3 1 ( + BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4 + LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW + /iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6 + gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb + vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM= + ) ; key id = 60332 3600 DNSKEY 257 3 5 ( - BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc - 7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6 - 2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA - jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB - cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc= - ) ; key id = 56595 + BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4 + WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c + pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ + uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X + 0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk= + ) ; key id = 24426 3600 DNSKEY 257 3 5 ( - BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i - gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV - 4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx - fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY - 
g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0= - ) ; key id = 31785 + BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q + W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr + yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ + ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY + 0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME= + ) ; key id = 26451 3600 DNSKEY 257 3 5 ( BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4 8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv 
@@ -60,77 +87,129 @@ sub.example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10= ) ; key id = 40956 - 3600 RRSIG DNSKEY 1 3 3600 20081230204044 ( - 20081228210640 39146 sub.example.de. - rdyBfWCdLqJSLOIg22HSMNpLQTV1GLsg2w5Q - thtAdJWWdN+YDJfeeD+jkJvwWoQSouleSRdM - MHZ69c4Fp0KlUg== ) - 3600 RRSIG DNSKEY 5 3 3600 20081230204405 ( - 20081228210640 56595 sub.example.de. - B4kvh0gQqHNBdwiABmUwMJ+Iqi2dKSsDQTKj - 0rtquoGkVbbB1mKqGeA0EWjts9g388evvZGz - hpHVeXQQds4OxRTpt+XlQejbL98RB+8xM+I9 - clj31Dg22MYkzogVqk7VBYTfZN/frK5co5WO - E+aX97skAkBO8C9rZshwsISbFR0= ) - 3600 RRSIG DNSKEY 5 3 3600 20081230205150 ( - 20081228210640 31785 sub.example.de. - SiQmiuudpKBGbtKxHupnbvkksCBkYwihgyhl - kznLuR+GjrZKE4GuzYNAspe5CkDCSbNUHbl2 - CbPFjU4lvGyShA3UtzSM2Cx4SAGi4JtRh7XC - DtXNIuZK4GBwprUD5nffYAH9Q7Pck9fhl8u8 - YP0JapJ+GV9dx2iSKdbb1JKE8zk= ) - 3600 RRSIG DNSKEY 5 3 3600 20081230205404 ( - 20081228210640 40956 sub.example.de. - jQty/hjEoHR/lx/tNopuPFNZQ0VF4Qdi37I0 - q2A084KeBTh4v2hgTUA0B00hVncllfgUlOYl - HbvgHzqhLZPrx2qvtvFlPRmj7FlwjJbXRt5T - 5JBAMP4IMfd0W6SDsuo1saVVZuiAQPicBbN8 - Rc0Tgde1NEy2rlyVLkk7uKLB0pU= ) + 3600 RRSIG DNSKEY 1 3 3600 20090705221028 ( + 20090703223217 60332 sub.example.de. + xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc + P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4 + hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/ + pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us + 6IUopL10tPSalhTp9UleZSUkZyA= ) + 3600 RRSIG DNSKEY 1 3 3600 20090705221035 ( + 20090703223217 38598 sub.example.de. + fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c + cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB + i7LKN5hMK+uKvw== ) + 3600 RRSIG DNSKEY 5 3 3600 20090705220958 ( + 20090703223217 40956 sub.example.de. 
+ z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB + e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5 + 2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3 + oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL + VtxuyGMtrFGuRFh3xC14bi/U5LE= ) + 3600 RRSIG DNSKEY 5 3 3600 20090705221542 ( + 20090703223217 37547 sub.example.de. + bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG + 1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2 + 7vDjTlynq0uFyg== ) + 3600 RRSIG DNSKEY 5 3 3600 20090705222555 ( + 20090703223217 26451 sub.example.de. + Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR + BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh + iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI + g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR + Q/C/bJgOmq9mZt4vNOBTvgmuHqw= ) + 3600 RRSIG DNSKEY 5 3 3600 20090705222912 ( + 20090703223217 24426 sub.example.de. + ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI + e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR + 25Od0UIU77XuW/trIczippIl78ISPwKSiEN0 + LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5 + v9HafpYQx24FTD99v6DcjMvQu/M= ) a.sub.example.de. 7200 IN A 1.2.3.4 - 7200 RRSIG A 1 4 7200 20081230210029 ( - 20081228210640 39146 sub.example.de. - Mfh4ntlgKOlE1vleYbD8tN8VfvHEYbIZ1/bG - TWEu2pQNK2YLC7mLfVQWW3bcpzlmOucmWFJq - XXH+nnsftjxZog== ) + 7200 RRSIG A 1 4 7200 20090705222143 ( + 20090703223217 38598 sub.example.de. + A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l + 0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS + guDWYW++F1vv4w== ) + 7200 RRSIG A 5 4 7200 20090705223053 ( + 20090703223217 37547 sub.example.de. + kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi + 5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7 + jkFkcdEu6pH3rQ== ) 7200 NSEC b.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20081230210434 ( - 20081228210640 39146 sub.example.de. - hKTSoLDwWufmjaQnW53kLzog9MfMK3eUcjHr - 98uOCfKY3xRFqxHn0UmUvfaHSrCaMGRuwH0H - 84fk3FvVO3Sg4g== ) + 7200 RRSIG NSEC 1 4 7200 20090705221732 ( + 20090703223217 38598 sub.example.de. + Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi + 0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI + QprLeptnAT88wQ== ) + 7200 RRSIG NSEC 5 4 7200 20090705223013 ( + 20090703223217 37547 sub.example.de. 
+ L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w + nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D + BBQkH4YqqkPxXQ== ) b.sub.example.de. 7200 IN A 1.2.3.5 - 7200 RRSIG A 1 4 7200 20081230210628 ( - 20081228210640 39146 sub.example.de. - LP1xgEzTIlc0w57Ohv9HwJ9eAeGFGeMDM3Ag - 9oA18G8lUWpzTX66D9sHKdpDxCo8IX8IuosE - AO4BjHjFytWPLQ== ) + 7200 RRSIG A 1 4 7200 20090705223139 ( + 20090703223217 38598 sub.example.de. + gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk + aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte + QVYtDIC2+AOstw== ) + 7200 RRSIG A 5 4 7200 20090705221720 ( + 20090703223217 37547 sub.example.de. + A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI + tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz + rWlKXai3MYg7VQ== ) 7200 NSEC c.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20081230204400 ( - 20081228210640 39146 sub.example.de. - 2tmWQXRQEOF5tojcBhFRMVe5pp0V1tA+Jk8M - svsYT1ukbaJ3QeDOaTGUA604hLEm7J+uapy+ - LTvOcKZl65st6g== ) + 7200 RRSIG NSEC 1 4 7200 20090705223117 ( + 20090703223217 38598 sub.example.de. + DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/ + EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf + IBAStKfocnPfxA== ) + 7200 RRSIG NSEC 5 4 7200 20090705222451 ( + 20090703223217 37547 sub.example.de. + y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK + J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud + ePUilJqZI7+d0A== ) c.sub.example.de. 7200 IN A 1.2.3.6 - 7200 RRSIG A 1 4 7200 20081230205321 ( - 20081228210640 39146 sub.example.de. - m5/r/M1tF0d3rEU/kmubSZdV5ZmdKWmcCWTo - kv+oTux07+5dS7XisCHT+ufjiFkIgI3cf9I6 - bbtEMaChCRmwhA== ) + 7200 RRSIG A 1 4 7200 20090705220747 ( + 20090703223217 38598 sub.example.de. + AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h + N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf + rsvFrG2Eyf8KyQ== ) + 7200 RRSIG A 5 4 7200 20090705221402 ( + 20090703223217 37547 sub.example.de. + I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW + 5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4 + eDzbZncW5J57bA== ) 7200 NSEC localhost.sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20081230204731 ( - 20081228210640 39146 sub.example.de. 
- WZAiKmtmMVq69fGpQAxKXFj9179lZm1qd7qs - gyiutFjWtQTRQFI6wxHyhh1WXdagtI2AjR9V - eGdKUuoZ9n22yA== ) + 7200 RRSIG NSEC 1 4 7200 20090705221655 ( + 20090703223217 38598 sub.example.de. + spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H + c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7 + 2oZVaizjK0xxdA== ) + 7200 RRSIG NSEC 5 4 7200 20090705220501 ( + 20090703223217 37547 sub.example.de. + qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0 + JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66 + ehXm31OmY1Z1MQ== ) localhost.sub.example.de. 7200 IN A 127.0.0.1 - 7200 RRSIG A 1 4 7200 20081230205746 ( - 20081228210640 39146 sub.example.de. - Vc48b7SkFZO1e4lNIti+Iw9vPSgxANdhakP/ - oqjKgxMMr+dmk0Vn29DYBTH+bkR7nBpccP9l - qe0UCeieNSgqOg== ) + 7200 RRSIG A 1 4 7200 20090705223018 ( + 20090703223217 38598 sub.example.de. + KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO + IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS + oFdkIwDqvk/ldw== ) + 7200 RRSIG A 5 4 7200 20090705221933 ( + 20090703223217 37547 sub.example.de. + X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs + ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35 + lqRrrcEvaMIFYA== ) 7200 NSEC sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 1 4 7200 20081230203757 ( - 20081228210640 39146 sub.example.de. - StI4gda9HqSmD1/1zcW/wJaFXvd8zKRHnH89 - nrUy4C6PWJ+9Tqs4QhYm1AzAtZRwSEasS0jX - g0mFyc6p12gXqg== ) + 7200 RRSIG NSEC 1 4 7200 20090705223031 ( + 20090703223217 38598 sub.example.de. + nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5 + RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB + XeLxR6WY4FdXFg== ) + 7200 RRSIG NSEC 5 4 7200 20090705222830 ( + 20090703223217 37547 sub.example.de. + YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP + 8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG + hu9IzPp4IpAwhQ== ) diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/zone.db index 917cd79f..b3d00343 100644 --- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db +++ b/contrib/zkt/examples/hierarchical/de/example.de/zone.db 
@@ -11,7 +11,7 @@ $TTL 7200
 ; 0123456789;
 ; It's also possible to use the date format e.g. 2005040101
 @ IN SOA ns1.example.de. hostmaster.example.de. (
- 269 ; Serial
+ 277 ; Serial
 43200 ; Refresh
 1800 ; Retry
 2W ; Expire
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
index 9fdf5dfb..1bfd112b 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
+++ b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
@@ -1,35 +1,35 @@ -; File written on Sun Dec 28 23:06:40 2008 -; dnssec_signzone version 9.6.0 +; File written on Sat Jul 4 01:33:59 2009 +; dnssec_signzone version 9.7.0a1 example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( - 269 ; serial + 277 ; serial 43200 ; refresh (12 hours) 1800 ; retry (30 minutes) 1209600 ; expire (2 weeks) 7200 ; minimum (2 hours) ) - 7200 RRSIG SOA 5 2 7200 20090107205708 ( - 20081228210640 11327 example.de. - KC6gXko+4iRmpofCb+uOs5e0Jgq4CJVUgsw3 - jjXDsra7FXWybJj9FgO5cdy2KHbV/cQJ5Li6 - bgH2E0gZpcYrvA== ) + 7200 RRSIG SOA 5 2 7200 20090713220611 ( + 20090703223359 55529 example.de. + rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu + +GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5 + hsQYk04gxowbNw== ) 7200 NS ns1.example.de. 7200 NS ns2.example.de. - 7200 RRSIG NS 5 2 7200 20090107205857 ( - 20081228210640 11327 example.de. - P5GvCnGqZ3+rGh4fZtGmYfezyI4swQXFVdtp - UkhR8SBDRgC9HQU5qZw7g7cbuO/CrRUWZLuf - NYgJvaeyoL8Khw== ) + 7200 RRSIG NS 5 2 7200 20090713221949 ( + 20090703223359 55529 example.de. + ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf + MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ + wwZVvOnfyye+Bg== ) 7200 NSEC localhost.example.de. NS SOA RRSIG NSEC DNSKEY - 7200 RRSIG NSEC 5 2 7200 20090107204400 ( - 20081228210640 11327 example.de. - cdjSIAQDouZldROWir7R4/k6xcwbvOUcOmNO - rkGROzjrQf3IdE7vCwxLj/KavLqK5OIhSztf - Xx9lY5RJWhhxQA== ) + 7200 RRSIG NSEC 5 2 7200 20090713221831 ( + 20090703223359 55529 example.de. + B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3 + MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA + Kbdednz3+3mpbw== ) 3600 DNSKEY 256 3 5 ( - BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchY - FYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9 - l2J92dAy8m4uofcdFkYKnQ== - ) ; key id = 11327 + BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq + EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB + k/zizzUe4+dbj+jORPirtQ== + ) ; key id = 55529 3600 DNSKEY 257 3 5 ( BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+ Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl 
@@ -48,77 +48,77 @@ example.de. 7200 IN SOA ns1.example.de. hostmaster.example.de. ( GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs K9bqDM8Euw== ) ; key id = 47280 - 3600 RRSIG DNSKEY 5 2 3600 20090107203935 ( - 20081228210640 47280 example.de. - Bk6rghHHe5smNETUq9iRY6JWr4gSZirMv6Pr - Sv6AuRNYbHz1K0ZMhQxdjkYbz7WidOtjtolm - lO2LGZreuNuU8vTbBNxJYTLHUDtncncuYQZR - htD5hsgGVyeYgEo5X+aIz0+NjrdJrkh3aDZd - k6FO0ga5+kmbg9My/C1vvnLgjWUaqjP3vnFB - 9mO5sb30X6qv3VT2d6A4DDqzCucYAphCSuSP - jw== ) - 3600 RRSIG DNSKEY 5 2 3600 20090107205931 ( - 20081228210640 11327 example.de. - EW0xShpQjjJnNl94XIe3SBqW/Ml2o5J5R5pf - pIp2NAVwE2lrBzukxjHQ+M4PPF2EtIUW9lF4 - AFrLMfn3ymVnCw== ) + 3600 RRSIG DNSKEY 5 2 3600 20090713222248 ( + 20090703223359 47280 example.de. + AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O + DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP + 372CkCbdapzMbTafjx90KpnPGNka2umUEoU+ + wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h + H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY + 9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp + sw== ) + 3600 RRSIG DNSKEY 5 2 3600 20090713222256 ( + 20090703223359 55529 example.de. + kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ + ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x + X32Vx3fHL2R7Cw== ) localhost.example.de. 7200 IN A 127.0.0.1 - 7200 RRSIG A 5 3 7200 20090107205407 ( - 20081228210640 11327 example.de. - WSfYUmVVSaPb9nKWyCzczQDcjqlY+QsUSFlx - FN7OuARdi5JHQ6b/z3y9zrsUJOhuqM1XiF7H - +Y9WEsWuNjmzmw== ) + 7200 RRSIG A 5 3 7200 20090713220920 ( + 20090703223359 55529 example.de. + hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z + 4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M + pmC47X42c1EHKg== ) 7200 NSEC ns1.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090107204235 ( - 20081228210640 11327 example.de. - URFD9Qy9xizej4LokkN8xqqGE4A4Fbe7S33O - vlUr1mw1Kx4zlzscUtGYAuMsHZgi/Rlyppib - XW+Fd3NHsYhisg== ) + 7200 RRSIG NSEC 5 3 7200 20090713222053 ( + 20090703223359 55529 example.de. + OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s + cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53 + wzfFHCmIuJZ5Fw== ) ns1.example.de. 
7200 IN A 1.0.0.5 - 7200 RRSIG A 5 3 7200 20090107204603 ( - 20081228210640 11327 example.de. - ZO17IgiAhdKtukAJEHIQyN+RqUHWOMvsDod8 - XAFuBfunAeul+LiSjupWQDOijQoOfa5uVMRT - 1wFhEqz//YgXkQ== ) + 7200 RRSIG A 5 3 7200 20090713221855 ( + 20090703223359 55529 example.de. + TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob + iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ + pwPbr9JcTJDMPA== ) 7200 AAAA 2001:db8::53 - 7200 RRSIG AAAA 5 3 7200 20090107204610 ( - 20081228210640 11327 example.de. - S4aYxgu/DoVFaM0xdQ7WhfMaPK5sPt4ksZXx - rsNKCpL1JdNP9S78H4Iy1RUJ0I9i1EAFiWOl - 0JhVSprPJJiOIg== ) + 7200 RRSIG AAAA 5 3 7200 20090713221023 ( + 20090703223359 55529 example.de. + meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z + ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X + F7Ncp5dAbBO2lQ== ) 7200 NSEC ns2.example.de. A AAAA RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090107210249 ( - 20081228210640 11327 example.de. - XVIz/mWN2RQ5mm20RYOytSl5Q7n9LNMenB6d - HpT1kaDLYSdPXd3ZlvBCNNMdNhMFmZTBxAxL - b0Mz8eoLdsy6Lg== ) + 7200 RRSIG NSEC 5 3 7200 20090713221918 ( + 20090703223359 55529 example.de. + B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9 + WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux + 6EVYdyJm4f+wlw== ) ns2.example.de. 7200 IN A 1.2.0.6 - 7200 RRSIG A 5 3 7200 20090107204524 ( - 20081228210640 11327 example.de. - fCtOEIQlgh4XDJTZdmh0MBBHOlXvvCR4L+bR - gKBOUUtzaeL+FuXo8zyrWKuOp6hXj8eOceEL - oZCrKrjJBbHrJA== ) + 7200 RRSIG A 5 3 7200 20090713221339 ( + 20090703223359 55529 example.de. + FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh + LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w + q9R3ZLNhVmMbyw== ) 7200 NSEC sub.example.de. A RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090107210617 ( - 20081228210640 11327 example.de. - R4s8H352jY7amgr0bNRmhW4oXD++1itgbk33 - OMDY3cbEEmZ+NonMRDkIOb4cTjDh4in9otMs - Cl2vNscx9VO9QQ== ) + 7200 RRSIG NSEC 5 3 7200 20090713221447 ( + 20090703223359 55529 example.de. + DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v + eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e + TTnmaF7c65FZvw== ) sub.example.de. 7200 IN NS ns1.example.de. 
- 7200 DS 56595 5 1 ( - 839C43F0267473F1335354384D91BFD70145 - AC01 ) - 7200 DS 56595 5 2 ( - 37F3AA854D2B7B2A9FAE3868EB37FFB08E1E - DE2E14AF4D259E6C46B027D5C5B7 ) - 7200 RRSIG DS 5 3 7200 20090107204420 ( - 20081228210640 11327 example.de. - ksOzuWcVDmEEipMetLHeNfWjhSiGizHN5qUL - H78iOQsu9/zGDuMlLt1ysY+B2vAASCl5jVTp - B5vr9CTvewcyAA== ) + 7200 DS 26451 5 1 ( + 317B8B00E2518957ED982C4872659A5E7F85 + 783E ) + 7200 DS 26451 5 2 ( + C5492796671C24EA74C30B39371E94AD1A3D + D2EA8977B4949B08422C16217B2A ) + 7200 RRSIG DS 5 3 7200 20090713222900 ( + 20090703223359 55529 example.de. + hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo + 0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq + pS69INoz+7pmeg== ) 7200 NSEC example.de. NS DS RRSIG NSEC - 7200 RRSIG NSEC 5 3 7200 20090107204025 ( - 20081228210640 11327 example.de. - pyIEOLCMXk7H4wDJ2IwJdoUxvm7UdDlHpsVR - gsgyogrsRb7xjnWQJ/lwHso+cmcGwvMoD/Qz - IjVpouYPkbRe3w== ) + 7200 RRSIG NSEC 5 3 7200 20090713220837 ( + 20090703223359 55529 example.de. + mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT + tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8 + TzIh0TVdyfiFyw== ) diff --git a/contrib/zkt/man/dnssec-signer.8 b/contrib/zkt/man/dnssec-signer.8 index 62ee1fcb..45c1d612 100644 --- a/contrib/zkt/man/dnssec-signer.8 +++ b/contrib/zkt/man/dnssec-signer.8 @@ -1,4 +1,4 @@ -.TH dnssec-signer 8 "December 28, 2008" "ZKT 0.98" "" +.TH dnssec-signer 8 "Aug 1, 2009" "ZKT 0.99b" "" \" turn off hyphenation .\" if n .nh .nh @@ -59,7 +59,7 @@ command is a wrapper around and .I dnssec-keygen(8) to sign a zone and manage the necessary zone keys. -It's able to increment the serial number before signing the zone +It is able to increment the serial number before signing the zone and can trigger .I named(8) to reload the signed zone file. 
@@ -82,10 +82,10 @@ All master zone statements will be scanned for filenames ending with ".signed". These zones will be checked if the necessary zone- and key signing keys are existent and fresh enough to be used in the signing process. -If some out-dated keys where found, new keying material will be generated via +If one or more out-dated keys are found, new keying material will be generated via the .I dnssec-keygen(8) -command and the old ones will be marked as depreciated. +command and the old keys will be marked as depreciated. So the command do anything needed for a zone key rollover as defined by [2]. .PP If the resigning interval is reached or any new key must be announced, @@ -99,14 +99,14 @@ is given, the command will be called to reload the zone on the nameserver. .PP -In the second form of the command it's possible to specify a directory +In the second form of the command it is possible to specify a directory tree with the option .B \-D .IR dir . Every secure zone found in a subdirectory below .I dir will be signed. -However, it's also possible to reduce the signing to those +However, it is also possible to reduce the signing to those zones given as arguments. In directory mode the pre-requisite is, that the directory name is exactly (including the trailing dot) the same as the zone name. @@ -115,7 +115,7 @@ In the last form of the command, the functionality is more or less the same as the .I dnssec-signzone (8) command. -The parameter specify the zone file name and the option +The parameter specifies the zone file name and the option .B \-o takes the name of the zone. .PP @@ -142,7 +142,7 @@ logfiles are created with a name like .fam T .\" \&. If the argument is not an absolute path name and a zone directory -is specified in the config file, this will prepend the given name. +is specified in the config file, this will be prepended to the given name. This option is also settable in the dnssec.conf file via the parameter .BI LogFile . .br 
@@ -170,7 +170,7 @@ to file and syslog. Try to read the default configuration out of a file named .I dnssec-<view>.conf . Instead of specifying the \-V or --view option every time, -it's also possible to create a hard or softlink to the +it is also possible to create a hard- or softlink to the executable file with an additional name like .I dnssec-zkt-<view> . .TP @@ -181,7 +181,7 @@ will be used. .TP .BI \-O " optstr" ", \-\-config-option=" optstr Set any config file option via the commandline. -Several config file options could be specified at the argument string +Several config file options can be specified via the argument string but have to be delimited by semicolon (or newline). .TP .BR \-f ", " \-\-force @@ -198,9 +198,9 @@ Currently this option is of very limited usage. Reload the zone via .I rndc(8) after successful signing. -In a production environment it's recommended to use this option +In a production environment it is recommended to use this option to be sure that a freshly signed zone will be immediately propagated. -However, that's only feasable if the named runs on the signing +However, that's only feasable if named runs on the signing machine, which is not recommended. Otherwise the signed zonefile must be copied to the production server before reloading the zone. @@ -261,7 +261,7 @@ files. .B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db .fam T .br -Sign the example.net zone but overwrite some config file values with the parameters +Sign the example.net zone but override some config file values with parameters given on the commandline. .SH Zone setup and initial preparation @@ -349,7 +349,7 @@ left justified in a field of at least 10 spaces! .fi .fam T .\} -If you use a BIND Verison of 9.4 or greater and +If you use BIND version 9.4 or later and use the unixtime format for the serial number (See parameter Serialformat in .IR dnssec.conf ) 
@@ -409,16 +409,14 @@ file (parameter .SH BUGS .PP -The zone name given as an argument must be ending with a dot. -.PP The named.conf parser is a bit rudimental and not very well tested. -.SH AUTHOR -Holger Zuleger +.SH AUTHORS +Holger Zuleger, Mans Nilsson .SH COPYRIGHT -Copyright (c) 2005 \- 2008 by Holger Zuleger. +Copyright (c) 2005 \- 2009 by Holger Zuleger. Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. .\"-------------------------------------------------- diff --git a/contrib/zkt/man/dnssec-signer.8.html b/contrib/zkt/man/dnssec-signer.8.html index a0c362d9..ffe6a74e 100644 --- a/contrib/zkt/man/dnssec-signer.8.html +++ b/contrib/zkt/man/dnssec-signer.8.html @@ -1,5 +1,5 @@ -<!-- Creator : groff version 1.19.2 --> -<!-- CreationDate: Sun Dec 28 23:15:25 2008 --> +<!-- Creator : groff version 1.20.1 --> +<!-- CreationDate: Tue Aug 4 21:33:41 2009 --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> @@ -8,16 +8,17 @@ <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> <meta name="Content-Style" content="text/css"> <style type="text/css"> - p { margin-top: 0; margin-bottom: 0; } - pre { margin-top: 0; margin-bottom: 0; } - table { margin-top: 0; margin-bottom: 0; } + p { margin-top: 0; margin-bottom: 0; vertical-align: top } + pre { margin-top: 0; margin-bottom: 0; vertical-align: top } + table { margin-top: 0; margin-bottom: 0; vertical-align: top } + h1 { text-align: center } </style> <title>dnssec-signer</title> </head> <body> -<h1 align=center>dnssec-signer</h1> +<h1 align="center">dnssec-signer</h1> <a href="#NAME">NAME</a><br> <a href="#SYNOPSYS">SYNOPSYS</a><br> 
@@ -28,22 +29,24 @@ <a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br> <a href="#FILES">FILES</a><br> <a href="#BUGS">BUGS</a><br> -<a href="#AUTHOR">AUTHOR</a><br> +<a href="#AUTHORS">AUTHORS</a><br> <a href="#COPYRIGHT">COPYRIGHT</a><br> <a href="#SEE ALSO">SEE ALSO</a><br> <hr> +<h2>NAME <a name="NAME"></a> -<h2>NAME</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">dnssec-signer — Secure DNS zone signing tool</p> +<h2>SYNOPSYS <a name="SYNOPSYS"></a> -<h2>SYNOPSYS</h2> +</h2> @@ -64,19 +67,20 @@ dnssec-signer</b> [<b>−L|--logfile</b> <i>file</i>] [<b>−v</b>]] <b>−o</b> <i>origin</i> [<i>zonefile</i>]</p> +<h2>DESCRIPTION <a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">The <i>dnssec-signer</i> command is a wrapper around <i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to -sign a zone and manage the necessary zone keys. It’s -able to increment the serial number before signing the zone -and can trigger <i>named(8)</i> to reload the signed zone -file. The command controls several secure zones and, if -started in regular intervals via <i>cron(8)</i>, can do all -that stuff automatically.</p> +sign a zone and manage the necessary zone keys. It is able +to increment the serial number before signing the zone and +can trigger <i>named(8)</i> to reload the signed zone file. +The command controls several secure zones and, if started in +regular intervals via <i>cron(8)</i>, can do all that stuff +automatically.</p> <p style="margin-left:11%; margin-top: 1em">In the most useful usage scenario the command will be called with option 
@@ -90,11 +94,12 @@ specify the name of the view. All master zone statements will be scanned for filenames ending with ".signed". These zones will be checked if the necessary zone- and key signing keys are existent and fresh -enough to be used in the signing process. If some out-dated -keys where found, new keying material will be generated via -the <i>dnssec-keygen(8)</i> command and the old ones will be -marked as depreciated. So the command do anything needed for -a zone key rollover as defined by [2].</p> +enough to be used in the signing process. If one or more +out-dated keys are found, new keying material will be +generated via the <i>dnssec-keygen(8)</i> command and the +old keys will be marked as depreciated. So the command do +anything needed for a zone key rollover as defined by +[2].</p> <p style="margin-left:11%; margin-top: 1em">If the resigning interval is reached or any new key must be 
@@ -105,19 +110,18 @@ given, the <i>rndc(8)</i> command will be called to reload the zone on the nameserver.</p> <p style="margin-left:11%; margin-top: 1em">In the second -form of the command it’s possible to specify a -directory tree with the option <b>−D</b> <i>dir</i>. -Every secure zone found in a subdirectory below <i>dir</i> -will be signed. However, it’s also possible to reduce -the signing to those zones given as arguments. In directory -mode the pre-requisite is, that the directory name is -exactly (including the trailing dot) the same as the zone -name.</p> +form of the command it is possible to specify a directory +tree with the option <b>−D</b> <i>dir</i>. Every +secure zone found in a subdirectory below <i>dir</i> will be +signed. However, it is also possible to reduce the signing +to those zones given as arguments. In directory mode the +pre-requisite is, that the directory name is exactly +(including the trailing dot) the same as the zone name.</p> <p style="margin-left:11%; margin-top: 1em">In the last form of the command, the functionality is more or less the same as the <i>dnssec-signzone (8)</i> command. The -parameter specify the zone file name and the option +parameter specifies the zone file name and the option <b>−o</b> takes the name of the zone.</p> <p style="margin-left:11%; margin-top: 1em">If neither @@ -126,8 +130,9 @@ given, then the default directory specified in the <i>dnssec.conf</i> file by the parameter <i>zonedir</i> will be used as top level directory.</p> +<h2>OPTIONS <a name="OPTIONS"></a> -<h2>OPTIONS</h2> +</h2> 
@@ -139,9 +144,10 @@ be used as top level directory.</p> or a directory where logfiles are created with a name like zkt-<i>YYYY-MM-DD</i>T<i>hhmmss</i>Z.log<i>.</i> If the argument is not an absolute path name and a zone directory -is specified in the config file, this will prepend the given -name. This option is also settable in the dnssec.conf file -via the parameter <b>LogFile</b><i>.</i> <br> +is specified in the config file, this will be prepended to +the given name. This option is also settable in the +dnssec.conf file via the parameter <b>LogFile</b><i>.</i> +<br> The default is no file logging, but error logging to syslog with facility <b>USER</b> at level <b>ERROR</b> is enabled by default. These parameters are settable via the config @@ -158,10 +164,9 @@ logged with level <b>DEBUG</b> to file and syslog.</p> <p style="margin-left:22%;">Try to read the default configuration out of a file named <i>dnssec-<view>.conf .</i> Instead of specifying the -−V or --view option every time, it’s also -possible to create a hard or softlink to the executable file -with an additional name like <i>dnssec-zkt-<view> -.</i></p> +−V or --view option every time, it is also possible to +create a hard- or softlink to the executable file with an +additional name like <i>dnssec-zkt-<view> .</i></p> <p style="margin-left:11%;"><b>−c</b> <i>file</i><b>, −−config=</b><i>file</i></p> @@ -175,9 +180,9 @@ read or build-in defaults will be used.</p> −−config-option=</b><i>optstr</i></p> <p style="margin-left:22%;">Set any config file option via -the commandline. Several config file options could be -specified at the argument string but have to be delimited by -semicolon (or newline).</p> +the commandline. Several config file options can be +specified via the argument string but have to be delimited +by semicolon (or newline).</p> <p style="margin-left:11%;"><b>−f</b>, <b>−−force</b></p> 
@@ -198,15 +203,14 @@ of very limited usage.</p> <p style="margin-left:22%;">Reload the zone via <i>rndc(8)</i> after successful signing. In a production -environment it’s recommended to use this option to be -sure that a freshly signed zone will be immediately -propagated. However, that’s only feasable if the named -runs on the signing machine, which is not recommended. -Otherwise the signed zonefile must be copied to the -production server before reloading the zone. If this is the -case, the parameter <i>propagation</i> in the -<i>dnssec.conf</i> file must be set to a reasonable -value.</p> +environment it is recommended to use this option to be sure +that a freshly signed zone will be immediately propagated. +However, that’s only feasable if named runs on the +signing machine, which is not recommended. Otherwise the +signed zonefile must be copied to the production server +before reloading the zone. If this is the case, the +parameter <i>propagation</i> in the <i>dnssec.conf</i> file +must be set to a reasonable value.</p> <p style="margin-left:11%;"><b>−v</b>, <b>−−verbose</b></p> @@ -219,8 +223,9 @@ second <b>−v</b> will be a little more verbose.</p> <p style="margin-left:22%;">Print out the online help.</p> +<h2>SAMPLE USAGE <a name="SAMPLE USAGE"></a> -<h2>SAMPLE USAGE</h2> +</h2> @@ -263,11 +268,12 @@ Sigvalidity 28h; \</b></p> <p style="margin-left:22%;"><b>ZSK_lifetime 2d;’ −v −v −o example.net. zone.db</b> <br> -Sign the example.net zone but overwrite some config file -values with the parameters given on the commandline.</p> +Sign the example.net zone but override some config file +values with parameters given on the commandline.</p> +<h2>Zone setup and initial preparation <a name="Zone setup and initial preparation"></a> -<h2>Zone setup and initial preparation</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">Create a 
@@ -322,10 +328,10 @@ SOA-Record</p> <p style="margin-left:22%;">For automatic incrementation of the serial number, the SOA-Record must be formated, so that the serial number is on a single line and left justified in -a field of at least 10 spaces! If you use a BIND Verison of -9.4 or greater and use the unixtime format for the serial -number (See parameter Serialformat in <i>dnssec.conf</i>) -than this is not necessary.</p> +a field of at least 10 spaces! If you use BIND version 9.4 +or later and use the unixtime format for the serial number +(See parameter Serialformat in <i>dnssec.conf</i>) than this +is not necessary.</p> <p style="margin-left:11%;">Try to sign the zone</p> @@ -338,8 +344,9 @@ $ dnssec-signer −o example.net. <br> to create the initial keying material and a signed zone file. Then try to load the file on the name server.</p> +<h2>ENVIRONMENT VARIABLES <a name="ENVIRONMENT VARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> +</h2> @@ -348,8 +355,9 @@ file. Then try to load the file on the name server.</p> <p style="margin-left:22%;">Specifies the name of the default global configuration files.</p> +<h2>FILES <a name="FILES"></a> -<h2>FILES</h2> +</h2> 
@@ -385,34 +393,35 @@ via the dnssec configuration file (parameter of the file is settable via the dnssec configuration file (parameter <i>zonefile</i>).</p> +<h2>BUGS <a name="BUGS"></a> -<h2>BUGS</h2> - +</h2> -<p style="margin-left:11%; margin-top: 1em">The zone name -given as an argument must be ending with a dot.</p> <p style="margin-left:11%; margin-top: 1em">The named.conf parser is a bit rudimental and not very well tested.</p> -<a name="AUTHOR"></a> -<h2>AUTHOR</h2> +<h2>AUTHORS +<a name="AUTHORS"></a> +</h2> -<p style="margin-left:11%; margin-top: 1em">Holger -Zuleger</p> +<p style="margin-left:11%; margin-top: 1em">Holger Zuleger, +Mans Nilsson</p> +<h2>COPYRIGHT <a name="COPYRIGHT"></a> -<h2>COPYRIGHT</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">Copyright (c) -2005 − 2008 by Holger Zuleger. Licensed under the BSD +2005 − 2009 by Holger Zuleger. Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</p> +<h2>SEE ALSO <a name="SEE ALSO"></a> -<h2>SEE ALSO</h2> +</h2> diff --git a/contrib/zkt/man/dnssec-signer.8.pdf b/contrib/zkt/man/dnssec-signer.8.pdf Binary files differnew file mode 100644 index 00000000..a9845652 --- /dev/null +++ b/contrib/zkt/man/dnssec-signer.8.pdf diff --git a/contrib/zkt/man/dnssec-zkt.8 b/contrib/zkt/man/dnssec-zkt.8 index fa824c22..790f59a2 100644 --- a/contrib/zkt/man/dnssec-zkt.8 +++ b/contrib/zkt/man/dnssec-zkt.8 @@ -1,4 +1,4 @@ -.TH dnssec-zkt 8 "December 28, 2008" "ZKT 0.98" "" +.TH dnssec-zkt 8 "August 1, 2009" "ZKT 0.99b" "" \" turn off hyphenation .\" if n .nh .nh 
@@ -206,7 +206,7 @@ to assist in dnssec zone key management. .PP In the common usage the command prints out information about all dnssec (zone) keys found in the given (or predefined default) directory. -It's also possible to specify keyfiles (K*.key) as arguments. +It is also possible to specify keyfiles (K*.key) as arguments. With option .B \-r subdirectories will be searched recursively, and all dnssec keys found @@ -219,7 +219,7 @@ Other forms of the command print out keys in a format suitable for a trusted-key section or as a DNSKEY resource record. .PP The command is also useful in dns key management. -It allows key livetime monitoring and status change. +It offers monitoring of key lifetime and modification of key status. .SH GENERAL OPTIONS .TP @@ -227,7 +227,7 @@ It allows key livetime monitoring and status change. Try to read the default configuration out of a file named .I dnssec-<view>.conf . Instead of specifying the \-V or --view option every time, -it's also possible to create a hard or softlink to the +it is also possible to create a hard or softlink to the executable file to give it an additional name like .I dnssec-zkt-<view> . .TP @@ -252,7 +252,7 @@ This will be useful in combination with wildcard arguments to prevent dnsssec-zkt to list all keys found in subdirectories. For example "dnssec-zkt -d *" will print out a list of all keys only found in the current directory. -Maybe it's easier to use "dnssec-zkt ." instead (without -r set). +Maybe it is easier to use "dnssec-zkt ." instead (without -r set). The option works similar to the \-d option of .IR ls(1) . .TP @@ -417,6 +417,7 @@ Depreciate the key with tag "12345" below the current directory, .TP .fam C .B "dnssec-zkt --view intern +.fam T Print out a list of all zone keys found below the directory where all the zones of view intern live. There should be a seperate dnssec config file 
@@ -429,8 +430,11 @@ with a directory option to take affect of this. Same as above. The binary file .I dnssec-zkt -have linked to -.I dnssec-zkt-intern . +has another link, named +.I dnssec-zkt-intern +made, and +.I dnssec-zkt +examines argv[0] to find a view whose zones it proceeds to process. .SH ENVIRONMENT VARIABLES .TP @@ -462,8 +466,8 @@ and the ksk rollover options insist on domain names ending with a dot. .PP -.SH AUTHOR -Holger Zuleger +.SH AUTHORS +Holger Zuleger, Mans Nilsson .SH COPYRIGHT Copyright (c) 2005 \- 2008 by Holger Zuleger. diff --git a/contrib/zkt/man/dnssec-zkt.8.html b/contrib/zkt/man/dnssec-zkt.8.html index 9bab81f6..3c53d04c 100644 --- a/contrib/zkt/man/dnssec-zkt.8.html +++ b/contrib/zkt/man/dnssec-zkt.8.html @@ -1,5 +1,5 @@ -<!-- Creator : groff version 1.19.2 --> -<!-- CreationDate: Sun Dec 28 23:15:24 2008 --> +<!-- Creator : groff version 1.20.1 --> +<!-- CreationDate: Tue Aug 4 21:33:40 2009 --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> @@ -8,16 +8,17 @@ <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> <meta name="Content-Style" content="text/css"> <style type="text/css"> - p { margin-top: 0; margin-bottom: 0; } - pre { margin-top: 0; margin-bottom: 0; } - table { margin-top: 0; margin-bottom: 0; } + p { margin-top: 0; margin-bottom: 0; vertical-align: top } + pre { margin-top: 0; margin-bottom: 0; vertical-align: top } + table { margin-top: 0; margin-bottom: 0; vertical-align: top } + h1 { text-align: center } </style> <title>dnssec-zkt</title> </head> <body> -<h1 align=center>dnssec-zkt</h1> +<h1 align="center">dnssec-zkt</h1> <a href="#NAME">NAME</a><br> <a href="#SYNOPSYS">SYNOPSYS</a><br> 
@@ -28,22 +29,24 @@ <a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br> <a href="#FILES">FILES</a><br> <a href="#BUGS">BUGS</a><br> -<a href="#AUTHOR">AUTHOR</a><br> +<a href="#AUTHORS">AUTHORS</a><br> <a href="#COPYRIGHT">COPYRIGHT</a><br> <a href="#SEE ALSO">SEE ALSO</a><br> <hr> +<h2>NAME <a name="NAME"></a> -<h2>NAME</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">dnssec-zkt — Secure DNS zone key tool</p> +<h2>SYNOPSYS <a name="SYNOPSYS"></a> -<h2>SYNOPSYS</h2> +</h2> @@ -135,8 +138,9 @@ dnssec-zkt −0 | −−ksk-roll-stat</b> <i>do.ma.in.</i> [<b>−V|--view</b> <i>view</i>] [<b>−c</b> <i>file</i>]</p> +<h2>DESCRIPTION <a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">The 
@@ -147,24 +151,25 @@ management.</p> <p style="margin-left:11%; margin-top: 1em">In the common usage the command prints out information about all dnssec (zone) keys found in the given (or predefined default) -directory. It’s also possible to specify keyfiles -(K*.key) as arguments. With option <b>−r</b> -subdirectories will be searched recursively, and all dnssec -keys found will be listed sorted by domain name, key type -and generation time. In that mode the use of the -<b>−p</b> option may be helpful to find the location -of the keyfile in the directory tree.</p> +directory. It is also possible to specify keyfiles (K*.key) +as arguments. With option <b>−r</b> subdirectories +will be searched recursively, and all dnssec keys found will +be listed sorted by domain name, key type and generation +time. In that mode the use of the <b>−p</b> option may +be helpful to find the location of the keyfile in the +directory tree.</p> <p style="margin-left:11%; margin-top: 1em">Other forms of the command print out keys in a format suitable for a trusted-key section or as a DNSKEY resource record.</p> <p style="margin-left:11%; margin-top: 1em">The command is -also useful in dns key management. It allows key livetime -monitoring and status change.</p> +also useful in dns key management. It offers monitoring of +key lifetime and modification of key status.</p> +<h2>GENERAL OPTIONS <a name="GENERAL OPTIONS"></a> -<h2>GENERAL OPTIONS</h2> +</h2> 
@@ -174,10 +179,9 @@ monitoring and status change.</p> <p style="margin-left:22%;">Try to read the default configuration out of a file named <i>dnssec-<view>.conf .</i> Instead of specifying the -−V or --view option every time, it’s also -possible to create a hard or softlink to the executable file -to give it an additional name like -<i>dnssec-zkt-<view> .</i></p> +−V or --view option every time, it is also possible to +create a hard or softlink to the executable file to give it +an additional name like <i>dnssec-zkt-<view> .</i></p> <p style="margin-left:11%;"><b>−c</b> <i>file</i><b>, −−config=</b><i>file</i></p> @@ -209,7 +213,7 @@ will be useful in combination with wildcard arguments to prevent dnsssec-zkt to list all keys found in subdirectories. For example "dnssec-zkt -d *" will print out a list of all keys only found in the current -directory. Maybe it’s easier to use "dnssec-zkt +directory. Maybe it is easier to use "dnssec-zkt ." instead (without -r set). The option works similar to the −d option of <i>ls(1)</i>.</p> @@ -281,25 +285,25 @@ time.</p> Also settable in the dnssec.conf file (Parameter: PrintTime).</p> -<table width="100%" border=0 rules="none" frame="void" +<table width="100%" border="0" rules="none" frame="void" cellspacing="0" cellpadding="0"> <tr valign="top" align="left"> <td width="11%"></td> <td width="3%"> - -<p style="margin-top: 1em" valign="top"><b>−h</b></p> </td> +<p><b>−h</b></p></td> <td width="8%"></td> <td width="78%"> -<p style="margin-top: 1em" valign="top">No header or -trusted-key section header and trailer in -T mode</p></td> +<p>No header or trusted-key section header and trailer in +-T mode</p></td></tr> </table> +<h2>COMMAND OPTIONS <a name="COMMAND OPTIONS"></a> -<h2>COMMAND OPTIONS</h2> +</h2> 
@@ -398,8 +402,9 @@ in experimental status and is mainly for the use in an hierachical environment. Use --ksk-rollover for a little more detailed description.</p> +<h2>SAMPLE USAGE <a name="SAMPLE USAGE"></a> -<h2>SAMPLE USAGE</h2> +</h2> <p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt @@ -447,11 +452,14 @@ affect of this.</p> <p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p> <p style="margin-left:22%;">Same as above. The binary file -<i>dnssec-zkt</i> have linked to <i>dnssec-zkt-intern -.</i></p> +<i>dnssec-zkt</i> has another link, named +<i>dnssec-zkt-intern</i> made, and <i>dnssec-zkt</i> +examines argv[0] to find a view whose zones it proceeds to +process.</p> +<h2>ENVIRONMENT VARIABLES <a name="ENVIRONMENT VARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> +</h2> @@ -460,8 +468,9 @@ affect of this.</p> <p style="margin-left:22%;">Specifies the name of the default global configuration files.</p> +<h2>FILES <a name="FILES"></a> -<h2>FILES</h2> +</h2> @@ -483,8 +492,9 @@ configuration file.</p> <p style="margin-left:22%;">Local configuration file (only used in <b>−C</b> mode).</p> +<h2>BUGS <a name="BUGS"></a> -<h2>BUGS</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">Some of the @@ -493,15 +503,17 @@ modes. <br> The option <b>−l</b> and the ksk rollover options insist on domain names ending with a dot.</p> -<a name="AUTHOR"></a> -<h2>AUTHOR</h2> +<h2>AUTHORS +<a name="AUTHORS"></a> +</h2> -<p style="margin-left:11%; margin-top: 1em">Holger -Zuleger</p> +<p style="margin-left:11%; margin-top: 1em">Holger Zuleger, +Mans Nilsson</p> +<h2>COPYRIGHT <a name="COPYRIGHT"></a> -<h2>COPYRIGHT</h2> +</h2> <p style="margin-left:11%; margin-top: 1em">Copyright (c) @@ -509,8 +521,9 @@ Zuleger</p> Licences. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</p> +<h2>SEE ALSO <a name="SEE ALSO"></a> -<h2>SEE ALSO</h2> +</h2> 
diff --git a/contrib/zkt/man/dnssec-zkt.8.pdf b/contrib/zkt/man/dnssec-zkt.8.pdf Binary files differnew file mode 100644 index 00000000..4e882976 --- /dev/null +++ b/contrib/zkt/man/dnssec-zkt.8.pdf diff --git a/contrib/zkt/misc.c b/contrib/zkt/misc.c index c073c980..a7c90308 100644 --- a/contrib/zkt/misc.c +++ b/contrib/zkt/misc.c @@ -61,14 +61,10 @@ extern const char *progname; -static int inc_soa_serial (FILE *fp, int use_unixtime); -static int is_soa_rr (const char *line); -static const char *strfindstr (const char *str, const char *search); - /***************************************************************** ** getnameappendix (progname, basename) ** return a pointer to the substring in progname subsequent -** following basename "-". +** following "<basename>-". *****************************************************************/ const char *getnameappendix (const char *progname, const char *basename) { @@ -124,7 +120,6 @@ const char *getdefconfname (const char *view) return buf; } -#if 1 /***************************************************************** ** domain_canonicdup (s) ** returns NULL or a pointer to a dynamic string containing the @@ -157,7 +152,7 @@ char *domain_canonicdup (const char *s) return new; } -#else +#if 0 /* replaced by domain_canonicdup */ /***************************************************************** ** str_tolowerdup (s) *****************************************************************/ @@ -186,8 +181,8 @@ char *str_delspace (char *s) char *start; char *p; - if ( !s ) /* is there a string ? */ - return s; + if ( !s ) /* no string present ? */ + return NULL; start = s; for ( p = s; *p; p++ ) 
@@ -312,14 +307,18 @@ void parseurl (char *url, char **proto, char **host, char **port, char **para) } /***************************************************************** -** splitpath (path, size, filename) +** splitpath (path, pathsize, filename) +** if filename is build of "path/file" then copy filename to path +** and split of the filename part. +** return pointer to filename part in path or NULL if path is too +** small to hold "path+filename" *****************************************************************/ -const char *splitpath (char *path, size_t size, const char *filename) +const char *splitpath (char *path, size_t psize, const char *filename) { char *p; if ( !path ) - return filename; + return NULL; *path = '\0'; if ( !filename ) @@ -327,11 +326,11 @@ const char *splitpath (char *path, size_t size, const char *filename) if ( (p = strrchr (filename, '/')) ) /* file arg contains path ? */ { - if ( strlen (filename) > size ) + if ( strlen (filename) + 1 > psize ) return filename; - strcpy (path, filename); - path[p-filename] = '\0'; + strcpy (path, filename); /* copy whole filename to path */ + path[p-filename] = '\0'; /* split of the file part */ filename = ++p; } return filename; @@ -433,11 +432,11 @@ int is_keyfilename (const char *name) } /***************************************************************** -** is_dotfile (name) +** is_dotfilename (name) ** Check if the given pathname 'name' looks like "." or "..". ** Returns 0 | 1 *****************************************************************/ -int is_dotfile (const char *name) +int is_dotfilename (const char *name) { if ( name && ( (name[0] == '.' && name[1] == '\0') || 
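Review bot: The new header comment for splitpath promises NULL when path is too small, but the body in the second hunk still does `if ( strlen (filename) + 1 > psize ) return filename;`, so a caller cannot distinguish "no directory part" from "buffer too small", and `*path` is empty in both cases. Either change that line to `return NULL;` so it agrees with the comment and with the new `if ( !path ) return NULL;`, or fix the comment to state that the unsplit filename is returned on overflow; the callers are outside the hunk. The `+ 1` added to the length test is correct, since the terminator written by strcpy was not counted before.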
@@ -792,22 +791,23 @@ time_t timestr2time (const char *timestr) t.tm_mon -= 1; t.tm_isdst = 0; -#if defined(HAS_TIMEGM) && HAS_TIMEGM +#if defined(HAVE_TIMEGM) && HAVE_TIMEGM sec = timegm (&t); #else { - time_t ret; - char *tz; + char tzstr[31+1]; + char *tz; tz = getenv("TZ"); - // setenv("TZ", "", 1); - setenv("TZ", "UTC", 1); + snprintf (tzstr, sizeof (tzstr), "TZ=%s", "UTC"); + putenv (tzstr); tzset(); sec = mktime(&t); if (tz) - setenv("TZ", tz, 1); + snprintf (tzstr, sizeof (tzstr), "TZ=%s", tz); else - unsetenv("TZ"); + snprintf (tzstr, sizeof (tzstr), "TZ=%s", ""); + putenv (tzstr); tzset(); } #endif 
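Review bot: `putenv (tzstr)` stores the address of the local array tzstr in environ (putenv does not copy), so once timestr2time returns the TZ entry points into a dead stack frame and the next `getenv ("TZ")` or `tzset ()` reads garbage; the removed setenv/unsetenv calls copied the value. The restore path also differs from before: when TZ was unset it now installs `TZ=` (empty) instead of unsetting it, and a value longer than 31 characters (zoneinfo paths frequently are) is silently truncated by snprintf and left truncated in the environment. Prefer restoring `setenv ("TZ", "UTC", 1)`, `setenv ("TZ", tz, 1)` and `unsetenv ("TZ")`; if putenv is needed for portability, tzstr must be `static` (or heap-allocated), sized for the longest expected value, and the unset case handled with unsetenv. The body of timestr2time continues outside the hunk.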
@@ -986,215 +986,41 @@ time_t stop_timer (time_t start) return stop - start; } + /**************************************************************** ** -** int inc_serial (filename, use_unixtime) -** -** This function depends on a special syntax formating the -** SOA record in the zone file!! +** int gensalt (saltstr, sizeofstalstr, bits) ** -** To match the SOA record, the SOA RR must be formatted -** like this: -** @ [ttl] IN SOA <master.fq.dn.> <hostmaster.fq.dn.> ( -** <SPACEes or TABs> 1234567890; serial number -** <SPACEes or TABs> 86400 ; other values -** ... -** The space from the first digit of the serial number to -** the first none white space char or to the end of the line -** must be at least 10 characters! -** So you have to left justify the serial number in a field -** of at least 10 characters like this: -** <SPACEes or TABs> 1 ; Serial +** generate a random hexstring of 'bits' salt and store it +** in saltstr. return 1 on success, otherwise 0. ** -****************************************************************/ -int inc_serial (const char *fname, int use_unixtime) -{ - FILE *fp; - char buf[4095+1]; - int error; - - /** - since BIND 9.4, there is a dnssec-signzone option available for - serial number increment. - If the user request "unixtime" than use this mechanism - **/ -#if defined(BIND_VERSION) && BIND_VERSION >= 940 - if ( use_unixtime ) - return 0; -#endif - if ( (fp = fopen (fname, "r+")) == NULL ) - return -1; - - /* read until the line matches the beginning of a soa record ... */ - while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) ) - ; - - if ( feof (fp) ) - { - fclose (fp); - return -2; - } - - error = inc_soa_serial (fp, use_unixtime); /* .. inc soa serial no ... 
*/ - - if ( fclose (fp) != 0 ) - return -5; - return error; -} - -/***************************************************************** -** check if line is the beginning of a SOA RR record, thus -** containing the string "IN .* SOA" and ends with a '(' -** returns 1 if true *****************************************************************/ -static int is_soa_rr (const char *line) +int gensalt (char *salt, size_t saltsize, int saltbits) { - const char *p; - - assert ( line != NULL ); - - if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */ - { - p = line + strlen (line) - 1; - while ( p > line && isspace (*p) ) - p--; - if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */ - return 1; - } - - return 0; -} + static char hexstr[] = "0123456789ABCDEF"; + static int seed = 0; + int saltlen = 0; /* current length of salt in hex nibbles */ + int i; + int hex; -/***************************************************************** -** Find string 'search' in 'str' and ignore case in comparison. -** returns the position of 'search' in 'str' or NULL if not found. 
-*****************************************************************/ -static const char *strfindstr (const char *str, const char *search) -{ - const char *p; - int c; - - assert ( str != NULL ); - assert ( search != NULL ); - - c = tolower (*search); - p = str; - do { - while ( *p && tolower (*p) != c ) - p++; - if ( strncasecmp (p, search, strlen (search)) == 0 ) - return p; - p++; - } while ( *p ); + if ( seed == 0 ) + srandom (seed = (unsigned int)time (NULL)); - return NULL; -} - -/***************************************************************** -** return the serial number of the current day in the form -** of YYYYmmdd00 -*****************************************************************/ -static ulong today_serialtime () -{ - struct tm *t; - ulong serialtime; - time_t now; - - now = time (NULL); - t = gmtime (&now); - serialtime = (t->tm_year + 1900) * 10000; - serialtime += (t->tm_mon+1) * 100; - serialtime += t->tm_mday; - serialtime *= 100; - - return serialtime; -} + saltlen = saltbits / 4; + if ( saltlen+1 > saltsize ) + return 0; -/***************************************************************** -** inc_soa_serial (fp, use_unixtime) -** increment the soa serial number of the file 'fp' -** 'fp' must be opened "r+" -*****************************************************************/ -static int inc_soa_serial (FILE *fp, int use_unixtime) -{ - int c; - long pos, eos; - ulong serial; - int digits; - ulong today; - - /* move forward until any non ws reached */ - while ( (c = getc (fp)) != EOF && isspace (c) ) - ; - ungetc (c, fp); /* push back the last char */ - - pos = ftell (fp); /* mark position */ - - serial = 0L; /* read in the current serial number */ - /* be aware of the trailing space in the format string !! */ - if ( fscanf (fp, "%lu ", &serial) != 1 ) /* try to get serial no */ - return -3; - eos = ftell (fp); /* mark first non digit/ws character pos */ - - digits = eos - pos; - if ( digits < 10 ) /* not enough space for serial no ? 
*/ - return -4; - - if ( use_unixtime ) - today = time (NULL); - else + for ( i = 0; i < saltlen; i++ ) { - today = today_serialtime (); /* YYYYmmdd00 */ - if ( serial > 1970010100L && serial < today ) - serial = today; /* set to current time */ - serial++; /* increment anyway */ + hex = random () % 16; + assert ( hex >= 0 && hex < 16 ); + salt[i] = hexstr[hex]; } + salt[i] = '\0'; - fseek (fp, pos, SEEK_SET); /* go back to the beginning */ - fprintf (fp, "%-*lu", digits, serial); /* write as many chars as before */ - - return 1; /* yep! */ -} - -/***************************************************************** -** return the error text of the inc_serial return coode -*****************************************************************/ -const char *inc_errstr (int err) -{ - switch ( err ) - { - case -1: return "couldn't open zone file for modifying"; - case -2: return "unexpected end of file"; - case -3: return "no serial number found in zone file"; - case -4: return "not enough space left for serialno"; - case -5: return "error on closing zone file"; - } - return ""; + return 1; } -#ifdef SOA_TEST -const char *progname; -main (int argc, char *argv[]) -{ - ulong now; - int err; - char cmd[255]; - - progname = *argv; - - now = today_serialtime (); - printf ("now = %lu\n", now); - - if ( (err = inc_serial (argv[1], 0)) <= 0 ) - { - error ("can't change serial errno=%d\n", err); - exit (1); - } - - snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]); - system (cmd); -} -#endif #ifdef COPYZONE_TEST const char *progname; diff --git a/contrib/zkt/misc.h b/contrib/zkt/misc.h index c9c55171..11028d47 100644 --- a/contrib/zkt/misc.h +++ b/contrib/zkt/misc.h 
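Review bot: In gensalt the test `if ( saltlen+1 > saltsize )` compares an int with a size_t; for small negative saltbits (e.g. -4, giving saltlen -1) the left side is 0, the test passes, the loop does not run and the function returns 1 with an empty salt, while larger negative values are only rejected because the conversion to unsigned happens to produce a huge number. Add an explicit range check, `if ( saltbits < 0 || (size_t)saltlen + 1 > saltsize ) return 0;`, and document that bits not a multiple of four are rounded down. The generator is seeded once from time(NULL); as the NSEC3 salt is published in the zone its predictability is not a secrecy issue, but two processes started in the same second walk the same random() sequence, which deserves a comment in the header. The header comment also has a typo, `sizeofstalstr` for `sizeofsaltstr`.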
@@ -79,10 +79,9 @@ extern void fatal (char *fmt, ...); extern void logmesg (char *fmt, ...); extern void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...); extern void logflush (void); -extern int inc_serial (const char *fname, int use_unixtime); -extern const char *inc_errstr (int err); +extern int gensalt (char *salt, size_t saltsize, int saltbits); extern char *str_untaint (char *str); extern char *str_chop (char *str, char c); -extern int is_dotfile (const char *name); +extern int is_dotfilename (const char *name); extern void parseurl (char *url, char **proto, char **host, char **port, char **para); #endif diff --git a/contrib/zkt/ncparse.c b/contrib/zkt/ncparse.c index e67f4b0a..159e5ab8 100644 --- a/contrib/zkt/ncparse.c +++ b/contrib/zkt/ncparse.c @@ -186,14 +186,14 @@ static int gettok (FILE *fp, char *val, size_t valsize) /***************************************************************** ** -** parse_namedconf (const char *filename, int (*func) ()) +** parse_namedconf (const char *filename, chroot_dir, dir, dirsize, int (*func) ()) ** ** Very dumb named.conf parser. ** - In a zone declaration the _first_ keyword MUST be "type" ** - For every master zone "func (directory, zone, filename)" will be called ** *****************************************************************/ -int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ()) +int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ()) { FILE *fp; int tok; 
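Review bot: The updated header comment of parse_namedconf lists the new chroot_dir parameter but does not say what it does; from the following hunk it is prepended once to the first directory statement, so a line such as `** chroot_dir: if non-NULL and not empty, prepended once to the first "directory" statement found (for a chrooted named)` would make the contract visible. The callback is still declared as the unprototyped `int (*func) ()`, so the compiler cannot check the `(directory, zone, filename)` call mentioned in the comment; a full prototype would be safer. The function body continues in the next hunks.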
@@ -234,7 +234,15 @@ int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func snprintf (path, sizeof (path), "%s/%s", dir, strval); else snprintf (path, sizeof (path), "%s", strval); - snprintf (dir, dirsize, "%s", path); + + /* prepend chroot directory (do it only once) */ + if ( chroot_dir && *chroot_dir ) + { + snprintf (dir, dirsize, "%s%s%s", chroot_dir, *path == '/' ? "": "/", path); + chroot_dir = NULL; + } + else + snprintf (dir, dirsize, "%s", path); dbg_val ("parse_namedconf: new dir \"%s\" \n", dir); } } @@ -246,7 +254,7 @@ int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func snprintf (path, sizeof (path), "%s/%s", dir, strval); else snprintf (path, sizeof (path), "%s", strval); - if ( !parse_namedconf (path, dir, dirsize, func) ) + if ( !parse_namedconf (path, chroot_dir, dir, dirsize, func) ) return 0; } else @@ -310,8 +318,8 @@ main (int argc, char *argv[]) directory[0] = '\0'; if ( --argc == 0 ) - parse_namedconf ("/var/named/named.conf", directory, sizeof (directory), printzone); + parse_namedconf ("/var/named/named.conf", NULL, directory, sizeof (directory), printzone); else - parse_namedconf (argv[1], directory, sizeof (directory), printzone); + parse_namedconf (argv[1], NULL, directory, sizeof (directory), printzone); } #endif diff --git a/contrib/zkt/ncparse.h b/contrib/zkt/ncparse.h index 4383c634..35d571dd 100644 --- a/contrib/zkt/ncparse.h +++ b/contrib/zkt/ncparse.h @@ -37,5 +37,5 @@ #ifndef NCPARSE_H # define NCPARSE_H -extern int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ()); +extern int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ()); #endif diff --git a/contrib/zkt/nscomm.c b/contrib/zkt/nscomm.c new file mode 100644 index 00000000..244035a3 --- /dev/null +++ b/contrib/zkt/nscomm.c 
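Review bot: The `chroot_dir = NULL;` that implements "do it only once" clears only the current call frame's parameter, and the recursive call in the next hunk passes the caller's chroot_dir, which is still set if an include file is parsed before the outer file has seen its own directory statement; a later relative `directory` in the outer file is then built as `dir/strval` from an already chroot-prefixed dir and prefixed again. If that ordering can occur in real named.conf files, a flag shared across the recursion, or a check that dir does not already start with chroot_dir, would be safer; I cannot see the rest of parse_namedconf, whose beginning is in the previous hunk. The snprintf results into dir are also not checked for truncation, so an over-long chroot plus directory silently yields a wrong path.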
@@ -0,0 +1,203 @@ +/***************************************************************** +** +** @(#) nscomm.c (c) 2005 - 2009 Holger Zuleger hznet.de +** +** Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved. +** +** This software is open source. +** +** Redistribution and use in source and binary forms, with or without +** modification, are permitted provided that the following conditions +** are met: +** +** Redistributions of source code must retain the above copyright notice, +** this list of conditions and the following disclaimer. +** +** Redistributions in binary form must reproduce the above copyright notice, +** this list of conditions and the following disclaimer in the documentation +** and/or other materials provided with the distribution. +** +** Neither the name of Holger Zuleger HZnet nor the names of its contributors may +** be used to endorse or promote products derived from this software without +** specific prior written permission. +** +** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE +** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +** POSSIBILITY OF SUCH DAMAGE. 
+** +*****************************************************************/ +# include <stdio.h> + +#ifdef HAVE_CONFIG_H +# include <config.h> +#endif + +#include "config_zkt.h" +#include "zconf.h" +#define extern +#include "nscomm.h" +#undef extern + + +/***************************************************************** +** dyn_update_freeze () +*****************************************************************/ +int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze) +{ + char cmdline[254+1]; + char str[254+1]; + char *action; + FILE *fp; + + assert (z != NULL); + if ( freeze ) + action = "freeze"; + else + action = "thaw"; + + if ( z->view ) + snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view); + else + snprintf (str, sizeof (str), "\"%s\"", domain); + + lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action); + verbmesg (1, z, "\t%s dynamic zone %s\n", action, str); + + if ( z->view ) + snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view); + else + snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain); + + verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline); + *str = '\0'; + if ( z->noexec == 0 ) + { + if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) + return -1; + pclose (fp); + } + + verbmesg (2, z, "\t rndc %s return: \"%s\"\n", action, str_chop (str, '\n')); + + return 0; +} + +/***************************************************************** +** distribute and reload a zone via "distribute_command" +*****************************************************************/ +int dist_and_reload (const zone_t *zp) +{ + char path[MAX_PATHSIZE+1]; + char cmdline[254+1]; + char zone[254+1]; + char str[254+1]; + FILE *fp; + + assert (zp != NULL); + assert (zp->conf->dist_cmd != NULL); + + if ( !is_exec_ok (zp->conf->dist_cmd) ) + { + char *mesg; + + if ( getuid () == 0 ) + mesg = "\tDistribution command %s not run as root\n"; + else + mesg = 
"\tDistribution command %s not run due to strange file mode settings\n"; + + verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd); + lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd); + + return -1; + } + + if ( zp->conf->view ) + snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view); + else + snprintf (zone, sizeof (zone), "\"%s\"", zp->zone); + + + pathname (path, sizeof (path), zp->dir, zp->sfile, NULL); + + lg_mesg (LG_NOTICE, "%s: distribution triggered", zone); + verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone); + if ( zp->conf->view ) + snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view); + else + snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path); + + *str = '\0'; + if ( zp->conf->noexec == 0 ) + { + verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline); + if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) + return -2; + pclose (fp); + verbmesg (2, zp->conf, "\t %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n')); + } + + + lg_mesg (LG_NOTICE, "%s: reload triggered", zone); + verbmesg (1, zp->conf, "\tReload zone %s\n", zone); + if ( zp->conf->view ) + snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view); + else + snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path); + + *str = '\0'; + if ( zp->conf->noexec == 0 ) + { + verbmesg (2, zp->conf, "\t Run cmd \"%s\"\n", cmdline); + if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) + return -2; + pclose (fp); + verbmesg (2, zp->conf, "\t %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n')); + } + + return 0; +} + +/***************************************************************** +** reload a zone via "rndc" 
+*****************************************************************/ +int reload_zone (const char *domain, const zconf_t *z) +{ + char cmdline[254+1]; + char str[254+1]; + FILE *fp; + + assert (z != NULL); + dbg_val3 ("reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view); + if ( z->view ) + snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view); + else + snprintf (str, sizeof (str), "\"%s\"", domain); + + lg_mesg (LG_NOTICE, "%s: reload triggered", str); + verbmesg (1, z, "\tReload zone %s\n", str); + + if ( z->view ) + snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view); + else + snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain); + + *str = '\0'; + if ( z->noexec == 0 ) + { + verbmesg (2, z, "\t Run cmd \"%s\"\n", cmdline); + if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) + return -1; + pclose (fp); + verbmesg (2, z, "\t rndc reload return: \"%s\"\n", str_chop (str, '\n')); + } + + return 0; +} diff --git a/contrib/zkt/nscomm.h b/contrib/zkt/nscomm.h new file mode 100644 index 00000000..c4621dce --- /dev/null +++ b/contrib/zkt/nscomm.h 
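Review bot: In all three functions the exec block `if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL ) return -1;` leaks the pipe and never reaps the child when popen succeeds but the command prints nothing, since pclose is skipped, and it reports that silent case as a failure; on the success path the pclose return value, which carries the command's exit status, is discarded. Separate the two conditions, always pclose, and derive the result from the exit status (WIFEXITED/WEXITSTATUS come from <sys/wait.h>); dist_and_reload and reload_zone need the same shape with their own return codes. Separately, domain, view and the zone file path are interpolated unquoted into a command line that popen hands to /bin/sh, so a zone name or directory containing shell metacharacters changes the command; is_exec_ok vets the dist_cmd binary only, not its arguments, and a fork/execv with an explicit argv would avoid the shell entirely. The snprintf calls into the 255-byte cmdline buffers are also not checked for truncation.
```c
	*str = '\0';
	if ( z->noexec == 0 )
	{
		int	status;

		if ( (fp = popen (cmdline, "r")) == NULL )
			return -1;
		if ( fgets (str, sizeof str, fp) == NULL )	/* no output is not an error by itself */
			*str = '\0';
		status = pclose (fp);
		if ( status == -1 || !WIFEXITED (status) || WEXITSTATUS (status) != 0 )
			return -1;
	}
	/* … unchanged: verbmesg of the rndc result, return 0 … */
```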
@@ -0,0 +1,52 @@ +/***************************************************************** +** +** @(#) nscomm.h (c) 2005 - 2009 Holger Zuleger hznet.de +** +** Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved. +** +** This software is open source. +** +** Redistribution and use in source and binary forms, with or without +** modification, are permitted provided that the following conditions +** are met: +** +** Redistributions of source code must retain the above copyright notice, +** this list of conditions and the following disclaimer. +** +** Redistributions in binary form must reproduce the above copyright notice, +** this list of conditions and the following disclaimer in the documentation +** and/or other materials provided with the distribution. +** +** Neither the name of Holger Zuleger HZnet nor the names of its contributors may +** be used to endorse or promote products derived from this software without +** specific prior written permission. +** +** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE +** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +** POSSIBILITY OF SUCH DAMAGE. 
+** +*****************************************************************/ +#ifndef NSCOMM_H +# include <assert.h> +# include <unistd.h> +# include <sys/types.h> + +# include "zconf.h" +# include "zone.h" +# include "log.h" +# include "misc.h" +# include "debug.h" +# define NSCOMM_H + +extern int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze); +extern int reload_zone (const char *domain, const zconf_t *z); +extern int dist_and_reload (const zone_t *zp); +#endif diff --git a/contrib/zkt/rollover.c b/contrib/zkt/rollover.c index e2b754fb..104ef45b 100644 --- a/contrib/zkt/rollover.c +++ b/contrib/zkt/rollover.c @@ -72,7 +72,24 @@ static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ks if ( ksk ) dkp = dki_new (dir, domain, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC); else - dkp = dki_new (dir, domain, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC); + dkp = dki_new (dir, domain, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC); + dki_add (listp, dkp); + dki_setstatus (dkp, status); + + return dkp; +} + +static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status) +{ + dki_t *dkp; + + if ( listp == NULL || domain == NULL ) + return NULL; + + if ( ksk ) + dkp = dki_new (dir, domain, DKI_KSK, conf->k2_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC); + else + dkp = dki_new (dir, domain, DKI_ZSK, conf->k2_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC); dki_add (listp, dkp); dki_setstatus (dkp, status); 
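Review bot: The include guard macro is defined only after the includes (`# define NSCOMM_H` follows the `# include` block), so if zconf.h, zone.h, log.h, misc.h or debug.h ever includes nscomm.h back the guard does not stop the recursion; the usual form is `#ifndef NSCOMM_H` immediately followed by `# define NSCOMM_H`. Because nscomm.c includes this header with `extern` defined to nothing (`#define extern` / `#undef extern` around the include), the empty `extern` also applies to the five project headers pulled in here; for function prototypes that is harmless, but any `extern` object declaration in those headers would turn into a definition inside nscomm.c, which I cannot verify from here. Including only what the three prototypes need (zconf.h and zone.h), or moving the other includes into nscomm.c outside the redefined region, avoids that.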
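Review bot: genkey2 is a copy of genkey that differs only in the algorithm field it reads (`conf->k2_algo` instead of `conf->k_algo`) and it has no header comment; one static helper taking the algorithm as a parameter, e.g. `static dki_t *genkey_algo (dki_t **listp, const char *dir, const char *domain, int ksk, int algo, const zconf_t *conf, int status)`, with genkey and genkey2 as one-line wrappers, avoids keeping two bodies in sync. The ZSK branch of genkey now uses conf->k_algo rather than conf->z_algo; that is presumably deliberate, since a zone signed with several algorithms needs a full signer set for each DNSKEY algorithm, and deserves a comment such as `/* ZSK follows the KSK algorithm: every DNSKEY algorithm in the zone needs its own signatures */`. Both functions dereference conf without the NULL check that listp and domain receive. The start of genkey lies before the hunk.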
@@ -235,7 +252,7 @@ static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp) /* check if we have to change the ksk ? */ if ( lifetime > 0 && age > lifetime && !fileexist (path) ) /* lifetime is over and no kskrollover in progress */ { - /* we are using hierachical mode and the parent directory contains a signed zone ? */ + /* we are in hierachical mode and the parent directory contains a signed zone ? */ if ( z->keysetdir && strcmp (z->keysetdir, "..") == 0 && is_parentdirsigned (zonelist, zp) ) { verbmesg (2, z, "\t\tkskrollover: create new key signing key\n"); @@ -249,7 +266,7 @@ static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp) lg_mesg (LG_INFO, "\"%s\": kskrollover phase1: New key %d generated", zp->zone, ksk->tag); /* find the oldest active ksk to create the parent file */ - if ( (ksk = (dki_t *)dki_find (zp->keys, 1, 'a', 1)) == NULL ) + if ( (ksk = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, zp->conf->k_algo, 'a', 1)) == NULL ) lg_mesg (LG_ERROR, "kskrollover phase1: Couldn't find the old active key\n"); if ( !create_parent_file (path, 1, z->key_ttl, ksk) ) lg_mesg (LG_ERROR, "Couldn't create parentfile %s\n", path); @@ -373,7 +390,8 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco { exptime = get_exptime (dkp, z); if ( dki_isrevoked (dkp) ) - lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key with exptime of: %s", domain, time2str (exptime, 's')); + lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key (id=%d exptime=%s); waiting for remove hold down time", + domain, dkp->tag, time2str (exptime, 's')); /* revoked key is older than 30 days? */ if ( dki_isrevoked (dkp) && currtime > exptime + REMOVE_HOLD_DOWN ) 
@@ -408,7 +426,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco lg_mesg (LG_DEBUG, "Stb time: %s", time2str (dki_time (standbykey), 's')); lg_mesg (LG_DEBUG, "Stb time+wait: %s", time2str (dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl), 's')); #endif - /* At the time we first introduce a standby key, the lifetime of the current KSK should not be expired, */ + /* At the first time we introduce a standby key, the lifetime of the current KSK shouldn't be expired, */ /* otherwise we run into an (nearly) immediate key rollover! */ if ( currtime > exptime && currtime > dki_time (standbykey) + min (ADD_HOLD_DOWN, z->key_ttl) ) { @@ -423,7 +441,7 @@ int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco lg_mesg (LG_ERROR, "\%s\": can't generate new standby KSK", domain); } else - lg_mesg (LG_INFO, "\"%s\": generated new standby KSK %d", domain, dkp->tag); + lg_mesg (LG_NOTICE, "\"%s\": generated new standby KSK %d", domain, dkp->tag); /* standby key gets active */ verbmesg (2, z, "\t\t=>Activating old standby key %d \n", standbykey->tag); @@ -462,7 +480,7 @@ int kskstatus (zone_t *zonelist, zone_t *zp) verbmesg (1, z, "\tCheck KSK status\n"); /* check if a key signing key exist ? */ - akey = (dki_t *)dki_find (zp->keys, 1, 'a', 1); + akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k_algo, 'a', 1); if ( akey == NULL ) { verbmesg (1, z, "\tNo active KSK found: generate new one\n"); 
@@ -477,9 +495,31 @@ int kskstatus (zone_t *zonelist, zone_t *zp) lg_mesg (LG_INFO, "\"%s\": generated new KSK %d", zp->zone, akey->tag); return akey != NULL; /* return value of 1 forces a resigning of the zone */ } - else /* try to start a full automatic ksk rollover */ + else /* try to start a full automated ksk rollover */ kskrollover (akey, zonelist, zp); + /* is a second algorithm requested ? (since 0.99) */ + if ( z->k2_algo && z->k2_algo != z->k_algo ) + { + /* check for ksk supporting the additional algorithm */ + akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k2_algo, 'a', 1); + if ( akey == NULL ) + { + verbmesg (1, z, "\tNo active KSK for second algorithm found: generate new one\n"); + akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE); + if ( !akey ) + { + error ("\tcould not generate new KSK for 2nd algorithm\n"); + lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK for 2nd algorithm: \"%s\"", + zp->zone, dki_geterrstr()); + } + else + lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for 2nd algorithm", + zp->zone, akey->tag); + return 1; /* return value of 1 forces a resigning of the zone */ + } + } + return 0; } @@ -540,7 +580,7 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t /* check status of active key */ dbg_msg("zskstatus check status of active key "); lifetime = z->z_life; /* global configured lifetime for zsk */ - akey = (dki_t *)dki_find (*listp, 0, 'a', 1); + akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 1); if ( akey == NULL && lifetime > 0 ) /* no active key found */ { verbmesg (1, z, "\tNo active ZSK found: generate new one\n"); 
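Review bot: In the new second-algorithm block `return 1;` is reached even when genkey2 failed (`!akey`), so the caller is told to resign the zone although no key for the second algorithm exists; the first block above returns `akey != NULL` for the same situation, and this one should too, `return akey != NULL;`. The zskstatus hunk adding the same block after the lifetime checks repeats the pattern, and there the return should also fold in keychange, e.g. `return akey ? 1 : keychange;`. From what is visible, kskrollover is only invoked for the k_algo key and nothing rolls the k2_algo KSK; if that is intended for this version a comment saying so would help the next reader.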
@@ -560,9 +600,9 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t lifetime, (OFFSET) , akey->tag, dki_age (akey, currtime) ); /* depreciate the key only if there is another active or published key */ - if ( (nextkey = (dki_t *)dki_find (*listp, 0, 'a', 2)) == NULL || + if ( (nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 2)) == NULL || nextkey == akey ) - nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1); + nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1); /* Is the published key sufficient long in the zone ? */ /* As mentioned by Olaf, this should be the ttl of the DNSKEY RR ! */ @@ -591,7 +631,7 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t * time will be checked just before the active key will be removed. * See above). */ - nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1); + nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1); if ( nextkey == NULL && lifetime > 0 && (akey == NULL || dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) ) { 
@@ -611,6 +651,29 @@ int zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t domain, dki_geterrstr()); } } + + /* is a second algorithm requested ? (since 0.99) */ + if ( z->k2_algo && z->k2_algo != z->k_algo ) + { + /* check for zsk supporting the additional algorithm */ + akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k2_algo, 'a', 1); + if ( akey == NULL ) + { + verbmesg (1, z, "\tNo active ZSK for second algorithm found: generate new one\n"); + akey = genkey2 (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE); + if ( !akey ) + { + error ("\tcould not generate new ZSK for 2nd algorithm\n"); + lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK for 2nd algorithm: \"%s\"", + domain, dki_geterrstr()); + } + else + lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d for 2nd algorithm", + domain, akey->tag); + return 1; /* return value of 1 forces a resigning of the zone */ + } + } + return keychange; } diff --git a/contrib/zkt/soaserial.c b/contrib/zkt/soaserial.c new file mode 100644 index 00000000..0f6eb219 --- /dev/null +++ b/contrib/zkt/soaserial.c 
@@ -0,0 +1,269 @@ +/***************************************************************** +** +** @(#) soaserial.c -- helper function for the dnssec zone key tools +** +** Copyright (c) Jan 2005, Holger Zuleger HZnet. All rights reserved. +** +** This software is open source. +** +** Redistribution and use in source and binary forms, with or without +** modification, are permitted provided that the following conditions +** are met: +** +** Redistributions of source code must retain the above copyright notice, +** this list of conditions and the following disclaimer. +** +** Redistributions in binary form must reproduce the above copyright notice, +** this list of conditions and the following disclaimer in the documentation +** and/or other materials provided with the distribution. +** +** Neither the name of Holger Zuleger HZnet nor the names of its contributors may +** be used to endorse or promote products derived from this software without +** specific prior written permission. +** +** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE +** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +** POSSIBILITY OF SUCH DAMAGE. 
+** +*****************************************************************/ +# include <stdio.h> +# include <string.h> +# include <stdlib.h> +# include <ctype.h> +# include <sys/types.h> +# include <sys/stat.h> +# include <time.h> +# include <utime.h> +# include <assert.h> +#ifdef HAVE_CONFIG_H +# include <config.h> +#endif +# include "config_zkt.h" +# include "zconf.h" +# include "log.h" +# include "debug.h" +#define extern +# include "soaserial.h" +#undef extern + +static int inc_soa_serial (FILE *fp, int use_unixtime); +static int is_soa_rr (const char *line); +static const char *strfindstr (const char *str, const char *search); + + +/**************************************************************** +** +** int inc_serial (filename, use_unixtime) +** +** This function depends on a special syntax formating the +** SOA record in the zone file!! +** +** To match the SOA record, the SOA RR must be formatted +** like this: +** @ [ttl] IN SOA <master.fq.dn.> <hostmaster.fq.dn.> ( +** <SPACEes or TABs> 1234567890; serial number +** <SPACEes or TABs> 86400 ; other values +** ... +** The space from the first digit of the serial number to +** the first none white space char or to the end of the line +** must be at least 10 characters! +** So you have to left justify the serial number in a field +** of at least 10 characters like this: +** <SPACEes or TABs> 1 ; Serial +** +****************************************************************/ +int inc_serial (const char *fname, int use_unixtime) +{ + FILE *fp; + char buf[4095+1]; + int error; + + /** + since BIND 9.4, there is a dnssec-signzone option available for + serial number increment. + If the user requests "unixtime"; then use this mechanism. + **/ +#if defined(BIND_VERSION) && BIND_VERSION >= 940 + if ( use_unixtime ) + return 0; +#endif + if ( (fp = fopen (fname, "r+")) == NULL ) + return -1; + + /* read until the line matches the beginning of a soa record ... 
*/ + while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) ) + ; + + if ( feof (fp) ) + { + fclose (fp); + return -2; + } + + error = inc_soa_serial (fp, use_unixtime); /* .. inc soa serial no ... */ + + if ( fclose (fp) != 0 ) + return -5; + return error; +} + +/***************************************************************** +** check if line is the beginning of a SOA RR record, thus +** containing the string "IN .* SOA" and ends with a '(' +** returns 1 if true +*****************************************************************/ +static int is_soa_rr (const char *line) +{ + const char *p; + + assert ( line != NULL ); + + if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") ) /* line contains "IN" and "SOA" */ + { + p = line + strlen (line) - 1; + while ( p > line && isspace (*p) ) + p--; + if ( *p == '(' ) /* last character have to be a '(' to start a multi line record */ + return 1; + } + + return 0; +} + +/***************************************************************** +** Find string 'search' in 'str' and ignore case in comparison. +** returns the position of 'search' in 'str' or NULL if not found. 
+*****************************************************************/ +static const char *strfindstr (const char *str, const char *search) +{ + const char *p; + int c; + + assert ( str != NULL ); + assert ( search != NULL ); + + c = tolower (*search); + p = str; + do { + while ( *p && tolower (*p) != c ) + p++; + if ( strncasecmp (p, search, strlen (search)) == 0 ) + return p; + p++; + } while ( *p ); + + return NULL; +} + +/***************************************************************** +** return the serial number of the given time in the form +** of YYYYmmdd00 as ulong value +*****************************************************************/ +static ulong serialtime (time_t sec) +{ + struct tm *t; + ulong serialtime; + + t = gmtime (&sec); + serialtime = (t->tm_year + 1900) * 10000; + serialtime += (t->tm_mon+1) * 100; + serialtime += t->tm_mday; + serialtime *= 100; + + return serialtime; +} + +/***************************************************************** +** inc_soa_serial (fp, use_unixtime) +** increment the soa serial number of the file 'fp' +** 'fp' must be opened "r+" +*****************************************************************/ +static int inc_soa_serial (FILE *fp, int use_unixtime) +{ + int c; + long pos, eos; + ulong serial; + int digits; + ulong today; + + /* move forward until any non ws reached */ + while ( (c = getc (fp)) != EOF && isspace (c) ) + ; + ungetc (c, fp); /* push back the last char */ + + pos = ftell (fp); /* mark position */ + + serial = 0L; /* read in the current serial number */ + /* be aware of the trailing space in the format string !! */ + if ( fscanf (fp, "%lu ", &serial) != 1 ) /* try to get serial no */ + return -3; + eos = ftell (fp); /* mark first non digit/ws character pos */ + + digits = eos - pos; + if ( digits < 10 ) /* not enough space for serial no ? 
*/ + return -4; + + today = time (NULL); + if ( !use_unixtime ) + { + today = serialtime (today); /* YYYYmmdd00 */ + if ( serial > 1970010100L && serial < today ) + serial = today; /* set to current time */ + serial++; /* increment anyway */ + } + + fseek (fp, pos, SEEK_SET); /* go back to the beginning */ + fprintf (fp, "%-*lu", digits, serial); /* write as many chars as before */ + + return 1; /* yep! */ +} + +/***************************************************************** +** return the error text of the inc_serial return coode +*****************************************************************/ +const char *inc_errstr (int err) +{ + switch ( err ) + { + case -1: return "couldn't open zone file for modifying"; + case -2: return "unexpected end of file"; + case -3: return "no serial number found in zone file"; + case -4: return "not enough space left for serialno"; + case -5: return "error on closing zone file"; + } + return ""; +} + +#ifdef SOA_TEST +const char *progname; +main (int argc, char *argv[]) +{ + ulong now; + int err; + char cmd[255]; + + progname = *argv; + + now = time (NULL); + now = serialtime (now); + printf ("now = %lu\n", now); + + if ( (err = inc_serial (argv[1], 0)) <= 0 ) + { + error ("can't change serial errno=%d\n", err); + exit (1); + } + + snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]); + system (cmd); +} +#endif + diff --git a/contrib/zkt/soaserial.h b/contrib/zkt/soaserial.h new file mode 100644 index 00000000..08e34eec --- /dev/null +++ b/contrib/zkt/soaserial.h 
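Review bot: strfindstr() walks one byte past the terminating NUL whenever `search` does not occur in `str`: the inner `while` stops on `*p == '\0'`, `strncasecmp` fails, `p++` steps over the terminator and the `while (*p)` test then reads beyond the string — for is_soa_rr() that string is the 4 KiB `buf` in inc_serial(), so the scan continues through stale bytes left by an earlier, longer line and can report a "match" that is not on the current line (or read outside `buf` when a line fills it). A single forward loop (below) removes the hazard; the `tolower()`/`isspace()` calls in this file should also be passed `(unsigned char)` values, since `char` may be signed. inc_soa_serial() additionally increments an `ulong` without wrapping at 2^32 and writes it back with `"%-*lu"` using only the width it read, so on an LP64 host a serial of 4294967295 becomes 4294967296 — not a valid SOA serial — and an 11-digit value overwrites the character following the 10-character field; `serial = (serial + 1) & 0xffffffffUL` (RFC 1982 wrap) keeps the value both in range and inside the field. When `use_unixtime` is set but the `BIND_VERSION >= 940` early return is not compiled in, the serial is written back unchanged yet the function still returns 1, which reads like a partial implementation; either set `serial = today` in an `else` branch when `today > serial`, or return 0 there as well.
```c
/* … unchanged: is_soa_rr … */
static const char *strfindstr (const char *str, const char *search)
{
	size_t len;

	assert ( str != NULL );
	assert ( search != NULL );

	len = strlen (search);
	for ( ; *str != '\0'; str++ )	/* never steps past the terminator */
		if ( strncasecmp (str, search, len) == 0 )
			return str;

	return NULL;
}
```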
@@ -0,0 +1,41 @@ +/***************************************************************** +** +** @(#) soserial.h (c) 2005 - 2007 Holger Zuleger hznet.de +** +** Copyright (c) 2005 - 2007, Holger Zuleger HZnet. All rights reserved. +** +** This software is open source. +** +** Redistribution and use in source and binary forms, with or without +** modification, are permitted provided that the following conditions +** are met: +** +** Redistributions of source code must retain the above copyright notice, +** this list of conditions and the following disclaimer. +** +** Redistributions in binary form must reproduce the above copyright notice, +** this list of conditions and the following disclaimer in the documentation +** and/or other materials provided with the distribution. +** +** Neither the name of Holger Zuleger HZnet nor the names of its contributors may +** be used to endorse or promote products derived from this software without +** specific prior written permission. +** +** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +** "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +** TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +** PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE +** LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +** CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +** SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +** INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +** CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +** ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +** POSSIBILITY OF SUCH DAMAGE. 
+** +*****************************************************************/ +#ifndef SOASERIAL_H +# define SOASERIAL_H +extern int inc_serial (const char *fname, int use_unixtime); +extern const char *inc_errstr (int err); +#endif diff --git a/contrib/zkt/tags b/contrib/zkt/tags index 4fc5a237..f64df2db 100644 --- a/contrib/zkt/tags +++ b/contrib/zkt/tags 
@@ -3,24 +3,24 @@ !_TAG_PROGRAM_AUTHOR Darren Hiebert /dhiebert@users.sourceforge.net/ !_TAG_PROGRAM_NAME Exuberant Ctags // !_TAG_PROGRAM_URL http://ctags.sourceforge.net /official site/ -!_TAG_PROGRAM_VERSION 5.5.4 // -CONF_ALGO zconf.c /^ CONF_ALGO,$/;" e file: -CONF_BOOL zconf.c /^ CONF_BOOL,$/;" e file: -CONF_COMMENT zconf.c /^ CONF_COMMENT,$/;" e file: -CONF_END zconf.c /^ CONF_END = 0,$/;" e file: -CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e file: -CONF_INT zconf.c /^ CONF_INT,$/;" e file: -CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e file: -CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e file: -CONF_STRING zconf.c /^ CONF_STRING,$/;" e file: -CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e file: -ISCOMMENT zconf.c 68;" d file: -ISDELIM zconf.c 70;" d file: -ISTRUE zconf.c 66;" d file: -KEYSET_FILE_PFX dnssec-signer.c 691;" d file: +!_TAG_PROGRAM_VERSION 5.6 // +CONF_ALGO zconf.c /^ CONF_ALGO,$/;" e enum:__anon2 file: +CONF_BOOL zconf.c /^ CONF_BOOL,$/;" e enum:__anon2 file: +CONF_COMMENT zconf.c /^ CONF_COMMENT,$/;" e enum:__anon2 file: +CONF_END zconf.c /^ CONF_END = 0,$/;" e enum:__anon2 file: +CONF_FACILITY zconf.c /^ CONF_FACILITY,$/;" e enum:__anon2 file: +CONF_INT zconf.c /^ CONF_INT,$/;" e enum:__anon2 file: +CONF_LEVEL zconf.c /^ CONF_LEVEL,$/;" e enum:__anon2 file: +CONF_SERIAL zconf.c /^ CONF_SERIAL,$/;" e enum:__anon2 file: +CONF_STRING zconf.c /^ CONF_STRING,$/;" e enum:__anon2 file: +CONF_TIMEINT zconf.c /^ CONF_TIMEINT,$/;" e enum:__anon2 file: +ISCOMMENT zconf.c 67;" d file: +ISDELIM zconf.c 69;" d file: +ISTRUE zconf.c 65;" d file: +KEYSET_FILE_PFX dnssec-signer.c 709;" d file: KeyWords ncparse.c /^static struct KeyWords {$/;" s file: MAXFNAME log.c 97;" d file: -STRCONFIG_DELIMITER zconf.c 513;" d file: +STRCONFIG_DELIMITER zconf.c 529;" d file: TAINTEDCHARS misc.c 60;" d file: TOK_DELEGATION ncparse.c 59;" d file: TOK_DIR ncparse.c 49;" d file: 
@@ -36,17 +36,17 @@ TOK_TYPE ncparse.c 53;" d file: TOK_UNKNOWN ncparse.c 64;" d file: TOK_VIEW ncparse.c 60;" d file: TOK_ZONE ncparse.c 52;" d file: -a domaincmp.c /^ char *a;$/;" m file: +a domaincmp.c /^ char *a;$/;" m struct:__anon1 file: add2zonelist dnssec-signer.c /^static int add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;" f file: age2str misc.c /^char *age2str (time_t sec)$/;" f ageflag dnssec-zkt.c /^int ageflag = 0;$/;" v -b domaincmp.c /^ char *b;$/;" m file: -bind94_dynzone dnssec-signer.c 131;" d file: -bind96_dynzone dnssec-signer.c 132;" d file: +b domaincmp.c /^ char *b;$/;" m struct:__anon1 file: +bind94_dynzone dnssec-signer.c 130;" d file: +bind96_dynzone dnssec-signer.c 131;" d file: bool2str zconf.c /^static const char *bool2str (int val)$/;" f file: check_keydb_timestamp dnssec-signer.c /^static int check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;" f file: checkconfig zconf.c /^int checkconfig (const zconf_t *z)$/;" f -cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m file: +cmdline zconf.c /^ int cmdline; \/* is this a command line parameter ? *\/$/;" m struct:__anon3 file: cmpfile misc.c /^int cmpfile (const char *file1, const char *file2)$/;" f config dnssec-signer.c /^static zconf_t *config;$/;" v file: config zconf.c /^static zconf_t *config;$/;" v file: 
@@ -57,13 +57,14 @@ copyzonefile misc.c /^int copyzonefile (const char *fromfile, const char *tofile create_parent_file dnssec-zkt.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file: create_parent_file rollover.c /^static int create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;" f file: createkey dnssec-zkt.c /^static void createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;" f file: -ctype_t zconf.c /^} ctype_t;$/;" t file: +ctype_t zconf.c /^} ctype_t;$/;" t typeref:enum:__anon2 file: def zconf.c /^static zconf_t def = {$/;" v file: dirflag dnssec-zkt.c /^static int dirflag = 0;$/;" v file: -dirname dnssec-signer.c /^const char *dirname = NULL;$/;" v -dist_and_reload dnssec-signer.c /^static int dist_and_reload (const zone_t *zp)$/;" f file: +dirname dnssec-signer.c /^static const char *dirname = NULL;$/;" v file: +dist_and_reload nscomm.c /^int dist_and_reload (const zone_t *zp)$/;" f dki_add dki.c /^dki_t *dki_add (dki_t **list, dki_t *new)$/;" f dki_age dki.c /^int dki_age (const dki_t *dkp, time_t curr)$/;" f +dki_algo dki.c /^time_t dki_algo (const dki_t *dkp)$/;" f dki_algo2sstr dki.c /^char *dki_algo2sstr (int algo)$/;" f dki_algo2str dki.c /^char *dki_algo2str (int algo)$/;" f dki_allcmp dki.c /^int dki_allcmp (const dki_t *a, const dki_t *b)$/;" f @@ -73,6 +74,7 @@ dki_destroy dki.c /^dki_t *dki_destroy (dki_t *dkp)$/;" f dki_estr dki.c /^static char dki_estr[255+1];$/;" v file: dki_exptime dki.c /^time_t dki_exptime (const dki_t *dkp)$/;" f dki_find dki.c /^const dki_t *dki_find (const dki_t *list, int ksk, int status, int no)$/;" f +dki_findalgo dki.c /^const dki_t *dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)$/;" f dki_free dki.c /^void dki_free (dki_t *dkp)$/;" f dki_freelist dki.c /^void dki_freelist (dki_t **listp)$/;" f dki_gentime dki.c /^time_t dki_gentime (const dki_t *dkp)$/;" f 
@@ -117,10 +119,10 @@ domain_canonicdup misc.c /^char *domain_canonicdup (const char *s)$/;" f domaincmp domaincmp.c /^int domaincmp (const char *a, const char *b)$/;" f dosigning dnssec-signer.c /^static int dosigning (zone_t *zonelist, zone_t *zp)$/;" f file: dupconfig zconf.c /^zconf_t *dupconfig (const zconf_t *conf)$/;" f -dyn_update_freeze dnssec-signer.c /^static int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f file: +dyn_update_freeze nscomm.c /^int dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;" f dynamic_zone dnssec-signer.c /^static int dynamic_zone = 0; \/* dynamic zone ? *\/$/;" v file: error misc.c /^void error (char *fmt, ...)$/;" f -ex domaincmp.c /^} ex[] = {$/;" v file: +ex domaincmp.c /^} ex[] = {$/;" v typeref:struct:__anon1 file: exptimeflag dnssec-zkt.c /^int exptimeflag = 0;$/;" v extern dki.c 59;" d file: extern dki.c 61;" d file: @@ -132,10 +134,14 @@ extern misc.c 56;" d file: extern misc.c 58;" d file: extern ncparse.c 44;" d file: extern ncparse.c 46;" d file: +extern nscomm.c 45;" d file: +extern nscomm.c 47;" d file: extern rollover.c 57;" d file: extern rollover.c 59;" d file: -extern zconf.c 61;" d file: -extern zconf.c 63;" d file: +extern soaserial.c 53;" d file: +extern soaserial.c 55;" d file: +extern zconf.c 60;" d file: +extern zconf.c 62;" d file: extern zkt.c 47;" d file: extern zkt.c 49;" d file: extern zone.c 53;" d file: 
@@ -147,6 +153,8 @@ fileexist misc.c /^int fileexist (const char *name)$/;" f filesize misc.c /^size_t filesize (const char *name)$/;" f force dnssec-signer.c /^static int force = 0;$/;" v file: genkey rollover.c /^static dki_t *genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file: +genkey2 rollover.c /^static dki_t *genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;" f file: +gensalt misc.c /^int gensalt (char *salt, size_t saltsize, int saltbits)$/;" f get_exptime rollover.c /^static time_t get_exptime (dki_t *key, const zconf_t *z)$/;" f file: get_parent_phase dnssec-zkt.c /^static int get_parent_phase (const char *file)$/;" f file: get_parent_phase rollover.c /^static int get_parent_phase (const char *file)$/;" f file: 
@@ -156,15 +164,15 @@ gettok ncparse.c /^static int gettok (FILE *fp, char *val, size_t valsize)$/;" f goto_labelstart domaincmp.c 47;" d file: headerflag dnssec-zkt.c /^int headerflag = 1;$/;" v in_strarr misc.c /^int in_strarr (const char *str, char *const arr[], int cnt)$/;" f -inc_errstr misc.c /^const char *inc_errstr (int err)$/;" f -inc_serial misc.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f -inc_soa_serial misc.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file: +inc_errstr soaserial.c /^const char *inc_errstr (int err)$/;" f +inc_serial soaserial.c /^int inc_serial (const char *fname, int use_unixtime)$/;" f +inc_soa_serial soaserial.c /^static int inc_soa_serial (FILE *fp, int use_unixtime)$/;" f file: is_directory misc.c /^int is_directory (const char *name)$/;" f -is_dotfile misc.c /^int is_dotfile (const char *name)$/;" f +is_dotfilename misc.c /^int is_dotfilename (const char *name)$/;" f is_exec_ok misc.c /^int is_exec_ok (const char *prog)$/;" f is_keyfilename misc.c /^int is_keyfilename (const char *name)$/;" f is_parentdirsigned rollover.c /^static int is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;" f file: -is_soa_rr misc.c /^static int is_soa_rr (const char *line)$/;" f file: +is_soa_rr soaserial.c /^static int is_soa_rr (const char *line)$/;" f file: isinlist strlist.c /^int isinlist (const char *str, const char *list)$/;" f ksk5011status rollover.c /^int ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;" f ksk_roll dnssec-zkt.c /^static void ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;" f file: 
@@ -172,10 +180,10 @@ kskdomain dnssec-zkt.c /^static char *kskdomain = "";$/;" v file: kskflag dnssec-zkt.c /^int kskflag = 1;$/;" v kskrollover rollover.c /^static int kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;" f file: kskstatus rollover.c /^int kskstatus (zone_t *zonelist, zone_t *zp)$/;" f -kw ncparse.c /^} kw[] = {$/;" v file: -label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m file: +kw ncparse.c /^} kw[] = {$/;" v typeref:struct:KeyWords file: +label zconf.c /^ char *label; \/* the name of the paramter *\/$/;" m struct:__anon3 file: labellist dnssec-zkt.c /^char *labellist = NULL;$/;" v -level log.c /^ lg_lvl_t level;$/;" m file: +level log.c /^ lg_lvl_t level;$/;" m struct:__anon4 file: lg_args log.c /^void lg_args (lg_lvl_t level, int argc, char * const argv[])$/;" f lg_close log.c /^int lg_close ()$/;" f lg_errcnt log.c /^static long lg_errcnt;$/;" v file: @@ -193,7 +201,7 @@ lg_reseterrcnt log.c /^long lg_reseterrcnt ()$/;" f lg_seterrcnt log.c /^long lg_seterrcnt (long value)$/;" f lg_str2lvl log.c /^lg_lvl_t lg_str2lvl (const char *name)$/;" f lg_str2syslog log.c /^int lg_str2syslog (const char *facility)$/;" f -lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t file: +lg_symtbl_t log.c /^} lg_symtbl_t;$/;" t typeref:struct:__anon4 file: lg_syslogging log.c /^static int lg_syslogging;$/;" v file: lifetime dnssec-zkt.c /^int lifetime = 0;$/;" v lifetimeflag dnssec-zkt.c /^int lifetimeflag = 0;$/;" v 
@@ -204,17 +212,17 @@ list_trustedkey zkt.c /^static void list_trustedkey (const dki_t **nodep, const ljustflag dnssec-zkt.c /^int ljustflag = 0;$/;" v loadconfig zconf.c /^zconf_t *loadconfig (const char *filename, zconf_t *z)$/;" f loadconfig_fromstr zconf.c /^zconf_t *loadconfig_fromstr (const char *str, zconf_t *z)$/;" f -logfile dnssec-signer.c /^const char *logfile = NULL;$/;" v +logfile dnssec-signer.c /^static const char *logfile = NULL;$/;" v file: logflush misc.c /^void logflush ()$/;" f logmesg misc.c /^void logmesg (char *fmt, ...)$/;" f -long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v file: -long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v file: -lopt_usage dnssec-signer.c 323;" d file: +long_options dnssec-signer.c /^static struct option long_options[] = {$/;" v typeref:struct:option file: +long_options dnssec-zkt.c /^static struct option long_options[] = {$/;" v typeref:struct:option file: lopt_usage dnssec-signer.c 326;" d file: +lopt_usage dnssec-signer.c 329;" d file: lopt_usage dnssec-zkt.c 402;" d file: lopt_usage dnssec-zkt.c 405;" d file: -loptstr dnssec-signer.c 324;" d file: loptstr dnssec-signer.c 327;" d file: +loptstr dnssec-signer.c 330;" d file: loptstr dnssec-zkt.c 403;" d file: loptstr dnssec-zkt.c 406;" d file: main dnssec-signer.c /^int main (int argc, char *const argv[])$/;" f 
@@ -223,15 +231,16 @@ main domaincmp.c /^main (int argc, char *argv[])$/;" f main log.c /^int main (int argc, char *argv[])$/;" f main misc.c /^main (int argc, char *argv[])$/;" f main ncparse.c /^main (int argc, char *argv[])$/;" f +main soaserial.c /^main (int argc, char *argv[])$/;" f main strlist.c /^main (int argc, char *argv[])$/;" f main zconf.c /^main (int argc, char *argv[])$/;" f main zkt-soaserial.c /^int main (int argc, char *argv[])$/;" f name ncparse.c /^ char *name;$/;" m struct:KeyWords file: -namedconf dnssec-signer.c /^const char *namedconf = NULL;$/;" v +namedconf dnssec-signer.c /^static const char *namedconf = NULL;$/;" v file: new_keysetfiles dnssec-signer.c /^static int new_keysetfiles (const char *dir, time_t zone_signing_time)$/;" f file: noexec dnssec-signer.c /^static int noexec = 0;$/;" v file: -origin dnssec-signer.c /^const char *origin = NULL;$/;" v -parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())$/;" f +origin dnssec-signer.c /^static const char *origin = NULL;$/;" v file: +parse_namedconf ncparse.c /^int parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())$/;" f parseconfigline zconf.c /^static void parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;" f file: parsedir dnssec-signer.c /^static int parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;" f file: parsedirectory dnssec-zkt.c /^static int parsedirectory (const char *dir, dki_t **listp)$/;" f file: 
@@ -252,41 +261,42 @@ progname domaincmp.c /^const char *progname;$/;" v progname log.c /^const char *progname;$/;" v progname misc.c /^const char *progname;$/;" v progname ncparse.c /^char *progname;$/;" v +progname soaserial.c /^const char *progname;$/;" v progname zconf.c /^const char *progname;$/;" v progname zkt-soaserial.c /^static const char *progname;$/;" v file: read_serial_fromfile zkt-soaserial.c /^static int read_serial_fromfile (const char *fname, unsigned long *serial)$/;" f file: recflag dnssec-zkt.c /^static int recflag = RECURSIVE;$/;" v file: register_key dnssec-signer.c /^static void register_key (dki_t *list, const zconf_t *z)$/;" f file: -reload_zone dnssec-signer.c /^static int reload_zone (const char *domain, const zconf_t *z)$/;" f file: +reload_zone nscomm.c /^int reload_zone (const char *domain, const zconf_t *z)$/;" f reloadflag dnssec-signer.c /^static int reloadflag = 0;$/;" v file: -res domaincmp.c /^ int res;$/;" m file: +res domaincmp.c /^ int res;$/;" m struct:__anon1 file: searchitem zkt.c /^static int searchitem;$/;" v file: searchkw ncparse.c /^static int searchkw (const char *keyword)$/;" f file: searchresult zkt.c /^static const dki_t *searchresult;$/;" v file: +serialtime soaserial.c /^static ulong serialtime (time_t sec)$/;" f file: set_all_varptr zconf.c /^static void set_all_varptr (zconf_t *cp)$/;" f file: -set_bind94_dynzone dnssec-signer.c 129;" d file: -set_bind96_dynzone dnssec-signer.c 130;" d file: +set_bind94_dynzone dnssec-signer.c 128;" d file: +set_bind96_dynzone dnssec-signer.c 129;" d file: set_keylifetime zkt.c /^static void set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;" f file: set_varptr zconf.c /^static int set_varptr (char *entry, void *ptr)$/;" f file: setconfigpar zconf.c /^int setconfigpar (zconf_t *config, char *entry, const void *pval)$/;" f setglobalflags dnssec-zkt.c /^static void setglobalflags (zconf_t *config)$/;" f file: -short_options dnssec-signer.c 66;" d file: 
short_options dnssec-signer.c 68;" d file: +short_options dnssec-signer.c 70;" d file: short_options dnssec-zkt.c 89;" d file: sign_zone dnssec-signer.c /^static int sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;" f file: -sopt_usage dnssec-signer.c 321;" d file: +sopt_usage dnssec-signer.c 324;" d file: sopt_usage dnssec-zkt.c 400;" d file: -splitpath misc.c /^const char *splitpath (char *path, size_t size, const char *filename)$/;" f +splitpath misc.c /^const char *splitpath (char *path, size_t psize, const char *filename)$/;" f start_timer misc.c /^time_t start_timer ()$/;" f stop_timer misc.c /^time_t stop_timer (time_t start)$/;" f -str log.c /^ const char *str;$/;" m file: +str log.c /^ const char *str;$/;" m struct:__anon4 file: str_chop misc.c /^char *str_chop (char *str, char c)$/;" f str_delspace misc.c /^char *str_delspace (char *s)$/;" f -str_tolowerdup misc.c /^char *str_tolowerdup (const char *s)$/;" f str_untaint misc.c /^char *str_untaint (char *str)$/;" f -strfindstr misc.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file: +strfindstr soaserial.c /^static const char *strfindstr (const char *str, const char *search)$/;" f file: symtbl log.c /^static lg_symtbl_t symtbl[] = {$/;" v file: -syslog_level log.c /^ int syslog_level;$/;" m file: +syslog_level log.c /^ int syslog_level;$/;" m struct:__anon4 file: tag_search zkt.c /^static void tag_search (const dki_t **nodep, const VISIT which, int depth)$/;" f file: time2isostr misc.c /^char *time2isostr (time_t sec, int precision)$/;" f time2str misc.c /^char *time2str (time_t sec, int precision)$/;" f 
@@ -294,23 +304,22 @@ timeflag dnssec-zkt.c /^int timeflag = 1;$/;" v timeint2str zconf.c /^static const char *timeint2str (ulong val)$/;" f file: timestr zkt-soaserial.c /^static char *timestr (time_t sec)$/;" f file: timestr2time misc.c /^time_t timestr2time (const char *timestr)$/;" f -today_serialtime misc.c /^static ulong today_serialtime ()$/;" f file: tok ncparse.c /^ int tok;$/;" m struct:KeyWords file: tok2str ncparse.c /^static const char *tok2str (int tok)$/;" f file: touch misc.c /^int touch (const char *fname, time_t sec)$/;" f trustedkeyflag dnssec-zkt.c /^static int trustedkeyflag = 0;$/;" v file: -type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m file: +type zconf.c /^ ctype_t type; \/* the parameter type *\/$/;" m struct:__anon3 file: unprepstrlist strlist.c /^char *unprepstrlist (char *list, char delimc)$/;" f usage dnssec-signer.c /^static void usage (char *mesg, zconf_t *conf)$/;" f file: usage dnssec-zkt.c /^static void usage (char *mesg, zconf_t *cp)$/;" f file: usage zkt-soaserial.c /^static void usage (const char *msg)$/;" f file: -var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m file: +var zconf.c /^ void *var; \/* pointer to the parameter variable *\/$/;" m struct:__anon3 file: verbmesg misc.c /^void verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;" f verbose dnssec-signer.c /^static int verbose = 0;$/;" v file: view dnssec-zkt.c /^static const char *view = "";$/;" v file: -viewname dnssec-signer.c /^const char *viewname = NULL;$/;" v +viewname dnssec-signer.c /^static const char *viewname = NULL;$/;" v file: writekeyfile dnssec-signer.c /^static int writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;" f file: -zconf_para_t zconf.c /^} zconf_para_t;$/;" t file: +zconf_para_t zconf.c /^} zconf_para_t;$/;" t typeref:struct:__anon3 file: zkt_list_dnskeys zkt.c /^void zkt_list_dnskeys (const dki_t *data)$/;" f zkt_list_keys zkt.c /^void zkt_list_keys (const dki_t *data)$/;" f 
zkt_list_trustedkeys zkt.c /^void zkt_list_trustedkeys (const dki_t *data)$/;" f diff --git a/contrib/zkt/zconf.c b/contrib/zkt/zconf.c index 831d1815..5c7a66f8 100644 --- a/contrib/zkt/zconf.c +++ b/contrib/zkt/zconf.c @@ -5,8 +5,7 @@ ** Most of the code is from the SixXS Heartbeat Client ** written by Jeroen Massar <jeroen@sixxs.net> ** -** New config types and some slightly code changes -** by Holger Zuleger +** New config types and some slightly code changes by Holger Zuleger ** ** Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger. ** All rights reserved. @@ -91,15 +90,18 @@ static zconf_t def = { PRINTTIME, PRINTAGE, LJUST, SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental, RESIGN_INT, - KSK_LIFETIME, KSK_ALGO, KSK_BITS, KSK_RANDOM, - ZSK_LIFETIME, ZSK_ALGO, ZSK_BITS, ZSK_RANDOM, + KEY_ALGO, ADDITIONAL_KEY_ALGO, + KSK_LIFETIME, KSK_BITS, KSK_RANDOM, + ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM, SALTLEN, - NULL, /* viewname cmdline paramter */ + NULL, /* viewname cmdline parameter */ + 0, /* noexec cmdline parameter */ LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0, DNSKEYFILE, ZONEFILE, KEYSETDIR, LOOKASIDEDOMAIN, SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM, - DIST_CMD /* deafults to NULL which means to run "rndc reload" */ + DIST_CMD, /* defaults to NULL which means to run "rndc reload" */ + NAMED_CHROOT }; typedef struct { 
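Review bot: The positional initializer of `def` is now the only thing tying these defaults to the members of `zconf_t` (declared in zconf.h, outside this diff), and this hunk removes two slots and inserts four (`KEY_ALGO`, `ADDITIONAL_KEY_ALGO`, the `0` for noexec, `NAMED_CHROOT`), so a miscount silently shifts every later default — a lifetime landing in a bits field, a NULL landing in a flag — without any compiler diagnostic. The file already relies on C99 (`//` comments in set_all_varptr), so designated initializers would make the intent explicit and let the compiler catch the next reordering: `.k_algo = KEY_ALGO, .k2_algo = ADDITIONAL_KEY_ALGO, .noexec = 0, .dist_cmd = DIST_CMD, .chroot_dir = NAMED_CHROOT`. The member names above are taken from the confpara table further down this file; please verify them against zconf.h.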
@@ -136,12 +138,15 @@ static zconf_para_t confpara[] = { { "", 0, CONF_COMMENT, NULL }, { "", 0, CONF_COMMENT, "signing key parameters"}, + { "Key_algo", 0, CONF_ALGO, &def.k_algo }, /* now used as general KEY algoritjm (KSK & ZSK) */ + { "AddKey_algo", 0, CONF_ALGO, &def.k2_algo }, /* second key algorithm added (v0.99) */ { "KSK_lifetime", 0, CONF_TIMEINT, &def.k_life }, - { "KSK_algo", 0, CONF_ALGO, &def.k_algo }, + { "KSK_algo", 1, CONF_ALGO, &def.k_algo }, /* old KSK value changed to key algorithm */ { "KSK_bits", 0, CONF_INT, &def.k_bits }, { "KSK_randfile", 0, CONF_STRING, &def.k_random }, { "ZSK_lifetime", 0, CONF_TIMEINT, &def.z_life }, - { "ZSK_algo", 0, CONF_ALGO, &def.z_algo }, + /* { "ZSK_algo", 1, CONF_ALGO, &def.z_algo }, ZSK algo removed (set to same as ksk) */ + { "ZSK_algo", 1, CONF_ALGO, &def.k2_algo }, /* if someone using it already, map the algo to the additional key algorithm */ { "ZSK_bits", 0, CONF_INT, &def.z_bits }, { "ZSK_randfile", 0, CONF_STRING, &def.z_random }, { "SaltBits", 0, CONF_INT, &def.saltbits }, @@ -149,6 +154,7 @@ static zconf_para_t confpara[] = { { "", 0, CONF_COMMENT, NULL }, { "", 0, CONF_COMMENT, "dnssec-signer options"}, { "--view", 1, CONF_STRING, &def.view }, + { "--noexec", 1, CONF_BOOL, &def.noexec }, { "LogFile", 0, CONF_STRING, &def.logfile }, { "LogLevel", 0, CONF_LEVEL, &def.loglevel }, { "SyslogFacility", 0, CONF_FACILITY, &def.syslogfacility }, @@ -161,9 +167,10 @@ static zconf_para_t confpara[] = { { "DLV_Domain", 0, CONF_STRING, &def.lookaside }, { "Sig_Randfile", 0, CONF_STRING, &def.sig_random }, { "Sig_Pseudorand", 0, CONF_BOOL, &def.sig_pseudo }, - { "Sig_GenerateDS", 1, CONF_BOOL, &def.sig_gends }, + { "Sig_GenerateDS", 0, CONF_BOOL, &def.sig_gends }, { "Sig_Parameter", 0, CONF_STRING, &def.sig_param }, { "Distribute_Cmd", 0, CONF_STRING, &def.dist_cmd }, + { "NamedChrootDir", 0, CONF_STRING, &def.chroot_dir }, { NULL, 0, CONF_END, NULL}, }; 
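Review bot: Mapping the old `ZSK_algo` key onto `&def.k2_algo` changes the meaning of existing configurations: a file that set `KSK_algo` and `ZSK_algo` to different algorithms (previously one KSK algorithm and one ZSK algorithm) now describes a dual-algorithm zone, with rollover.c generating extra keys and every RRset signed twice, and nothing tells the operator this happened. parseconfigline() (outside this hunk) should at least log a deprecation warning when `KSK_algo` or `ZSK_algo` is read, and the comment on the `ZSK_algo` row should state the consequence, e.g. `/* deprecated: a ZSK_algo that differs from Key_algo now enables dual-algorithm signing */`. The second column of this table is the `cmdline` member, documented as "is this a command line parameter ?", yet the hunk sets it to 1 on two config-file keys to mark them deprecated and clears it on `Sig_GenerateDS`; if the flag now means "do not print", a comment on the struct (or a rename) would stop the next reader from taking these for CLI options.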
@@ -229,18 +236,22 @@ static void set_all_varptr (zconf_t *cp)
 #endif
 set_varptr ("serialformat", &cp->serialform);
+ set_varptr ("key_algo", &cp->k_algo);
+ set_varptr ("addkey_algo", &cp->k2_algo);
 set_varptr ("ksk_lifetime", &cp->k_life);
- set_varptr ("ksk_algo", &cp->k_algo);
+ set_varptr ("ksk_algo", &cp->k_algo); /* to be removed in next release */
 set_varptr ("ksk_bits", &cp->k_bits);
 set_varptr ("ksk_randfile", &cp->k_random);
 set_varptr ("zsk_lifetime", &cp->z_life);
- set_varptr ("zsk_algo", &cp->z_algo);
+ // set_varptr ("zsk_algo", &cp->z_algo);
+ set_varptr ("zsk_algo", &cp->k2_algo);
 set_varptr ("zsk_bits", &cp->z_bits);
 set_varptr ("zsk_randfile", &cp->z_random);
 set_varptr ("saltbits", &cp->saltbits);
 set_varptr ("--view", &cp->view);
+ set_varptr ("--noexec", &cp->noexec);
 set_varptr ("logfile", &cp->logfile);
 set_varptr ("loglevel", &cp->loglevel);
 set_varptr ("syslogfacility", &cp->syslogfacility);
@@ -256,6 +267,7 @@ static void set_all_varptr (zconf_t *cp)
 set_varptr ("sig_generateds", &cp->sig_gends);
 set_varptr ("sig_parameter", &cp->sig_param);
 set_varptr ("distribute_cmd", &cp->dist_cmd);
+ set_varptr ("namedchrootdir", &cp->chroot_dir);
 }
 static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
@@ -325,7 +337,7 @@ static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
 {
 char **str;
 char quantity;
- int ival;
+ long lval;
 found = 1;
 switch ( c->type )
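Review bot: `+ long lval;` in the `@@ -325` hunk is declared without an initializer, and the `sscanf (val, "%ld%c", &lval, &quantity);` that fills it in the following `@@ -342` hunk never checks its return value, so a non-numeric value for a CONF_TIMEINT entry stores an indeterminate `long` into the config field; the defect predates this commit (`int ival` behaved the same) but every affected line is rewritten here. Suggest `long lval = 0;` at the declaration and, in the `@@ -342` hunk, `if ( sscanf (val, "%ld%c", &lval, &quantity) < 1 ) { /* report bad value for this label at 'line' */ break; }` so the error is attributed to the config line rather than silently producing a garbage interval. `parseconfigline` starts before and continues after these hunks. Separately, in the `@@ -229` hunk the commented-out `// set_varptr ("zsk_algo", &cp->z_algo);` is dead code kept next to its replacement; the rename is already recorded by the comment on the `ksk_algo` line and by version control, so the commented call can go.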
@@ -342,18 +354,18 @@ static void parseconfigline (char *buf, unsigned int line, zconf_t *z)
 break;
 case CONF_TIMEINT:
 quantity = 'd';
- sscanf (val, "%d%c", &ival, &quantity);
+ sscanf (val, "%ld%c", &lval, &quantity);
 if ( quantity == 'm' )
- ival *= MINSEC;
+ lval *= MINSEC;
 else if ( quantity == 'h' )
- ival *= HOURSEC;
+ lval *= HOURSEC;
 else if ( quantity == 'd' )
- ival *= DAYSEC;
+ lval *= DAYSEC;
 else if ( quantity == 'w' )
- ival *= WEEKSEC;
+ lval *= WEEKSEC;
 else if ( quantity == 'y' )
- ival *= YEARSEC;
- (*(int *)c->var) = ival;
+ lval *= YEARSEC;
+ (*(long *)c->var) = lval;
 break;
 case CONF_ALGO:
 if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
@@ -398,6 +410,7 @@ static void printconfigline (FILE *fp, zconf_para_t *cp)
 {
 int i;
+ long lval;
 assert (fp != NULL);
 assert (cp != NULL);
@@ -435,16 +448,19 @@ static void printconfigline (FILE *fp, zconf_para_t *cp)
 fprintf (fp, "%s:\t%s\n", cp->label, bool2str ( *(int*)cp->var ));
 break;
 case CONF_TIMEINT:
- i = *(ulong*)cp->var;
- fprintf (fp, "%s:\t%s", cp->label, timeint2str (i));
- if ( i )
- fprintf (fp, "\t# (%d seconds)", i);
+ lval = *(ulong*)cp->var; /* in that case it should be of type ulong */
+ fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
+ if ( lval )
+ fprintf (fp, "\t# (%ld seconds)", lval);
 putc ('\n', fp);
 break;
 case CONF_ALGO:
 i = *(int*)cp->var;
- fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
- fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+ if ( i )
+ {
+ fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
+ fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+ }
 break;
 case CONF_SERIAL:
 fprintf (fp, "%s:\t", cp->label);
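Review bot: In the `@@ -435` hunk, `lval = *(ulong*)cp->var; /* in that case it should be of type ulong */` reads the field through `ulong*` while the parser in the `@@ -342` hunk writes it through `(long *)` and the zconf.h hunk declares every CONF_TIMEINT field as `long`; the comment therefore states the opposite of the declared type, and a negative value — which `%ld` now accepts — round-trips through an unsigned conversion only to be printed signed anyway. Suggest `lval = *(long*)cp->var;` with the comment dropped, so all three sites agree. The new `if ( i )` guard in the CONF_ALGO branch quietly omits an entry whose algorithm is 0 (the `ADDITIONAL_KEY_ALGO 0` default), which looks intentional for `AddKey_algo` but is not stated; a comment such as `/* algorithm 0 means "not configured": omit the line */` would record it. `printconfigline` continues outside the hunk.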
@@ -599,11 +615,12 @@ int setconfigpar (zconf_t *config, char *entry, const void *pval)
 /* fall through */
 case CONF_ALGO:
 /* fall through */
- case CONF_TIMEINT:
- /* fall through */
 case CONF_INT:
 *((int *)c->var) = *((int *)pval);
 break;
+ case CONF_TIMEINT:
+ *((long *)c->var) = *((long *)pval);
+ break;
 case CONF_SERIAL:
 *((serial_form_t *)c->var) = *((serial_form_t *)pval);
 break;
@@ -728,12 +745,12 @@ int checkconfig (const zconf_t *z)
 if ( z->resign < (z->max_ttl + z->proptime) )
 {
 fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
- fprintf (stderr, "greater than max_ttl (%d) plus ", z->max_ttl);
- fprintf (stderr, "propagation time (%d)\n", z->proptime);
+ fprintf (stderr, "greater than max_ttl (%ld) plus ", z->max_ttl);
+ fprintf (stderr, "propagation time (%ld)\n", z->proptime);
 }
 if ( z->max_ttl >= z->sigvalidity )
- fprintf (stderr, "Max TTL (%d) should be less than signatur validity (%d)\n",
+ fprintf (stderr, "Max TTL (%ld) should be less than signature validity (%ld)\n",
 z->max_ttl, z->sigvalidity);
 if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
diff --git a/contrib/zkt/zconf.h b/contrib/zkt/zconf.h
index 08adfd9b..a0c919e3 100644
--- a/contrib/zkt/zconf.h
+++ b/contrib/zkt/zconf.h
@@ -39,7 +39,7 @@
 # define ZCONF_H
-# define MINSEC 60
+# define MINSEC 60L
 # define HOURSEC (MINSEC * 60)
 # define DAYSEC (HOURSEC * 24)
 # define WEEKSEC (DAYSEC * 7)
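Review bot: `+ *((long *)c->var) = *((long *)pval);` in the `@@ -599` hunk changes the contract of `setconfigpar` for every CONF_TIMEINT entry: a caller that still passes the address of an `int` through `const void *pval` now has 8 bytes read from a 4-byte object on LP64 platforms, and the `void *` interface gives the compiler no way to flag it. The callers are outside this diff, so they are worth auditing in the same change; a comment on `setconfigpar` stating the pointee type expected per `CONF_*` type (`/* pval must point to a long for CONF_TIMEINT, an int for CONF_INT/CONF_ALGO/CONF_BOOL, ... */`) would record the contract at the one place it is enforced. `setconfigpar` starts before the hunk and continues after it.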
@@ -64,13 +64,19 @@
 #if 0
 # define ZSK_LIFETIME ((SIG_VALID_DAYS * 3) * DAYSEC) /* set to three times the sig validity */
 #else
-# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
+# if 0
+# define ZSK_LIFETIME ((MONTH * 3) * DAYSEC) /* set fixed to 3 month */
+# else
+# define ZSK_LIFETIME (12 * WEEKSEC) /* set fixed to 3 month */
+# endif
 #endif
-# define KSK_ALGO (DK_ALGO_RSASHA1)
+/* # define KSK_ALGO (DK_ALGO_RSASHA1) KSK_ALGO renamed to KEY_ALGO (v0.99) */
+# define KEY_ALGO (DK_ALGO_RSASHA1) /* general KEY_ALGO used for both ksk and zsk */
+# define ADDITIONAL_KEY_ALGO 0
 # define KSK_BITS (1300)
 # define KSK_RANDOM "/dev/urandom" /* was NULL before v0.94 */
-# define ZSK_ALGO (DK_ALGO_RSASHA1)
+/* # define ZSK_ALGO (DK_ALGO_RSASHA1) ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
 # define ZSK_BITS (512)
 # define ZSK_RANDOM "/dev/urandom"
 # define SALTLEN 24 /* salt length in bits (resolution is 4 bits)*/
@@ -94,6 +100,7 @@
 # define SIG_GENDS 1
 # define SIG_PARAM ""
 # define DIST_CMD NULL /* default is to run "rndc reload" */
+# define NAMED_CHROOT NULL /* default is none */
 #ifndef CONFIG_PATH
 # define CONFIG_PATH "/var/named/"
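Review bot: The new inner `# if 0 … # else … # endif` in the `@@ -64` hunk keeps the superseded `((MONTH * 3) * DAYSEC)` definition as dead preprocessor text inside a branch that is itself the `#else` of another `#if 0`, which makes the one live line, `# define ZSK_LIFETIME (12 * WEEKSEC)`, the hardest of the five to spot. Since the history is in version control, the old definition can simply be deleted, and the same goes for the quoted-out `KSK_ALGO`/`ZSK_ALGO` defines, which would read better as plain comments stating the rename (`/* KSK_ALGO and ZSK_ALGO were replaced by KEY_ALGO / ADDITIONAL_KEY_ALGO in v0.99 */`). `# define ADDITIONAL_KEY_ALGO 0` appears to use 0 as "no second algorithm" (the zconf.c print path skips algorithm 0), so a trailing comment naming that sentinel would keep the next reader from treating it as a real algorithm id.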
@@ -126,27 +133,29 @@ typedef struct zconf {
 int printtime;
 int printage;
 int ljust;
- int sigvalidity; /* should be less than expire time */
- int max_ttl; /* should be set to the maximum used ttl in the zone */
- int key_ttl;
- int proptime; /* expected time offset for zone propagation */
+ long sigvalidity; /* should be less than expire time */
+ long max_ttl; /* should be set to the maximum used ttl in the zone */
+ long key_ttl;
+ long proptime; /* expected time offset for zone propagation */
 #if defined (DEF_TTL)
- int def_ttl; /* default ttl set in soa record */
+ long def_ttl; /* default ttl set in soa record */
 #endif
 serial_form_t serialform; /* format of serial no */
- int resign; /* resign interval */
+ long resign; /* resign interval */
- int k_life;
 int k_algo;
+ int k2_algo;
+ long k_life;
 int k_bits;
 char *k_random;
- int z_life;
- int z_algo;
+ long z_life;
+ /* int z_algo; no longer used; renamed to k2_algo (v0.99) */
 int z_bits;
 char *z_random;
 int saltbits;
 char *view;
+ int noexec;
 // char *errlog;
 char *logfile;
 char *loglevel;
@@ -163,6 +172,7 @@ typedef struct zconf {
 int sig_gends;
 char *sig_param;
 char *dist_cmd; /* cmd to run instead of "rndc reload" */
+ char *chroot_dir; /* chroot directory of named */
 } zconf_t;
 extern zconf_t *loadconfig (const char *filename, zconf_t *z);
|