From 7ec93ff9e4d979e4bbcf33f9c90c94dc9d3cdba9 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Sun, 13 Nov 2011 16:16:05 +1100
Subject: add new RADIUS client library

---
 lib/radius/LICENSE                    |   24 +
 lib/radius/Makefile                   |   68 ++
 lib/radius/attrs.c                    | 1411 ++++++++++++++++++++++++++++++
 lib/radius/client.h                   | 1408 ++++++++++++++++++++++++++++++
 lib/radius/common.pl                  |  220 +++++
 lib/radius/convert.pl                 |  182 ++++
 lib/radius/crypto.c                   |  233 +++++
 lib/radius/custom.c                   |   87 ++
 lib/radius/dict.c                     |  172 ++++
 lib/radius/dictionaries.c             | 1515 +++++++++++++++++++++++++++++++++
 lib/radius/doc.txt                    |   41 +
 lib/radius/doxygen.conf               | 1417 ++++++++++++++++++++++++++++++
 lib/radius/examples/Makefile          |   54 ++
 lib/radius/examples/example_1.c       |   86 ++
 lib/radius/examples/example_2.c       |   86 ++
 lib/radius/examples/example_3.c       |  123 +++
 lib/radius/examples/example_4.c       |   94 ++
 lib/radius/examples/nr_vp_create.c    |   61 ++
 lib/radius/header.pl                  |   68 ++
 lib/radius/id.c                       |  178 ++++
 lib/radius/packet.c                   |  918 ++++++++++++++++++++
 lib/radius/parse.c                    |  142 +++
 lib/radius/print.c                    |  265 ++++++
 lib/radius/radius.h                   |  314 +++++++
 lib/radius/share/dictionary.microsoft |   17 +
 lib/radius/share/dictionary.txt       |  136 +++
 lib/radius/share/dictionary.vendor    |   10 +
 lib/radius/static.c                   |   37 +
 lib/radius/tests/Makefile             |   25 +
 lib/radius/tests/radattr.c            |  769 +++++++++++++++++
 lib/radius/tests/rfc.txt              |  144 ++++
 lib/radius/valuepair.c                |  199 +++++
 32 files changed, 10504 insertions(+)
 create mode 100644 lib/radius/LICENSE
 create mode 100644 lib/radius/Makefile
 create mode 100644 lib/radius/attrs.c
 create mode 100644 lib/radius/client.h
 create mode 100644 lib/radius/common.pl
 create mode 100755 lib/radius/convert.pl
 create mode 100644 lib/radius/crypto.c
 create mode 100644 lib/radius/custom.c
 create mode 100644 lib/radius/dict.c
 create mode 100644 lib/radius/dictionaries.c
 create mode 100644 lib/radius/doc.txt
 create mode 100644 lib/radius/doxygen.conf
 create mode 100644 lib/radius/examples/Makefile
 create mode 100644 lib/radius/examples/example_1.c
 create mode 100644 lib/radius/examples/example_2.c
 create mode 100644 lib/radius/examples/example_3.c
 create mode 100644 lib/radius/examples/example_4.c
 create mode 100644 lib/radius/examples/nr_vp_create.c
 create mode 100755 lib/radius/header.pl
 create mode 100644 lib/radius/id.c
 create mode 100644 lib/radius/packet.c
 create mode 100644 lib/radius/parse.c
 create mode 100644 lib/radius/print.c
 create mode 100644 lib/radius/radius.h
 create mode 100644 lib/radius/share/dictionary.microsoft
 create mode 100644 lib/radius/share/dictionary.txt
 create mode 100644 lib/radius/share/dictionary.vendor
 create mode 100644 lib/radius/static.c
 create mode 100644 lib/radius/tests/Makefile
 create mode 100644 lib/radius/tests/radattr.c
 create mode 100644 lib/radius/tests/rfc.txt
 create mode 100644 lib/radius/valuepair.c

(limited to 'lib/radius')

diff --git a/lib/radius/LICENSE b/lib/radius/LICENSE
new file mode 100644
index 0000000..01dbe92
--- /dev/null
+++ b/lib/radius/LICENSE
@@ -0,0 +1,24 @@
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/lib/radius/Makefile b/lib/radius/Makefile
new file mode 100644
index 0000000..63eff89
--- /dev/null
+++ b/lib/radius/Makefile
@@ -0,0 +1,68 @@
+#
+#  GNU Makefile
+#
+.PHONY: all clean install
+all: libnetworkradius-client.a
+
+SRCS		:= dict.c attrs.c packet.c valuepair.c static.c id.c \
+		   crypto.c custom.c print.c parse.c
+
+OBJS		:= ${SRCS:.c=.o}
+
+HEADERS		:= client.h radius.h
+
+CFLAGS		:= -I. -g -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
+
+VERSION := 1.0
+NAME := networkradius-client-$(VERSION)
+
+
+#
+#  The DICTIONARIES variable can be used to point to the FreeRADIUS
+#  dictionaries.
+#
+ifeq "${DICTIONARIES}" ""
+DICTIONARIES	:= $(filter-out %~,$(wildcard share/dictionary*))
+endif
+
+${OBJS}: ${HEADERS}
+
+radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl
+	./convert.pl ${DICTIONARIES}
+
+static.o: static.c dictionaries.c
+
+%.o : %.c
+	$(CC) $(CFLAGS) -c $<
+
+%.o: ${HEADERS}
+
+.PHONY: networkradius-devel
+networkradius-devel:
+	@[ -e $@ ] || ln -s . $@
+
+libnetworkradius-client.a: ${OBJS}
+	${AR} ${ARFLAGS} $@ $^
+
+LIBS	:= -lcrypto -lssl
+LDFLAGS = -L. -lnetworkradius-client
+
+.PHONY: html
+html:
+	doxygen doxygen.conf
+
+clean:
+	@rm -rf *.o *.a *~ html
+
+install: libnetworkradius-client.a
+
+.PHONY: publish
+publish:
+	@scp -r html/* networkradius.com@liberty:www.new/site/clientapi/
+
+$(NAME).tar.gz: $(wildcard Makefile *.pl *.txt *.[ch] \
+	examples/*.[ch] doc/*.txt share/dictionary*)
+	git archive --format=tar --prefix=$(NAME)/ bsd | gzip > $@
+
+.PHONY: tar
+tar: $(NAME).tar.gz
diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c
new file mode 100644
index 0000000..4fd2bf4
--- /dev/null
+++ b/lib/radius/attrs.c
@@ -0,0 +1,1411 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file attrs.c
+ *  \brief Attribute encoding and decoding routines.
+ */
+
+#include <networkradius-devel/client.h>
+
+/*
+ *	Encodes the data portion of an attribute.
+ *	Returns -1 on error, or the length of the data portion.
+ */
+static ssize_t vp2data_any(const RADIUS_PACKET *packet,
+			   const RADIUS_PACKET *original,
+			   int nest,
+			   const VALUE_PAIR **pvp,
+			   uint8_t *start, size_t room)
+{
+	uint32_t lvalue;
+	ssize_t len;
+	const uint8_t *data;
+	uint8_t *ptr = start;
+	uint8_t	array[4];
+	const VALUE_PAIR *vp = *pvp;
+
+#ifdef NR_TYPE_TLV
+	/*
+	 *	See if we need to encode a TLV.  The low portion of
+	 *	the attribute has already been placed into the packer.
+	 *	If there are still attribute bytes left, then go
+	 *	encode them as TLVs.
+	 *
+	 *	If we cared about the stack, we could unroll the loop.
+	 */
+	if ((nest > 0) && (nest <= nr_attr_max_tlv) &&
+	    ((vp->da->attr >> nr_attr_shift[nest]) != 0)) {
+		return vp2data_tlvs(packet, original, nest, pvp,
+				    start, room);
+	}
+#else
+	nest = nest;		/* -Wunused */
+#endif
+
+	/*
+	 *	Set up the default sources for the data.
+	 */
+	data = vp->vp_octets;
+	len = vp->length;
+
+	switch(vp->da->type) {
+	case NR_TYPE_IPV6PREFIX:
+		len = sizeof(vp->vp_ipv6prefix);
+		break;
+
+	case NR_TYPE_STRING:
+	case NR_TYPE_OCTETS:
+	case NR_TYPE_IFID:
+	case NR_TYPE_IPV6ADDR:
+#ifdef NR_TYPE_ABINARY
+	case NR_TYPE_ABINARY:
+#endif
+		/* nothing more to do */
+		break;
+
+	case NR_TYPE_BYTE:
+		len = 1;	/* just in case */
+		array[0] = vp->vp_integer & 0xff;
+		data = array;
+		break;
+
+	case NR_TYPE_SHORT:
+		len = 2;	/* just in case */
+		array[0] = (vp->vp_integer >> 8) & 0xff;
+		array[1] = vp->vp_integer & 0xff;
+		data = array;
+		break;
+
+	case NR_TYPE_INTEGER:
+		len = 4;	/* just in case */
+		lvalue = htonl(vp->vp_integer);
+		memcpy(array, &lvalue, sizeof(lvalue));
+		data = array;
+		break;
+
+	case NR_TYPE_IPADDR:
+		data = (const uint8_t *) &vp->vp_ipaddr;
+		len = 4;	/* just in case */
+		break;
+
+		/*
+		 *  There are no tagged date attributes.
+		 */
+	case NR_TYPE_DATE:
+		lvalue = htonl(vp->vp_date);
+		data = (const uint8_t *) &lvalue;
+		len = 4;	/* just in case */
+		break;
+
+#ifdef VENDORPEC_WIMAX
+	case NR_TYPE_SIGNED:
+	{
+		int32_t slvalue;
+
+		len = 4;	/* just in case */
+		slvalue = htonl(vp->vp_signed);
+		memcpy(array, &slvalue, sizeof(slvalue));
+		break;
+	}
+#endif
+
+#ifdef NR_TYPE_TLV
+	case NR_TYPE_TLV:
+		data = vp->vp_tlv;
+		if (!data) {
+			nr_debug_error("ERROR: Cannot encode NULL TLV");
+			return -NR_ERR_INVALID_ARG;
+		}
+		len = vp->length;
+		break;
+#endif
+
+	default:		/* unknown type: ignore it */
+		nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type);
+		return -NR_ERR_ATTR_TYPE_UNKNOWN;
+	}
+
+	/*
+	 *	Bound the data to the calling size
+	 */
+	if (len > (ssize_t) room) len = room;
+
+#ifndef FLAG_ENCRYPT_TUNNEL_PASSWORD
+	original = original;	/* -Wunused */
+#endif
+
+	/*
+	 *	Encrypt the various password styles
+	 *
+	 *	Attributes with encrypted values MUST be less than
+	 *	128 bytes long.
+	 */
+	switch (vp->da->flags.encrypt) {
+	case FLAG_ENCRYPT_USER_PASSWORD:
+		len = nr_password_encrypt(ptr, room, data, len,
+					  packet->secret, packet->vector);
+		break;
+
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+	case FLAG_ENCRYPT_TUNNEL_PASSWORD:
+		lvalue = 0;
+		if (vp->da->flags.has_tag) lvalue = 1;
+
+		/*
+		 *	Check if there's enough room.  If there isn't,
+		 *	we discard the attribute.
+		 *
+		 *	This is ONLY a problem if we have multiple VSA's
+		 *	in one Vendor-Specific, though.
+		 */
+		if (room < (18 + lvalue)) {
+			*pvp = vp->next;
+			return 0;
+		}
+
+        	switch (packet->code) {
+	        case PW_ACCESS_ACCEPT:
+        	case PW_ACCESS_REJECT:
+        	case PW_ACCESS_CHALLENGE:
+        	default:
+			if (!original) {
+				nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name);
+				return -NR_ERR_REQUEST_REQUIRED;
+			}
+
+			if (lvalue) ptr[0] = vp->tag;
+			len = nr_tunnelpw_encrypt(ptr + lvalue,
+						  room - lvalue, data, len,
+						  packet->secret,
+						  original->vector);
+			if (len < 0) return len;
+                	break;
+	        case PW_ACCOUNTING_REQUEST:
+        	case PW_DISCONNECT_REQUEST:
+	        case PW_COA_REQUEST:
+			ptr[0] = vp->tag;
+			len = nr_tunnelpw_encrypt(ptr + 1, room, data, len - 1,
+						  packet->secret,
+						  packet->vector);
+			if (len < 0) return len;
+	                break;
+        	}
+		break;
+#endif
+
+		/*
+		 *	The code above ensures that this attribute
+		 *	always fits.
+		 */
+#ifdef FLAG_ENCRYPT_ASCEND_SECRET
+	case FLAG_ENCRYPT_ASCEND_SECRET:
+		make_secret(ptr, packet->vector, packet->secret, data);
+		len = AUTH_VECTOR_LEN;
+		break;
+#endif
+
+	default:
+		if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) {
+			if (vp->da->type == NR_TYPE_STRING) {
+				if (len > ((ssize_t) (room - 1))) len = room - 1;
+				ptr[0] = vp->tag;
+				ptr++;
+			} else if (vp->da->type == NR_TYPE_INTEGER) {
+				array[0] = vp->tag;
+			} /* else it can't be any other type */
+		}
+		memcpy(ptr, data, len);
+		break;
+	} /* switch over encryption flags */
+
+	*(pvp) = vp->next;
+	return len + (ptr - start);;
+}
+
+
+/*
+ *	Encode an RFC format TLV.  This could be a standard attribute,
+ *	or a TLV data type.  If it's a standard attribute, then
+ *	vp->da->attr == attribute.  Otherwise, attribute may be
+ *	something else.
+ */
+static ssize_t vp2attr_rfc(const RADIUS_PACKET *packet,
+			   const RADIUS_PACKET *original,
+			   const VALUE_PAIR **pvp,
+			   unsigned int attribute, uint8_t *ptr, size_t room)
+{
+	ssize_t len;
+
+	if (room < 2) {
+		*pvp = (*pvp)->next;
+		return 0;
+	}
+
+	ptr[0] = attribute & 0xff;
+	ptr[1] = 2;
+
+	if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1];
+
+	len = vp2data_any(packet, original, 0, pvp, ptr + ptr[1], room);
+	if (len < 0) return len;
+
+	ptr[1] += len;
+
+	return ptr[1];
+}
+
+
+#ifndef WITHOUT_VSAS
+/*
+ *	Encode a VSA which is a TLV.  If it's in the RFC format, call
+ *	vp2attr_rfc.  Otherwise, encode it here.
+ */
+static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet,
+			   const RADIUS_PACKET *original,
+			   const VALUE_PAIR **pvp,
+			   unsigned int attribute, unsigned int vendor,
+			   uint8_t *ptr, size_t room)
+{
+	ssize_t len;
+	const DICT_VENDOR *dv;
+
+	/*
+	 *	Unknown vendor: RFC format.
+	 *	Known vendor and RFC format: go do that.
+	 */
+	dv = nr_dict_vendor_byvalue(vendor);
+	if (!dv ||
+	    (
+#ifdef NR_TYPE_TLV
+		    !(*pvp)->flags.is_tlv &&
+#endif
+		    (dv->type == 1) && (dv->length == 1))) {
+		return vp2attr_rfc(packet, original, pvp,
+				   attribute, ptr, room);
+	}
+
+#ifdef NR_TYPE_TLV
+	if ((*pvp)->flags.is_tlv) {
+		return data2vp_tlvs(packet, original, 0, pvp,
+				    ptr, room);
+	}
+#endif
+
+	switch (dv->type) {
+	default:
+		nr_debug_error("vp2attr_vsa: Internal sanity check failed,"
+				   " type %u", (unsigned) dv->type);
+		return -NR_ERR_INTERNAL_FAILURE;
+
+	case 4:
+		ptr[0] = 0;	/* attr must be 24-bit */
+		ptr[1] = (attribute >> 16) & 0xff;
+		ptr[2] = (attribute >> 8) & 0xff;
+		ptr[3] = attribute & 0xff;
+		break;
+
+	case 2:
+		ptr[0] = (attribute >> 8) & 0xff;
+		ptr[1] = attribute & 0xff;
+		break;
+
+	case 1:
+		ptr[0] = attribute & 0xff;
+		break;
+	}
+
+	switch (dv->length) {
+	default:
+		nr_debug_error("vp2attr_vsa: Internal sanity check failed,"
+				   " length %u", (unsigned) dv->length);
+		return -NR_ERR_INTERNAL_FAILURE;
+
+	case 0:
+		break;
+
+	case 2:
+		ptr[dv->type] = 0;
+		/* FALL-THROUGH */
+
+	case 1:
+		ptr[dv->type + dv->length - 1] = dv->type + dv->length;
+		break;
+
+	}
+
+	if (room > ((unsigned) 255 - (dv->type + dv->length))) {
+		room = 255 - (dv->type + dv->length);
+	}
+
+	len = vp2data_any(packet, original, 0, pvp,
+			  ptr + dv->type + dv->length, room);
+	if (len < 0) return len;
+
+	if (dv->length) ptr[dv->type + dv->length - 1] += len;
+
+	return dv->type + dv->length + len;
+}
+
+
+/*
+ *	Encode a Vendor-Specific attribute.
+ */
+ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+	      const VALUE_PAIR **pvp, uint8_t *ptr,
+	      size_t room)
+{
+	ssize_t len;
+	uint32_t lvalue;
+	const VALUE_PAIR *vp = *pvp;
+
+#ifdef VENDORPEC_WIMAX
+	/*
+	 *	Double-check for WiMAX
+	 */
+	if (vp->da->vendor == VENDORPEC_WIMAX) {
+		return nr_vp2wimax(packet, original,  pvp,
+				    ptr, room);
+	}
+#endif
+
+	if (vp->da->vendor > NR_MAX_VENDOR) {
+		nr_debug_error("nr_vp2vsa: Invalid arguments");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	/*
+	 *	Not enough room for:
+	 *		attr, len, vendor-id
+	 */
+	if (room < 6) {
+		*pvp = vp->next;
+		return 0;
+	}
+
+	/*
+	 *	Build the Vendor-Specific header
+	 */
+	ptr[0] = PW_VENDOR_SPECIFIC;
+	ptr[1] = 6;
+	lvalue = htonl(vp->da->vendor);
+	memcpy(ptr + 2, &lvalue, 4);
+
+	if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1];
+
+	len = vp2attr_vsa(packet, original, pvp,
+			  vp->da->attr, vp->da->vendor,
+			  ptr + ptr[1], room);
+	if (len < 0) return len;
+
+	ptr[1] += len;
+
+	return ptr[1];
+}
+#endif
+
+
+/*
+ *	Encode an RFC standard attribute 1..255
+ */
+ssize_t nr_vp2rfc(const RADIUS_PACKET *packet,
+	       const RADIUS_PACKET *original,
+	       const VALUE_PAIR **pvp,
+	       uint8_t *ptr, size_t room)
+{
+	const VALUE_PAIR *vp = *pvp;
+
+	if (vp->da->vendor != 0) {
+		nr_debug_error("nr_vp2rfc called with VSA");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if ((vp->da->attr == 0) || (vp->da->attr > 255)) {
+		nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr);
+		return -NR_ERR_INVALID_ARG;
+	}
+
+#ifdef PW_CHARGEABLE_USER_IDENTITY
+	if ((vp->length == 0) &&
+	    (vp->da != NR_DA_CHARGEABLE_USER_IDENTITY)) {
+		*pvp = vp->next;
+		return 0;
+	}
+#endif
+
+	return vp2attr_rfc(packet, original, pvp, vp->da->attr,
+			   ptr, room);
+}
+
+#ifdef PW_CHAP_PASSWORD
+/*
+ *	Encode an RFC standard attribute 1..255
+ */
+static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const VALUE_PAIR **pvp,
+			uint8_t *ptr, size_t room)
+{
+	ssize_t rcode;
+	const VALUE_PAIR *vp = *pvp;
+	NR_MD5_CTX	ctx;
+	uint8_t		buffer[MAX_STRING_LEN*2 + 1], *p;
+	VALUE_PAIR chap = {
+		NR_DA_CHAP_PASSWORD,
+		17,
+		0,
+		NULL,
+		{
+			.octets = {
+				0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+			},
+		},
+	};
+
+	if ((vp->da->vendor != 0) || (vp->da != NR_DA_CHAP_PASSWORD)) {
+		nr_debug_error("nr_chap2rfc called with non-CHAP");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	p = buffer;
+	*(p++) = nr_rand() & 0xff; /* id */
+
+	memcpy(p, vp->vp_strvalue, strlen(vp->vp_strvalue));
+	p += strlen(vp->vp_strvalue);
+
+	vp = nr_vps_find(packet->vps, PW_CHAP_CHALLENGE, 0);
+	if (vp) {
+		memcpy(p, vp->vp_octets, vp->length);
+		p += vp->length;
+	} else {
+		memcpy(p, packet->vector, sizeof(packet->vector));
+		p += sizeof(packet->vector);
+	}
+
+	nr_MD5Init(&ctx);
+	nr_MD5Update(&ctx, buffer, p - buffer);
+	nr_MD5Final(&chap.vp_octets[1], &ctx);
+
+	chap.vp_octets[0] = buffer[0];
+	vp = &chap;
+
+	rcode = vp2attr_rfc(packet, original, &vp, chap.da->attr,
+			    ptr, room);
+	if (rcode < 0) return rcode;
+
+	*pvp = (*pvp)->next;
+	return rcode;
+}
+#endif	/* PW_CHAP_PASSWORD */
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+/** Fake Message-Authenticator.
+ *
+ *  This structure is used to replace a Message-Authenticator in the
+ *  input list of VALUE_PAIRs when encoding a packet.  If the caller
+ *  asks us to encode a Message-Authenticator, we ignore the one given
+ *  to us by the caller (which may have the wrong length, etc.), and
+ *  instead use this one, which has the correct length and data.
+ */
+static const VALUE_PAIR fake_ma = {
+	NR_DA_MESSAGE_AUTHENTICATOR,
+	16,
+	0,
+	NULL,
+	{
+		.octets = {
+			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+		},
+	}
+};
+#endif	/* PW_MESSAGE_AUTHENTICATOR */
+
+/*
+ *	Parse a data structure into a RADIUS attribute.
+ */
+ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+		const VALUE_PAIR **pvp, uint8_t *start,
+		size_t room)
+{
+	const VALUE_PAIR *vp = *pvp;
+
+	/*
+	 *	RFC format attributes take the fast path.
+	 */
+	if (vp->da->vendor != 0) {
+#ifdef VENDORPEC_EXTENDED
+		if (vp->da->vendor > NR_MAX_VENDOR) {
+			return nr_vp2attr_extended(packet, original,
+						   pvp, start, room);
+						    
+		}
+#endif
+		
+#ifdef VENDORPEC_WIMAX
+		if (vp->da->vendor == VENDORPEC_WIMAX) {
+			return nr_vp2attr_wimax(packet, original,
+						 pvp, start, room);
+		}
+#endif
+		
+#ifndef WITHOUT_VSAS
+		return nr_vp2vsa(packet, original, pvp, start, room);
+#else
+		nr_debug_error("VSAs are not supported");
+		return -NR_ERR_UNSUPPORTED;
+#endif
+	}
+
+	/*
+	 *	Ignore non-protocol attributes.
+	 */
+	if (vp->da->attr > 255) {
+		*pvp = vp->next;
+		return 0;
+	}
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	/*
+	 *	The caller wants a Message-Authenticator, but doesn't
+	 *	know how to calculate it, or what the correct values
+	 *	are.  So... create one for him.
+	 */
+	if (vp->da == NR_DA_MESSAGE_AUTHENTICATOR) {
+		ssize_t rcode;
+
+		vp = &fake_ma;
+		rcode = nr_vp2rfc(packet, original, &vp, start, room);
+		if (rcode <= 0) return rcode;
+		*pvp = (*pvp)->next;
+		return rcode;
+	}
+#endif
+
+#ifdef PW_CHAP_PASSWORD
+	/*
+	 *	The caller wants a CHAP-Password, but doesn't know how
+	 *	to calculate it, or what the correct values are.  To
+	 *	help, we calculate it for him.
+	 */
+	if (vp->da == NR_DA_CHAP_PASSWORD) {
+		int encoded = 0;
+
+		/*
+		 *	CHAP is ID + MD5(...).  If it's length is NOT
+		 *	17, then the caller has passed us a password,
+		 *	and wants us to encode it.  If the length IS
+		 *	17, then we need to double-check if the caller
+		 *	has already encoded it.
+		 */
+		if (vp->length == 17) {
+			int i;
+
+			/*
+			 *	ASCII and UTF-8 disallow values 0..31.
+			 *	If they appear, then the CHAP-Password
+			 *	has already been encoded by the
+			 *	caller.  The probability of a
+			 *	CHAP-Password being all 32..256 is
+			 *	(1-32/256)^17 =~ .10
+			 *
+			 *	This check isn't perfect, but it
+			 *	should be pretty rare for people to
+			 *	have 17-character passwords *and* have
+			 *	them all 32..256.
+			 */
+			for (i = 0; i < 17; i++) {
+				if (vp->vp_octets[i] < 32) {
+					encoded = 1;
+					break;
+				}
+			}
+		}
+
+		if (!encoded) {
+			return nr_chap2rfc(packet, original, pvp, start, room);
+		}
+	}
+#endif
+
+	return nr_vp2rfc(packet, original, pvp,
+			  start, room);
+}
+
+
+/*
+ *	Ignore unknown attributes, but "decoding" them into nothing.
+ */
+static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet,
+			   UNUSED const RADIUS_PACKET *original,
+			   unsigned int attribute,
+			   unsigned int vendor,
+			   const uint8_t *data, size_t length,
+			   VALUE_PAIR **pvp)
+{
+	VALUE_PAIR *vp;
+
+	if (length > sizeof(vp->vp_octets)) return -NR_ERR_ATTR_OVERFLOW;
+
+	vp = nr_vp_alloc_raw(attribute, vendor);
+	if (!vp) return -NR_ERR_NO_MEM;
+	
+	memcpy(vp->vp_octets, data, length);
+	vp->length = length;
+
+	*pvp = vp;
+	return length;
+}
+
+ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet,
+		       const RADIUS_PACKET *original,
+		       const uint8_t *data, size_t length,
+		       VALUE_PAIR **pvp)
+{
+
+	if (length < 2) return -NR_ERR_PACKET_TOO_SMALL;
+	if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL;
+	if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW;
+
+	return data2vp_raw(packet, original, data[0], 0,
+			   data + 2, data[1] - 2, pvp);
+}
+
+/*
+ *	Create any kind of VP from the attribute contents.
+ *
+ *	Will return -1 on error, or "length".
+ */
+static ssize_t data2vp_any(const RADIUS_PACKET *packet,
+			   const RADIUS_PACKET *original,
+			   int nest,
+			   unsigned int attribute, unsigned int vendor,
+			   const uint8_t *data, size_t length,
+			   VALUE_PAIR **pvp)
+{
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+	ssize_t rcode;
+#endif
+	int data_offset = 0;
+	const DICT_ATTR *da;
+	VALUE_PAIR *vp = NULL;
+
+	if (length == 0) {
+		/*
+		 *	Hacks for CUI.  The WiMAX spec says that it
+		 *	can be zero length, even though this is
+		 *	forbidden by the RADIUS specs.  So... we make
+		 *	a special case for it.
+		 */
+		if ((vendor == 0) &&
+		    (attribute == PW_CHARGEABLE_USER_IDENTITY)) {
+			data = (const uint8_t *) "";
+			length = 1;
+		} else {
+			*pvp = NULL;
+			return 0;
+		}
+	}
+
+	da = nr_dict_attr_byvalue(attribute, vendor);
+
+	/*
+	 *	Unknown attribute.  Create it as a "raw" attribute.
+	 */
+	if (!da) {
+	raw:
+		if (vp) nr_vp_free(&vp);
+		return data2vp_raw(packet, original,
+				   attribute, vendor, data, length, pvp);
+	}
+
+#ifdef NR_TYPE_TLV
+	/*
+	 *	TLVs are handled first.  They can't be tagged, and
+	 *	they can't be encrypted.
+	 */
+	if (da->da->type == NR_TYPE_TLV) {
+		return data2vp_tlvs(packet, original,
+				    attribute, vendor, nest,
+				    data, length, pvp);
+	}
+#else
+	nest = nest;		/* -Wunused */
+#endif
+
+	/*
+	 *	The attribute is known, and well formed.  We can now
+	 *	create it.  The main failure from here on in is being
+	 *	out of memory.
+	 */
+	vp = nr_vp_alloc(da);
+	if (!vp) return -NR_ERR_NO_MEM;
+
+	/*
+	 *	Handle tags.
+	 */
+	if (vp->da->flags.has_tag) {
+		if (TAG_VALID(data[0])
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+		    || (vp->da->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD)
+#endif
+			) {
+			/*
+			 *	Tunnel passwords REQUIRE a tag, even
+			 *	if don't have a valid tag.
+			 */
+			vp->tag = data[0];
+
+			if ((vp->da->type == NR_TYPE_STRING) ||
+			    (vp->da->type == NR_TYPE_OCTETS)) {
+				if (length == 0) goto raw;
+				data_offset = 1;
+			}
+		}
+	}
+
+	/*
+	 *	Copy the data to be decrypted
+	 */
+	vp->length = length - data_offset;
+	memcpy(&vp->vp_octets[0], data + data_offset, vp->length);
+
+	/*
+	 *	Decrypt the attribute.
+	 */
+	switch (vp->da->flags.encrypt) {
+		/*
+		 *  User-Password
+		 */
+	case FLAG_ENCRYPT_USER_PASSWORD:
+		if (original) {
+			rcode = nr_password_encrypt(vp->vp_octets,
+						    sizeof(vp->vp_strvalue),
+						    data + data_offset, vp->length,
+						    packet->secret,
+						    original->vector);
+		} else {
+			rcode = nr_password_encrypt(vp->vp_octets,
+						    sizeof(vp->vp_strvalue),
+						    data + data_offset, vp->length,
+						    packet->secret,
+						    packet->vector);
+		}
+		if (rcode < 0) goto raw;
+		vp->vp_strvalue[128] = '\0';
+		vp->length = strlen(vp->vp_strvalue);
+		break;
+
+		/*
+		 *	Tunnel-Password's may go ONLY
+		 *	in response packets.
+		 */
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+	case FLAG_ENCRYPT_TUNNEL_PASSWORD:
+		if (!original) goto raw;
+
+		rcode = nr_tunnelpw_decrypt(vp->vp_octets,
+					    sizeof(vp->vp_octets),
+					    data + data_offset, vp->length,
+					    packet->secret, original->vector);
+		if (rcode < 0) goto raw;
+		vp->length = rcode;
+		break;
+#endif
+
+
+#ifdef FLAG_ENCRYPT_ASCEND_SECRET:
+		/*
+		 *  Ascend-Send-Secret
+		 *  Ascend-Receive-Secret
+		 */
+	case FLAG_ENCRYPT_ASCEND_SECRET:
+		if (!original) {
+			goto raw;
+		} else {
+			uint8_t my_digest[AUTH_VECTOR_LEN];
+			make_secret(my_digest,
+				    original->vector,
+				    packet->secret, data);
+			memcpy(vp->vp_strvalue, my_digest,
+			       AUTH_VECTOR_LEN );
+			vp->vp_strvalue[AUTH_VECTOR_LEN] = '\0';
+			vp->length = strlen(vp->vp_strvalue);
+		}
+		break;
+#endif
+
+	default:
+		break;
+	} /* switch over encryption flags */
+
+	/*
+	 *	Expected a certain length, but got something else.
+	 */
+	if ((vp->da->flags.length != 0) &&
+	    (vp->length != vp->da->flags.length)) {
+		goto raw;
+	}
+
+	switch (vp->da->type) {
+	case NR_TYPE_STRING:
+	case NR_TYPE_OCTETS:
+#ifdef NR_TYPE_ABINARY
+	case NR_TYPE_ABINARY:
+#endif
+		/* nothing more to do */
+		break;
+
+	case NR_TYPE_BYTE:
+		vp->vp_integer = vp->vp_octets[0];
+		break;
+
+
+	case NR_TYPE_SHORT:
+		vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1];
+		break;
+
+	case NR_TYPE_INTEGER:
+		memcpy(&vp->vp_integer, vp->vp_octets, 4);
+		vp->vp_integer = ntohl(vp->vp_integer);
+
+		if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff;
+		break;
+
+	case NR_TYPE_DATE:
+		memcpy(&vp->vp_date, vp->vp_octets, 4);
+		vp->vp_date = ntohl(vp->vp_date);
+		break;
+
+
+	case NR_TYPE_IPADDR:
+		memcpy(&vp->vp_ipaddr, vp->vp_octets, 4);
+		break;
+
+		/*
+		 *	IPv6 interface ID is 8 octets long.
+		 */
+	case NR_TYPE_IFID:
+		/* vp->vp_ifid == vp->vp_octets */
+		break;
+
+		/*
+		 *	IPv6 addresses are 16 octets long
+		 */
+	case NR_TYPE_IPV6ADDR:
+		/* vp->vp_ipv6addr == vp->vp_octets */
+		break;
+
+		/*
+		 *	IPv6 prefixes are 2 to 18 octets long.
+		 *
+		 *	RFC 3162: The first octet is unused.
+		 *	The second is the length of the prefix
+		 *	the rest are the prefix data.
+		 *
+		 *	The prefix length can have value 0 to 128.
+		 */
+	case NR_TYPE_IPV6PREFIX:
+		if (vp->length < 2 || vp->length > 18) goto raw;
+		if (vp->vp_octets[1] > 128) goto raw;
+
+		/*
+		 *	FIXME: double-check that
+		 *	(vp->vp_octets[1] >> 3) matches vp->length + 2
+		 */
+		if (vp->length < 18) {
+			memset(vp->vp_octets + vp->length, 0,
+			       18 - vp->length);
+		}
+		break;
+
+#ifdef VENDORPEC_WIMAX
+	case NR_TYPE_SIGNED:
+		if (vp->length != 4) goto raw;
+
+		/*
+		 *	Overload vp_integer for ntohl, which takes
+		 *	uint32_t, not int32_t
+		 */
+		memcpy(&vp->vp_integer, vp->vp_octets, 4);
+		vp->vp_integer = ntohl(vp->vp_integer);
+		memcpy(&vp->vp_signed, &vp->vp_integer, 4);
+		break;
+#endif
+
+#ifdef NR_TYPE_TLV
+	case NR_TYPE_TLV:
+		nr_vp_free(&vp);
+		nr_debug_error("data2vp_any: Internal sanity check failed");
+		return -NR_ERR_ATTR_TYPE_UNKNOWN;
+#endif
+
+#ifdef VENDORPEC_WIMAX
+	case NR_TYPE_COMBO_IP:
+		if (vp->length == 4) {
+			vp->da->type = NR_TYPE_IPADDR;
+			memcpy(&vp->vp_ipaddr, vp->vp_octets, 4);
+			break;
+
+		} else if (vp->length == 16) {
+			vp->da->type = NR_TYPE_IPV6ADDR;
+			/* vp->vp_ipv6addr == vp->vp_octets */
+			break;
+
+		}
+		/* FALL-THROUGH */
+#endif
+
+	default:
+		goto raw;
+	}
+
+	*pvp = vp;
+
+	return length;
+}
+
+
+/*
+ *	Create a "standard" RFC VALUE_PAIR from the given data.
+ */
+ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const uint8_t *data, size_t length,
+			VALUE_PAIR **pvp)
+{
+	ssize_t rcode;
+
+	if (length < 2) return -NR_ERR_PACKET_TOO_SMALL;
+	if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL;
+	if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW;
+	
+	rcode = data2vp_any(packet, original, 0,
+			    data[0], 0, data + 2, data[1] - 2, pvp);
+	if (rcode < 0) return rcode;
+
+	return data[1];
+}	
+
+#ifndef WITHOUT_VSAS
+/*
+ *	Check if a set of RADIUS formatted TLVs are OK.
+ */
+int nr_tlv_ok(const uint8_t *data, size_t length,
+	       size_t dv_type, size_t dv_length)
+{
+	const uint8_t *end = data + length;
+
+	if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) {
+		nr_debug_error("nr_tlv_ok: Invalid arguments");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	while (data < end) {
+		size_t attrlen;
+
+		if ((data + dv_type + dv_length) > end) {
+			nr_debug_error("Attribute header overflow");
+			return -NR_ERR_ATTR_TOO_SMALL;
+		}
+
+		switch (dv_type) {
+		case 4:
+			if ((data[0] == 0) && (data[1] == 0) &&
+			    (data[2] == 0) && (data[3] == 0)) {
+			zero:
+				nr_debug_error("Invalid attribute 0");
+				return -NR_ERR_ATTR_INVALID;
+			}
+
+			if (data[0] != 0) {
+				nr_debug_error("Invalid attribute > 2^24");
+				return -NR_ERR_ATTR_INVALID;
+			}
+			break;
+
+		case 2:
+			if ((data[1] == 0) && (data[1] == 0)) goto zero;
+			break;
+
+		case 1:
+			if (data[0] == 0) goto zero;
+			break;
+
+		default:
+			nr_debug_error("Internal sanity check failed");
+			return -NR_ERR_INTERNAL_FAILURE;
+		}
+
+		switch (dv_length) {
+		case 0:
+			return 0;
+
+		case 2:
+			if (data[dv_type + 1] != 0) {
+				nr_debug_error("Attribute is longer than 256 octets");
+				return -NR_ERR_ATTR_TOO_LARGE;
+			}
+			/* FALL-THROUGH */
+		case 1:
+			attrlen = data[dv_type + dv_length - 1];
+			break;
+
+
+		default:
+			nr_debug_error("Internal sanity check failed");
+			return -NR_ERR_INTERNAL_FAILURE;
+		}
+
+		if (attrlen < (dv_type + dv_length)) {
+			nr_debug_error("Attribute header has invalid length");
+			return -NR_ERR_PACKET_TOO_SMALL;
+		}
+
+		if (attrlen > length) {
+			nr_debug_error("Attribute overflows container");
+			return -NR_ERR_ATTR_OVERFLOW;
+		}
+
+		data += attrlen;
+		length -= attrlen;
+	}
+
+	return 0;
+}
+
+
+/*
+ *	Convert a top-level VSA to a VP.
+ */
+static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet,
+			   const RADIUS_PACKET *original,
+			   unsigned int vendor,
+			   size_t dv_type, size_t dv_length,
+			   const uint8_t *data, size_t length,
+			   VALUE_PAIR **pvp)
+{
+	unsigned int attribute;
+	ssize_t attrlen, my_len;
+
+#ifndef NDEBUG
+	if (length <= (dv_type + dv_length)) {
+		nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok");
+		return -NR_ERR_PACKET_TOO_SMALL;
+	}
+#endif	
+
+	switch (dv_type) {
+	case 4:
+		/* data[0] must be zero */
+		attribute = data[1] << 16;
+		attribute |= data[2] << 8;
+		attribute |= data[3];
+		break;
+
+	case 2:
+		attribute = data[0] << 8;
+		attribute |= data[1];
+		break;
+
+	case 1:
+		attribute = data[0];
+		break;
+
+	default:
+		nr_debug_error("attr2vp_vsa: Internal sanity check failed");
+		return -NR_ERR_INTERNAL_FAILURE;
+	}
+
+	switch (dv_length) {
+	case 2:
+		/* data[dv_type] must be zero */
+		attrlen = data[dv_type + 1];
+		break;
+
+	case 1:
+		attrlen = data[dv_type];
+		break;
+
+	case 0:
+		attrlen = length;
+		break;
+
+	default:
+		nr_debug_error("attr2vp_vsa: Internal sanity check failed");
+		return -NR_ERR_INTERNAL_FAILURE;
+	}
+
+#ifndef NDEBUG
+	if (attrlen <= (ssize_t) (dv_type + dv_length)) {
+		nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok");
+		return -NR_ERR_PACKET_TOO_SMALL;
+	}
+#endif
+
+	attrlen -= (dv_type + dv_length);
+	
+	my_len = data2vp_any(packet, original, 0,
+			     attribute, vendor,
+			     data + dv_type + dv_length, attrlen, pvp);
+	if (my_len < 0) return my_len;
+
+#ifndef NDEBUG
+	if (my_len != attrlen) {
+		nr_vp_free(pvp);
+		nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d",
+				   (int) my_len, (int) attrlen);
+		return -NR_ERR_INTERNAL_FAILURE;
+	}
+#endif
+
+	return dv_type + dv_length + attrlen;
+}
+
+
+/*
+ *	Create Vendor-Specifc VALUE_PAIRs from a RADIUS attribute.
+ */
+ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const uint8_t *data, size_t length,
+			VALUE_PAIR **pvp)
+{
+	size_t dv_type, dv_length;
+	ssize_t my_len;
+	uint32_t lvalue;
+	const DICT_VENDOR *dv;
+
+	if (length < 2) return -NR_ERR_PACKET_TOO_SMALL;
+	if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL;
+	if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW;
+
+	if (data[0] != PW_VENDOR_SPECIFIC) {
+		nr_debug_error("nr_attr2vp_vsa: Invalid attribute");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	/*
+	 *	Not enough room for a Vendor-Id.
+	 *	Or the high octet of the Vendor-Id is set.
+	 */
+	if ((data[1] < 6) || (data[2] != 0)) {
+		return nr_attr2vp_raw(packet, original,
+				       data, length, pvp);
+	}
+
+	memcpy(&lvalue, data + 2, 4);
+	lvalue = ntohl(lvalue);
+
+#ifdef VENDORPEC_WIMAX
+	/*
+	 *	WiMAX gets its own set of magic.
+	 */
+	if (lvalue == VENDORPEC_WIMAX) {
+		return nr_attr2vp_wimax(packet, original,
+					 data, length, pvp);
+	}
+#endif
+
+	dv_type = dv_length = 1;
+	dv = nr_dict_vendor_byvalue(lvalue);
+	if (!dv) {
+		return nr_attr2vp_rfc(packet, original,
+				       data, length, pvp);
+	}
+
+	dv_type = dv->type;
+	dv_length = dv->length;
+
+	/*
+	 *	Attribute is not in the correct form.
+	 */
+	if (nr_tlv_ok(data + 6, data[1] - 6, dv_type, dv_length) < 0) {
+		return nr_attr2vp_raw(packet, original,
+				       data, length, pvp);
+	}
+
+	my_len = attr2vp_vsa(packet, original,
+			     lvalue, dv_type, dv_length,
+			     data + 6, data[1] - 6, pvp);
+	if (my_len < 0) return my_len;
+
+#ifndef NDEBUG
+	if (my_len != (data[1] - 6)) {
+		nr_vp_free(pvp);
+		nr_debug_error("nr_attr2vp_vsa: Incomplete decode");
+		return -NR_ERR_INTERNAL_FAILURE;
+	}
+#endif
+
+	return data[1];
+}
+#endif	/* WITHOUT_VSAS */
+
+
+/*
+ *	Create a "normal" VALUE_PAIR from the given data.
+ */
+ssize_t nr_attr2vp(const RADIUS_PACKET *packet,
+		    const RADIUS_PACKET *original,
+		    const uint8_t *data, size_t length,
+		    VALUE_PAIR **pvp)
+{
+	if (length < 2) return -NR_ERR_PACKET_TOO_SMALL;
+	if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL;
+	if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW;
+
+#ifndef WITHOUT_VSAS
+	/*
+	 *	VSAs get their own handler.
+	 */
+	if (data[0] == PW_VENDOR_SPECIFIC) {
+		return nr_attr2vp_vsa(packet, original,
+				       data, length, pvp);
+	}
+#endif
+
+#ifdef VENDORPEC_EXTENDED
+	/*
+	 *	Extended attribute format gets their own handler.
+	 */
+	if (nr_dict_attr_byvalue(data[0], VENDORPEC_EXTENDED) != NULL) {
+		return nr_attr2vp_extended(packet, original,
+					    data, length, pvp);
+	}
+#endif
+
+	return nr_attr2vp_rfc(packet, original, data, length, pvp);
+}
+
+ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start,
+		      unsigned int attribute, unsigned int vendor,
+		      const uint8_t **pdata, size_t *plength)
+{
+	uint8_t *data, *attr;
+	const uint8_t *end;
+
+	if (!packet || !pdata || !plength) return -NR_ERR_INVALID_ARG;
+
+	if (!packet->data) return -NR_ERR_INVALID_ARG;
+	if (packet->length < 20) return -NR_ERR_INVALID_ARG;
+
+	/*
+	 *	Too long or short, not good.
+	 */
+	if ((start < 0) ||
+	    ((start > 0) && (start < 20))) return -NR_ERR_INVALID_ARG;
+
+	if ((size_t) start >= (packet->length - 2)) return -NR_ERR_INVALID_ARG;
+
+	end = packet->data + packet->length;
+
+	/*
+	 *	Loop over the packet, converting attrs to VPs.
+	 */
+	if (start == 0) {
+		data = packet->data + 20;
+	} else {
+		data = packet->data + start;
+		data += data[1];
+		if (data >= end) return 0;
+	}
+
+	for (attr = data; attr < end; attr += attr[1]) {
+		const DICT_VENDOR *dv = NULL;
+
+#ifndef NEBUG
+		/*
+		 *	This code is copied from packet_ok().
+		 *	It could be put into a separate function.
+		 */
+		if ((attr + 2) > end) {
+			nr_debug_error("Attribute overflows packet");
+			return -NR_ERR_ATTR_OVERFLOW;
+		}
+
+		if (attr[1] < 2) {
+			nr_debug_error("Attribute length is too small");
+			return -NR_ERR_ATTR_TOO_SMALL;
+		}
+
+		if ((attr + attr[1]) > end) {
+			nr_debug_error("Attribute length is too large");
+			return -NR_ERR_ATTR_TOO_LARGE;
+		}
+#endif
+
+		if ((vendor == 0) && (attr[0] == attribute)) {
+			*pdata = attr + 2;
+			*plength = attr[1] - 2;
+			return attr - packet->data;
+		}
+
+#ifndef WITHOUT_VSAS
+		if (vendor != 0) {
+			uint32_t vendorpec;
+
+			if (attr[0] != PW_VENDOR_SPECIFIC) continue;
+
+			if (attr[1] < 6) continue;
+
+			memcpy(&vendorpec, attr + 2, 4);
+			vendorpec = ntohl(vendorpec);
+			if (vendor != vendorpec) continue;
+
+			if (!dv) {
+				dv = nr_dict_vendor_byvalue(vendor);
+				if (dv &&
+				    ((dv->type != 1) || (dv->length != 1))) {
+					return -NR_ERR_VENDOR_UNKNOWN;
+				}
+			}
+
+			/*
+			 *	No data.
+			 */
+			if (attr[1] < 9) continue;
+
+			/*
+			 *	Malformed, or more than one VSA in
+			 *	the Vendor-Specific
+			 */
+			if (attr[7] + 6 != attr[1]) continue;
+
+			/*
+			 *	Not the right VSA.
+			 */
+			if (attr[6] != attribute) continue;
+
+			*pdata = attr + 8;
+			*plength = attr[1] - 8;
+			return attr - packet->data;
+		}
+#endif
+	}
+
+	return 0;		/* nothing more: stop */
+}
+
diff --git a/lib/radius/client.h b/lib/radius/client.h
new file mode 100644
index 0000000..591884f
--- /dev/null
+++ b/lib/radius/client.h
@@ -0,0 +1,1408 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file client.h
+ *  \brief Main header file.
+ */
+
+/*
+ *  System-specific header files.
+ */
+#include <errno.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <sys/time.h>
+
+/*
+ *  Definitions of attributes.
+ */
+#include <networkradius-devel/radius.h>
+
+/** \defgroup build Build Helpers
+ *
+ * These definitions give the GNU C compiler more information about
+ * the functions being compiled.  They are used to either remove
+ * warnings, or to enable better warnings.
+ **/
+
+/** \defgroup custom Portability Functions
+ *
+ * These functions and definitions should be modified for your local
+ * system.  See the individual definitions for details.
+ */
+
+/** \defgroup error Error handling
+ *
+ * These definitions and routines manage errors.
+ */
+
+/** \defgroup value_pair Attribute manipulation
+ *
+ * These routines manage structures which map to attributes.
+ */
+
+/**\defgroup dict Dictionary Lookup Functions
+ *
+ * \sa doc/dictionaries.txt
+ *
+ * The RADIUS dictionaries perform name to number mappings.  The names
+ * are used only for administrator convenience, for parsing
+ * configuration files, and printing humanly-readable output.  The
+ * numbers are used when encoding data in a packet.
+ *
+ * When attributes are decoded from a packet, the numbers are used to
+ * look up the associated name, which is then placed into a data
+ * structure.
+ *
+ * When the data structures are encoded into a packet, the numbers are
+ * used to create RFC and VSA format attributes.
+ *
+ * \attention The definitions, structures, and functions given below
+ * are useful only for implementing "low level" RADIUS
+ * functionality. There is usually no need to refer to them in a
+ * client application.  The library should be used at a higher level,
+ * which exposes a much simpler API.
+ */
+
+/** \defgroup packet Packet manipulation
+ *
+ * These routines perform encoding and decoding of RADIUS packets.
+ */
+
+/** \defgroup print Print / parse functions
+ *
+ * These routines convert the internal data structures to a printable
+ * form, or parse them.
+ */
+
+/** \defgroup id ID allocation and freeing
+ *
+ *  These routines manage RADIUS ID allocation.
+ */
+
+/** \defgroup attr Low-level attribute encode/decoding
+ *
+ * These routines perform "low level" encoding, decoding, sending, and
+ * reception of RADIUS attributes.  They are called by the \ref packet
+ * functions.
+ *
+ * \attention The structures and functions given below are useful only
+ * for implementing "low level" RADIUS functionality. There is usually
+ * no need to refer to them in a client application.  The library
+ * should be used at a higher level, which exposes a much simpler API.
+ */
+
+/** \defgroup internal Internal support functions.
+ *
+ * These functions are required to perform internal or "low-level"
+ * data manipulation.  While they are exposed for completeness, they
+ * should not be called by any application.
+ */
+
+#ifdef PW_EAP_MESSAGE
+#ifndef PW_MESSAGE_AUTHENTICATOR
+#error EAP-Message requires Message-Authenticator
+#endif
+#endif
+
+#ifdef WITHOUT_OPENSSL
+#ifndef NR_MD5_CTX
+#error NR_MD5_CTX must be defined
+#endif
+#ifndef nr_MD5Init
+#error n_rMD5Init must be defined
+#endif
+#ifndef nr_MD5Update
+#error nr_MD5Updyae must be defined
+#endif
+#ifndef nr_MD5Final
+#error nr_MD5Final must be defined
+#endif
+#ifndef nr_MD5Transform
+#error nr_MD5Transform must be defined
+#endif
+
+#else  /* WITHOUT_OPENSSL */
+
+#include <openssl/md5.h>
+/** Define for compile-time selection of the MD5 functions.  Defaults to using the OpenSSL functions.  \ingroup custom */
+#define NR_MD5_CTX	MD5_CTX
+/** Define for compile-time selection of the MD5 functions.  Defaults to using the OpenSSL functions. \ingroup custom */
+#define nr_MD5Init	MD5_Init
+/** Define for compile-time selection of the MD5 functions.  Defaults to using the OpenSSL functions. \ingroup custom */
+#define nr_MD5Update	MD5_Update
+/** Define for compile-time selection of the MD5 functions.  Defaults to using the OpenSSL functions. \ingroup custom */
+#define nr_MD5Final	MD5_Final
+/** Define for compile-time selection of the MD5 functions.  Defaults to using the OpenSSL functions. \ingroup custom */
+#define nr_MD5Transform MD5_Transform
+#endif
+
+#ifndef NR_MAX_PACKET_LEN
+/** The maximum size of a packet that the library will send or receive.  \ingroup custom
+ *
+ *  The RFC requirement is to handle at least 4K packets.  However, if
+ *  you expect to only do username/password authentication, this value
+ *  can be set to a smaller value, such as 256.
+ *
+ *  Be warned that any packets larger than this value will be ignored
+ *  and silently discarded.
+ */
+#define NR_MAX_PACKET_LEN (4096)
+#endif
+
+#ifndef NR_MAX_ATTRIBUTES
+/** The maximum number of attributes that the library will allow in a packet.  \ingroup custom
+ *
+ *  Packets which contain more than ::NR_MAX_ATTRIBUTES will generate
+ *  an error.  This value is configurable because there may be a need
+ *  to accept a large mumber of attributes.
+ *
+ *  This value is ignored when packets are sent.  The library will
+ *  send as many attributes as it is told to send.
+ */
+#define NR_MAX_ATTRIBUTES (200)
+#endif
+
+#undef NR_MAX_PACKET_CODE
+/** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict
+ *
+ *  \attention This should not be changed, as it is used by other
+ *  structures such as ::nr_packet_codes.
+ */
+#define NR_MAX_PACKET_CODE PW_COA_NAK
+
+/**  The maximum vendor number which is permitted. \ingroup dict
+ *
+ *  The RFCs require that the Vendor Id or Private Enterprise Number
+ *  be encoded as 32 bits, with the upper 8 bits being zero.
+ */
+#define NR_MAX_VENDOR		(1 << 24)
+
+/**  The maximum length of a RADIUS attribute.
+ *
+ *  The RFCs require that a RADIUS attribute transport no more than
+ *  253 octets of data.  We add an extra byte for a trailing NUL, so
+ *  that the VALUE_PAIR::vp_strvalue field can be handled as a C
+ *  string.
+ */
+#define MAX_STRING_LEN		(254)
+
+/** Data Type Definitions. \ingroup dict
+ */
+typedef enum nr_attr_type_t {
+  NR_TYPE_INVALID = 0,		/**< Invalid data type */
+  NR_TYPE_STRING,      		/**< printable-text */
+  NR_TYPE_INTEGER,     		/**< a 32-bit unsigned integer */
+  NR_TYPE_IPADDR,      		/**< an IPv4 address */
+  NR_TYPE_DATE,			/**< a 32-bit date, of seconds since January 1, 1970 */
+  NR_TYPE_OCTETS,   		 /**< a sequence of binary octets */
+  NR_TYPE_IFID,	     		/**< an Interface Id */
+  NR_TYPE_IPV6ADDR,		/**< an IPv6 address */
+  NR_TYPE_IPV6PREFIX,		/**< an IPv6 prefix */
+  NR_TYPE_BYTE,			/**< an 8-bit integer */
+  NR_TYPE_SHORT,		/**< a 16-bit integer */
+} nr_attr_type_t;
+
+#define	PW_ACCESS_REQUEST		1
+#define	PW_ACCESS_ACCEPT		2
+#define	PW_ACCESS_REJECT		3
+#define	PW_ACCOUNTING_REQUEST		4
+#define	PW_ACCOUNTING_RESPONSE		5
+#define	PW_ACCOUNTING_STATUS		6
+#define PW_PASSWORD_REQUEST		7
+#define PW_PASSWORD_ACK			8
+#define PW_PASSWORD_REJECT		9
+#define	PW_ACCOUNTING_MESSAGE		10
+#define PW_ACCESS_CHALLENGE		11
+#define PW_STATUS_SERVER		12
+#define PW_STATUS_CLIENT		13
+#define PW_DISCONNECT_REQUEST		40
+#define PW_DISCONNECT_ACK		41
+#define PW_DISCONNECT_NAK		42
+#define PW_COA_REQUEST			43
+#define PW_COA_ACK			44
+#define PW_COA_NAK			45
+
+/** Error codes \ingroup error
+ *
+ *  The numerical value of these definitions may change from version
+ *  to version of the library.
+ */
+typedef enum nr_error_t {
+	/** Invalid argument */
+	NR_ERR_INVALID_ARG = 1,
+	/** Insufficient data to decode the packet */
+	NR_ERR_PACKET_TOO_SMALL,
+	/** The packet header says it is larger than the received data */
+	NR_ERR_PACKET_TOO_LARGE,
+	/** the attribute overflows the packet */
+	NR_ERR_ATTR_OVERFLOW,
+	/** the attribute header "length" field is too small */
+	NR_ERR_ATTR_TOO_SMALL,
+	/** the attribute is more than 256 octets long */
+	NR_ERR_ATTR_TOO_LARGE,
+	/** the attribute is unknown */
+	NR_ERR_ATTR_UNKNOWN,
+	/** the attribute name is improperly formatted */
+	NR_ERR_ATTR_BAD_NAME,
+	/** the attribute value could not be parsed */
+	NR_ERR_ATTR_VALUE_MALFORMED,
+	/** the attribute "type" is invalid */
+	NR_ERR_ATTR_INVALID,
+	/** the packet has too many attributes */
+	NR_ERR_TOO_MANY_ATTRS,
+	/** the attribute has an unsupported data type */
+	NR_ERR_ATTR_TYPE_UNKNOWN,
+	/** the Message-Authenticator has the wrong length */
+	NR_ERR_MSG_AUTH_LEN,
+	/** the Message-Authenticator is wrong */
+	NR_ERR_MSG_AUTH_WRONG,
+	/** we need a request packet to calculate something in the response */
+	NR_ERR_REQUEST_REQUIRED,
+	/** the request code is unsupported */
+	NR_ERR_REQUEST_CODE_INVALID,
+	/** the Authentication Vector is wrong */
+	NR_ERR_AUTH_VECTOR_WRONG,
+	/** the response code is unsupported */
+	NR_ERR_RESPONSE_CODE_INVALID,
+	/** the response ID field is invalid */
+	NR_ERR_RESPONSE_ID_INVALID,
+	/** the response is not from the correct source IP/port */
+	NR_ERR_RESPONSE_SRC_INVALID,
+	/** Look at "errno" for the error */
+	NR_ERR_SYSTEM,
+	/** We cannot encode the packet because of invalid arguments */
+	NR_ERR_NO_PACKET_DATA,
+	/** the vendor is unknown */
+	NR_ERR_VENDOR_UNKNOWN,
+	/** an internal sanity check failed */
+	NR_ERR_INTERNAL_FAILURE,
+	/** the caller requested an unsupported featuer */
+	NR_ERR_UNSUPPORTED,
+	/** we were unable to allocate memory */
+	NR_ERR_NO_MEM,
+	/** Resource is in use */
+	NR_ERR_IN_USE,
+} nr_error_t;
+
+#define TAG_VALID(x)          ((x) < 0x20)
+
+/** The attribute is not encrypted. */
+#define FLAG_ENCRYPT_NONE            (0)
+
+/** The attribute is encrypted using the RFC 2865 User-Password method */
+#define FLAG_ENCRYPT_USER_PASSWORD   (1)
+
+/** The attribute is encrypted using the RFC 2868 Tunnel-Password method */
+#define FLAG_ENCRYPT_TUNNEL_PASSWORD (2)
+
+/** A set of flags which determine how the attribute should be handled.
+ *
+ * Most attributes are "normal", and do not require special handling.
+ * However, some require "encryption", tagging, or have other special
+ * formats.  This structure contains the various options for the
+ * attribute formats.
+ */
+typedef struct attr_flags {
+	unsigned int		has_tag : 1; /**< Attribute has an RFC 2868 tag */
+	unsigned int		unknown : 1; /**< Attribute is unknown */
+#ifdef NR_TYPE_TLV
+	unsigned int		has_tlv : 1; /* has sub attributes */
+	unsigned int		is_tlv : 1; /* is a sub attribute */
+#endif
+#ifdef VENDOR_EXTENDED
+	unsigned int		extended : 1; /* extended attribute */
+	unsigned int		extended_flags : 1; /* with flag */
+	unsigned int		evs : 1;	    /* extended VSA */
+#endif
+
+	uint8_t		        encrypt;      /**< Attribute encryption method */
+	uint8_t			length;	      /**< The expected length of the attribute */
+} ATTR_FLAGS;
+
+
+/** Defines an dictionary mapping for an attribute.  \ingroup dict
+ *
+ *  The RADIUS dictionaries map humanly readable names to protocol
+ *  numbers.  The protocol numbers are used to encode/decode the
+ *  attributes in a packet.
+ */
+typedef struct nr_dict_attr {
+	unsigned int		attr;		/**< Attribute number  */
+	nr_attr_type_t	      	type;		/**< Data type */
+	unsigned int		vendor;		/**< Vendor-Id number  */
+        ATTR_FLAGS              flags;
+	const char		*name;		/**< Printable name  */
+} DICT_ATTR;
+
+/** Defines a dictionary mapping for a named enumeration.  \ingroup dict
+ *
+ *  This structure is currently not used.
+ */
+typedef struct nr_dict_value {
+	const DICT_ATTR		*da;		/**< pointer to a ::DICT_ATTR  */
+	int			value;		/**< enumerated value  */
+	char			name[1];	/**< printable name  */
+} DICT_VALUE;
+
+/** Defines an dictionary mapping for a vendor.  \ingroup dict
+ *
+ *  The RADIUS dictionaries map humanly readable vendor names to a
+ *  Vendor-Id (or Private Enterprise Code) assigned by IANA.  The
+ *  Vendor-Id is used to encode/decode Vendor-Specific attributes in a
+ *  packet.
+ */
+typedef struct nr_dict_vendor {
+	unsigned int		vendor; /**< Vendor Private Enterprise Code  */
+	size_t			type;	   /**< size of Vendor-Type field */
+	size_t			length;    /**< size of Vendor-Length field */
+	const char		*name;		/**< Printable name  */
+} DICT_VENDOR;
+
+/** Union holding all possible types of data for a ::VALUE_PAIR. \ingroup value_pair
+ *
+ */
+typedef union value_pair_data {
+	char			strvalue[MAX_STRING_LEN]; /* +1 for NUL */
+	uint8_t			octets[253];
+	struct in_addr		ipaddr;
+	struct in6_addr		ipv6addr;
+	uint32_t		date;
+	uint32_t		integer;
+#ifdef NR_TYPE_SIGNED
+	int32_t			sinteger;
+#endif
+#ifdef NR_TYPE_ABINARY
+	uint8_t			filter[32];
+#endif
+	uint8_t			ifid[8]; /* struct? */
+	uint8_t			ipv6prefix[18]; /* struct? */
+#ifdef NR_TYPE_TLV
+	uint8_t			*tlv;
+#endif
+} VALUE_PAIR_DATA;
+
+
+/** C structure version of a RADIUS attribute. \ingroup value_pair
+ *
+ * The library APIs use this structure to avoid depending on the
+ * details of the protocol.
+ */
+typedef struct value_pair {
+	const DICT_ATTR		*da; /**< dictionary definition */
+	size_t			length;	/**< number of octets in the data */
+	int			tag; /**< tag value if da->flags.has_tag */
+	struct value_pair	*next; /**< enables a linked list of values  */
+	VALUE_PAIR_DATA		data;  /**< the data of the attribute */
+} VALUE_PAIR;
+#define vp_strvalue   data.strvalue
+#define vp_octets     data.octets
+#define vp_ipv6addr   data.ipv6addr
+#define vp_ifid       data.ifid
+#define vp_ipv6prefix data.ipv6prefix
+#define vp_ipaddr     data.ipaddr.s_addr
+#define vp_date       data.integer
+#define vp_integer    data.integer
+#ifdef NR_TYPE_ABINARY
+#define vp_filter     data.filter
+#endif
+#ifdef NR_TYPE_ETHER
+#define vp_ether      data.ether
+#endif
+#ifdef NR_TYPE_SIGNED
+#define vp_signed     data.sinteger
+#endif
+#ifdef NR_TYPE_TLV
+#define vp_tlv	      data.tlv
+#endif
+
+#ifdef NR_TYPE_TLV
+#define NR_ATTR_MAX_TLV (4)
+extern const int nr_attr_shift[NR_ATTR_MAX_TLV];
+extern const int nr_attr_mask[NR_ATTR_MAX_TLV];
+extern const unsigned int nr_attr_max_tlv;
+#endif
+
+/** A structure which describes a RADIUS packet. \ingroup packet
+ *
+ *  In general, it should not be necessary to refererence the elements
+ *  of this structure.
+ */
+typedef struct radius_packet {
+	int			sockfd; /** The socket descriptor */
+	struct sockaddr_storage	src;    /**< The packet source address  */
+        struct sockaddr_storage	dst;    /**< the packet destination address */
+	const char		*secret; /**< The shared secret */
+	size_t			sizeof_secret; /**< Length of the shared secret */
+	unsigned int		code;	/**< The RADIUS Packet Code */
+	int			id;	/**< The RADIUS Packet Id */
+	size_t			length; /**< The RADIUS Packet Length.  This will be no larger than RADIUS_PACKET::sizeof_data */
+	uint8_t			vector[16]; /**< A copy of the authentication vector */
+	int			flags; /**< Internal flags.  Do not modify this field. */
+	int			attempts; /**< The number of transmission attempt  */
+	uint8_t			*data;	  /**< The raw packet data  */
+	size_t			sizeof_data; /**< size of the data buffer  */
+	VALUE_PAIR		*vps;	/**< linked list of ::VALUE_PAIR */
+} RADIUS_PACKET;
+
+#define NR_PACKET_ENCODED  (1 << 0)
+#define NR_PACKET_HEADER   (1 << 1)
+#define NR_PACKET_SIGNED   (1 << 2)
+#define NR_PACKET_OK	   (1 << 3)
+#define NR_PACKET_VERIFIED (1 << 4)
+#define NR_PACKET_DECODED  (1 << 5)
+
+
+/** Track packets sent to a server. \ingroup id
+ *
+ * This data structure tracks Identifiers which are used to
+ * communicate with a particular destination server.  The application
+ * should call nr_server_init() to initialize it.  If necessary, the
+ * application should then call nr_server_set_ipv4() to open an IPv4
+ * socket to the server.
+ *
+ * If the RADIUS packets are being transported over an encapsulation
+ * layer (e.g. RADIUS over TLS), then nr_server_set_ipv4() does not
+ * need to be called.  The ::nr_server_t structure should instead be
+ * associated wih the TLS session / socket.
+ */
+typedef struct nr_server_t {
+	int sockfd;		/**< socket for sending packets  */
+	int code;		/**< default value for the Code */
+
+	struct sockaddr_storage src; /**< Source address of the packet */
+	struct sockaddr_storage dst; /**< Destination address of the packet  */
+
+	/** The shared secret.
+	 *
+	 *  See also nr_packet_send() and nr_packet_recv().
+	 */
+	const char	*secret;
+
+	/** The length of the shared secret.
+	 *
+	 *  See also nr_packet_send() and nr_packet_recv().
+	 */
+	size_t		sizeof_secret;
+
+	int		used;	/**< Number of used IDs */
+
+	void		*free_list; /**< For managing packets */
+
+	RADIUS_PACKET	*ids[256]; /**< Pointers to "in flight" packets  */
+} nr_server_t;
+
+
+/** Return a printable error message. \ingroup error
+ *
+ *  This function returns a string describing the last error that
+ *  occurred.  These messages are intended for developers, and are not
+ *  suitable for display to an end user.  The application using this
+ *  library should instead produce a "summary" message when an error
+ *  occurs.  e.g. "Failed to receive a response", is better than
+ *  messages produced by this function, which contain text like
+ *  "invalid response authentication vector".  The first is
+ *  understandable, the second is not.
+ *
+ * @param[in] error   The error code (can be less than zero)
+ * @return            A printable string describing the error.
+ */
+extern const char *nr_strerror(int error);
+
+/** Allocate a ::VALUE_PAIR which refers to a ::DICT_ATTR.  \ingroup value_pair
+ *
+ *  This returned ::VALUE_PAIR has no data associated with it.  The
+ *  nr_vp_set_data() function must be called before placing the
+ *  ::VALUE_PAIR in a ::RADIUS_PACKET.
+ *
+ * @param[in] da       The ::DICT_ATTR associated with the ::VALUE_PAIR
+ * @return             The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da);
+
+/** Free a ::VALUE_PAIR.  \ingroup value_pair
+ *
+ *  This function frees the ::VALUE_PAIR, and sets the head pointer to NULL.
+ *  If head refers to a ::VALUE_PAIR list, then all of the structures in the
+ *  list are freed.
+ *
+ * @param[in,out] head   The pointer to a ::VALUE_PAIR, or a ::VALUE_PAIR list.
+ */
+extern void nr_vp_free(VALUE_PAIR **head);
+
+/** Initializes a ::VALUE_PAIR from a ::DICT_ATTR \ingroup value_pair
+ *
+ *  This function assumes that the ::VALUE_PAIR points to existing
+ *  and writable memory.
+ *
+ * @param[in,out] vp   The ::VALUE_PAIR to be initialized
+ * @param[in] da       The ::DICT_ATTR used to initialize the ::VALUE_PAIR
+ * @return             The initialized  ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da);
+
+/** Allocate a ::VALUE_PAIR which refers to an unknown attribute.  \ingroup value_pair
+ *
+ *  It is used when an attribute is received, and that attribute does
+ *  not exist in the dictionaries.
+ *
+ *  The returned ::VALUE_PAIR has no data (i.e. VALUE_PAIR::length is
+ *  zero).  The nr_vp_set_data() function must be called before
+ *  placing the ::VALUE_PAIR in a ::RADIUS_PACKET.
+ *
+ * @param[in] attr     The attribute number, 0..2^16
+ * @param[in] vendor   The vendor number, 0..2^16
+ * @return             The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor);
+
+/** Set the data associated with a previously allocated ::VALUE_PAIR.  \ingroup value_pair
+ *
+ *  If this function succeeds, VALUE_PAIR::length is no longer zero,
+ *  and the structure contains the data.
+ *
+ * @param[in,out] vp   The ::VALUE_PAIR to update
+ * @param[in] data     Data to set inside of the ::VALUE_PAIR
+ * @param[in] data_len Length of the data field
+ * @return             <0 on error, 0 for "data was truncated"
+ *                      >0 for "data successfully added"
+ */
+extern int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t data_len);
+
+/** Create a ::VALUE_PAIR and set its data.  \ingroup value_pair
+ *
+ * @param[in] attr     The attribute number of the ::VALUE_PAIR to create
+ * @param[in] vendor   The vendor number of the ::VALUE_PAIR to create
+ * @param[in] data     Data to set inside of the ::VALUE_PAIR
+ * @param[in] data_len Length of the data field
+ * @return             The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data,
+			      size_t data_len);
+
+/** Append a ::VALUE_PAIR to the end of a ::VALUE_PAIR list.  \ingroup value_pair
+ *
+ * @param[in,out] head The head of the ::VALUE_PAIR list.  May not be NULL.
+ * @param[in] vp       The ::VALUE_PAIR to append to the list.
+ */
+extern void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *vp);
+
+/** Search a ::VALUE_PAIR list for one of a given number.  \ingroup value_pair
+ *
+ * @param[in] head     The head of the ::VALUE_PAIR list to search.
+ * @param[in] attr     The attribute number of the ::VALUE_PAIR to find
+ * @param[in] vendor   The vendor number of the ::VALUE_PAIR to find
+ * @return             The found ::VALUE_PAIR, or NULL if it was not found.
+ */
+extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head,
+			    unsigned int attr, unsigned int vendor);
+
+/** Look up an attribute in the dictionaries.  \ingroup dict
+ *
+ *  The dictionary mapping contains information about the attribute,
+ *  such as printable name, data type (ipaddr, integer, etc), and
+ *  various other things used to encode/decode the attribute in a
+ *  packet.
+ *
+ *  \attention There is usually no need to call this function.  Use
+ *  the NR_DA_* definitions instead.
+ *
+ * @param[in] attr    Value of the attribute
+ * @param[in] vendor  Value of the vendor
+ * @return    NULL for "not found", or a pointer to the attribute mapping.
+ */
+extern const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr,
+					 unsigned int vendor);
+
+/** Look up an attribute in the dictionaries.  \ingroup dict
+ *
+ *  The dictionary mapping contains information about the attribute,
+ *  such as printable name, data type (ipaddr, integer, etc), and
+ *  various other things used to encode/decode the attribute in a
+ *  packet.
+ *
+ *  \attention There is usually no need to call this function.
+ *
+ * @param[in] name    Name of the attribute
+ * @return    NULL for "not found", or a pointer to the attribute mapping.
+ */
+extern const DICT_ATTR *nr_dict_attr_byname(const char *name);
+
+/** Converts raw data to a ::DICT_ATTR structure.  \ingroup dict
+ *
+ *  It is called when the library is asked to decode an attribute
+ *  which is not in the pre-defined dictionaries.
+ *
+ *  \attention There is usually no need to call this function.
+ *
+ * @param[in,out] da      The ::DICT_ATTR structure to initialize
+ * @param[in]     attr    The attribute number
+ * @param[in]     vendor  The vendor number
+ * @param[in]     buffer  The buffer where the name of the attribute is stored
+ * @param[in]     bufsize Size of the buffer
+ * @return    <0 for error, 0 for success
+ */
+extern int nr_dict_attr_2struct(DICT_ATTR *da,
+				unsigned int attr, unsigned int vendor,
+				char *buffer, size_t bufsize);
+
+/**  Unused. \ngroup dict
+ *
+ */
+extern const DICT_VALUE *nr_dict_value_byattr(unsigned int attr,
+					unsigned int vendor,
+					int value);
+
+/**  Unused. \ngroup dict
+ *
+ */
+const DICT_VALUE *nr_dict_value_byname(unsigned int attr,
+				 unsigned int vendor,
+				 const char *name);
+
+/** Look up a vendor in the dictionaries.  \ingroup dict
+ *
+ *  The dictionary mapping contains information about the vendor, such
+ *  as printable name, VSA encoding method, etc.
+ *
+ *  \attention There is usually no need to call this function.
+ *  Applications do not need access to low-level RADIUS protocol
+ *  information.
+ *
+ * @param[in] name    Name of the vendor.
+ * @return    NULL for "not found", or a pointer to the vendor mapping.
+ */
+extern int nr_dict_vendor_byname(const char *name);
+
+/** Look up an vendor in the dictionaries.  \ingroup dict
+ *
+ *  The dictionary mapping contains information about the vendor, such
+ *  as printable name, VSA encoding method, etc.
+ *
+ *  \attention There is usually no need to call this function.
+ *
+ * @param[in] vendor Vendor-Id (or Private Enterprise code) for the vendor.
+ * @return    NULL for "not found", or a pointer to the vendor mapping.
+ */
+extern const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor);
+
+/**  Static array of known vendors.  \ingroup dict
+ *
+ *  \attention This structure should only be accessed by internal RADIUS library
+ *  functions.
+ */
+extern const DICT_VENDOR nr_dict_vendors[];
+
+/** The number of attribute definitions in the dictionary.  \ingroup dict
+ *
+ *  This number is guaranteed to be at least 256, for speed.
+ *
+ *  \attention This variable should only be accessed by internal RADIUS library
+ *  functions.
+ */
+extern const int nr_dict_num_attrs;
+
+/** The list of attribute definitions.  \ingroup dict
+ *
+ *  The "standard" RFC attributes are located in the first 256
+ *  entries.  Standard attributes without a dictionary definition are
+ *  given an empty entry.
+ *
+ *  The attributes are orderd by (vendor, attribute), in increasing
+ *  order.  This allows the dictionary lookups to find attributes by a
+ *  binary search.
+ *
+ *  \attention This variable should only be accessed by internal RADIUS library
+ *  functions.
+ */
+extern const DICT_ATTR nr_dict_attrs[];
+
+/** The number of attributes with names.  \ingroup dict
+ *
+ *  \attention This variable should only be accessed by internal RADIUS library
+ *  functions.
+ */
+extern const int nr_dict_num_names;
+
+/** The list of attribute definitions, organized by name.  \ingroup dict
+ *
+ *  The attributes are orderd by name (case insensitive), in
+ *  increasing order.  This allows the dictionary lookups to find
+ *  attributes by a binary search.
+ *
+ *  \attention This variable should only be accessed by internal RADIUS library
+ *  functions.
+ */
+extern const DICT_ATTR const *nr_dict_attr_names[];
+
+/** Static array containing names the RADIUS_PACKET::code field.  \ingroup dict
+ *
+ *  The names are hard-coded and not in any dictionary because they do
+ *  not change.
+ *
+ *  The names are exported because they may be useful in your
+ *  application.  Packet codes which are not handled by the library
+ *  have NULL for their names.
+ */
+extern const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1];
+
+/** Verifies that a packet is "well formed".  \ingroup packet
+ *
+ *  This function performs basic validation to see if the packet is
+ *  well formed.  It is automatically called by nr_packet_decode().
+ *
+ * @param[in] packet      A pointer to the ::RADIUS_PACKET data.
+ * @return                <0 means malformed, >= 0 means well-formed.
+ */
+extern int nr_packet_ok(RADIUS_PACKET *packet);
+
+/** Verifies that a packet is "well formed".  \ingroup packet
+ *
+ *  This function performs basic validation to see if the packet is
+ *  well formed.  You should normally use nr_packet_ok() instead of
+ *  this function.
+ *
+ * @param[in] data        A pointer to the raw packet data.
+ * @param[in] sizeof_data The length of the raw packet data
+ * @return                <0 means malformed, >= 0 means well-formed.
+ */
+extern int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data);
+
+/** Encodes a packet.  \ingroup packet
+ *
+ *  This function encodes a packet using the fields of the
+ *  ::RADIUS_PACKET structure.  The RADIUS_PACKET::code and
+ *  RADIUS_PACKET::id fields are used to fill in the relevant fields
+ *  of the raw (encoded) packet.  The RADIUS_PACKET::vps list is
+ *  walked to encode the attributes.  The packet is signed, if
+ *  required.
+ *
+ *  The raw packet is placed into the RADIUS_PACKET::data field, up to
+ *  RADIUS_PACKET::sizeof_data bytes.  the RADIUS_PACKET::length field
+ *  is updated with the length of the raw packet.  This field is
+ *  always less than, or equal to, the RADIUS_PACKET::size_data field.
+ *  If there is insufficient room to store all of the attributes, then
+ *  some attributes are silently discarded.
+ *
+ *  The RADIUS_PACKET::vector field is either calculated as part of
+ *  the signing process, or is initialized by this function to be a
+ *  random sequence of bytes.  That field should therefore be left
+ *  alone by the caller.
+ *
+ *  When the encoding has been successful, it sets the
+ *  RADIUS_PACKET::encoded field to non-zero.
+ *
+ *  In addition, all required attribute "encryption" is performed.
+ *
+ *  User-Password.  The vp_strvalue field is assumed to contain the
+ *  "clear-text" version of the password.  The encrypted version is
+ *  calculated, and placed in the packet.
+ *
+ *  CHAP-Password.  The vp_strvalue field is assumed to contain the
+ *  "clear-text" version of the password.  The encrypted version is
+ *  calculated, and placed in the packet.  If the RADIUS_PACKET::vps
+ *  list contains a CHAP-Challenge attribute, it is used.  Otherwise
+ *  the RADIUS_PACKET::vector field is used a the challenge.
+ *
+ *  Message-Authenticator.  The contents of the Message-Authenticator
+ *  in the RADIUS_PACKET::vps list are ignored.  Instead, a
+ *  "place-holder" is put into the packt.  Tthe correct value is
+ *  calculated and placed into the packet by nr_packet_sign().
+ *
+ *  The RADIUS_PACKET::vps list is left untouched by this function,
+ *  even when attribute encryption or signing is performed.  Any
+ *  VALUE_PAIR structures can therefore be taken from static "const"
+ *  variables.
+ *
+ * @param[in] packet   The RADIUS packet to encode.
+ * @param[in] original The original request, when encoding a response.
+ * @return             <0 on error, >= 0 on success.
+ */
+extern int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Decodes a packet.  \ingroup packet
+ *
+ *  This function decodes a packet from the RADIUS_PACKET::data field
+ *  into a sequence of ::VALUE_PAIR structures in the
+ *  RADIUS_PACKET::vps list.
+ *
+ * @param[in] packet   The RADIUS packet to decode.
+ * @param[in] original The original request, when decoding a response.
+ * @return             <0 on error, >= 0 on success.
+ */
+extern int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Signs a packet so that it can be sent.  \ingroup packet
+ *
+ * This function calculates the Message-Authenticator (if required),
+ * and signs the packet.
+ *
+ * @param[in] packet   The RADIUS packet to sign.
+ * @param[in] original The original request, when signing a response.
+ * @return             <0 on error, >= 0 on success.
+ */
+extern int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Verifies that a packet is well-formed and contains the correct signature.  \ingroup packet
+ *
+ *  If "original" is specified, it also verifies that the packet is a
+ *  response to the original request, and that it has the correct
+ *  signature.
+ *
+ * @param[in] packet   The RADIUS packet to verify.
+ * @param[in] original The original request, when verifying a response.
+ * @return             <0 on error, >= 0 on success.
+ */
+extern int nr_packet_verify(RADIUS_PACKET *packet,
+			    const RADIUS_PACKET *original);
+
+/** Pretty-prints a hex dump of a RADIUS packet.  \ingroup packet print
+ *
+ *  This function is available only in debugging builds of the
+ *  library.  It is useful during development, but should not be used
+ *  in a production system.
+ *
+ *  The packet headers are printed individually, and each attribute is
+ *  printed as "type length data..."
+ *
+ * @param[in] packet   The RADIUS packet to print
+ */
+extern void nr_packet_print_hex(RADIUS_PACKET *packet);
+
+
+/** Return the given number of random bytes.  \ingroup custom
+ *
+ * This function should be replaced by one that is specific to your
+ * system.
+ *
+ *  This is a wrapper function which enables the library to be more
+ *  portable.
+ *
+ * @param[in] data      Location where the random bytes will be stored
+ * @param[in] data_len  Number of bytes to store
+ * @return              <0 on error, or the total number of bytes stored.
+ */
+extern ssize_t nr_rand_bytes(uint8_t *data, size_t data_len);
+
+/** Return a random 32-bit integer.  \ingroup custom
+ *
+ * This function should be replaced by one that is specific to your
+ * system.  The version supplied here just calls nr_rand_bytes() each
+ * time, which is slow.
+ *
+ *  This is a wrapper function which enables the library to be more
+ *  portable.
+ *
+ * @return An unsigned 32-bit random integer.
+ */
+extern uint32_t nr_rand(void);
+
+/** Add a time to the given ::struct timeval.  \ingroup custom
+ *
+ *  This is a wrapper function which enables the library to be more
+ *  portable.
+ *
+ *  @param[in,out] t       The timeval to which the time is added.
+ *  @param[in]     seconds Time in seconds to add
+ *  @param[in]     usec    Time in microseconds to add
+ */
+extern void nr_timeval_add(struct timeval *t, unsigned int seconds,
+			   unsigned int usec);
+
+/** Compare two times.  \ingroup custom
+ *
+ *  This is a wrapper function which enables the library to be more
+ *  portable.
+ *
+ * @param[in] a One timeval
+ * @param[in] b Another one
+ * @return a <=> b
+ */
+extern int nr_timeval_cmp(const struct timeval *a, const struct timeval *b);
+
+/** Initializes an ::nr_server_t.  \ingroup id
+ *
+ * @param[in,ut] s      The ::nr_server_t to initialize
+ * @param[in]    code   The packet code used for packets sent to this server
+ * @param[in]    secret The shared secret used for packet sent to this server
+ * @return <0 for error, >= 0 for success
+ */
+extern int nr_server_init(nr_server_t *s, int code, const char *secret);
+
+/** Closes an ::nr_server_t data structure.  \ingroup id
+ *
+ *  Ensures that all IDs are free, and closes the socket.
+ *
+ * @param[in] s      The server structure to close.
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_close(const nr_server_t *s);
+
+/** Allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id
+ *
+ * This function allocates a RADIUS_PACKET::id from the ::nr_server_t
+ * structure.  It also fills in the RADIUS_PACKET::sockfd,
+ * RADIUS_PACKET::code, and RADIUS_PACKET::dst fields.
+ *
+ * @param[in] s      The server structure which tracks the ID
+ * @param[in] packet The packet which needs an ID
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_alloc(nr_server_t *id, RADIUS_PACKET *packet);
+
+/** Re-allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id
+ *
+ *  It is used when retransmitting an Accounting-Request packet to a
+ *  server, after updating the Acct-Delay-Time field.  The "realloc"
+ *  name means that the new ID is allocated, and is guaranteed to be
+ *  different from the old one.
+ *
+ * @param[in] s      The server structure which tracks the ID
+ * @param[in] packet The packet which needs a new ID
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_realloc(nr_server_t *id, RADIUS_PACKET *packet);
+
+/** Free a RADIUS_PACKET::id value after sending a packet to a server. \ingroup id
+ *
+ * @param[in] s      The server structure which tracks the ID
+ * @param[in] packet The packet which has an ID, and wants to free it
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_free(nr_server_t *id, RADIUS_PACKET *packet);
+
+
+/** Allocates a packet using malloc(), and initializes it. \ingroup id
+ *
+ * @param[in] s             The server structure
+ * @param[in,out] packet_p  Pointer to the ::RADIUS_PACKET to be allocated
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p);
+
+/**  Record a humanly readable error message. \ingroup error
+ *
+ *  \attention This structure should only be accessed by internal
+ *  RADIUS library functions.
+ *
+ * @param[in] fmt   The format to use.
+ */
+extern void nr_strerror_printf(const char *fmt, ...);
+
+#ifndef NDEBUG
+#define nr_debug_error nr_strerror_printf /** \ingroup error */
+#else
+#define nr_debug_error if (0) nr_strerror_printf
+#endif
+
+/**  Encrypts or decrypts a User-Password attribute. \ingroup internal
+ *
+ *  \attention This structure should only be accessed by internal
+ *  RADIUS library functions.
+ *
+ * @param[out] output   Buffer where the password is stored
+ * @param[out] outlen   Size of the output buffer
+ * @param[in]  input    Input buffer with password
+ * @param[in]  inlen    Length of the input buffer
+ * @param[in]  secret   The shared secret
+ * @param[in]  vector   Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_password_encrypt(uint8_t *output, size_t outlen,
+				   const uint8_t *input, size_t inlen,
+				   const char *secret, const uint8_t *vector);
+
+/**  Encrypts a Tunnel-Password attribute. \ingroup internal
+ *
+ *  \attention This structure should only be accessed by internal
+ *  RADIUS library functions.
+ *
+ * @param[out] output   Buffer where the password is stored
+ * @param[out] outlen   Size of the output buffer
+ * @param[in]  input    Input buffer with password
+ * @param[in]  inlen    Length of the input buffer
+ * @param[in]  secret   The shared secret
+ * @param[in]  vector   Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen,
+				   const uint8_t *input, size_t inlen,
+				   const char *secret, const uint8_t *vector);
+
+/**  Decrypts a Tunnel-Password attribute. \ingroup internal
+ *
+ *
+ *  \attention This structure should only be accessed by internal
+ *  RADIUS library functions.
+ *
+ * @param[out] output   Buffer where the password is stored
+ * @param[out] outlen   Size of the output buffer
+ * @param[in]  input    Input buffer with password
+ * @param[in]  inlen    Length of the input buffer
+ * @param[in]  secret   The shared secret
+ * @param[in]  vector   Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen,
+				   const uint8_t *input, size_t inlen,
+				   const char *secret, const uint8_t *vector);
+
+/**  Calculates an HMAC-MD5. \ingroup internal
+ *
+ * @param[in] data      Data to be hashed
+ * @param[in] data_len  Length of data to be hashed
+ * @param[in] key       Key for the HMAC
+ * @param[in] key_len   Length of the key
+ * @param[out] digest
+ */
+extern void nr_hmac_md5(const uint8_t *data, size_t data_len,
+			const uint8_t *key, size_t key_len,
+			uint8_t digest[16]);
+
+/** Checks if a TLV is properly formatted. \ingroup internal
+ *
+ *  \attention This structure should only be accessed by internal
+ *  RADIUS library functions.
+ *
+ * @param[in] data      Data to check
+ * @param[in] length    Length of the data field
+ * @param[in] dv_type   Length of the TLV "type" field
+ * @param[in] dv_length Length of the TLV "length" field
+ * @return             <0 on error, 0 for "TLV is OK"
+ */
+extern int nr_tlv_ok(const uint8_t *data, size_t length,
+		      size_t dv_type, size_t dv_length);
+
+/** A callback function used by nr_packet_walk().  \ingroup packet
+ *
+ *  The function should return 0 on success (i.e. keep walking), and
+ *  otherwise a negative number indicating an error code
+ *  (::nr_error_t).  That negative number will be used as the return
+ *  code for nr_packet_walk().
+ */
+typedef int (*nr_packet_walk_func_t)(void *, const DICT_ATTR *, const uint8_t *, size_t);
+
+/** Walks over all attributes in a packet. \ingroup packet
+ *
+ *  This function is an iterator which calls a user-supplied callback
+ *  function for each attribute in the packet.  It should be used
+ *  instead of manually walking over the attributes.  There are a
+ *  number of odd corner cases when handling Vendor-Specific
+ *  attributes, and it is easy to get those corner cases wrong.
+ *
+ *  This function iterates over *all* attributes, including nested
+ *  VSAs.  That is its main value.
+ *
+ *  Encrypted attributes such as User-Password are not decrypted.
+ *
+ * @param[in] packet    The packet containing the data
+ * @param[in] ctx       A user-supplied context.  May be NULL
+ * @param[in] callback  The callback function where the information is passed.
+ *
+ * @return <0 for error,
+ *          0 for success.
+ */
+extern int nr_packet_walk(RADIUS_PACKET *packet, void *ctx,
+			  nr_packet_walk_func_t callback);
+
+/** Initialize a packet
+ *
+ *  If original is specified, the packet is initialized as a response
+ *  to the original request.
+ *
+ * @param[in,out] packet  The packet to initialize
+ * @param[in] original    The original request (if any) to use as a template
+ * @param[in] secret      Shared secret
+ * @param[in] code        RADIUS Code field.
+ * @param[in] data        Buffer where packets will be stored (RADIUS_PACKET::data)
+ * @param[in] sizeof_data Size of buffer (RADIUS_PACKET::sizeof_data)
+ * @return  <0 on error, 0 for success.
+ */
+extern int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+			  const char *secret, int code,
+			  void *data, size_t sizeof_data);
+
+/** Add one attribute to the packet.
+ *
+ *  This function can be used to add "raw" data to a packet.  It
+ *  allows the caller to extend the RADIUS packet without using a
+ *  ::VALUE_PAIR data structure.
+ *
+ *  Some attributes are handled specially by this function.
+ *
+ *  EAP-Message.  This attribute is automatically split into 253-octet
+ *  chunks.
+ *
+ *  User-Password, CHAP-Password, and Message-Authenticator.  These
+ *  attributes are automatically encrypted, as is done by
+ *  nr_packet_encode().
+ *
+ * @param[in] packet   The packet to edit
+ * @param[in] original The original request (if any)
+ * @param[in] da       Pointer to the attribute definition
+ * @param[in] data     Data to append to the packet
+ * @param[in] data_len Length of data to append to the packet
+ *
+ * @return <0 for error, >= 0 for "successfully appended data"
+ *  The function returns the number of octets appended to the packet.
+ */
+extern ssize_t nr_packet_attr_append(RADIUS_PACKET *packet,
+				     const RADIUS_PACKET *original,
+				     const DICT_ATTR *da,
+				     const void *data, size_t data_len);
+
+
+/** Encodes any ::VALUE_PAIR into an attribute.  \ingroup attr
+ *
+ *  This function can be called for any ::VALUE_PAIR.  It will examine
+ *  that structure, and call one of nr_vp2rfc() or nr_vp2vsa() as
+ *  necessary.
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet   Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp  The ::VALUE_PAIR to encode.  On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] room     How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2attr(const RADIUS_PACKET *packet,
+		      const RADIUS_PACKET *original,
+		      const VALUE_PAIR **pvp, uint8_t *data, size_t room);
+
+/** Encodes an RFC "standard" ::VALUE_PAIR into an attribute.  \ingroup attr
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp  The ::VALUE_PAIR to encode.  On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data      Where the attribute is to be encoded.
+ * @param[in] room     How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2rfc(const RADIUS_PACKET *packet,
+		     const RADIUS_PACKET *original,
+		     const VALUE_PAIR **pvp,
+		     uint8_t *data, size_t room);
+
+/** Decodes any attribute into a ::VALUE_PAIR.  \ingroup attr
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp     Where to place the decoded ::VALUE_PAIR.  On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] length   How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+			    const uint8_t *data, size_t length,
+			    VALUE_PAIR **pvp);
+
+/** Decodes an RFC "standard" attribute into a ::VALUE_PAIR.  \ingroup attr
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp     Where to place the decoded ::VALUE_PAIR.  On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] length   How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const uint8_t *data, size_t length,
+			VALUE_PAIR **pvp);
+
+/** Decodes a Vendor-Specific attribute into a ::VALUE_PAIR.  \ingroup attr
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp     Where to place the decoded ::VALUE_PAIR.  On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] length   How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const uint8_t *data, size_t length,
+			VALUE_PAIR **pvp);
+
+/** Decodes an attribute with an unexpected length into a ::VALUE_PAIR.  \ingroup attr
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp     Where to place the decoded ::VALUE_PAIR.  On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] length   How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet,
+			const RADIUS_PACKET *original,
+			const uint8_t *data, size_t length,
+			VALUE_PAIR **pvp);
+
+/** Encodes a Vendor-Specific ::VALUE_PAIR into an attribute.
+ *
+ *  \attention This function should not be called.
+ *
+ * @param[in] packet   Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp  The ::VALUE_PAIR to encode.  On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data     Where the attribute is to be encoded.
+ * @param[in] room     How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+		     const VALUE_PAIR **pvp, uint8_t *data,
+		     size_t room);
+
+/** Returns raw data from the RADIUS packet, for a given attribute. \ingroup attr
+ *
+ *  This function can be called repeatedly to find all instances of a
+ *  given attribute.  The first time it is called, the "start"
+ *  parameter should be zero.  If the function returns a non-zero
+ *  positive number, it means that there *may* be more attributes
+ *  available.  The returned value should be then passed via the
+ *  "start" option in any subsequent calls to the function.
+ *
+ *  This function should be called by an application when it wants
+ *  access to data which is not in the pre-defined dictionaries.
+ *
+ * @param[in] packet   The packet containing the attribute.
+ * @param[in] start    Where in the packet we start searching for the attribute.
+ * @param[in] attr     Value of the attribute to search for
+ * @param[in] vendor   Value of the vendor (use 0 for IETF attributes)
+ * @param[out] pdata   Pointer to the data.  If no data was found, the pointer is unchanged.
+ * @param[out] plength  Length of the data.  If no data was found, the value pointed to is unchanged.
+ *
+ * @return <0 for error,
+ *          0 for "no attribute found, stop searching"
+ *         >0 offset where the attribute was found.
+ */
+extern ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start,
+			     unsigned int attr, unsigned int vendor,
+			     const uint8_t **pdata, size_t *plength);
+
+/**  Pretty-print the entire ::VALUE_PAIR \ingroup print
+ *
+ *  All data is printed in ASCII format.  The data type of "octets" is
+ *  printed as a hex string (e.g. 0xabcdef01...).  The data type of
+ *  "ipaddr" is printed as a dotted-quad (e.g. 192.0.2.15).
+ *
+ *  The format is "Attribute-Name = value"
+ *
+ * @param[out] buffer  Where the printable version of the ::VALUE_PAIR is stored
+ * @param[in]  bufsize size of the output buffer
+ * @param[in]  vp      ::VALUE_PAIR to print
+ * @return   length of data in buffer
+ */
+extern size_t nr_vp_snprintf(char *buffer, size_t bufsize, const VALUE_PAIR *vp);
+
+/**  Pretty-print the VALUE_PAIR::data field \ingroup print
+ *
+ *  Prints the value of a ::VALUE_PAIR, without the name or "=" sign.
+ *
+ * @param[out] buffer  Where the printable version of the ::VALUE_PAIR is stored
+ * @param[in]  bufsize size of the output buffer
+ * @param[in]  vp      ::VALUE_PAIR to print
+ * @return   length of data in buffer
+ */
+extern size_t nr_vp_snprintf_value(char *buffer, size_t bufsize, const VALUE_PAIR *vp);
+
+/** Prints a list of :VALUE_PAIR structures to the given output. \ingroup print
+ *
+ * @param[in] fp   Where to print the results
+ * @param[in] vps  Linked list of ::VALUE_PAIR to print
+ */
+extern void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps);
+
+/** Scan a string into a ::VALUE_PAIR.  The counterpart to
+ * nr_vp_snprintf_value() \ingroup print
+ *
+ * @param[in] string  Printable version of the ::VALUE_PAIR
+ * @param[out] pvp    Newly allocated ::VALUE_PAIR
+ * @return <0 on error, 0 for success.
+ */
+extern int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp);
+
+/** Scan the data portion of a ::VALUE_PAIR.  The counterpart to
+ * nr_vp_snprintf_value() \ingroup print
+ *
+ * @param[in,out] vp    The ::VALUE_PAIR where the data will be stored
+ * @param[in]     value The string version of the data to be parsed
+ * @return             <0 on error, >=0 for the number of characters parsed in value.
+ */
+extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value);
+
+#if defined(__GNUC__)
+# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
+# define NEVER_RETURNS __attribute__ ((noreturn))
+# define UNUSED __attribute__ ((unused))
+# define BLANK_FORMAT " "	/* GCC_LINT whines about empty formats */
+#else
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define PRINTF_LIKE(n)
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define NEVER_RETURNS
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define UNUSED
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define BLANK_FORMAT ""
+#endif
diff --git a/lib/radius/common.pl b/lib/radius/common.pl
new file mode 100644
index 0000000..c08489a
--- /dev/null
+++ b/lib/radius/common.pl
@@ -0,0 +1,220 @@
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the <organization> nor the
+#       names of its contributors may be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+our %attributes;
+our %vendor;
+our %vendorpec;
+our $begin_vendor = 0;
+
+$vendorpec{'0'} = "IETF";
+
+sub do_file()
+{
+    my $filename = shift;
+    my $fh;
+
+    $dir = $filename;
+    $dir =~ s:/[^/]+?$::;
+    $lineno = 0;
+
+    open $fh, "<$filename" or die "Failed to open $filename: $!\n";
+
+    while (<$fh>) {
+	$lineno++;
+	next if (/^\s*#/);
+	next if (/^\s*$/);
+	s/#.*//;
+	s/\s+$//;
+
+	next if ($_ eq "");
+
+	#
+	#  Remember the vendor
+	#
+	if (/^VENDOR\s+([\w-]+)\s+(\w+)(.*)/) {
+	    my $me = $1;
+
+	    $vendor{$me}{'pec'} = $2;
+	    $vendorpec{$2} = $me;
+
+	    $vendor{$me}{'type'} = 1;
+	    $vendor{$me}{'length'} = 1;
+
+	    if ($3) {
+		$format=$3;
+		$format =~ s/^\s+//;
+
+		if ($format !~ /^format=(\d+),(\d+)$/) {
+		    die "Unknown format $format\n";
+		}
+		$vendor{$me}{'type'} = $1;
+		$vendor{$me}{'length'} = $2;
+	    }
+	    next;
+	}
+
+	#
+	#  Remember if we did begin-vendor.
+	#
+	if (/^BEGIN-VENDOR\s+([\w-]+)/) {
+	    if (!defined $vendor{$1}) {
+		die "Unknown vendor $1\n";
+	    }
+	    $begin_vendor = $vendor{$1}{'pec'};
+	    next;
+	}
+
+	#
+	#  Remember if we did this.
+	#
+	if (/^END-VENDOR/) {
+	    $begin_vendor = 0;
+	    next;
+	}
+
+	#
+	#  Get attribute.
+	#
+	if (/^ATTRIBUTE\s+([\w-\/.]+)\s+(\w+)\s+(\w+)(.*)/) {
+	    $name=$1;
+	    $value = $2;
+	    $type = $3;
+	    $stuff = $4;
+
+	    $value =~ tr/[A-F]/[a-f]/; # normal form for hex
+	    $value =~ tr/X/x/;
+
+	    if ($value =~ /^0x/) {
+		$index = hex $value;
+	    } else {
+		$index = $value;
+	    }
+
+	    next if (($begin_vendor == 0) && ($index > 255));
+
+	    $index += ($begin_vendor << 16);
+
+	    $attributes{$index}{'name'} = $name;
+	    $attributes{$index}{'value'} = $value;
+	    if ($begin_vendor ne "") {
+		$attributes{$index}{'vendor'} = $begin_vendor;
+	    }
+
+	    $type =~ tr/a-z/A-Z/;
+	    $attributes{$index}{'type'} = "NR_TYPE_$type";
+
+	    $stuff =~ s/^\s*//;
+
+	    if ($stuff) {
+		foreach $text (split /,/, $stuff) {
+		    if ($text eq "encrypt=1") {
+			$attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_USER_PASSWORD";
+		    } elsif ($text eq "encrypt=2") {
+			$attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_TUNNEL_PASSWORD";
+
+			} elsif ($text eq "encrypt=3") {
+			$attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_ASCEND_SECRET";
+
+		    } elsif ($text eq "has_tag") {
+			$attributes{$index}{'flags'}{'has_tag'} = "1";
+
+		    } elsif ($text =~ /\[(\d+)\]/) {
+			$attributes{$index}{'flags'}{'length'} = $1;
+			
+		    } else {
+			die "$filename: $lineno - Unknown flag $text\n";
+		    }
+		}
+	    }
+
+	    if ($type eq "BYTE") {
+		$attributes{$index}{'flags'}{'length'} = "1";
+		
+	    } elsif ($type eq "SHORT") {
+		$attributes{$index}{'flags'}{'length'} = "2";
+		
+	    } elsif ($type eq "INTEGER") {
+		$attributes{$index}{'flags'}{'length'} = "4";
+		
+	    } elsif ($type eq "IPADDR") {
+		$attributes{$index}{'flags'}{'length'} = "4";
+		
+	    } elsif ($type eq "DATE") {
+		$attributes{$index}{'flags'}{'length'} = "4";
+		
+	    } elsif ($type eq "IFID") {
+		$attributes{$index}{'flags'}{'length'} = "8";
+		
+	    } elsif ($type eq "IPV6ADDR") {
+		
+		$attributes{$index}{'flags'}{'length'} = "16";
+	    }
+
+	    $name2val{$name} = $index;
+	    next;
+	}
+
+	#
+	#  Values.
+	#
+	if (/^VALUE\s+([\d\w-\/.]+)\s+([\w-\/,.+]+)\s+(\w+)(.*)/) {
+	    next;
+
+	    $attr = $1;
+	    $name = $2;
+	    $value = $3;
+	    $stuff = $d;
+
+	    $value =~ tr/[A-F]/[a-f]/; # normal form for hex
+	    $value =~ tr/X/x/;
+
+	    if ($value =~ /^0x/) {
+		$index = hex $value;
+	    } else {
+		$index = $value;
+	    }
+
+	    if (!defined $name2val{$attr}) {
+		print "# FIXME: FORWARD REF?\nVALUE $attr $name $value$stuff\n";
+		next;
+	    }
+
+	    $values{$name2val{$attr}}{$index} = "$attr $name $value$stuff";
+	    next;
+	}
+
+	if (/^\$INCLUDE\s+(.*)$/) {
+	    do_file("$dir/$1");
+	    next;
+	}
+
+	die "unknown text in line $lineno of $filename: $_\n";
+    }
+
+    close $fh;
+}
+
+1;
diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl
new file mode 100755
index 0000000..ce7cccd
--- /dev/null
+++ b/lib/radius/convert.pl
@@ -0,0 +1,182 @@
+#!/usr/bin/env perl
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the <organization> nor the
+#       names of its contributors may be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+#
+#  Converts dictionaries to C structures.  Does not yet do "VALUE"s.
+#
+#  Usage: ./convert.pl dictionary ...
+#
+#  Reads input dictionaries, and outputs "radius.h" and "dictionaries.c"
+#
+#  $Id$
+#
+require "common.pl";
+
+#
+#  Read all of the dictionaries
+#
+while (@ARGV) {
+    $filename = shift;
+    do_file($filename);
+}
+
+#
+#  For speed, the dictionary data structures have the first 256
+#  attributes at fixed offsets in the array.  If the user didn't
+#  define them, then we set them here to be "raw" or unknown.
+#
+foreach $attr_val (0..255) {
+    next if defined $attributes{$attr_val};
+    
+    $attributes{$attr_val}{'raw'} = 1;
+}
+
+if (scalar keys %attributes == 0) {
+    die "No attributes were defined\n";
+}
+
+
+open DICT, ">dictionaries.c" or die "Failed creating dictionaries.c: $!\n";
+
+#
+#  Print out the data structues for the vendors.
+#
+if (scalar keys %vendor > 0) {
+    print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n";
+    foreach $v (sort keys %vendor) {
+	print DICT "  { \n";
+	print DICT "    .name = \"", $v, "\", \n";
+	print DICT "    .vendor = ", $vendor{$v}{'pec'}, ", \n";
+	print DICT "    .type = ", $vendor{$v}{'type'}, ",\n";
+	print DICT "    .length = ", $vendor{$v}{'length'}, ",\n";
+	print DICT "  },\n";
+    }
+    print DICT "\n  { .name = NULL, }\n";
+    print DICT "};\n\n";
+}
+
+# needed for later.
+$vendor{""}{'pec'} = 0;
+
+#
+#  Print DICT out the attributes sorted by number.
+#
+my $offset = 0;
+my $num_names = 0;
+print DICT "const DICT_ATTR nr_dict_attrs[] = {\n";
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+    print DICT "  { /* $offset */ \n";
+
+    if (defined $attributes{$attr_val}{'raw'}) {
+	print DICT "    .name = NULL, \n";
+    } else {
+	print DICT "    .name = \"", $attributes{$attr_val}{'name'}, "\", \n";
+	if ($attributes{$attr_val}{'vendor'}) {
+	    print DICT "    .vendor = ", $attributes{$attr_val}{'vendor'}, ", \n";
+	}
+
+	print DICT "    .attr = ", $attributes{$attr_val}{'value'}, ", \n";
+	print DICT "    .type = ", $attributes{$attr_val}{'type'}, ", \n";
+	
+	if ($attributes{$attr_val}{'flags'}) {
+	    print DICT "    .flags = {\n";
+	    foreach $flag (keys %{$attributes{$attr_val}{'flags'}}) {
+		print DICT "      .$flag = $attributes{$attr_val}{'flags'}{$flag},\n";
+	    }
+	    print DICT "    },\n";
+	}
+
+	$num_names++;
+    }
+
+    $attributes{$attr_val}{'offset'} = $offset++;
+    
+    print DICT "  },\n";
+    
+}
+print DICT "};\n\n";
+
+print DICT "const int nr_dict_num_attrs = ", $offset - 1, ";\n\n";
+print DICT "const int nr_dict_num_names = ", $num_names - 1, ";\n\n";
+
+my $offset = 0;
+print DICT "const DICT_ATTR *nr_dict_attr_names[] = {\n";
+foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'name'})} keys %attributes) {
+    next if (defined $attributes{$attr_val}{'raw'});
+    
+    print DICT "    &nr_dict_attrs[", $attributes{$attr_val}{'offset'}, "], /* ", $attributes{$attr_val}{'name'}, " */\n";
+}
+
+print DICT "};\n\n";
+close DICT;
+
+open HDR, ">radius.h" or die "Failed creating radius.c: $!\n";
+
+print HDR "/* Automatically generated file.  Do not edit */\n\n";
+
+foreach $v (sort keys %vendor) {
+    next if ($v eq "");
+
+    $name = $v;
+    $name =~ tr/a-z/A-Z/;		# uppercase
+    $name =~ tr/A-Z0-9/_/c;	# any ELSE becomes _
+
+    print HDR "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n";
+}
+print HDR "\n";
+
+$begin_vendor = -1;
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+    next if (defined $attributes{$attr_val}{'raw'});
+
+    if ($attributes{$attr_val}{'vendor'} != $begin_vendor) {
+	print HDR "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n";
+	$begin_vendor = $attributes{$attr_val}{'vendor'};
+    }
+
+    $name = $attributes{$attr_val}{'name'};
+    $name =~ tr/a-z/A-Z/;
+    $name =~ tr/A-Z0-9/_/c;
+
+    print HDR "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n";
+}
+print HDR "\n";
+
+print HDR "/* Fixed offsets to dictionary definitions of attributes */\n";
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+    next if (defined $attributes{$attr_val}{'raw'});
+
+    $name = $attributes{$attr_val}{'name'};
+    $name =~ tr/a-z/A-Z/;
+    $name =~ tr/-/_/;
+
+    print HDR "#define NR_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n";
+}
+
+print HDR "/* Automatically generated file.  Do not edit */\n";
+
+close HDR;
diff --git a/lib/radius/crypto.c b/lib/radius/crypto.c
new file mode 100644
index 0000000..02a223d
--- /dev/null
+++ b/lib/radius/crypto.c
@@ -0,0 +1,233 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file crypto.c
+ *  \brief Data obfuscation and signing, using MD5.
+ *
+ *  The "encryption" methods defined here are export-safe.  The
+ *  technical cryptography name for these functions is "obfuscation".
+ *  They cannot properly be called "encryption", in the same way that
+ *  DES or AES performs encryption.
+ */
+
+/** \cond PRIVATE */
+
+#include	<networkradius-devel/client.h>
+
+
+ssize_t nr_password_encrypt(uint8_t *output, size_t outlen,
+			   const uint8_t *input, size_t inlen,
+			   const char *secret, const uint8_t *vector)
+{
+	size_t i, j, len;
+	uint8_t digest[16];
+	NR_MD5_CTX ctx, secret_ctx;
+
+	if (!output || (outlen < 16) || !input || (inlen == 0) ||
+	    !secret || !vector) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	len = inlen;
+	if (len > 128) return -NR_ERR_ATTR_OVERFLOW;
+
+	len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */
+
+	if (outlen < len) return -NR_ERR_ATTR_OVERFLOW;
+
+	memcpy(output, input, len);
+	memset(output + len, 0, 128 - len);
+
+	nr_MD5Init(&secret_ctx);
+	nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+	for (j = 0; j < len; j += 16) {
+		ctx = secret_ctx;
+
+		if (j == 0) {
+			nr_MD5Update(&ctx, vector, 16);
+			nr_MD5Final(digest, &ctx);
+		} else {
+			nr_MD5Update(&ctx, &output[j - 16], 16);
+			nr_MD5Final(digest, &ctx);
+		}
+
+		for (i = 0; i < 16; i++) {
+			output[i + j] ^= digest[i];
+		}
+	}
+
+	return len;
+}
+
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen,
+			    const uint8_t *input, size_t inlen,
+			    const char *secret, const uint8_t *vector)
+{
+	size_t i, j, len;
+	NR_MD5_CTX ctx, secret_ctx;
+	uint8_t digest[16];
+
+	if (!output || (outlen < 18) || !input || (inlen == 0) ||
+	    !secret || !vector) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	len = ((inlen + 1) + 0x0f) & ~0x0f;
+	if (len > 251) return -NR_ERR_ATTR_OVERFLOW;
+
+	output[0] = (nr_rand() & 0xff) | 0x80;
+	output[1] = nr_rand() & 0xff;
+	output[2] = inlen;
+
+	memcpy(output + 3, input, inlen);
+	memset(output + 3 + inlen, 0, len - inlen - 1);
+
+	nr_MD5Init(&secret_ctx);
+	nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+	for (j = 0; j < len; j += 16) {
+		ctx = secret_ctx;
+
+		if (j == 0) {
+			nr_MD5Update(&ctx, vector, 16);
+			nr_MD5Update(&ctx, output, 2);
+			nr_MD5Final(digest, &ctx);
+		} else {
+			nr_MD5Update(&ctx, &output[j + 2 - 16], 16);
+			nr_MD5Final(digest, &ctx);
+		}
+
+		for (i = 0; i < 16; i++) {
+			output[i + j + 2] ^= digest[i];
+		}
+	}
+
+	return len + 2;
+}
+
+ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen,
+			    const uint8_t *input, size_t inlen,
+			    const char *secret, const uint8_t *vector)
+{
+	size_t i, j, len, encoded_len;
+	NR_MD5_CTX ctx, secret_ctx;
+	uint8_t digest[16];
+
+	if (!output || (outlen < 1) || !input || (inlen < 2) ||
+	    !secret || !vector) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if (inlen <= 3) {
+		output[0] = 0;
+		return 0;
+	}
+
+	len = inlen - 2;
+
+	if (outlen < (len - 1)) return -NR_ERR_ATTR_OVERFLOW;
+
+	nr_MD5Init(&secret_ctx);
+	nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+	ctx = secret_ctx;
+
+	nr_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */
+	nr_MD5Update(&ctx, input, 2);
+	nr_MD5Final(digest, &ctx);
+
+	encoded_len = input[2] ^ digest[0];
+	if (encoded_len >= len) {
+		return -NR_ERR_ATTR_TOO_LARGE;
+	}
+
+	for (i = 0; i < 15; i++) {
+		output[i] = input[i + 3] ^ digest[i + 1];
+	}
+
+	for (j = 16; j < len; j += 16) {
+		ctx = secret_ctx;
+
+		nr_MD5Update(&ctx, input + j - 16 + 2, 16);
+		nr_MD5Final(digest, &ctx);
+
+		for (i = 0; i < 16; i++) {
+			output[i + j - 1] = input[i + j + 2] ^ digest[i];
+		}
+		
+
+	}
+
+	output[encoded_len] = '\0';
+	return encoded_len;
+}
+#endif
+
+void
+nr_hmac_md5(const uint8_t *data, size_t data_len,
+	    const uint8_t *key, size_t key_len,
+	    uint8_t digest[16])
+{
+        size_t i;
+        uint8_t k_ipad[64];
+        uint8_t k_opad[64];
+        uint8_t tk[16];
+        NR_MD5_CTX ctx;
+
+        if (key_len > 64) {
+                nr_MD5Init(&ctx);
+                nr_MD5Update(&ctx, key, key_len);
+                nr_MD5Final(tk, &ctx);
+
+                key = tk;
+                key_len = 16;
+        }
+
+        memset(k_ipad, 0, sizeof(k_ipad));
+        memset(k_opad, 0, sizeof(k_opad));
+        memcpy(k_ipad, key, key_len);
+        memcpy(k_opad, key, key_len);
+
+        for (i = 0; i < sizeof(k_ipad); i++) {
+                k_ipad[i] ^= 0x36;
+                k_opad[i] ^= 0x5c;
+        }
+
+        nr_MD5Init(&ctx); 
+        nr_MD5Update(&ctx, k_ipad, sizeof(k_ipad));
+        nr_MD5Update(&ctx, data, data_len);
+        nr_MD5Final(digest, &ctx);
+
+        nr_MD5Init(&ctx);
+        nr_MD5Update(&ctx, k_opad, sizeof(k_opad));
+        nr_MD5Update(&ctx, digest, 16);
+        nr_MD5Final(digest, &ctx);
+}
+
+/** \endcond */
diff --git a/lib/radius/custom.c b/lib/radius/custom.c
new file mode 100644
index 0000000..e33cf5a
--- /dev/null
+++ b/lib/radius/custom.c
@@ -0,0 +1,87 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file custom.c
+ *  \brief Functions which should be customized for your local system.
+ */
+
+#include <networkradius-devel/client.h>
+
+#include	<unistd.h>
+#include	<fcntl.h>
+
+ssize_t nr_rand_bytes(uint8_t *data, size_t data_len)
+{
+	static int fd = -1;
+	
+	if (fd < 0) {
+		fd = open("/dev/urandom", O_RDONLY);
+		if (fd < 0) {
+			nr_strerror_printf("Error opening randomness: %s",
+					   strerror(errno));
+			return 0;
+		}
+	}
+
+	return read(fd, data, data_len);
+}
+
+uint32_t nr_rand(void)
+{
+	uint32_t lvalue;
+
+	nr_rand_bytes((void *)&lvalue, sizeof(lvalue));
+	return lvalue;
+}
+
+
+#ifndef USEC
+#define USEC (1000000)
+#endif
+
+void nr_timeval_add(struct timeval *t, unsigned int seconds, unsigned int usec)
+{
+	t->tv_sec += seconds;
+	t->tv_sec += usec / USEC;
+	t->tv_usec += usec % USEC;
+	if (t->tv_usec > USEC) {
+		t->tv_sec++;
+		t->tv_usec -= USEC;
+	}
+}
+
+int nr_timeval_cmp(const struct timeval *a, const struct timeval *b)
+{
+	if (a->tv_sec > b->tv_sec) return +1;
+	if (a->tv_sec < b->tv_sec) return -1;
+
+	if (a->tv_usec > b->tv_usec) return +1;
+	if (a->tv_usec < b->tv_usec) return -1;
+
+	return 0;
+}
+
diff --git a/lib/radius/dict.c b/lib/radius/dict.c
new file mode 100644
index 0000000..26fe7d0
--- /dev/null
+++ b/lib/radius/dict.c
@@ -0,0 +1,172 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+#include <ctype.h>
+
+/** \file dict.c
+ *  \brief Functions for name to number, and number to name mappings.
+ */
+
+const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor)
+{
+	int start, half, end;
+
+	if (!vendor && (attr > 0) && (attr < 256)) {
+		if (nr_dict_attrs[attr].name) {
+			return &nr_dict_attrs[attr];
+		}
+		return NULL;
+	}
+
+	if (!vendor) return NULL; /* no "non-protocol" attributes */
+
+	start = 256;		/* first 256 entries are "standard" ones */
+	end = nr_dict_num_attrs;
+
+	do {
+		half = (start + end) / 2;
+
+		if ((nr_dict_attrs[half].vendor == vendor) &&
+		    (nr_dict_attrs[half].attr == attr)) {
+			return &nr_dict_attrs[half];
+		}
+
+		if ((vendor > nr_dict_attrs[half].vendor) &&
+		    (attr > nr_dict_attrs[half].attr)) {
+			start = half + 1;
+		} else {
+			end = half - 1;
+		}
+
+	} while (start <= end);
+
+	return NULL;
+}
+
+const DICT_ATTR *nr_dict_attr_byname(const char *name)
+{
+	int start, half, end;
+
+	start = 1;
+	end = nr_dict_num_names;
+
+	if (!name || !*name) return NULL;
+
+	do {
+		int rcode;
+
+		half = (start + end) / 2;
+
+		rcode = strcasecmp(name, nr_dict_attr_names[half]->name);
+		if (rcode == 0) return nr_dict_attr_names[half];
+
+		if (rcode > 0) {
+			start = half + 1;
+		} else {
+			end = half - 1;
+		}
+
+
+	} while (start <= end);
+
+	return NULL;
+}
+
+int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor,
+			 char *buffer, size_t bufsize)
+{
+	if (!da || !buffer) return -NR_ERR_INVALID_ARG;
+
+	if (!vendor) {
+		if (attr > 256) return -NR_ERR_INVALID_ARG;
+
+	} else if (vendor > (1 << 24)) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	memset(da, 0, sizeof(*da));
+	da->attr = attr;
+	da->flags.unknown = 1;
+	da->type = NR_TYPE_OCTETS;
+	da->vendor = vendor;
+
+	if (da->vendor) {
+		snprintf(buffer, bufsize, "Attr-26.%u.%u",
+			 vendor, attr);
+	} else {
+		snprintf(buffer, bufsize, "Attr-%u", attr);
+	}
+	da->name = buffer;
+
+	return 0;
+}
+
+
+const DICT_VALUE *nr_dict_value_byattr(UNUSED unsigned int attr,
+				 UNUSED unsigned int vendor,
+				 UNUSED int value)
+{
+	return NULL;
+}
+
+const DICT_VALUE *nr_dict_value_byname(UNUSED unsigned int attr,
+				 UNUSED unsigned int vendor,
+				 UNUSED const char *name)
+{
+	return NULL;
+}
+
+int nr_dict_vendor_byname(const char *name)
+{
+	const DICT_VENDOR *dv;
+
+	if (!name || !*name) return 0;
+
+	/*
+	 *	O(n) lookup.
+	 */
+	for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) {
+		if (strcasecmp(dv->name, name) == 0) return dv->vendor;
+	}
+
+	return 0;
+}
+
+const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor)
+{
+	const DICT_VENDOR *dv;
+
+	/*
+	 *	O(n) lookup.
+	 */
+	for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) {
+		if (dv->vendor == vendor) return dv;
+	}
+
+	return NULL;
+}
diff --git a/lib/radius/dictionaries.c b/lib/radius/dictionaries.c
new file mode 100644
index 0000000..d1f4b6f
--- /dev/null
+++ b/lib/radius/dictionaries.c
@@ -0,0 +1,1515 @@
+const DICT_VENDOR nr_dict_vendors[] = {
+  { 
+    .name = "Microsoft", 
+    .vendor = 311, 
+    .type = 1,
+    .length = 1,
+  },
+  { 
+    .name = "example", 
+    .vendor = 65535, 
+    .type = 1,
+    .length = 1,
+  },
+
+  { .name = NULL, }
+};
+
+const DICT_ATTR nr_dict_attrs[] = {
+  { /* 0 */ 
+    .name = NULL, 
+  },
+  { /* 1 */ 
+    .name = "User-Name", 
+    .attr = 1, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 2 */ 
+    .name = "User-Password", 
+    .attr = 2, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .encrypt = FLAG_ENCRYPT_USER_PASSWORD,
+    },
+  },
+  { /* 3 */ 
+    .name = "CHAP-Password", 
+    .attr = 3, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 4 */ 
+    .name = "NAS-IP-Address", 
+    .attr = 4, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 5 */ 
+    .name = "NAS-Port", 
+    .attr = 5, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 6 */ 
+    .name = "Service-Type", 
+    .attr = 6, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 7 */ 
+    .name = "Framed-Protocol", 
+    .attr = 7, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 8 */ 
+    .name = "Framed-IP-Address", 
+    .attr = 8, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 9 */ 
+    .name = "Framed-IP-Netmask", 
+    .attr = 9, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 10 */ 
+    .name = "Framed-Routing", 
+    .attr = 10, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 11 */ 
+    .name = "Filter-Id", 
+    .attr = 11, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 12 */ 
+    .name = "Framed-MTU", 
+    .attr = 12, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 13 */ 
+    .name = "Framed-Compression", 
+    .attr = 13, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 14 */ 
+    .name = "Login-IP-Host", 
+    .attr = 14, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 15 */ 
+    .name = "Login-Service", 
+    .attr = 15, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 16 */ 
+    .name = "Login-TCP-Port", 
+    .attr = 16, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 17 */ 
+    .name = NULL, 
+  },
+  { /* 18 */ 
+    .name = "Reply-Message", 
+    .attr = 18, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 19 */ 
+    .name = "Callback-Number", 
+    .attr = 19, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 20 */ 
+    .name = "Callback-Id", 
+    .attr = 20, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 21 */ 
+    .name = NULL, 
+  },
+  { /* 22 */ 
+    .name = "Framed-Route", 
+    .attr = 22, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 23 */ 
+    .name = "Framed-IPX-Network", 
+    .attr = 23, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 24 */ 
+    .name = "State", 
+    .attr = 24, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 25 */ 
+    .name = "Class", 
+    .attr = 25, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 26 */ 
+    .name = "Vendor-Specific", 
+    .attr = 26, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 27 */ 
+    .name = "Session-Timeout", 
+    .attr = 27, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 28 */ 
+    .name = "Idle-Timeout", 
+    .attr = 28, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 29 */ 
+    .name = "Termination-Action", 
+    .attr = 29, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 30 */ 
+    .name = "Called-Station-Id", 
+    .attr = 30, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 31 */ 
+    .name = "Calling-Station-Id", 
+    .attr = 31, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 32 */ 
+    .name = "NAS-Identifier", 
+    .attr = 32, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 33 */ 
+    .name = "Proxy-State", 
+    .attr = 33, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 34 */ 
+    .name = "Login-LAT-Service", 
+    .attr = 34, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 35 */ 
+    .name = "Login-LAT-Node", 
+    .attr = 35, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 36 */ 
+    .name = "Login-LAT-Group", 
+    .attr = 36, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 37 */ 
+    .name = "Framed-AppleTalk-Link", 
+    .attr = 37, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 38 */ 
+    .name = "Framed-AppleTalk-Network", 
+    .attr = 38, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 39 */ 
+    .name = "Framed-AppleTalk-Zone", 
+    .attr = 39, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 40 */ 
+    .name = "Acct-Status-Type", 
+    .attr = 40, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 41 */ 
+    .name = "Acct-Delay-Time", 
+    .attr = 41, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 42 */ 
+    .name = "Acct-Input-Octets", 
+    .attr = 42, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 43 */ 
+    .name = "Acct-Output-Octets", 
+    .attr = 43, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 44 */ 
+    .name = "Acct-Session-Id", 
+    .attr = 44, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 45 */ 
+    .name = "Acct-Authentic", 
+    .attr = 45, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 46 */ 
+    .name = "Acct-Session-Time", 
+    .attr = 46, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 47 */ 
+    .name = "Acct-Input-Packets", 
+    .attr = 47, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 48 */ 
+    .name = "Acct-Output-Packets", 
+    .attr = 48, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 49 */ 
+    .name = "Acct-Terminate-Cause", 
+    .attr = 49, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 50 */ 
+    .name = "Acct-Multi-Session-Id", 
+    .attr = 50, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 51 */ 
+    .name = "Acct-Link-Count", 
+    .attr = 51, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 52 */ 
+    .name = "Acct-Input-Gigawords", 
+    .attr = 52, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 53 */ 
+    .name = "Acct-Output-Gigawords", 
+    .attr = 53, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 54 */ 
+    .name = NULL, 
+  },
+  { /* 55 */ 
+    .name = "Event-Timestamp", 
+    .attr = 55, 
+    .type = NR_TYPE_DATE, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 56 */ 
+    .name = "Egress-VLANID", 
+    .attr = 56, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 57 */ 
+    .name = "Ingress-Filters", 
+    .attr = 57, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 58 */ 
+    .name = "Egress-VLAN-Name", 
+    .attr = 58, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 59 */ 
+    .name = "User-Priority-Table", 
+    .attr = 59, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 60 */ 
+    .name = "CHAP-Challenge", 
+    .attr = 60, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 61 */ 
+    .name = "NAS-Port-Type", 
+    .attr = 61, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 62 */ 
+    .name = "Port-Limit", 
+    .attr = 62, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 63 */ 
+    .name = "Login-LAT-Port", 
+    .attr = 63, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 64 */ 
+    .name = "Tunnel-Type", 
+    .attr = 64, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+      .has_tag = 1,
+    },
+  },
+  { /* 65 */ 
+    .name = "Tunnel-Medium-Type", 
+    .attr = 65, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+      .has_tag = 1,
+    },
+  },
+  { /* 66 */ 
+    .name = "Tunnel-Client-Endpoint", 
+    .attr = 66, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 67 */ 
+    .name = "Tunnel-Server-Endpoint", 
+    .attr = 67, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 68 */ 
+    .name = "Acct-Tunnel-Connection", 
+    .attr = 68, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 69 */ 
+    .name = "Tunnel-Password", 
+    .attr = 69, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD,
+      .has_tag = 1,
+    },
+  },
+  { /* 70 */ 
+    .name = "ARAP-Password", 
+    .attr = 70, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .length = 16,
+    },
+  },
+  { /* 71 */ 
+    .name = "ARAP-Features", 
+    .attr = 71, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .length = 14,
+    },
+  },
+  { /* 72 */ 
+    .name = "ARAP-Zone-Access", 
+    .attr = 72, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 73 */ 
+    .name = "ARAP-Security", 
+    .attr = 73, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 74 */ 
+    .name = "ARAP-Security-Data", 
+    .attr = 74, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 75 */ 
+    .name = "Password-Retry", 
+    .attr = 75, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 76 */ 
+    .name = "Prompt", 
+    .attr = 76, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 77 */ 
+    .name = "Connect-Info", 
+    .attr = 77, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 78 */ 
+    .name = "Configuration-Token", 
+    .attr = 78, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 79 */ 
+    .name = "EAP-Message", 
+    .attr = 79, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 80 */ 
+    .name = "Message-Authenticator", 
+    .attr = 80, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 81 */ 
+    .name = "Tunnel-Private-Group-Id", 
+    .attr = 81, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 82 */ 
+    .name = "Tunnel-Assignment-Id", 
+    .attr = 82, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 83 */ 
+    .name = "Tunnel-Preference", 
+    .attr = 83, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+      .has_tag = 1,
+    },
+  },
+  { /* 84 */ 
+    .name = "ARAP-Challenge-Response", 
+    .attr = 84, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .length = 8,
+    },
+  },
+  { /* 85 */ 
+    .name = "Acct-Interim-Interval", 
+    .attr = 85, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 86 */ 
+    .name = "Acct-Tunnel-Packets-Lost", 
+    .attr = 86, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 87 */ 
+    .name = "NAS-Port-Id", 
+    .attr = 87, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 88 */ 
+    .name = "Framed-Pool", 
+    .attr = 88, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 89 */ 
+    .name = "Chargeable-User-Identity", 
+    .attr = 89, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 90 */ 
+    .name = "Tunnel-Client-Auth-Id", 
+    .attr = 90, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 91 */ 
+    .name = "Tunnel-Server-Auth-Id", 
+    .attr = 91, 
+    .type = NR_TYPE_STRING, 
+    .flags = {
+      .has_tag = 1,
+    },
+  },
+  { /* 92 */ 
+    .name = "NAS-Filter-Rule", 
+    .attr = 92, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 93 */ 
+    .name = NULL, 
+  },
+  { /* 94 */ 
+    .name = NULL, 
+  },
+  { /* 95 */ 
+    .name = "NAS-IPv6-Address", 
+    .attr = 95, 
+    .type = NR_TYPE_IPV6ADDR, 
+    .flags = {
+      .length = 16,
+    },
+  },
+  { /* 96 */ 
+    .name = "Framed-Interface-Id", 
+    .attr = 96, 
+    .type = NR_TYPE_IFID, 
+    .flags = {
+      .length = 8,
+    },
+  },
+  { /* 97 */ 
+    .name = "Framed-IPv6-Prefix", 
+    .attr = 97, 
+    .type = NR_TYPE_IPV6PREFIX, 
+  },
+  { /* 98 */ 
+    .name = "Login-IPv6-Host", 
+    .attr = 98, 
+    .type = NR_TYPE_IPV6ADDR, 
+    .flags = {
+      .length = 16,
+    },
+  },
+  { /* 99 */ 
+    .name = "Framed-IPv6-Route", 
+    .attr = 99, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 100 */ 
+    .name = "Framed-IPv6-Pool", 
+    .attr = 100, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 101 */ 
+    .name = "Error-Cause", 
+    .attr = 101, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 102 */ 
+    .name = "EAP-Key-Name", 
+    .attr = 102, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 103 */ 
+    .name = "Digest-Response", 
+    .attr = 103, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 104 */ 
+    .name = "Digest-Realm", 
+    .attr = 104, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 105 */ 
+    .name = "Digest-Nonce", 
+    .attr = 105, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 106 */ 
+    .name = "Digest-Response-Auth", 
+    .attr = 106, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 107 */ 
+    .name = "Digest-Nextnonce", 
+    .attr = 107, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 108 */ 
+    .name = "Digest-Method", 
+    .attr = 108, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 109 */ 
+    .name = "Digest-URI", 
+    .attr = 109, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 110 */ 
+    .name = "Digest-Qop", 
+    .attr = 110, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 111 */ 
+    .name = "Digest-Algorithm", 
+    .attr = 111, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 112 */ 
+    .name = "Digest-Entity-Body-Hash", 
+    .attr = 112, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 113 */ 
+    .name = "Digest-CNonce", 
+    .attr = 113, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 114 */ 
+    .name = "Digest-Nonce-Count", 
+    .attr = 114, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 115 */ 
+    .name = "Digest-Username", 
+    .attr = 115, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 116 */ 
+    .name = "Digest-Opaque", 
+    .attr = 116, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 117 */ 
+    .name = "Digest-Auth-Param", 
+    .attr = 117, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 118 */ 
+    .name = "Digest-AKA-Auts", 
+    .attr = 118, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 119 */ 
+    .name = "Digest-Domain", 
+    .attr = 119, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 120 */ 
+    .name = "Digest-Stale", 
+    .attr = 120, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 121 */ 
+    .name = "Digest-HA1", 
+    .attr = 121, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 122 */ 
+    .name = "SIP-AOR", 
+    .attr = 122, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 123 */ 
+    .name = "Delegated-IPv6-Prefix", 
+    .attr = 123, 
+    .type = NR_TYPE_IPV6PREFIX, 
+  },
+  { /* 124 */ 
+    .name = NULL, 
+  },
+  { /* 125 */ 
+    .name = NULL, 
+  },
+  { /* 126 */ 
+    .name = "Operator-Name", 
+    .attr = 126, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 127 */ 
+    .name = "Location-Information", 
+    .attr = 127, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 128 */ 
+    .name = "Location-Data", 
+    .attr = 128, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 129 */ 
+    .name = "Basic-Location-Policy-Rules", 
+    .attr = 129, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 130 */ 
+    .name = "Extended-Location-Policy-Rules", 
+    .attr = 130, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 131 */ 
+    .name = "Location-Capable", 
+    .attr = 131, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 132 */ 
+    .name = "Requested-Location-Info", 
+    .attr = 132, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 133 */ 
+    .name = "Framed-Management", 
+    .attr = 133, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 134 */ 
+    .name = "Management-Transport-Protection", 
+    .attr = 134, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 135 */ 
+    .name = "Management-Policy-Id", 
+    .attr = 135, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 136 */ 
+    .name = "Management-Privilege-Level", 
+    .attr = 136, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 137 */ 
+    .name = "PKM-SS-Cert", 
+    .attr = 137, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 138 */ 
+    .name = "PKM-CA-Cert", 
+    .attr = 138, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 139 */ 
+    .name = "PKM-Config-Settings", 
+    .attr = 139, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 140 */ 
+    .name = "PKM-Cryptosuite-List", 
+    .attr = 140, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 141 */ 
+    .name = "PKM-SAID", 
+    .attr = 141, 
+    .type = NR_TYPE_SHORT, 
+    .flags = {
+      .length = 2,
+    },
+  },
+  { /* 142 */ 
+    .name = "PKM-SA-Descriptor", 
+    .attr = 142, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 143 */ 
+    .name = "PKM-Auth-Key", 
+    .attr = 143, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 144 */ 
+    .name = NULL, 
+  },
+  { /* 145 */ 
+    .name = NULL, 
+  },
+  { /* 146 */ 
+    .name = NULL, 
+  },
+  { /* 147 */ 
+    .name = NULL, 
+  },
+  { /* 148 */ 
+    .name = NULL, 
+  },
+  { /* 149 */ 
+    .name = NULL, 
+  },
+  { /* 150 */ 
+    .name = NULL, 
+  },
+  { /* 151 */ 
+    .name = NULL, 
+  },
+  { /* 152 */ 
+    .name = NULL, 
+  },
+  { /* 153 */ 
+    .name = NULL, 
+  },
+  { /* 154 */ 
+    .name = NULL, 
+  },
+  { /* 155 */ 
+    .name = NULL, 
+  },
+  { /* 156 */ 
+    .name = NULL, 
+  },
+  { /* 157 */ 
+    .name = NULL, 
+  },
+  { /* 158 */ 
+    .name = NULL, 
+  },
+  { /* 159 */ 
+    .name = NULL, 
+  },
+  { /* 160 */ 
+    .name = NULL, 
+  },
+  { /* 161 */ 
+    .name = NULL, 
+  },
+  { /* 162 */ 
+    .name = NULL, 
+  },
+  { /* 163 */ 
+    .name = NULL, 
+  },
+  { /* 164 */ 
+    .name = NULL, 
+  },
+  { /* 165 */ 
+    .name = NULL, 
+  },
+  { /* 166 */ 
+    .name = NULL, 
+  },
+  { /* 167 */ 
+    .name = NULL, 
+  },
+  { /* 168 */ 
+    .name = NULL, 
+  },
+  { /* 169 */ 
+    .name = NULL, 
+  },
+  { /* 170 */ 
+    .name = NULL, 
+  },
+  { /* 171 */ 
+    .name = NULL, 
+  },
+  { /* 172 */ 
+    .name = NULL, 
+  },
+  { /* 173 */ 
+    .name = NULL, 
+  },
+  { /* 174 */ 
+    .name = NULL, 
+  },
+  { /* 175 */ 
+    .name = NULL, 
+  },
+  { /* 176 */ 
+    .name = NULL, 
+  },
+  { /* 177 */ 
+    .name = NULL, 
+  },
+  { /* 178 */ 
+    .name = NULL, 
+  },
+  { /* 179 */ 
+    .name = NULL, 
+  },
+  { /* 180 */ 
+    .name = NULL, 
+  },
+  { /* 181 */ 
+    .name = NULL, 
+  },
+  { /* 182 */ 
+    .name = NULL, 
+  },
+  { /* 183 */ 
+    .name = NULL, 
+  },
+  { /* 184 */ 
+    .name = NULL, 
+  },
+  { /* 185 */ 
+    .name = NULL, 
+  },
+  { /* 186 */ 
+    .name = NULL, 
+  },
+  { /* 187 */ 
+    .name = NULL, 
+  },
+  { /* 188 */ 
+    .name = NULL, 
+  },
+  { /* 189 */ 
+    .name = NULL, 
+  },
+  { /* 190 */ 
+    .name = NULL, 
+  },
+  { /* 191 */ 
+    .name = NULL, 
+  },
+  { /* 192 */ 
+    .name = NULL, 
+  },
+  { /* 193 */ 
+    .name = NULL, 
+  },
+  { /* 194 */ 
+    .name = NULL, 
+  },
+  { /* 195 */ 
+    .name = NULL, 
+  },
+  { /* 196 */ 
+    .name = NULL, 
+  },
+  { /* 197 */ 
+    .name = NULL, 
+  },
+  { /* 198 */ 
+    .name = NULL, 
+  },
+  { /* 199 */ 
+    .name = NULL, 
+  },
+  { /* 200 */ 
+    .name = NULL, 
+  },
+  { /* 201 */ 
+    .name = NULL, 
+  },
+  { /* 202 */ 
+    .name = NULL, 
+  },
+  { /* 203 */ 
+    .name = NULL, 
+  },
+  { /* 204 */ 
+    .name = NULL, 
+  },
+  { /* 205 */ 
+    .name = NULL, 
+  },
+  { /* 206 */ 
+    .name = NULL, 
+  },
+  { /* 207 */ 
+    .name = NULL, 
+  },
+  { /* 208 */ 
+    .name = NULL, 
+  },
+  { /* 209 */ 
+    .name = NULL, 
+  },
+  { /* 210 */ 
+    .name = NULL, 
+  },
+  { /* 211 */ 
+    .name = NULL, 
+  },
+  { /* 212 */ 
+    .name = NULL, 
+  },
+  { /* 213 */ 
+    .name = NULL, 
+  },
+  { /* 214 */ 
+    .name = NULL, 
+  },
+  { /* 215 */ 
+    .name = NULL, 
+  },
+  { /* 216 */ 
+    .name = NULL, 
+  },
+  { /* 217 */ 
+    .name = NULL, 
+  },
+  { /* 218 */ 
+    .name = NULL, 
+  },
+  { /* 219 */ 
+    .name = NULL, 
+  },
+  { /* 220 */ 
+    .name = NULL, 
+  },
+  { /* 221 */ 
+    .name = NULL, 
+  },
+  { /* 222 */ 
+    .name = NULL, 
+  },
+  { /* 223 */ 
+    .name = NULL, 
+  },
+  { /* 224 */ 
+    .name = NULL, 
+  },
+  { /* 225 */ 
+    .name = NULL, 
+  },
+  { /* 226 */ 
+    .name = NULL, 
+  },
+  { /* 227 */ 
+    .name = NULL, 
+  },
+  { /* 228 */ 
+    .name = NULL, 
+  },
+  { /* 229 */ 
+    .name = NULL, 
+  },
+  { /* 230 */ 
+    .name = NULL, 
+  },
+  { /* 231 */ 
+    .name = NULL, 
+  },
+  { /* 232 */ 
+    .name = NULL, 
+  },
+  { /* 233 */ 
+    .name = NULL, 
+  },
+  { /* 234 */ 
+    .name = NULL, 
+  },
+  { /* 235 */ 
+    .name = NULL, 
+  },
+  { /* 236 */ 
+    .name = NULL, 
+  },
+  { /* 237 */ 
+    .name = NULL, 
+  },
+  { /* 238 */ 
+    .name = NULL, 
+  },
+  { /* 239 */ 
+    .name = NULL, 
+  },
+  { /* 240 */ 
+    .name = NULL, 
+  },
+  { /* 241 */ 
+    .name = NULL, 
+  },
+  { /* 242 */ 
+    .name = NULL, 
+  },
+  { /* 243 */ 
+    .name = NULL, 
+  },
+  { /* 244 */ 
+    .name = NULL, 
+  },
+  { /* 245 */ 
+    .name = NULL, 
+  },
+  { /* 246 */ 
+    .name = NULL, 
+  },
+  { /* 247 */ 
+    .name = NULL, 
+  },
+  { /* 248 */ 
+    .name = NULL, 
+  },
+  { /* 249 */ 
+    .name = NULL, 
+  },
+  { /* 250 */ 
+    .name = NULL, 
+  },
+  { /* 251 */ 
+    .name = NULL, 
+  },
+  { /* 252 */ 
+    .name = NULL, 
+  },
+  { /* 253 */ 
+    .name = NULL, 
+  },
+  { /* 254 */ 
+    .name = NULL, 
+  },
+  { /* 255 */ 
+    .name = NULL, 
+  },
+  { /* 256 */ 
+    .name = "MS-CHAP-Response", 
+    .vendor = 311, 
+    .attr = 1, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 257 */ 
+    .name = "MS-CHAP-Error", 
+    .vendor = 311, 
+    .attr = 2, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 258 */ 
+    .name = "MS-MPPE-Encryption-Policy", 
+    .vendor = 311, 
+    .attr = 7, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 259 */ 
+    .name = "MS-MPPE-Encryption-Types", 
+    .vendor = 311, 
+    .attr = 8, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 260 */ 
+    .name = "MS-CHAP-Domain", 
+    .vendor = 311, 
+    .attr = 10, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 261 */ 
+    .name = "MS-CHAP-Challenge", 
+    .vendor = 311, 
+    .attr = 11, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 262 */ 
+    .name = "MS-CHAP-MPPE-Keys", 
+    .vendor = 311, 
+    .attr = 12, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .encrypt = FLAG_ENCRYPT_USER_PASSWORD,
+    },
+  },
+  { /* 263 */ 
+    .name = "MS-MPPE-Send-Key", 
+    .vendor = 311, 
+    .attr = 16, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD,
+    },
+  },
+  { /* 264 */ 
+    .name = "MS-MPPE-Recv-Key", 
+    .vendor = 311, 
+    .attr = 17, 
+    .type = NR_TYPE_OCTETS, 
+    .flags = {
+      .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD,
+    },
+  },
+  { /* 265 */ 
+    .name = "MS-CHAP2-Response", 
+    .vendor = 311, 
+    .attr = 25, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 266 */ 
+    .name = "MS-CHAP2-Success", 
+    .vendor = 311, 
+    .attr = 26, 
+    .type = NR_TYPE_OCTETS, 
+  },
+  { /* 267 */ 
+    .name = "Example-Integer", 
+    .vendor = 65535, 
+    .attr = 1, 
+    .type = NR_TYPE_INTEGER, 
+    .flags = {
+      .length = 4,
+    },
+  },
+  { /* 268 */ 
+    .name = "Example-String", 
+    .vendor = 65535, 
+    .attr = 2, 
+    .type = NR_TYPE_STRING, 
+  },
+  { /* 269 */ 
+    .name = "Example-IP-Address", 
+    .vendor = 65535, 
+    .attr = 3, 
+    .type = NR_TYPE_IPADDR, 
+    .flags = {
+      .length = 4,
+    },
+  },
+};
+
+const int nr_dict_num_attrs = 269;
+
+const int nr_dict_num_names = 149;
+
+const DICT_ATTR *nr_dict_attr_names[] = {
+    &nr_dict_attrs[45], /* Acct-Authentic */
+    &nr_dict_attrs[41], /* Acct-Delay-Time */
+    &nr_dict_attrs[52], /* Acct-Input-Gigawords */
+    &nr_dict_attrs[42], /* Acct-Input-Octets */
+    &nr_dict_attrs[47], /* Acct-Input-Packets */
+    &nr_dict_attrs[85], /* Acct-Interim-Interval */
+    &nr_dict_attrs[51], /* Acct-Link-Count */
+    &nr_dict_attrs[50], /* Acct-Multi-Session-Id */
+    &nr_dict_attrs[53], /* Acct-Output-Gigawords */
+    &nr_dict_attrs[43], /* Acct-Output-Octets */
+    &nr_dict_attrs[48], /* Acct-Output-Packets */
+    &nr_dict_attrs[44], /* Acct-Session-Id */
+    &nr_dict_attrs[46], /* Acct-Session-Time */
+    &nr_dict_attrs[40], /* Acct-Status-Type */
+    &nr_dict_attrs[49], /* Acct-Terminate-Cause */
+    &nr_dict_attrs[68], /* Acct-Tunnel-Connection */
+    &nr_dict_attrs[86], /* Acct-Tunnel-Packets-Lost */
+    &nr_dict_attrs[84], /* ARAP-Challenge-Response */
+    &nr_dict_attrs[71], /* ARAP-Features */
+    &nr_dict_attrs[70], /* ARAP-Password */
+    &nr_dict_attrs[73], /* ARAP-Security */
+    &nr_dict_attrs[74], /* ARAP-Security-Data */
+    &nr_dict_attrs[72], /* ARAP-Zone-Access */
+    &nr_dict_attrs[129], /* Basic-Location-Policy-Rules */
+    &nr_dict_attrs[20], /* Callback-Id */
+    &nr_dict_attrs[19], /* Callback-Number */
+    &nr_dict_attrs[30], /* Called-Station-Id */
+    &nr_dict_attrs[31], /* Calling-Station-Id */
+    &nr_dict_attrs[60], /* CHAP-Challenge */
+    &nr_dict_attrs[3], /* CHAP-Password */
+    &nr_dict_attrs[89], /* Chargeable-User-Identity */
+    &nr_dict_attrs[25], /* Class */
+    &nr_dict_attrs[78], /* Configuration-Token */
+    &nr_dict_attrs[77], /* Connect-Info */
+    &nr_dict_attrs[123], /* Delegated-IPv6-Prefix */
+    &nr_dict_attrs[118], /* Digest-AKA-Auts */
+    &nr_dict_attrs[111], /* Digest-Algorithm */
+    &nr_dict_attrs[117], /* Digest-Auth-Param */
+    &nr_dict_attrs[113], /* Digest-CNonce */
+    &nr_dict_attrs[119], /* Digest-Domain */
+    &nr_dict_attrs[112], /* Digest-Entity-Body-Hash */
+    &nr_dict_attrs[121], /* Digest-HA1 */
+    &nr_dict_attrs[108], /* Digest-Method */
+    &nr_dict_attrs[107], /* Digest-Nextnonce */
+    &nr_dict_attrs[105], /* Digest-Nonce */
+    &nr_dict_attrs[114], /* Digest-Nonce-Count */
+    &nr_dict_attrs[116], /* Digest-Opaque */
+    &nr_dict_attrs[110], /* Digest-Qop */
+    &nr_dict_attrs[104], /* Digest-Realm */
+    &nr_dict_attrs[103], /* Digest-Response */
+    &nr_dict_attrs[106], /* Digest-Response-Auth */
+    &nr_dict_attrs[120], /* Digest-Stale */
+    &nr_dict_attrs[109], /* Digest-URI */
+    &nr_dict_attrs[115], /* Digest-Username */
+    &nr_dict_attrs[102], /* EAP-Key-Name */
+    &nr_dict_attrs[79], /* EAP-Message */
+    &nr_dict_attrs[58], /* Egress-VLAN-Name */
+    &nr_dict_attrs[56], /* Egress-VLANID */
+    &nr_dict_attrs[101], /* Error-Cause */
+    &nr_dict_attrs[55], /* Event-Timestamp */
+    &nr_dict_attrs[267], /* Example-Integer */
+    &nr_dict_attrs[269], /* Example-IP-Address */
+    &nr_dict_attrs[268], /* Example-String */
+    &nr_dict_attrs[130], /* Extended-Location-Policy-Rules */
+    &nr_dict_attrs[11], /* Filter-Id */
+    &nr_dict_attrs[37], /* Framed-AppleTalk-Link */
+    &nr_dict_attrs[38], /* Framed-AppleTalk-Network */
+    &nr_dict_attrs[39], /* Framed-AppleTalk-Zone */
+    &nr_dict_attrs[13], /* Framed-Compression */
+    &nr_dict_attrs[96], /* Framed-Interface-Id */
+    &nr_dict_attrs[8], /* Framed-IP-Address */
+    &nr_dict_attrs[9], /* Framed-IP-Netmask */
+    &nr_dict_attrs[100], /* Framed-IPv6-Pool */
+    &nr_dict_attrs[97], /* Framed-IPv6-Prefix */
+    &nr_dict_attrs[99], /* Framed-IPv6-Route */
+    &nr_dict_attrs[23], /* Framed-IPX-Network */
+    &nr_dict_attrs[133], /* Framed-Management */
+    &nr_dict_attrs[12], /* Framed-MTU */
+    &nr_dict_attrs[88], /* Framed-Pool */
+    &nr_dict_attrs[7], /* Framed-Protocol */
+    &nr_dict_attrs[22], /* Framed-Route */
+    &nr_dict_attrs[10], /* Framed-Routing */
+    &nr_dict_attrs[28], /* Idle-Timeout */
+    &nr_dict_attrs[57], /* Ingress-Filters */
+    &nr_dict_attrs[131], /* Location-Capable */
+    &nr_dict_attrs[128], /* Location-Data */
+    &nr_dict_attrs[127], /* Location-Information */
+    &nr_dict_attrs[14], /* Login-IP-Host */
+    &nr_dict_attrs[98], /* Login-IPv6-Host */
+    &nr_dict_attrs[36], /* Login-LAT-Group */
+    &nr_dict_attrs[35], /* Login-LAT-Node */
+    &nr_dict_attrs[63], /* Login-LAT-Port */
+    &nr_dict_attrs[34], /* Login-LAT-Service */
+    &nr_dict_attrs[15], /* Login-Service */
+    &nr_dict_attrs[16], /* Login-TCP-Port */
+    &nr_dict_attrs[135], /* Management-Policy-Id */
+    &nr_dict_attrs[136], /* Management-Privilege-Level */
+    &nr_dict_attrs[134], /* Management-Transport-Protection */
+    &nr_dict_attrs[80], /* Message-Authenticator */
+    &nr_dict_attrs[261], /* MS-CHAP-Challenge */
+    &nr_dict_attrs[260], /* MS-CHAP-Domain */
+    &nr_dict_attrs[257], /* MS-CHAP-Error */
+    &nr_dict_attrs[262], /* MS-CHAP-MPPE-Keys */
+    &nr_dict_attrs[256], /* MS-CHAP-Response */
+    &nr_dict_attrs[265], /* MS-CHAP2-Response */
+    &nr_dict_attrs[266], /* MS-CHAP2-Success */
+    &nr_dict_attrs[258], /* MS-MPPE-Encryption-Policy */
+    &nr_dict_attrs[259], /* MS-MPPE-Encryption-Types */
+    &nr_dict_attrs[264], /* MS-MPPE-Recv-Key */
+    &nr_dict_attrs[263], /* MS-MPPE-Send-Key */
+    &nr_dict_attrs[92], /* NAS-Filter-Rule */
+    &nr_dict_attrs[32], /* NAS-Identifier */
+    &nr_dict_attrs[4], /* NAS-IP-Address */
+    &nr_dict_attrs[95], /* NAS-IPv6-Address */
+    &nr_dict_attrs[5], /* NAS-Port */
+    &nr_dict_attrs[87], /* NAS-Port-Id */
+    &nr_dict_attrs[61], /* NAS-Port-Type */
+    &nr_dict_attrs[126], /* Operator-Name */
+    &nr_dict_attrs[75], /* Password-Retry */
+    &nr_dict_attrs[143], /* PKM-Auth-Key */
+    &nr_dict_attrs[138], /* PKM-CA-Cert */
+    &nr_dict_attrs[139], /* PKM-Config-Settings */
+    &nr_dict_attrs[140], /* PKM-Cryptosuite-List */
+    &nr_dict_attrs[142], /* PKM-SA-Descriptor */
+    &nr_dict_attrs[141], /* PKM-SAID */
+    &nr_dict_attrs[137], /* PKM-SS-Cert */
+    &nr_dict_attrs[62], /* Port-Limit */
+    &nr_dict_attrs[76], /* Prompt */
+    &nr_dict_attrs[33], /* Proxy-State */
+    &nr_dict_attrs[18], /* Reply-Message */
+    &nr_dict_attrs[132], /* Requested-Location-Info */
+    &nr_dict_attrs[6], /* Service-Type */
+    &nr_dict_attrs[27], /* Session-Timeout */
+    &nr_dict_attrs[122], /* SIP-AOR */
+    &nr_dict_attrs[24], /* State */
+    &nr_dict_attrs[29], /* Termination-Action */
+    &nr_dict_attrs[82], /* Tunnel-Assignment-Id */
+    &nr_dict_attrs[90], /* Tunnel-Client-Auth-Id */
+    &nr_dict_attrs[66], /* Tunnel-Client-Endpoint */
+    &nr_dict_attrs[65], /* Tunnel-Medium-Type */
+    &nr_dict_attrs[69], /* Tunnel-Password */
+    &nr_dict_attrs[83], /* Tunnel-Preference */
+    &nr_dict_attrs[81], /* Tunnel-Private-Group-Id */
+    &nr_dict_attrs[91], /* Tunnel-Server-Auth-Id */
+    &nr_dict_attrs[67], /* Tunnel-Server-Endpoint */
+    &nr_dict_attrs[64], /* Tunnel-Type */
+    &nr_dict_attrs[1], /* User-Name */
+    &nr_dict_attrs[2], /* User-Password */
+    &nr_dict_attrs[59], /* User-Priority-Table */
+    &nr_dict_attrs[26], /* Vendor-Specific */
+};
+
diff --git a/lib/radius/doc.txt b/lib/radius/doc.txt
new file mode 100644
index 0000000..09a8415
--- /dev/null
+++ b/lib/radius/doc.txt
@@ -0,0 +1,41 @@
+/**
+
+\file doc.txt
+\brief The main documentation.
+
+\mainpage The Network RADIUS Client Library
+
+This client library is intended for use in embedded systems.  It is
+small with a simple API, yet has more functionality than most
+commercial or Open Source products.
+
+\section License
+
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+\ref dictionaries.txt "Dictionaries and dictionary formats"
+
+*/
diff --git a/lib/radius/doxygen.conf b/lib/radius/doxygen.conf
new file mode 100644
index 0000000..e310771
--- /dev/null
+++ b/lib/radius/doxygen.conf
@@ -0,0 +1,1417 @@
+# Doxyfile 1.5.6
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+#       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file 
+# that follow. The default is UTF-8 which is also the encoding used for all 
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the 
+# iconv built into libc) for the transcoding. See 
+# http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = networkclient
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
+# This could be handy for archiving the generated documentation or 
+# if some version control system is used.
+
+PROJECT_NUMBER         = 
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
+# base path where the generated documentation will be put. 
+# If a relative path is entered, it will be relative to the location 
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = 
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: 
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, 
+# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), 
+# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, 
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, 
+# and Ukrainian.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF       = 
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = 
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = YES
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 8
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Java. For instance, namespaces will be presented as packages, qualified 
+# scopes will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Fortran.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL 
+# sources. Doxygen will then generate output that is tailored for 
+# VHDL.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want 
+# to include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate getter 
+# and setter methods for a property. Setting this option to YES (the default) 
+# will make doxygen to replace the get and set methods by a property in the 
+# documentation. This will only work if the methods are indeed getting or 
+# setting a simple type. If this is not the case, or you want to show the 
+# methods anyway, you should set this option to NO.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum 
+# is documented as struct, union, or enum with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code in case the coding convention dictates that all compound 
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# will be included in the documentation.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
+
+EXTRACT_STATIC         = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be 
+# extracted and appear in the documentation as a namespace called 
+# 'anonymous_namespace{file}', where file will be replaced with the base 
+# name of the file that contains the anonymous namespace. By default 
+# anonymous namespace are hidden.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
+# that is typed after a \internal command is included. If the tag is set 
+# to NO (the default) then the documentation will be excluded. 
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES       = NO
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the 
+# hierarchy of group names into alphabetical order. If set to NO (the default) 
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = NO
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the 
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES             = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the 
+# Namespaces page.  This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from 
+# the version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain 
+# documented source files. You may enter file names like "myfile.cpp" or 
+# directories like "/usr/src/myproject". Separate the files or directories 
+# with spaces.
+
+INPUT                  = . doc/
+
+# This tag can be used to specify the character encoding of the source files 
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is 
+# also the default input encoding. Doxygen uses libiconv (or the iconv built 
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for 
+# the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the 
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS          = *.txt *.[ch]
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
+# If left blank NO is used.
+
+RECURSIVE              = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should 
+# excluded from the INPUT source files. This way you can easily exclude a 
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE                = 
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = 
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the 
+# output. The symbol name can be a fully qualified name, a word, or if the 
+# wildcard * is used, a substring. Examples: ANamespace, AClass, 
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or 
+# directories that contain example code fragments that are included (see 
+# the \include command).
+
+EXAMPLE_PATH           = examples
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank all files are included.
+
+EXAMPLE_PATTERNS       = *.[ch]
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or 
+# directories that contain image that are included in the documentation (see 
+# the \image command).
+
+IMAGE_PATH             = 
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
+# invoke to filter for each input file. Doxygen will invoke the filter program 
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
+
+INPUT_FILTER           = 
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER         = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = NO
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT            = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard header.
+
+HTML_HEADER            = 
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard footer.
+
+HTML_FOOTER            = 
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
+# style sheet that is used by each HTML page. It can be used to 
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET        = 
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) 
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files 
+# will be generated that can be used as input for Apple's Xcode 3 
+# integrated development environment, introduced with OSX 10.5 (Leopard). 
+# To create a documentation set, doxygen will generate a Makefile in the 
+# HTML output directory. Running make will produce the docset in that 
+# directory and running "make install" will install the docset in 
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find 
+# it at startup.
+
+GENERATE_DOCSET        = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the 
+# feed. A documentation feed provides an umbrella under which multiple 
+# documentation sets from a single provider (such as a company or product suite) 
+# can be grouped.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that 
+# should uniquely identify the documentation set bundle. This should be a 
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen 
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
+
+CHM_FILE               = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING     = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to FRAME, a side panel will be generated
+# containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature. Other possible values 
+# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
+# and Class Hiererachy pages using a tree view instead of an ordered list;
+# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
+# disables this behavior completely. For backwards compatibility with previous
+# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
+# respectively.
+
+GENERATE_TREEVIEW      = YES
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
+# Use this tag to change the font size of Latex formulas included 
+# as images in the HTML documentation. The default is 10. Note that 
+# when you change the font size after a successful doxygen run you need 
+# to manually remove any form_*.png images from the HTML output directory 
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE       = 10
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# generate Latex output.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used 
+# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE             = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES         = 
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
+# the generated latex document. The header should contain everything until 
+# the first chapter. If it is left blank doxygen will generate a 
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER           = 
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# generate man pages
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to 
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION          = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
+# files.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
+# names in the source code. If set to NO (the default) only conditional 
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION        = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
+# the preprocessor.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
+# or name=definition (no spaces). If the definition and the = are 
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
+
+PREDEFINED             = 
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED      = 
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references   
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES               = 
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE       = 
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
+# will be listed.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool   
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see 
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the 
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where 
+# the mscgen tool resides. If left empty the tool is assumed to be found in the 
+# default search path.
+
+MSCGEN_PATH            = 
+
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT               = YES
+
+# By default doxygen will write a font called FreeSans.ttf to the output 
+# directory and reference it in all dot files that doxygen generates. This 
+# font does not include all possible unicode characters however, so when you need 
+# these (or just want a differently looking font) you can specify the font name 
+# using DOT_FONTNAME. You need need to make sure dot is able to find the font, 
+# which can be done by putting it in a standard location or by setting the 
+# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory 
+# containing the font.
+
+DOT_FONTNAME           = FreeSans
+
+# By default doxygen will tell dot to use the output directory to look for the 
+# FreeSans.ttf font (which doxygen will put there itself). If you specify a 
+# different font using DOT_FONTNAME you can set the path where dot 
+# can find it using this tag.
+
+DOT_FONTPATH           = 
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then 
+# doxygen will generate a call dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable call graphs 
+# for selected functions only using the \callgraph command.
+
+CALL_GRAPH             = YES
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then 
+# doxygen will generate a caller dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable caller 
+# graphs for selected functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the 
+# number of direct children of the root node in a graph is already larger than 
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is enabled by default, which results in a transparent 
+# background. Warning: Depending on the platform used, enabling this option 
+# may lead to badly anti-aliased labels on the edges of a graph (i.e. they 
+# become hard to read).
+
+DOT_TRANSPARENT        = YES
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
diff --git a/lib/radius/examples/Makefile b/lib/radius/examples/Makefile
new file mode 100644
index 0000000..f39c343
--- /dev/null
+++ b/lib/radius/examples/Makefile
@@ -0,0 +1,54 @@
+#
+#  GNU Makefile
+#
+.PHONY: all clean install
+
+SRCS = example_1.c example_2.c example_3.c example_4.c
+
+OBJS 	 := ${SRCS:.c=.o}
+PROGRAMS := ${SRCS:.c=}
+
+all: ${PROGRAMS}
+
+HEADERS		:= ../client.h ../radius.h
+
+${OBJS}: ${HEADERS}
+
+$(info ${PROGRAMS} ${OBJS})
+
+${PROGRAMS}: ../libnetworkradius-client.a
+
+
+%.o : %.c
+	$(CC) $(CFLAGS) -I.. -I. -c $<
+
+%.o: ${HEADERS}
+
+LDFLAGS = -L.. -lnetworkradius-client -lcrypto -lssl
+CFLAGS  = -I..
+
+../libnetworkradius-client.a:
+	@${MAKE} -C .. libnetworkradius-client.a
+
+radsample.o: radsample.c ${HEADERS} nr_vp_create.c nr_packet_send.c
+
+#radsample: radsample.o ../libnetworkradius-client.a
+#	${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+sample_chap.o: sample_chap.c ${HEADERS}
+
+sample_chap: sample_chap.o ../libnetworkradius-client.a
+	${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+radsample2.o: radsample2.c ${HEADERS} nr_vp_create.c
+
+radsample2: radsample2.o ../libnetworkradius-client.a
+	${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+radsample3.o: radsample3.c ${HEADERS} nr_transmit.c nr_server_t.c nr_vp_create.c
+
+radsample3: radsample3.o ../libnetworkradius-client.a
+	${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+clean:
+	@rm -rf *.o *.a *~
diff --git a/lib/radius/examples/example_1.c b/lib/radius/examples/example_1.c
new file mode 100644
index 0000000..503d927
--- /dev/null
+++ b/lib/radius/examples/example_1.c
@@ -0,0 +1,86 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_1.c
+ *  \brief Sample code to initialize a RADIUS packet.
+ *
+ *  This example initializes a packet, and then adds User-Name and
+ *  User-Password to it.  The resulting packet is then printed to the
+ *  standard output.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[NR_MAX_PACKET_LEN];
+static uint8_t response_buffer[NR_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+	ssize_t rcode;
+	const char *user = "bob";
+	const char *password = "password";
+
+	rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+			       request_buffer, sizeof(request_buffer));
+	if (rcode < 0) {
+	error:
+		fprintf(stderr, "Error: %s\n", nr_strerror(rcode));
+		return 1;
+	}
+
+	if (argc > 1) user = argv[1];
+	if (argc > 2) password = argv[2];
+
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_NAME,
+				      user, 0);
+	if (rcode < 0) goto error;
+	
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_PASSWORD,
+				      password, 0);
+	if (rcode < 0) goto error;
+
+	/*
+	 *	ALWAYS call nr_packet_sign() before sending the packet
+	 *	to anyone else!
+	 */
+	rcode = nr_packet_sign(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&request);
+
+	rcode = nr_packet_decode(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_vp_fprintf_list(stdout, request.vps);
+	nr_vp_free(&request.vps);
+
+	return 0;
+}
diff --git a/lib/radius/examples/example_2.c b/lib/radius/examples/example_2.c
new file mode 100644
index 0000000..1065c8e
--- /dev/null
+++ b/lib/radius/examples/example_2.c
@@ -0,0 +1,86 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_2.c
+ *  \brief Sample code to initialize a RADIUS packet.
+ *
+ *  This example initializes a packet, and then adds User-Name and
+ *  CHAP-Password to it.  The resulting packet is then printed to the
+ *  standard output.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[NR_MAX_PACKET_LEN];
+static uint8_t response_buffer[NR_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+	int rcode;
+	const char *user = "bob";
+	const char *password = "password";
+
+	rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+			       request_buffer, sizeof(request_buffer));
+	if (rcode < 0) {
+	error:
+		fprintf(stderr, "Error: %s\n", nr_strerror(rcode));
+		return 1;
+	}
+
+	if (argc > 1) user = argv[1];
+	if (argc > 2) password = argv[2];
+
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_NAME,
+				      user, 0);
+	if (rcode < 0) goto error;
+	
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_CHAP_PASSWORD,
+				      password, strlen(password));
+	if (rcode < 0) goto error;
+
+	/*
+	 *	ALWAYS call nr_packet_sign() before sending the packet
+	 *	to anyone else!
+	 */
+	rcode = nr_packet_sign(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&request);
+
+	rcode = nr_packet_decode(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_vp_fprintf_list(stdout, request.vps);
+	nr_vp_free(&request.vps);
+
+	return 0;
+}
diff --git a/lib/radius/examples/example_3.c b/lib/radius/examples/example_3.c
new file mode 100644
index 0000000..6104f6f
--- /dev/null
+++ b/lib/radius/examples/example_3.c
@@ -0,0 +1,123 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_3.c
+ *  \brief Sample code to initialize a RADIUS packet and a response to it.
+ *
+ *  This example initializes a packet, and then adds User-Name and
+ *  User-Password to it.  The resulting packet is then printed to the
+ *  standard output.
+ *
+ *  As a next step, it then creates the response, and prints that,
+ *  too.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[NR_MAX_PACKET_LEN];
+static uint8_t response_buffer[NR_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+	int rcode;
+	const char *user = "bob";
+	const char *password = "password";
+
+	rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+			       request_buffer, sizeof(request_buffer));
+	if (rcode < 0) {
+	error:
+		fprintf(stderr, "Error :%s\n",  nr_strerror(rcode));
+		return 1;
+	}
+
+	if (argc > 1) user = argv[1];
+	if (argc > 2) password = argv[2];
+
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_NAME,
+				      user, 0);
+	if (rcode < 0) goto error;
+	
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_PASSWORD,
+				      password, 0);
+	if (rcode < 0) goto error;
+
+	/*
+	 *	ALWAYS call nr_packet_sign() before sending the packet
+	 *	to anyone else!
+	 */
+	rcode = nr_packet_sign(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&request);
+
+	rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT,
+			       response_buffer, sizeof(response_buffer));
+	if (rcode < 0) goto error;
+
+	rcode = nr_packet_attr_append(&response, &request,
+				      NR_DA_REPLY_MESSAGE,
+				      "Success!", 0);
+	if (rcode < 0) goto error;
+
+	rcode = nr_packet_attr_append(&response, &request,
+				      NR_DA_TUNNEL_PASSWORD,
+				      password, 0);
+	if (rcode < 0) goto error;
+	rcode = nr_packet_sign(&response, &request);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&response);
+
+	/*
+	 *	Check that the response is well-formed.  The
+	 *	nr_packet_verify() function also calls nr_packet_ok().
+	 *	However, it is sometimes useful to separate "malformed
+	 *	packet" errors from "packet is not a response to a
+	 *	reqeust" errors.
+	 */
+	rcode = nr_packet_ok(&response);
+	if (rcode < 0) goto error;
+
+	/*
+	 *	Double-check the signature of the response.
+	 */
+	rcode = nr_packet_verify(&response, &request);
+	if (rcode < 0) goto error;
+
+	rcode = nr_packet_decode(&response, &request);
+	if (rcode < 0) goto error;
+
+	nr_vp_fprintf_list(stdout, response.vps);
+	nr_vp_free(&response.vps);
+
+	return 0;
+}
diff --git a/lib/radius/examples/example_4.c b/lib/radius/examples/example_4.c
new file mode 100644
index 0000000..f93764c
--- /dev/null
+++ b/lib/radius/examples/example_4.c
@@ -0,0 +1,94 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_4.c
+ *  \brief Allocate and manage multiple packets.
+ */
+
+static const char *secret = "testing123";
+static nr_server_t server;
+
+int main(int argc, const char *argv[])
+{
+	int rcode;
+	const char *user = "bob";
+	const char *password = "password";
+
+	rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+			       request_buffer, sizeof(request_buffer));
+	if (rcode < 0) {
+	error:
+		fprintf(stderr, "Error :%s\n",  nr_strerror(rcode));
+		return 1;
+	}
+
+	if (argc > 1) user = argv[1];
+	if (argc > 2) password = argv[2];
+
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_NAME,
+				      user, 0);
+	if (rcode < 0) goto error;
+	
+	rcode = nr_packet_attr_append(&request, NULL,
+				      NR_DA_USER_PASSWORD,
+				      password, 0);
+	if (rcode < 0) goto error;
+
+	/*
+	 *	ALWAYS call nr_packet_sign() before sending the packet
+	 *	to anyone else!
+	 */
+	rcode = nr_packet_sign(&request, NULL);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&request);
+
+	rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT,
+			       response_buffer, sizeof(response_buffer));
+	if (rcode < 0) goto error;
+
+	rcode = nr_packet_attr_append(&response, &request,
+				      NR_DA_REPLY_MESSAGE,
+				      "Success!", 0);
+	if (rcode < 0) goto error;
+
+	rcode = nr_packet_sign(&response, &request);
+	if (rcode < 0) goto error;
+
+	nr_packet_print_hex(&response);
+
+	/*
+	 *	Double-check the signature of the response.
+	 */
+	rcode = nr_packet_verify(&response, &request);
+	if (rcode < 0) goto error;
+
+	return 0;
+}
diff --git a/lib/radius/examples/nr_vp_create.c b/lib/radius/examples/nr_vp_create.c
new file mode 100644
index 0000000..bd04f17
--- /dev/null
+++ b/lib/radius/examples/nr_vp_create.c
@@ -0,0 +1,61 @@
+/*
+ * The person or persons who have associated work with this document
+ * (the "Dedicator" or "Certifier") hereby either (a) certifies that,
+ * to the best of his knowledge, the work of authorship identified is
+ * in the public domain of the country from which the work is
+ * published, or (b) hereby dedicates whatever copyright the
+ * dedicators holds in the work of authorship identified below (the
+ * "Work") to the public domain. A certifier, moreover, dedicates any
+ * copyright interest he may have in the associated work, and for
+ * these purposes, is described as a "dedicator" below.
+ *
+ * A certifier has taken reasonable steps to verify the copyright
+ * status of this work. Certifier recognizes that his good faith
+ * efforts may not shield him from liability if in fact the work
+ * certified is not in the public domain.
+ *
+ * Dedicator makes this dedication for the benefit of the public at
+ * large and to the detriment of the Dedicator's heirs and
+ * successors. Dedicator intends this dedication to be an overt act of
+ * relinquishment in perpetuity of all present and future rights under
+ * copyright law, whether vested or contingent, in the Work. Dedicator
+ * understands that such relinquishment of all rights includes the
+ * relinquishment of all rights to enforce (by lawsuit or otherwise)
+ * those copyrights in the Work.
+ *
+ * Dedicator recognizes that, once placed in the public domain, the
+ * Work may be freely reproduced, distributed, transmitted, used,
+ * modified, built upon, or otherwise exploited by anyone for any
+ * purpose, commercial or non-commercial, and in any way, including by
+ * methods that have not yet been invented or conceived.
+ */
+
+static VALUE_PAIR *example_nr_vp_create(void)
+{
+	VALUE_PAIR *vp;
+	VALUE_PAIR *head = NULL;
+
+	/*
+	 *	Create the request contents.
+	 */
+	vp = nr_vp_create(PW_USER_NAME, 0, "bob", 4);
+	if (!vp) {
+		fprintf(stderr, "User-Name: %s\n", nr_strerror(0));
+		exit(1);
+	}
+	nr_vps_append(&head, vp);
+
+	/*
+	 *	The User-Password attribute is automatically encrypted
+	 *	when being placed in the packet.  This version stays
+	 *	untouched, and should be "plain text".
+	 */
+	vp = nr_vp_create(PW_USER_PASSWORD, 0, "hello", 6);
+	if (!vp) {
+		fprintf(stderr, "User-Password: %s\n", nr_strerror(0));
+		exit(1);
+	}
+	nr_vps_append(&head, vp);
+
+	return head;
+}
diff --git a/lib/radius/header.pl b/lib/radius/header.pl
new file mode 100755
index 0000000..c366612
--- /dev/null
+++ b/lib/radius/header.pl
@@ -0,0 +1,68 @@
+#!/usr/bin/env perl
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the <organization> nor the
+#       names of its contributors may be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+#
+#  Converts dictionaries to C defines.  Does not yet do "VALUE"s.
+#
+#  $Id$
+#
+require "common.pl";
+
+while (@ARGV) {
+    $filename = shift;
+    do_file($filename);
+}
+
+
+print "/* Automatically generated file.  Do not edit */\n\n";
+
+foreach $v (sort keys %vendor) {
+    $name = $v;
+    $name =~ tr/a-z/A-Z/;		# uppercase
+    $name =~ tr/A-Z0-9/_/c;	# any ELSE becomes _
+
+    print "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n";
+}
+print "\n";
+
+$begin_vendor = -1;
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+    if ($attributes{$attr_val}{'vendor'} != $begin_vendor) {
+	print "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n";
+	$begin_vendor = $attributes{$attr_val}{'vendor'};
+    }
+
+    $name = $attributes{$attr_val}{'name'};
+    $name =~ tr/a-z/A-Z/;
+    $name =~ tr/A-Z0-9/_/c;
+
+    print "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n";
+}
+print "\n\n";
+
+print "/* Automatically generated file.  Do not edit */\n";
+
diff --git a/lib/radius/id.c b/lib/radius/id.c
new file mode 100644
index 0000000..4fbe631
--- /dev/null
+++ b/lib/radius/id.c
@@ -0,0 +1,178 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include	<networkradius-devel/client.h>
+#include	<unistd.h>
+
+/** \file id.c
+ *  \brief Handling of ID allocation / freeing
+ *
+ */
+
+static int find_id(nr_server_t *s)
+{
+	int i;
+	uint32_t lvalue;
+
+	if ((s->used < 0) || (s->used > 256)) return -NR_ERR_INTERNAL_FAILURE;
+
+	/*
+	 *	Ensure that the ID allocation is random.
+	 */
+	lvalue = nr_rand();
+
+	for (i = 0; i < 256; i++) {
+		int offset = (i + lvalue) & 0xff;
+
+		if (!s->ids[offset]) return offset;
+	}
+
+	nr_strerror_printf("Out of IDs for server");
+	return -1;
+}
+
+int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet)
+{
+	int new_id;
+
+	if (!s || !packet) return -NR_ERR_INVALID_ARG;
+
+	new_id = find_id(s);
+	if (new_id < 0) return -new_id;
+
+	s->ids[new_id] = packet;
+	s->used++;
+	packet->sockfd = s->sockfd;
+	packet->code = s->code;
+	packet->src = s->src;
+	packet->dst = s->dst;
+	packet->id = new_id;
+
+	return 0;
+}
+
+int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet)
+{
+	if (!s || !packet) return -NR_ERR_INVALID_ARG;
+
+	if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE;
+
+	s->ids[packet->id] = NULL;
+	s->used--;
+	packet->sockfd = -1;
+
+	return 0;
+}
+
+int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet)
+{
+	int new_id;
+
+	if (!s || !packet) return -NR_ERR_INVALID_ARG;
+
+	if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE;
+
+	new_id = find_id(s);
+	if (new_id < 0) return new_id;
+
+	s->ids[packet->id] = NULL;
+	packet->id = new_id;
+	s->ids[packet->id] = packet;
+
+	return 0;
+}
+
+
+int nr_server_init(nr_server_t *s, int code, const char *secret)
+{
+	if (!s || !secret || !*secret ||
+	    (code == 0) || (code > NR_MAX_PACKET_CODE)) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	memset(s, 0, sizeof(*s));
+
+	s->sockfd = -1;
+	s->code = code;
+	s->secret = secret;
+	s->sizeof_secret = strlen(secret);
+	s->src.ss_family = AF_UNSPEC;
+	s->dst.ss_family = AF_UNSPEC;
+
+	return 0;
+}
+
+
+int nr_server_close(const nr_server_t *s)
+{
+	if (!s) return -NR_ERR_INVALID_ARG;
+
+	if (s->used > 0) return -NR_ERR_IN_USE;
+
+	if (s->sockfd >= 0) close(s->sockfd);
+
+	return 0;
+}
+
+int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p)
+{
+	int rcode;
+	RADIUS_PACKET *packet;
+
+	if (!packet_p) return -NR_ERR_INVALID_ARG;
+
+	packet = malloc(sizeof(*packet) + NR_MAX_PACKET_LEN);
+	if (!packet) return -NR_ERR_NO_MEM;
+
+	memset(packet, 0, sizeof(*packet));
+
+	if (!s) {
+		packet->data = (uint8_t *)(packet + 1);
+		packet->sizeof_data = NR_MAX_PACKET_LEN;
+
+		*packet_p = packet;
+		return 0;
+	}
+
+	rcode = nr_packet_init(packet, NULL, s->secret, s->code,
+			       (uint8_t *)(packet + 1), NR_MAX_PACKET_LEN);
+	if (rcode < 0) {
+		free(packet);
+		return rcode;
+	}
+
+	*packet_p = packet;
+	return 0;
+}
diff --git a/lib/radius/packet.c b/lib/radius/packet.c
new file mode 100644
index 0000000..77e3d14
--- /dev/null
+++ b/lib/radius/packet.c
@@ -0,0 +1,918 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file packet.c
+ *  \brief Encoding and decoding packets
+ */
+
+#include	<networkradius-devel/client.h>
+
+#if NR_MAX_PACKET_LEN < 64
+#error NR_MAX_PACKET_LEN is too small.  It should be at least 64.
+#endif
+
+#if NR_MAX_PACKET_LEN > 16384
+#error NR_MAX_PACKET_LEN is too large.  It should be smaller than 16K.
+#endif
+
+const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1] = {
+  NULL,
+  "Access-Request",
+  "Access-Accept",
+  "Access-Reject",
+  "Accounting-Request",
+  "Accounting-Response",
+  NULL, NULL, NULL, NULL, NULL,
+  "Access-Challenge",
+  "Status-Server",		/* 12 */
+  NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */
+  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */
+  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */
+  "Disconnect-Request",
+  "Disconnect-ACK",
+  "Disconnect-NAK",
+  "CoA-Request",
+  "CoA-ACK",
+  "CoA-NAK"
+};
+
+
+static uint64_t allowed_responses[NR_MAX_PACKET_CODE + 1] = {
+	0,
+	(1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE),
+	0, 0,
+	1 << PW_ACCOUNTING_RESPONSE,
+	0,
+	0, 0, 0, 0, 0,
+	0,
+	(1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE),
+	0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */
+	(((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK),
+	0,
+	0,
+	(((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK),
+	0,
+	0
+};
+
+
+int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data)
+{
+	size_t packet_len;
+	const uint8_t *attr, *end;
+
+	if (!data || (sizeof_data < 20)) {
+		nr_debug_error("Invalid argument");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	packet_len = (data[2] << 8) | data[3];
+	if (packet_len < 20) {
+		nr_debug_error("Packet length is too small");
+		return -NR_ERR_PACKET_TOO_SMALL;
+	}
+
+	if (packet_len > sizeof_data) {
+		nr_debug_error("Packet length overflows received data");
+		return -NR_ERR_PACKET_TOO_LARGE;
+	}
+
+	/*
+	 *	If we receive 100 bytes, and the header says it's 20 bytes,
+	 *	then it's 20 bytes.
+	 */
+	end = data + packet_len;
+
+	for (attr = data + 20; attr < end; attr += attr[1]) {
+		if ((attr + 2) > end) {
+			nr_debug_error("Attribute overflows packet");
+			return -NR_ERR_ATTR_OVERFLOW;
+		}
+
+		if (attr[1] < 2) {
+			nr_debug_error("Attribute length is too small");
+			return -NR_ERR_ATTR_TOO_SMALL;
+		}
+
+		if ((attr + attr[1]) > end) {
+			nr_debug_error("Attribute length is too large");
+			return -NR_ERR_ATTR_TOO_LARGE;
+		}
+	}
+
+	return 0;
+}
+
+int nr_packet_ok(RADIUS_PACKET *packet)
+{
+	int rcode;
+
+	if (!packet) return -NR_ERR_INVALID_ARG;
+
+	if ((packet->flags & NR_PACKET_OK) != 0) return 0;
+
+	rcode = nr_packet_ok_raw(packet->data, packet->length);
+	if (rcode < 0) return rcode;
+
+	packet->flags |= NR_PACKET_OK;
+	return 0;
+}
+
+
+/*
+ *	Comparison function that is time-independent.  Using "memcmp"
+ *	would satisfy the "comparison" part.  However, it would also
+ *	leak information about *which* bytes are wrong.  Attackers
+ *	could use that leak to create a "correct" RADIUS packet which
+ *	will be accepted by the client and/or server.
+ */
+static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length)
+{
+	int result = 0;
+	size_t i;
+
+	for (i = 0; i < length; i++) {
+		result |= (a[i] ^ b[i]);
+	}
+
+	return result;
+}
+
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+static int msg_auth_ok(const RADIUS_PACKET *original,
+		       uint8_t *ma,
+		       uint8_t *data, size_t length)
+{
+	uint8_t	packet_vector[sizeof(original->vector)];
+	uint8_t	msg_auth_vector[sizeof(original->vector)];
+	uint8_t calc_auth_vector[sizeof(original->vector)];
+	
+	if (ma[1] != 18) {
+		nr_debug_error("Message-Authenticator has invalid length");
+		return -NR_ERR_MSG_AUTH_LEN;
+	}
+
+	memcpy(packet_vector, data + 4, sizeof(packet_vector));
+	memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector));
+	memset(ma + 2, 0, sizeof(msg_auth_vector));
+
+	switch (data[0]) {
+	default:
+		break;
+		
+	case PW_ACCOUNTING_REQUEST:
+	case PW_ACCOUNTING_RESPONSE:
+	case PW_DISCONNECT_REQUEST:
+	case PW_DISCONNECT_ACK:
+	case PW_DISCONNECT_NAK:
+	case PW_COA_REQUEST:
+	case PW_COA_ACK:
+	case PW_COA_NAK:
+		memset(data + 4, 0, sizeof(packet_vector));
+		break;
+		
+	case PW_ACCESS_ACCEPT:
+	case PW_ACCESS_REJECT:
+	case PW_ACCESS_CHALLENGE:
+		if (!original) {
+			nr_debug_error("Cannot validate response without request");
+			return -NR_ERR_REQUEST_REQUIRED;
+		}
+		memcpy(data + 4, original->vector, sizeof(original->vector));
+		break;
+	}
+	
+	nr_hmac_md5(data, length,
+		    (const uint8_t *) original->secret, original->sizeof_secret,
+		    calc_auth_vector);
+
+	memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector));
+	memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+	if (digest_cmp(calc_auth_vector, msg_auth_vector,
+		       sizeof(calc_auth_vector)) != 0) {
+		nr_debug_error("Invalid Message-Authenticator");
+		return -NR_ERR_MSG_AUTH_WRONG;
+	}
+
+	return 1;
+}
+#endif
+
+/*
+ *	The caller ensures that the packet codes are as expected.
+ */
+static int packet_auth_ok(const RADIUS_PACKET *original,
+			  uint8_t *data, size_t length)
+{
+	uint8_t packet_vector[sizeof(original->vector)];
+	uint8_t calc_digest[sizeof(original->vector)];
+	NR_MD5_CTX ctx;
+
+	if ((data[0] == PW_ACCESS_REQUEST) ||
+	    (data[0] == PW_STATUS_SERVER)) return 1;
+
+	memcpy(packet_vector, data + 4, sizeof(packet_vector));
+
+	if (!original) {
+		memset(data + 4, 0, sizeof(packet_vector));
+	} else {
+		memcpy(data + 4, original->vector, sizeof(original->vector));
+	}
+
+	nr_MD5Init(&ctx);
+	nr_MD5Update(&ctx, data, length);
+	nr_MD5Update(&ctx, original->secret, original->sizeof_secret);
+	nr_MD5Final(calc_digest, &ctx);
+
+	memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+	if (digest_cmp(calc_digest, packet_vector,
+		       sizeof(packet_vector)) != 0) {
+		nr_debug_error("Invalid authentication vector");
+		return -NR_ERR_AUTH_VECTOR_WRONG;
+	}
+
+	return 0;
+}
+
+
+int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+	int rcode;
+	uint8_t *attr;
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	const uint8_t *end;
+#endif
+
+	if (!packet || !packet->data || !packet->secret) {
+		nr_debug_error("Invalid argument");
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if ((packet->flags & NR_PACKET_VERIFIED) != 0) return 0;
+
+	/*
+	 *	Packet isn't well formed.  Ignore it.
+	 */
+	rcode = nr_packet_ok(packet);
+	if (rcode < 0) return rcode;
+
+	/*
+	 *	Get rid of improper packets as early as possible.
+	 */
+	if (original) {
+		uint64_t mask;
+
+		if (original->code > NR_MAX_PACKET_CODE) {
+			nr_debug_error("Invalid original code %u",
+					   original->code);
+			return -NR_ERR_REQUEST_CODE_INVALID;
+		}
+
+		if (packet->data[1] != original->id) {
+			nr_debug_error("Ignoring response with wrong ID %u",
+					   packet->data[1]);
+			return -NR_ERR_RESPONSE_ID_INVALID;
+		}
+
+		mask = 1;
+		mask <<= packet->data[0];
+
+		if ((allowed_responses[original->code] & mask) == 0) {
+			nr_debug_error("Ignoring response with wrong code %u",
+					   packet->data[0]);
+			return -NR_ERR_RESPONSE_CODE_INVALID;
+		}
+
+		if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) &&
+		    (sockaddr_cmp(&(packet->src), &(original->dst)) != 0)) {
+			nr_debug_error("Ignoring response from wrong IP/port");
+			return -NR_ERR_RESPONSE_SRC_INVALID;
+		}
+
+	} else if (allowed_responses[packet->data[0]] != 0) {
+		nr_debug_error("Ignoring response without original");
+		return -NR_ERR_RESPONSE_CODE_INVALID;
+	}
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	end = packet->data + packet->length;
+
+	/*
+	 *	Note that the packet MUST be well-formed here.
+	 */
+	for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+		if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+			rcode = msg_auth_ok(original, attr,
+					    packet->data, packet->length);
+			if (rcode < 0) return rcode;
+		}
+	}
+#endif
+
+	/*
+	 *	Verify the packet authenticator.
+	 */
+	rcode = packet_auth_ok(original, packet->data, packet->length);
+	if (rcode < 0) return rcode;
+
+	packet->flags |= NR_PACKET_VERIFIED;
+
+	return 0;
+}
+
+
+int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+	int		rcode, num_attributes;
+	uint8_t		*data, *attr;
+	const uint8_t	*end;
+	VALUE_PAIR	**tail, *vp;
+
+	if (!packet) return -NR_ERR_INVALID_ARG;
+
+	if ((packet->flags & NR_PACKET_DECODED) != 0) return 0;
+      
+	rcode = nr_packet_ok(packet);
+	if (rcode < 0) return rcode;
+
+	data = packet->data;
+	end = data + packet->length;
+	tail = &packet->vps;
+	num_attributes = 0;
+
+	/*
+	 *	Loop over the packet, converting attrs to VPs.
+	 */
+	for (attr = data + 20; attr < end; attr += attr[1]) {
+		rcode = nr_attr2vp(packet, original,
+				    attr, end - attr, &vp);
+		if (rcode < 0) {
+			nr_vp_free(&packet->vps);
+			return -rcode;
+		}
+
+		*tail = vp;
+		while (vp) {
+			num_attributes++;
+			tail = &(vp->next);
+			vp = vp->next;
+		}
+
+		if (num_attributes > NR_MAX_ATTRIBUTES) {
+			nr_debug_error("Too many attributes");
+			nr_vp_free(&packet->vps);
+			return -NR_ERR_TOO_MANY_ATTRS;
+		}
+	}
+
+	packet->code = data[0];
+	packet->id = data[1];
+	memcpy(packet->vector, data + 4, sizeof(packet->vector));
+
+	packet->flags |= NR_PACKET_DECODED;
+
+	return 0;
+}
+
+
+int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	size_t ma = 0;
+	const uint8_t *attr, *end;
+#endif
+
+	if ((packet->flags & NR_PACKET_SIGNED) != 0) return 0;
+
+	if ((packet->flags & NR_PACKET_ENCODED) == 0) {
+		int rcode;
+
+		rcode = nr_packet_encode(packet, original);
+		if (rcode < 0) return rcode;
+	}
+
+	if ((packet->code == PW_ACCESS_ACCEPT) ||
+	    (packet->code == PW_ACCESS_CHALLENGE) ||
+	    (packet->code == PW_ACCESS_REJECT)) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+		if (!original) {
+			nr_debug_error("Original packet is required to create the  Message-Authenticator");
+			return -NR_ERR_REQUEST_REQUIRED;
+		}
+#endif
+		
+		memcpy(packet->data + 4, original->vector,
+		       sizeof(original->vector));
+	} else {
+		memcpy(packet->data + 4, packet->vector,
+		       sizeof(packet->vector));
+	}
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	end = packet->data + packet->length;
+
+	for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+		if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+			ma = (attr - packet->data);
+			break;
+		}
+	}
+
+	/*
+	 *	Force all Access-Request packets to have a
+	 *	Message-Authenticator.
+	 */
+	if (!ma && ((packet->length + 18) <= packet->sizeof_data) &&
+	    ((packet->code == PW_ACCESS_REQUEST) ||
+	     (packet->code == PW_STATUS_SERVER))) {
+		ma = packet->length;
+
+		packet->data[ma]= PW_MESSAGE_AUTHENTICATOR;
+		packet->data[ma + 1] = 18;
+		memset(&packet->data[ma + 2], 0, 16);
+		packet->length += 18;
+	}
+
+	/*
+	 *	Reset the length.
+	 */
+	packet->data[2] = (packet->length >> 8) & 0xff;
+	packet->data[3] = packet->length & 0xff;
+
+	/*
+	 *	Sign the Message-Authenticator && packet.
+	 */
+	if (ma) {
+		nr_hmac_md5(packet->data, packet->length,
+			    (const uint8_t *) packet->secret, packet->sizeof_secret,
+			    packet->data + ma + 2);
+	}
+#endif
+
+	/*
+	 *	Calculate the signature.
+	 */
+	if (!((packet->code == PW_ACCESS_REQUEST) ||
+	      (packet->code == PW_STATUS_SERVER))) {
+		NR_MD5_CTX	ctx;
+
+		nr_MD5Init(&ctx);
+		nr_MD5Update(&ctx, packet->data, packet->length);
+		nr_MD5Update(&ctx, packet->secret, packet->sizeof_secret);
+		nr_MD5Final(packet->vector, &ctx);
+	}
+
+	memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+	packet->attempts = 0;
+	packet->flags |= NR_PACKET_SIGNED;
+
+	return 0;
+}
+
+
+static int can_encode_packet(RADIUS_PACKET *packet,
+			     const RADIUS_PACKET *original)
+{
+	if ((packet->code == 0) ||
+	    (packet->code > NR_MAX_PACKET_CODE) ||
+	    (original && (original->code > NR_MAX_PACKET_CODE))) {
+		nr_debug_error("Cannot send unknown packet code");
+		return -NR_ERR_REQUEST_CODE_INVALID;
+	}
+
+	if (!nr_packet_codes[packet->code]) {
+		nr_debug_error("Cannot handle packet code %u",
+				   packet->code);
+		return -NR_ERR_REQUEST_CODE_INVALID;
+	}
+
+#ifdef NR_NO_MALLOC
+	if (!packet->data) {
+		nr_debug_error("No place to put packet");
+		return -NR_ERR_NO_PACKET_DATA;
+	}
+#endif
+
+	if (packet->sizeof_data < 20) {
+		nr_debug_error("The buffer is too small to encode the packet");
+		return -NR_ERR_PACKET_TOO_SMALL;
+	}
+
+	/*
+	 *	Enforce request / response correlation.
+	 */
+	if (original) {
+		uint64_t mask;
+
+		mask = 1;
+		mask <<= packet->code;
+
+		if ((allowed_responses[original->code] & mask) == 0) {
+			nr_debug_error("Cannot encode response %u to packet %u",
+					   packet->code, original->code);
+			return -NR_ERR_RESPONSE_CODE_INVALID;
+		}
+		packet->id = original->id;
+
+	} else if (allowed_responses[packet->code] == 0) {
+		nr_debug_error("Cannot encode response %u without original",
+				   packet->code);
+		return -NR_ERR_REQUEST_REQUIRED;
+	}
+
+	return 0;
+}
+
+static void encode_header(RADIUS_PACKET *packet)
+{
+	if ((packet->flags & NR_PACKET_HEADER) != 0) return;
+
+	memset(packet->data, 0, 20);
+	packet->data[0] = packet->code;
+	packet->data[1] = packet->id;
+	packet->data[2] = 0;
+	packet->data[3] = 20;
+	packet->length = 20;
+
+	/*
+	 *	Calculate a random authentication vector.
+	 */
+	if ((packet->code == PW_ACCESS_REQUEST) ||
+	    (packet->code == PW_STATUS_SERVER)) {
+		nr_rand_bytes(packet->vector, sizeof(packet->vector));
+	} else {
+		memset(packet->vector, 0, sizeof(packet->vector));
+	}
+
+	memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+	packet->flags |= NR_PACKET_HEADER;
+}
+
+int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	size_t ma = 0;
+#endif
+	int rcode;
+	ssize_t len;
+	const VALUE_PAIR *vp;
+	uint8_t *data, *end;
+
+	if ((packet->flags & NR_PACKET_ENCODED) != 0) return 0;
+
+	rcode = can_encode_packet(packet, original);
+	if (rcode < 0) return rcode;
+
+	data = packet->data;
+	end = data + packet->sizeof_data;
+
+	encode_header(packet);
+	data += 20;
+
+	/*
+	 *	Encode each VALUE_PAIR
+	 */
+	vp = packet->vps;
+	while (vp) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+		if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) {
+			ma = (data - packet->data);
+		}
+#endif
+		len = nr_vp2attr(packet, original, &vp,
+				  data, end - data);
+		if (len < 0) return len;
+
+		if (len == 0) break; /* insufficient room to encode it */
+
+		data += data[1];
+	}
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+	/*
+	 *	Always send a Message-Authenticator.
+	 *
+	 *	We do *not* recommend removing this code.
+	 */
+	if (((packet->code == PW_ACCESS_REQUEST) ||
+	     (packet->code == PW_STATUS_SERVER)) &&
+	    !ma &&
+	    ((data + 18) <= end)) {
+		ma = (data - packet->data);
+		data[0] = PW_MESSAGE_AUTHENTICATOR;
+		data[1] = 18;
+		memset(data + 2, 0, 16);
+		data += data[1];
+	}
+#endif
+
+	packet->length = data - packet->data;
+
+	packet->data[2] = (packet->length >> 8) & 0xff;
+	packet->data[3] = packet->length & 0xff;
+
+	packet->flags |= NR_PACKET_ENCODED;
+
+	return packet->length;
+}
+
+
+/*
+ *	Ensure that the nr_data2attr_t structure is filled in
+ *	appropriately.  This includes filling in a fake DICT_ATTR
+ *	structure, if necessary.
+ */
+static int do_callback(void *ctx, nr_packet_walk_func_t callback,
+		       int attr, int vendor,
+		       const uint8_t *data, size_t sizeof_data)
+		       
+{
+	int rcode;
+	const DICT_ATTR *da;
+	DICT_ATTR myda;
+	char buffer[64];
+
+	da = nr_dict_attr_byvalue(attr, vendor);
+
+	/*
+	 *	The attribute is supposed to have a particular length,
+	 *	but does not.  It is therefore malformed.
+	 */
+	if (da && (da->flags.length != 0) &&
+	    da->flags.length != sizeof_data) {
+		da = NULL;
+	}
+
+	if (!da) {
+		rcode = nr_dict_attr_2struct(&myda, attr, vendor,
+					     buffer, sizeof(buffer));
+		
+		if (rcode < 0) return rcode;
+		da = &myda;
+	}
+	
+	rcode = callback(ctx, da, data, sizeof_data);
+	if (rcode < 0) return rcode;
+
+	return 0;
+}
+
+
+int nr_packet_walk(RADIUS_PACKET *packet, void *ctx,
+		   nr_packet_walk_func_t callback)
+{
+	int rcode;
+	uint8_t *attr;
+	const uint8_t *end;
+
+	if (!packet || !callback) return -NR_ERR_INVALID_ARG;
+
+	rcode = nr_packet_ok(packet);
+	if (rcode < 0) return rcode;
+
+	end = packet->data + packet->length;
+
+	for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+		int length, value;
+		int dv_type, dv_length;
+		uint32_t vendorpec;
+		const uint8_t *vsa;
+		const DICT_VENDOR *dv = NULL;
+
+		vendorpec = 0;
+		value = attr[0];
+
+		if (value != PW_VENDOR_SPECIFIC) {
+		raw:
+			rcode = do_callback(ctx, callback,
+					    attr[0], 0,
+					    attr + 2, attr[1] - 2);
+			if (rcode < 0) return rcode;
+			continue;
+		}
+
+		if (attr[1] < 6) goto raw;
+		memcpy(&vendorpec, attr + 2, 4);
+		vendorpec = ntohl(vendorpec);
+
+		if (dv && (dv->vendor != vendorpec)) dv = NULL;
+
+		if (!dv) dv = nr_dict_vendor_byvalue(vendorpec);
+
+		if (dv) {
+			dv_type = dv->type;
+			dv_length = dv->length;
+		} else {
+			dv_type = 1;
+			dv_length = 1;
+		}
+
+		/*
+		 *	Malformed: it's a raw attribute.
+		 */
+		if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) {
+			goto raw;
+		}
+
+		for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) {
+			switch (dv_type) {
+			case 4:
+				value = (vsa[2] << 8) | vsa[3];
+				break;
+
+			case 2:
+				value = (vsa[0] << 8) | vsa[1];
+				break;
+
+			case 1:
+				value = vsa[0];
+				break;
+
+			default:
+				return -NR_ERR_INTERNAL_FAILURE;
+			}
+
+			switch (dv_length) {
+			case 0:
+				length = attr[1] - 6 - dv_type;
+				break;
+
+			case 2:
+			case 1:
+				length = vsa[dv_type + dv_length - 1];
+				break;
+
+			default:
+				return -NR_ERR_INTERNAL_FAILURE;
+			}
+
+			rcode = do_callback(ctx, callback,
+					    value, vendorpec,
+					    vsa + dv_type + dv_length,
+					    length - dv_type - dv_length);
+			if (rcode < 0) return rcode;
+		}
+	}
+
+	return 0;
+}
+
+int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+		   const char *secret, int code,
+		   void *data, size_t sizeof_data)
+{
+	int rcode;
+
+	if ((code < 0) || (code > NR_MAX_PACKET_CODE)) {
+		return -NR_ERR_REQUEST_CODE_INVALID;
+	}
+
+	if (!data || (sizeof_data < 20)) return -NR_ERR_INVALID_ARG;
+
+	if (!secret || !*secret) return -NR_ERR_INVALID_ARG;
+
+	memset(packet, 0, sizeof(*packet));
+	packet->secret = secret;
+	packet->sizeof_secret = strlen(secret);
+	packet->code = code;
+	packet->id = 0;
+	packet->data = data;
+	packet->sizeof_data = sizeof_data;
+
+	rcode = can_encode_packet(packet, original);
+	if (rcode < 0) return rcode;
+
+	encode_header(packet);
+
+	return 0;
+}
+
+
+static int pack_eap(RADIUS_PACKET *packet,
+		    const void *data, size_t data_len)
+{
+	uint8_t *attr, *end;
+	const uint8_t *eap;
+	size_t left;
+		
+	eap = data;
+	left = data_len;
+	attr = packet->data + packet->length;
+	end = attr + packet->sizeof_data;
+	
+	while (left > 253) {
+		if ((attr + 255) > end) return -NR_ERR_ATTR_OVERFLOW;
+		
+		attr[0] = PW_EAP_MESSAGE;
+		attr[1] = 255;
+		memcpy(attr + 2, eap, 253);
+		attr += attr[1];
+		eap += 253;
+		left -= 253;
+	}
+	
+	if ((attr + (2 + left)) > end) return -NR_ERR_ATTR_OVERFLOW;
+	
+	attr[0] = PW_EAP_MESSAGE;
+	attr[1] = 2 + left;
+	memcpy(attr + 2, eap, left);
+	attr += attr[1];
+	packet->length = attr - packet->data;
+
+	return 0;
+}
+
+ssize_t nr_packet_attr_append(RADIUS_PACKET *packet,
+			      const RADIUS_PACKET *original,
+			      const DICT_ATTR *da,
+			      const void *data, size_t data_len)
+{
+	ssize_t rcode;
+	uint8_t *attr, *end;
+	VALUE_PAIR my_vp;
+	const VALUE_PAIR *vp;
+
+	if (!packet || !da || !data) {
+		return -NR_ERR_INVALID_ARG;
+	}
+
+	if (data_len == 0) {
+		if (da->type != NR_TYPE_STRING) return -NR_ERR_ATTR_TOO_SMALL;
+
+		data_len = strlen(data);
+	}
+
+	packet->flags |= NR_PACKET_ENCODED; /* ignore any VPs */
+
+	attr = packet->data + packet->length;
+	end = attr + packet->sizeof_data;
+
+	if ((attr + 2 + data_len) > end) {
+		return -NR_ERR_ATTR_OVERFLOW;
+	}
+
+	if ((da->flags.length != 0) &&
+	    (data_len != da->flags.length)) {
+		return -NR_ERR_ATTR_VALUE_MALFORMED;
+	}
+
+#ifdef PW_EAP_MESSAGE
+	/*
+	 *	automatically split EAP-Message into multiple
+	 *	attributes.
+	 */
+	if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) {
+		return pack_eap(packet, data, data_len);
+	}
+#endif
+
+	if (data_len > 253) return -NR_ERR_ATTR_TOO_LARGE;
+
+	vp = nr_vp_init(&my_vp, da);
+	rcode = nr_vp_set_data(&my_vp, data, data_len);
+	if (rcode < 0) return rcode;
+
+	/*
+	 *	Note that this function packs VSAs each into their own
+	 *	Vendor-Specific attribute.  If this isn't what you
+	 *	want, use the version of the library with full support
+	 *	for TLVs, WiMAX, and extended attributes.
+	 */
+	rcode = nr_vp2attr(packet, original, &vp, attr, end - attr);
+	if (rcode <= 0) return rcode;
+
+	packet->length += rcode;
+
+	return rcode;
+}
diff --git a/lib/radius/parse.c b/lib/radius/parse.c
new file mode 100644
index 0000000..6b593a8
--- /dev/null
+++ b/lib/radius/parse.c
@@ -0,0 +1,142 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file parse.c
+ *  \brief Routines to parse strings into internal data structures
+ */
+
+#include <networkradius-devel/client.h>
+#include <arpa/inet.h>
+
+ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value)
+{
+	char *end;
+
+	switch (vp->da->type) {
+	case NR_TYPE_STRING:
+		strlcpy(vp->vp_strvalue, value, sizeof(vp->vp_strvalue));
+		vp->length = strlen(vp->vp_strvalue);
+		return vp->length;
+
+	case NR_TYPE_DATE:
+	case NR_TYPE_INTEGER:
+		vp->vp_integer = strtoul(value, &end, 10);
+		if ((value == end) || (*end != '\0')) {
+			nr_debug_error("Invalid value");
+			return -NR_ERR_ATTR_VALUE_MALFORMED;
+		}
+		return (end - value);
+
+	case NR_TYPE_IPADDR:
+		if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) {
+			return -NR_ERR_SYSTEM;
+		}
+		return strlen(value);
+		
+#ifdef NR_TYPE_IPV6ADDR
+	case NR_TYPE_IPV6ADDR:
+		if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) {
+			return -NR_ERR_SYSTEM;
+		}
+		return strlen(value);
+#endif
+
+#ifdef NR_TYPE_IFID
+	case NR_TYPE_IFID:
+	{
+		int i, array[8];
+
+		if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x",
+			   &array[0], &array[1], &array[2], &array[3],
+			   &array[4], &array[5], &array[6], &array[7]) != 8) {
+			return -NR_ERR_SYSTEM;
+		}
+
+		for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff;
+
+	}
+		break;
+#endif
+
+	default:
+		nr_debug_error("Invalid type");
+		return -NR_ERR_ATTR_TYPE_UNKNOWN;
+	}
+
+	return 0;
+}
+
+int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp)
+{
+	int rcode;
+	const char *p;
+	char *q;
+	const DICT_ATTR *da;
+	VALUE_PAIR *vp;
+	char buffer[256];
+
+	if (!string || !pvp) return -NR_ERR_INVALID_ARG;
+
+	p = string;
+	q = buffer;
+	while (*p && (*p != ' ') && (*p != '=')) {
+		*(q++) = *(p++);
+	}
+	*q = '\0';
+
+	if (q == buffer) {
+		nr_debug_error("No Attribute name");
+		return -NR_ERR_ATTR_BAD_NAME;
+	}
+
+	da = nr_dict_attr_byname(buffer);
+	if (!da) {
+		nr_debug_error("Unknown attribute \"%s\"", buffer);
+		return -NR_ERR_ATTR_UNKNOWN;
+	}
+
+	while (*p == ' ') p++;
+	if (*p != '=') {
+		nr_debug_error("Unexpected text after attribute name");
+		return -NR_ERR_ATTR_BAD_NAME;
+	}
+
+	p++;
+	while (*p == ' ') p++;
+
+	vp = nr_vp_alloc(da);
+	if (!vp) return -NR_ERR_NO_MEM;
+
+	rcode = nr_vp_sscanf_value(vp, p);
+	if (rcode < 0) {
+		nr_vp_free(&vp);
+		return rcode;
+	}
+
+	*pvp = vp;
+	return 0;
+}
diff --git a/lib/radius/print.c b/lib/radius/print.c
new file mode 100644
index 0000000..abe4255
--- /dev/null
+++ b/lib/radius/print.c
@@ -0,0 +1,265 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file print.c
+ *  \brief Functions to print things.
+ */
+
+#include <networkradius-devel/client.h>
+#include <string.h>
+#ifdef NR_TYPE_IPV6ADDR
+#include <arpa/inet.h>
+#endif
+
+#ifndef NDEBUG
+void nr_packet_print_hex(RADIUS_PACKET *packet)
+{
+	int i;
+
+	if (!packet->data) return;
+
+	printf("  Code:\t\t%u\n", packet->data[0]);
+	printf("  Id:\t\t%u\n", packet->data[1]);
+	printf("  Length:\t%u\n", ((packet->data[2] << 8) |
+				   (packet->data[3])));
+	printf("  Vector:\t");
+	for (i = 4; i < 20; i++) {
+		printf("%02x", packet->data[i]);
+	}
+	printf("\n");
+	if ((packet->flags & NR_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n");
+
+	if (packet->length > 20) {
+		int total;
+		const uint8_t *ptr;
+		printf("  Data:");
+
+		total = packet->length - 20;
+		ptr = packet->data + 20;
+
+		while (total > 0) {
+			int attrlen;
+
+			printf("\t\t");
+			if (total < 2) { /* too short */
+				printf("%02x\n", *ptr);
+				break;
+			}
+
+			if (ptr[1] > total) { /* too long */
+				for (i = 0; i < total; i++) {
+					printf("%02x ", ptr[i]);
+				}
+				break;
+			}
+
+			printf("%02x  %02x  ", ptr[0], ptr[1]);
+			attrlen = ptr[1] - 2;
+			ptr += 2;
+			total -= 2;
+
+			for (i = 0; i < attrlen; i++) {
+				if ((i > 0) && ((i & 0x0f) == 0x00))
+					printf("\t\t\t");
+				printf("%02x ", ptr[i]);
+				if ((i & 0x0f) == 0x0f) printf("\n");
+			}
+
+			if (!attrlen || ((attrlen & 0x0f) != 0x00)) printf("\n");
+
+			ptr += attrlen;
+			total -= attrlen;
+		}
+	}
+	printf("\n");
+	fflush(stdout);
+}
+#endif
+
+size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp)
+{
+	size_t i, len;
+	char *p = buffer;
+
+	switch (vp->da->type) {
+	case NR_TYPE_STRING:
+		/*
+		 *	FIXME: escape backslash && quotes!
+		 */
+		len = snprintf(p, buflen, "\"%s\"", vp->vp_strvalue);
+		break;
+
+	case NR_TYPE_DATE:
+	case NR_TYPE_INTEGER:
+	case NR_TYPE_SHORT:
+	case NR_TYPE_BYTE:
+		len = snprintf(p, buflen, "%u", vp->vp_integer);
+		break;
+
+	case NR_TYPE_IPADDR:
+		len = snprintf(p, buflen, "%u.%u.%u.%u",
+			       (vp->vp_ipaddr >> 24) & 0xff,
+			       (vp->vp_ipaddr >> 16) & 0xff,
+			       (vp->vp_ipaddr >> 8) & 0xff,
+			       vp->vp_ipaddr & 0xff);
+		break;
+
+#ifdef NR_TYPE_IPV6ADDR
+	case NR_TYPE_IPV6ADDR:
+		if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) {
+			return -NR_ERR_SYSTEM;
+		}
+		break;
+#endif
+
+#ifdef NR_TYPE_IFID
+	case NR_TYPE_IFID:
+		len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x",
+			       vp->vp_ifid[0], vp->vp_ifid[1],
+			       vp->vp_ifid[2], vp->vp_ifid[3],
+			       vp->vp_ifid[4], vp->vp_ifid[5],
+			       vp->vp_ifid[6], vp->vp_ifid[7]);
+		break;
+#endif
+
+	case NR_TYPE_OCTETS:
+		len = snprintf(p, buflen, "0x");
+		if (len >= buflen) return 0;
+
+		p += len;
+		buflen -= len;
+
+		for (i = 0; i < vp->length; i++) {
+			len = snprintf(p, buflen, "%02x", vp->vp_octets[i]);
+			if (len >= buflen) return 0;
+			
+			p += len;
+			buflen -= len;
+		}
+		len = 0;
+		break;
+
+	default:
+		break;
+	}
+
+	if (len >= buflen) return 0;
+
+	p += len;
+	buflen -= len;
+
+	return p - buffer;
+}
+
+size_t nr_vp_snprintf(char *buffer, size_t buflen, const VALUE_PAIR *vp)
+{
+	size_t len;
+	char *p = buffer;
+
+	len = snprintf(p, buflen, "%s = ", vp->da->name);
+	if (len >= buflen) return 0;
+
+	p += len;
+	buflen -= len;
+
+	len = nr_vp_snprintf_value(p, buflen, vp);
+	if (len == 0) return 0;
+
+	if (len >= buflen) return 0;
+
+	p += len;
+
+	return p - buffer;
+}
+
+#ifndef NDEBUG
+void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps)
+{
+	const VALUE_PAIR *vp;
+	char buffer[1024];
+
+	for (vp = vps; vp != NULL; vp = vp->next) {
+		nr_vp_snprintf(buffer, sizeof(buffer), vp);
+		fprintf(fp, "\t%s\n", buffer);
+	}
+}
+#endif
+
+/** \cond PRIVATE */
+#define NR_STRERROR_BUFSIZE (1024)
+static char nr_strerror_buffer[NR_STRERROR_BUFSIZE];
+
+void nr_strerror_printf(const char *fmt, ...)
+{
+	va_list ap;
+	va_start(ap, fmt);
+	vsnprintf(nr_strerror_buffer, sizeof(nr_strerror_buffer), fmt, ap);
+	va_end(ap);
+
+	fprintf(stderr, "ERROR: %s\n", nr_strerror_buffer);
+}
+/** \endcond */
+
+const char *nr_strerror(int error)
+{
+	if (error == 0) return nr_strerror_buffer;
+
+	if (error < 0) error = -error;
+
+	switch (error) {
+	default: return "Unknown error";
+	case NR_ERR_SYSTEM: return strerror(errno);
+
+	case NR_ERR_INVALID_ARG: return "Invalid argument";
+	case NR_ERR_PACKET_TOO_SMALL: return "Packet is too small";
+	case NR_ERR_PACKET_TOO_LARGE: return "Packet is too large";
+	case NR_ERR_ATTR_OVERFLOW: return "Attribute overflows packet";
+	case NR_ERR_ATTR_TOO_SMALL: return "Attribute is too small";
+	case NR_ERR_ATTR_TOO_LARGE: return "Attribute is too large";
+	case NR_ERR_ATTR_UNKNOWN: return "Unknown attribute";
+	case NR_ERR_ATTR_BAD_NAME: return "Invalid name for attribute";
+	case NR_ERR_ATTR_VALUE_MALFORMED: return "Invalid value for attribute";
+	case NR_ERR_ATTR_INVALID: return "Invalid attribute";
+	case NR_ERR_TOO_MANY_ATTRS: return "Too many attributes in the packet";
+	case NR_ERR_ATTR_TYPE_UNKNOWN: return "Attribute type unknown";
+	case NR_ERR_MSG_AUTH_LEN: return "Invalid Message-Authenticator";
+	case NR_ERR_MSG_AUTH_WRONG: return "Incorrect Message-Authenticator";
+	case NR_ERR_REQUEST_REQUIRED: return "Request is required";
+	case NR_ERR_REQUEST_CODE_INVALID: return "Invalid request code";
+	case NR_ERR_AUTH_VECTOR_WRONG: return "Incorrect Request Authenticator";
+	case NR_ERR_RESPONSE_CODE_INVALID: return "Response code is unsupported";
+	case NR_ERR_RESPONSE_ID_INVALID: return "Response ID is invalid";
+	case NR_ERR_RESPONSE_SRC_INVALID: return "Response from the wrong src ip/port";
+	case NR_ERR_NO_PACKET_DATA: return "Cannot encode the packet";
+	case NR_ERR_VENDOR_UNKNOWN: return "Vendor is unknown";
+	case NR_ERR_INTERNAL_FAILURE: return "Internal failure";
+	case NR_ERR_UNSUPPORTED: return "Unsupported feature";
+	case NR_ERR_NO_MEM: return "Out of memory";
+	case NR_ERR_IN_USE: return "Resource is in use";
+		
+	}
+}
diff --git a/lib/radius/radius.h b/lib/radius/radius.h
new file mode 100644
index 0000000..cfc16b7
--- /dev/null
+++ b/lib/radius/radius.h
@@ -0,0 +1,314 @@
+/* Automatically generated file.  Do not edit */
+
+#define VENDORPEC_MICROSOFT 311
+#define VENDORPEC_EXAMPLE 65535
+
+
+/* IETF */
+#define PW_USER_NAME 1
+#define PW_USER_PASSWORD 2
+#define PW_CHAP_PASSWORD 3
+#define PW_NAS_IP_ADDRESS 4
+#define PW_NAS_PORT 5
+#define PW_SERVICE_TYPE 6
+#define PW_FRAMED_PROTOCOL 7
+#define PW_FRAMED_IP_ADDRESS 8
+#define PW_FRAMED_IP_NETMASK 9
+#define PW_FRAMED_ROUTING 10
+#define PW_FILTER_ID 11
+#define PW_FRAMED_MTU 12
+#define PW_FRAMED_COMPRESSION 13
+#define PW_LOGIN_IP_HOST 14
+#define PW_LOGIN_SERVICE 15
+#define PW_LOGIN_TCP_PORT 16
+#define PW_REPLY_MESSAGE 18
+#define PW_CALLBACK_NUMBER 19
+#define PW_CALLBACK_ID 20
+#define PW_FRAMED_ROUTE 22
+#define PW_FRAMED_IPX_NETWORK 23
+#define PW_STATE 24
+#define PW_CLASS 25
+#define PW_VENDOR_SPECIFIC 26
+#define PW_SESSION_TIMEOUT 27
+#define PW_IDLE_TIMEOUT 28
+#define PW_TERMINATION_ACTION 29
+#define PW_CALLED_STATION_ID 30
+#define PW_CALLING_STATION_ID 31
+#define PW_NAS_IDENTIFIER 32
+#define PW_PROXY_STATE 33
+#define PW_LOGIN_LAT_SERVICE 34
+#define PW_LOGIN_LAT_NODE 35
+#define PW_LOGIN_LAT_GROUP 36
+#define PW_FRAMED_APPLETALK_LINK 37
+#define PW_FRAMED_APPLETALK_NETWORK 38
+#define PW_FRAMED_APPLETALK_ZONE 39
+#define PW_ACCT_STATUS_TYPE 40
+#define PW_ACCT_DELAY_TIME 41
+#define PW_ACCT_INPUT_OCTETS 42
+#define PW_ACCT_OUTPUT_OCTETS 43
+#define PW_ACCT_SESSION_ID 44
+#define PW_ACCT_AUTHENTIC 45
+#define PW_ACCT_SESSION_TIME 46
+#define PW_ACCT_INPUT_PACKETS 47
+#define PW_ACCT_OUTPUT_PACKETS 48
+#define PW_ACCT_TERMINATE_CAUSE 49
+#define PW_ACCT_MULTI_SESSION_ID 50
+#define PW_ACCT_LINK_COUNT 51
+#define PW_ACCT_INPUT_GIGAWORDS 52
+#define PW_ACCT_OUTPUT_GIGAWORDS 53
+#define PW_EVENT_TIMESTAMP 55
+#define PW_EGRESS_VLANID 56
+#define PW_INGRESS_FILTERS 57
+#define PW_EGRESS_VLAN_NAME 58
+#define PW_USER_PRIORITY_TABLE 59
+#define PW_CHAP_CHALLENGE 60
+#define PW_NAS_PORT_TYPE 61
+#define PW_PORT_LIMIT 62
+#define PW_LOGIN_LAT_PORT 63
+#define PW_TUNNEL_TYPE 64
+#define PW_TUNNEL_MEDIUM_TYPE 65
+#define PW_TUNNEL_CLIENT_ENDPOINT 66
+#define PW_TUNNEL_SERVER_ENDPOINT 67
+#define PW_ACCT_TUNNEL_CONNECTION 68
+#define PW_TUNNEL_PASSWORD 69
+#define PW_ARAP_PASSWORD 70
+#define PW_ARAP_FEATURES 71
+#define PW_ARAP_ZONE_ACCESS 72
+#define PW_ARAP_SECURITY 73
+#define PW_ARAP_SECURITY_DATA 74
+#define PW_PASSWORD_RETRY 75
+#define PW_PROMPT 76
+#define PW_CONNECT_INFO 77
+#define PW_CONFIGURATION_TOKEN 78
+#define PW_EAP_MESSAGE 79
+#define PW_MESSAGE_AUTHENTICATOR 80
+#define PW_TUNNEL_PRIVATE_GROUP_ID 81
+#define PW_TUNNEL_ASSIGNMENT_ID 82
+#define PW_TUNNEL_PREFERENCE 83
+#define PW_ARAP_CHALLENGE_RESPONSE 84
+#define PW_ACCT_INTERIM_INTERVAL 85
+#define PW_ACCT_TUNNEL_PACKETS_LOST 86
+#define PW_NAS_PORT_ID 87
+#define PW_FRAMED_POOL 88
+#define PW_CHARGEABLE_USER_IDENTITY 89
+#define PW_TUNNEL_CLIENT_AUTH_ID 90
+#define PW_TUNNEL_SERVER_AUTH_ID 91
+#define PW_NAS_FILTER_RULE 92
+#define PW_NAS_IPV6_ADDRESS 95
+#define PW_FRAMED_INTERFACE_ID 96
+#define PW_FRAMED_IPV6_PREFIX 97
+#define PW_LOGIN_IPV6_HOST 98
+#define PW_FRAMED_IPV6_ROUTE 99
+#define PW_FRAMED_IPV6_POOL 100
+#define PW_ERROR_CAUSE 101
+#define PW_EAP_KEY_NAME 102
+#define PW_DIGEST_RESPONSE 103
+#define PW_DIGEST_REALM 104
+#define PW_DIGEST_NONCE 105
+#define PW_DIGEST_RESPONSE_AUTH 106
+#define PW_DIGEST_NEXTNONCE 107
+#define PW_DIGEST_METHOD 108
+#define PW_DIGEST_URI 109
+#define PW_DIGEST_QOP 110
+#define PW_DIGEST_ALGORITHM 111
+#define PW_DIGEST_ENTITY_BODY_HASH 112
+#define PW_DIGEST_CNONCE 113
+#define PW_DIGEST_NONCE_COUNT 114
+#define PW_DIGEST_USERNAME 115
+#define PW_DIGEST_OPAQUE 116
+#define PW_DIGEST_AUTH_PARAM 117
+#define PW_DIGEST_AKA_AUTS 118
+#define PW_DIGEST_DOMAIN 119
+#define PW_DIGEST_STALE 120
+#define PW_DIGEST_HA1 121
+#define PW_SIP_AOR 122
+#define PW_DELEGATED_IPV6_PREFIX 123
+#define PW_OPERATOR_NAME 126
+#define PW_LOCATION_INFORMATION 127
+#define PW_LOCATION_DATA 128
+#define PW_BASIC_LOCATION_POLICY_RULES 129
+#define PW_EXTENDED_LOCATION_POLICY_RULES 130
+#define PW_LOCATION_CAPABLE 131
+#define PW_REQUESTED_LOCATION_INFO 132
+#define PW_FRAMED_MANAGEMENT 133
+#define PW_MANAGEMENT_TRANSPORT_PROTECTION 134
+#define PW_MANAGEMENT_POLICY_ID 135
+#define PW_MANAGEMENT_PRIVILEGE_LEVEL 136
+#define PW_PKM_SS_CERT 137
+#define PW_PKM_CA_CERT 138
+#define PW_PKM_CONFIG_SETTINGS 139
+#define PW_PKM_CRYPTOSUITE_LIST 140
+#define PW_PKM_SAID 141
+#define PW_PKM_SA_DESCRIPTOR 142
+#define PW_PKM_AUTH_KEY 143
+
+/* Microsoft */
+#define PW_MS_CHAP_RESPONSE 1
+#define PW_MS_CHAP_ERROR 2
+#define PW_MS_MPPE_ENCRYPTION_POLICY 7
+#define PW_MS_MPPE_ENCRYPTION_TYPES 8
+#define PW_MS_CHAP_DOMAIN 10
+#define PW_MS_CHAP_CHALLENGE 11
+#define PW_MS_CHAP_MPPE_KEYS 12
+#define PW_MS_MPPE_SEND_KEY 16
+#define PW_MS_MPPE_RECV_KEY 17
+#define PW_MS_CHAP2_RESPONSE 25
+#define PW_MS_CHAP2_SUCCESS 26
+
+/* example */
+#define PW_EXAMPLE_INTEGER 1
+#define PW_EXAMPLE_STRING 2
+#define PW_EXAMPLE_IP_ADDRESS 3
+
+/* Fixed offsets to dictionary definitions of attributes */
+#define NR_DA_USER_NAME (&nr_dict_attrs[1])
+#define NR_DA_USER_PASSWORD (&nr_dict_attrs[2])
+#define NR_DA_CHAP_PASSWORD (&nr_dict_attrs[3])
+#define NR_DA_NAS_IP_ADDRESS (&nr_dict_attrs[4])
+#define NR_DA_NAS_PORT (&nr_dict_attrs[5])
+#define NR_DA_SERVICE_TYPE (&nr_dict_attrs[6])
+#define NR_DA_FRAMED_PROTOCOL (&nr_dict_attrs[7])
+#define NR_DA_FRAMED_IP_ADDRESS (&nr_dict_attrs[8])
+#define NR_DA_FRAMED_IP_NETMASK (&nr_dict_attrs[9])
+#define NR_DA_FRAMED_ROUTING (&nr_dict_attrs[10])
+#define NR_DA_FILTER_ID (&nr_dict_attrs[11])
+#define NR_DA_FRAMED_MTU (&nr_dict_attrs[12])
+#define NR_DA_FRAMED_COMPRESSION (&nr_dict_attrs[13])
+#define NR_DA_LOGIN_IP_HOST (&nr_dict_attrs[14])
+#define NR_DA_LOGIN_SERVICE (&nr_dict_attrs[15])
+#define NR_DA_LOGIN_TCP_PORT (&nr_dict_attrs[16])
+#define NR_DA_REPLY_MESSAGE (&nr_dict_attrs[18])
+#define NR_DA_CALLBACK_NUMBER (&nr_dict_attrs[19])
+#define NR_DA_CALLBACK_ID (&nr_dict_attrs[20])
+#define NR_DA_FRAMED_ROUTE (&nr_dict_attrs[22])
+#define NR_DA_FRAMED_IPX_NETWORK (&nr_dict_attrs[23])
+#define NR_DA_STATE (&nr_dict_attrs[24])
+#define NR_DA_CLASS (&nr_dict_attrs[25])
+#define NR_DA_VENDOR_SPECIFIC (&nr_dict_attrs[26])
+#define NR_DA_SESSION_TIMEOUT (&nr_dict_attrs[27])
+#define NR_DA_IDLE_TIMEOUT (&nr_dict_attrs[28])
+#define NR_DA_TERMINATION_ACTION (&nr_dict_attrs[29])
+#define NR_DA_CALLED_STATION_ID (&nr_dict_attrs[30])
+#define NR_DA_CALLING_STATION_ID (&nr_dict_attrs[31])
+#define NR_DA_NAS_IDENTIFIER (&nr_dict_attrs[32])
+#define NR_DA_PROXY_STATE (&nr_dict_attrs[33])
+#define NR_DA_LOGIN_LAT_SERVICE (&nr_dict_attrs[34])
+#define NR_DA_LOGIN_LAT_NODE (&nr_dict_attrs[35])
+#define NR_DA_LOGIN_LAT_GROUP (&nr_dict_attrs[36])
+#define NR_DA_FRAMED_APPLETALK_LINK (&nr_dict_attrs[37])
+#define NR_DA_FRAMED_APPLETALK_NETWORK (&nr_dict_attrs[38])
+#define NR_DA_FRAMED_APPLETALK_ZONE (&nr_dict_attrs[39])
+#define NR_DA_ACCT_STATUS_TYPE (&nr_dict_attrs[40])
+#define NR_DA_ACCT_DELAY_TIME (&nr_dict_attrs[41])
+#define NR_DA_ACCT_INPUT_OCTETS (&nr_dict_attrs[42])
+#define NR_DA_ACCT_OUTPUT_OCTETS (&nr_dict_attrs[43])
+#define NR_DA_ACCT_SESSION_ID (&nr_dict_attrs[44])
+#define NR_DA_ACCT_AUTHENTIC (&nr_dict_attrs[45])
+#define NR_DA_ACCT_SESSION_TIME (&nr_dict_attrs[46])
+#define NR_DA_ACCT_INPUT_PACKETS (&nr_dict_attrs[47])
+#define NR_DA_ACCT_OUTPUT_PACKETS (&nr_dict_attrs[48])
+#define NR_DA_ACCT_TERMINATE_CAUSE (&nr_dict_attrs[49])
+#define NR_DA_ACCT_MULTI_SESSION_ID (&nr_dict_attrs[50])
+#define NR_DA_ACCT_LINK_COUNT (&nr_dict_attrs[51])
+#define NR_DA_ACCT_INPUT_GIGAWORDS (&nr_dict_attrs[52])
+#define NR_DA_ACCT_OUTPUT_GIGAWORDS (&nr_dict_attrs[53])
+#define NR_DA_EVENT_TIMESTAMP (&nr_dict_attrs[55])
+#define NR_DA_EGRESS_VLANID (&nr_dict_attrs[56])
+#define NR_DA_INGRESS_FILTERS (&nr_dict_attrs[57])
+#define NR_DA_EGRESS_VLAN_NAME (&nr_dict_attrs[58])
+#define NR_DA_USER_PRIORITY_TABLE (&nr_dict_attrs[59])
+#define NR_DA_CHAP_CHALLENGE (&nr_dict_attrs[60])
+#define NR_DA_NAS_PORT_TYPE (&nr_dict_attrs[61])
+#define NR_DA_PORT_LIMIT (&nr_dict_attrs[62])
+#define NR_DA_LOGIN_LAT_PORT (&nr_dict_attrs[63])
+#define NR_DA_TUNNEL_TYPE (&nr_dict_attrs[64])
+#define NR_DA_TUNNEL_MEDIUM_TYPE (&nr_dict_attrs[65])
+#define NR_DA_TUNNEL_CLIENT_ENDPOINT (&nr_dict_attrs[66])
+#define NR_DA_TUNNEL_SERVER_ENDPOINT (&nr_dict_attrs[67])
+#define NR_DA_ACCT_TUNNEL_CONNECTION (&nr_dict_attrs[68])
+#define NR_DA_TUNNEL_PASSWORD (&nr_dict_attrs[69])
+#define NR_DA_ARAP_PASSWORD (&nr_dict_attrs[70])
+#define NR_DA_ARAP_FEATURES (&nr_dict_attrs[71])
+#define NR_DA_ARAP_ZONE_ACCESS (&nr_dict_attrs[72])
+#define NR_DA_ARAP_SECURITY (&nr_dict_attrs[73])
+#define NR_DA_ARAP_SECURITY_DATA (&nr_dict_attrs[74])
+#define NR_DA_PASSWORD_RETRY (&nr_dict_attrs[75])
+#define NR_DA_PROMPT (&nr_dict_attrs[76])
+#define NR_DA_CONNECT_INFO (&nr_dict_attrs[77])
+#define NR_DA_CONFIGURATION_TOKEN (&nr_dict_attrs[78])
+#define NR_DA_EAP_MESSAGE (&nr_dict_attrs[79])
+#define NR_DA_MESSAGE_AUTHENTICATOR (&nr_dict_attrs[80])
+#define NR_DA_TUNNEL_PRIVATE_GROUP_ID (&nr_dict_attrs[81])
+#define NR_DA_TUNNEL_ASSIGNMENT_ID (&nr_dict_attrs[82])
+#define NR_DA_TUNNEL_PREFERENCE (&nr_dict_attrs[83])
+#define NR_DA_ARAP_CHALLENGE_RESPONSE (&nr_dict_attrs[84])
+#define NR_DA_ACCT_INTERIM_INTERVAL (&nr_dict_attrs[85])
+#define NR_DA_ACCT_TUNNEL_PACKETS_LOST (&nr_dict_attrs[86])
+#define NR_DA_NAS_PORT_ID (&nr_dict_attrs[87])
+#define NR_DA_FRAMED_POOL (&nr_dict_attrs[88])
+#define NR_DA_CHARGEABLE_USER_IDENTITY (&nr_dict_attrs[89])
+#define NR_DA_TUNNEL_CLIENT_AUTH_ID (&nr_dict_attrs[90])
+#define NR_DA_TUNNEL_SERVER_AUTH_ID (&nr_dict_attrs[91])
+#define NR_DA_NAS_FILTER_RULE (&nr_dict_attrs[92])
+#define NR_DA_NAS_IPV6_ADDRESS (&nr_dict_attrs[95])
+#define NR_DA_FRAMED_INTERFACE_ID (&nr_dict_attrs[96])
+#define NR_DA_FRAMED_IPV6_PREFIX (&nr_dict_attrs[97])
+#define NR_DA_LOGIN_IPV6_HOST (&nr_dict_attrs[98])
+#define NR_DA_FRAMED_IPV6_ROUTE (&nr_dict_attrs[99])
+#define NR_DA_FRAMED_IPV6_POOL (&nr_dict_attrs[100])
+#define NR_DA_ERROR_CAUSE (&nr_dict_attrs[101])
+#define NR_DA_EAP_KEY_NAME (&nr_dict_attrs[102])
+#define NR_DA_DIGEST_RESPONSE (&nr_dict_attrs[103])
+#define NR_DA_DIGEST_REALM (&nr_dict_attrs[104])
+#define NR_DA_DIGEST_NONCE (&nr_dict_attrs[105])
+#define NR_DA_DIGEST_RESPONSE_AUTH (&nr_dict_attrs[106])
+#define NR_DA_DIGEST_NEXTNONCE (&nr_dict_attrs[107])
+#define NR_DA_DIGEST_METHOD (&nr_dict_attrs[108])
+#define NR_DA_DIGEST_URI (&nr_dict_attrs[109])
+#define NR_DA_DIGEST_QOP (&nr_dict_attrs[110])
+#define NR_DA_DIGEST_ALGORITHM (&nr_dict_attrs[111])
+#define NR_DA_DIGEST_ENTITY_BODY_HASH (&nr_dict_attrs[112])
+#define NR_DA_DIGEST_CNONCE (&nr_dict_attrs[113])
+#define NR_DA_DIGEST_NONCE_COUNT (&nr_dict_attrs[114])
+#define NR_DA_DIGEST_USERNAME (&nr_dict_attrs[115])
+#define NR_DA_DIGEST_OPAQUE (&nr_dict_attrs[116])
+#define NR_DA_DIGEST_AUTH_PARAM (&nr_dict_attrs[117])
+#define NR_DA_DIGEST_AKA_AUTS (&nr_dict_attrs[118])
+#define NR_DA_DIGEST_DOMAIN (&nr_dict_attrs[119])
+#define NR_DA_DIGEST_STALE (&nr_dict_attrs[120])
+#define NR_DA_DIGEST_HA1 (&nr_dict_attrs[121])
+#define NR_DA_SIP_AOR (&nr_dict_attrs[122])
+#define NR_DA_DELEGATED_IPV6_PREFIX (&nr_dict_attrs[123])
+#define NR_DA_OPERATOR_NAME (&nr_dict_attrs[126])
+#define NR_DA_LOCATION_INFORMATION (&nr_dict_attrs[127])
+#define NR_DA_LOCATION_DATA (&nr_dict_attrs[128])
+#define NR_DA_BASIC_LOCATION_POLICY_RULES (&nr_dict_attrs[129])
+#define NR_DA_EXTENDED_LOCATION_POLICY_RULES (&nr_dict_attrs[130])
+#define NR_DA_LOCATION_CAPABLE (&nr_dict_attrs[131])
+#define NR_DA_REQUESTED_LOCATION_INFO (&nr_dict_attrs[132])
+#define NR_DA_FRAMED_MANAGEMENT (&nr_dict_attrs[133])
+#define NR_DA_MANAGEMENT_TRANSPORT_PROTECTION (&nr_dict_attrs[134])
+#define NR_DA_MANAGEMENT_POLICY_ID (&nr_dict_attrs[135])
+#define NR_DA_MANAGEMENT_PRIVILEGE_LEVEL (&nr_dict_attrs[136])
+#define NR_DA_PKM_SS_CERT (&nr_dict_attrs[137])
+#define NR_DA_PKM_CA_CERT (&nr_dict_attrs[138])
+#define NR_DA_PKM_CONFIG_SETTINGS (&nr_dict_attrs[139])
+#define NR_DA_PKM_CRYPTOSUITE_LIST (&nr_dict_attrs[140])
+#define NR_DA_PKM_SAID (&nr_dict_attrs[141])
+#define NR_DA_PKM_SA_DESCRIPTOR (&nr_dict_attrs[142])
+#define NR_DA_PKM_AUTH_KEY (&nr_dict_attrs[143])
+#define NR_DA_MS_CHAP_RESPONSE (&nr_dict_attrs[256])
+#define NR_DA_MS_CHAP_ERROR (&nr_dict_attrs[257])
+#define NR_DA_MS_MPPE_ENCRYPTION_POLICY (&nr_dict_attrs[258])
+#define NR_DA_MS_MPPE_ENCRYPTION_TYPES (&nr_dict_attrs[259])
+#define NR_DA_MS_CHAP_DOMAIN (&nr_dict_attrs[260])
+#define NR_DA_MS_CHAP_CHALLENGE (&nr_dict_attrs[261])
+#define NR_DA_MS_CHAP_MPPE_KEYS (&nr_dict_attrs[262])
+#define NR_DA_MS_MPPE_SEND_KEY (&nr_dict_attrs[263])
+#define NR_DA_MS_MPPE_RECV_KEY (&nr_dict_attrs[264])
+#define NR_DA_MS_CHAP2_RESPONSE (&nr_dict_attrs[265])
+#define NR_DA_MS_CHAP2_SUCCESS (&nr_dict_attrs[266])
+#define NR_DA_EXAMPLE_INTEGER (&nr_dict_attrs[267])
+#define NR_DA_EXAMPLE_STRING (&nr_dict_attrs[268])
+#define NR_DA_EXAMPLE_IP_ADDRESS (&nr_dict_attrs[269])
+/* Automatically generated file.  Do not edit */
diff --git a/lib/radius/share/dictionary.microsoft b/lib/radius/share/dictionary.microsoft
new file mode 100644
index 0000000..034e5f0
--- /dev/null
+++ b/lib/radius/share/dictionary.microsoft
@@ -0,0 +1,17 @@
+#  A minimal dictionary for Microsoft VSAs
+#
+VENDOR		Microsoft			311
+
+BEGIN-VENDOR	Microsoft
+ATTRIBUTE	MS-CHAP-Response			1	octets
+ATTRIBUTE	MS-CHAP-Error				2	string
+ATTRIBUTE	MS-MPPE-Encryption-Policy		7	octets
+ATTRIBUTE	MS-MPPE-Encryption-Types		8	octets
+ATTRIBUTE	MS-CHAP-Domain				10	string
+ATTRIBUTE	MS-CHAP-Challenge			11	octets
+ATTRIBUTE	MS-CHAP-MPPE-Keys			12	octets  encrypt=1
+ATTRIBUTE	MS-MPPE-Send-Key			16	octets	encrypt=2
+ATTRIBUTE	MS-MPPE-Recv-Key			17	octets	encrypt=2
+ATTRIBUTE	MS-CHAP2-Response			25	octets
+ATTRIBUTE	MS-CHAP2-Success			26	octets
+END-VENDOR	Microsoft
diff --git a/lib/radius/share/dictionary.txt b/lib/radius/share/dictionary.txt
new file mode 100644
index 0000000..e62f8b3
--- /dev/null
+++ b/lib/radius/share/dictionary.txt
@@ -0,0 +1,136 @@
+ATTRIBUTE	User-Name				1	string
+ATTRIBUTE	User-Password				2	string encrypt=1
+ATTRIBUTE	CHAP-Password				3	octets
+ATTRIBUTE	NAS-IP-Address				4	ipaddr
+ATTRIBUTE	NAS-Port				5	integer
+ATTRIBUTE	Service-Type				6	integer
+ATTRIBUTE	Framed-Protocol				7	integer
+ATTRIBUTE	Framed-IP-Address			8	ipaddr
+ATTRIBUTE	Framed-IP-Netmask			9	ipaddr
+ATTRIBUTE	Framed-Routing				10	integer
+ATTRIBUTE	Filter-Id				11	string
+ATTRIBUTE	Framed-MTU				12	integer
+ATTRIBUTE	Framed-Compression			13	integer
+ATTRIBUTE	Login-IP-Host				14	ipaddr
+ATTRIBUTE	Login-Service				15	integer
+ATTRIBUTE	Login-TCP-Port				16	integer
+ATTRIBUTE	Reply-Message				18	string
+ATTRIBUTE	Callback-Number				19	string
+ATTRIBUTE	Callback-Id				20	string
+ATTRIBUTE	Framed-Route				22	string
+ATTRIBUTE	Framed-IPX-Network			23	ipaddr
+ATTRIBUTE	State					24	octets
+ATTRIBUTE	Class					25	octets
+ATTRIBUTE	Vendor-Specific				26	octets
+ATTRIBUTE	Session-Timeout				27	integer
+ATTRIBUTE	Idle-Timeout				28	integer
+ATTRIBUTE	Termination-Action			29	integer
+ATTRIBUTE	Called-Station-Id			30	string
+ATTRIBUTE	Calling-Station-Id			31	string
+ATTRIBUTE	NAS-Identifier				32	string
+ATTRIBUTE	Proxy-State				33	octets
+ATTRIBUTE	Login-LAT-Service			34	string
+ATTRIBUTE	Login-LAT-Node				35	string
+ATTRIBUTE	Login-LAT-Group				36	octets
+ATTRIBUTE	Framed-AppleTalk-Link			37	integer
+ATTRIBUTE	Framed-AppleTalk-Network		38	integer
+ATTRIBUTE	Framed-AppleTalk-Zone			39	string
+ATTRIBUTE	CHAP-Challenge				60	octets
+ATTRIBUTE	NAS-Port-Type				61	integer
+ATTRIBUTE	Port-Limit				62	integer
+ATTRIBUTE	Login-LAT-Port				63	string
+ATTRIBUTE	Acct-Status-Type			40	integer
+ATTRIBUTE	Acct-Delay-Time				41	integer
+ATTRIBUTE	Acct-Input-Octets			42	integer
+ATTRIBUTE	Acct-Output-Octets			43	integer
+ATTRIBUTE	Acct-Session-Id				44	string
+ATTRIBUTE	Acct-Authentic				45	integer
+ATTRIBUTE	Acct-Session-Time			46	integer
+ATTRIBUTE	Acct-Input-Packets			47	integer
+ATTRIBUTE	Acct-Output-Packets			48	integer
+ATTRIBUTE	Acct-Terminate-Cause			49	integer
+ATTRIBUTE	Acct-Multi-Session-Id			50	string
+ATTRIBUTE	Acct-Link-Count				51	integer
+ATTRIBUTE	Acct-Tunnel-Connection			68	string
+ATTRIBUTE	Acct-Tunnel-Packets-Lost		86	integer
+ATTRIBUTE	Tunnel-Type				64	integer	has_tag
+ATTRIBUTE	Tunnel-Medium-Type			65	integer	has_tag
+ATTRIBUTE	Tunnel-Client-Endpoint			66	string	has_tag
+ATTRIBUTE	Tunnel-Server-Endpoint			67	string	has_tag
+ATTRIBUTE	Tunnel-Password				69	string	has_tag,encrypt=2
+ATTRIBUTE	Tunnel-Private-Group-Id			81	string	has_tag
+ATTRIBUTE	Tunnel-Assignment-Id			82	string	has_tag
+ATTRIBUTE	Tunnel-Preference			83	integer	has_tag
+ATTRIBUTE	Tunnel-Client-Auth-Id			90	string	has_tag
+ATTRIBUTE	Tunnel-Server-Auth-Id			91	string	has_tag
+ATTRIBUTE	Acct-Input-Gigawords			52	integer
+ATTRIBUTE	Acct-Output-Gigawords			53	integer
+ATTRIBUTE	Event-Timestamp				55	date
+ATTRIBUTE	ARAP-Password				70	octets[16]
+ATTRIBUTE	ARAP-Features				71	octets[14]
+ATTRIBUTE	ARAP-Zone-Access			72	integer
+ATTRIBUTE	ARAP-Security				73	integer
+ATTRIBUTE	ARAP-Security-Data			74	string
+ATTRIBUTE	Password-Retry				75	integer
+ATTRIBUTE	Prompt					76	integer
+ATTRIBUTE	Connect-Info				77	string
+ATTRIBUTE	Configuration-Token			78	string
+ATTRIBUTE	EAP-Message				79	octets
+ATTRIBUTE	Message-Authenticator			80	octets
+ATTRIBUTE	ARAP-Challenge-Response			84	octets[8]
+ATTRIBUTE	Acct-Interim-Interval			85	integer
+ATTRIBUTE	NAS-Port-Id				87	string
+ATTRIBUTE	Framed-Pool				88	string
+ATTRIBUTE	NAS-IPv6-Address			95	ipv6addr
+ATTRIBUTE	Framed-Interface-Id			96	ifid
+ATTRIBUTE	Framed-IPv6-Prefix			97	ipv6prefix
+ATTRIBUTE	Login-IPv6-Host				98	ipv6addr
+ATTRIBUTE	Framed-IPv6-Route			99	string
+ATTRIBUTE	Framed-IPv6-Pool			100	string
+ATTRIBUTE	Error-Cause				101	integer
+ATTRIBUTE	EAP-Key-Name				102	string
+ATTRIBUTE	Chargeable-User-Identity		89	string
+ATTRIBUTE	Egress-VLANID				56	integer
+ATTRIBUTE	Ingress-Filters				57	integer
+ATTRIBUTE	Egress-VLAN-Name			58	string
+ATTRIBUTE	User-Priority-Table			59	octets 
+ATTRIBUTE	Delegated-IPv6-Prefix			123	ipv6prefix
+ATTRIBUTE	NAS-Filter-Rule				92	string
+ATTRIBUTE	Digest-Response				103	string
+ATTRIBUTE	Digest-Realm				104	string
+ATTRIBUTE	Digest-Nonce				105	string
+ATTRIBUTE	Digest-Response-Auth			106	string
+ATTRIBUTE	Digest-Nextnonce			107	string
+ATTRIBUTE	Digest-Method				108	string
+ATTRIBUTE	Digest-URI				109	string
+ATTRIBUTE	Digest-Qop				110	string
+ATTRIBUTE	Digest-Algorithm			111	string
+ATTRIBUTE	Digest-Entity-Body-Hash			112	string
+ATTRIBUTE	Digest-CNonce				113	string
+ATTRIBUTE	Digest-Nonce-Count			114	string
+ATTRIBUTE	Digest-Username				115	string
+ATTRIBUTE	Digest-Opaque				116	string
+ATTRIBUTE	Digest-Auth-Param			117	string
+ATTRIBUTE	Digest-AKA-Auts				118	string
+ATTRIBUTE	Digest-Domain				119	string
+ATTRIBUTE	Digest-Stale				120	string
+ATTRIBUTE	Digest-HA1				121	string
+ATTRIBUTE	SIP-AOR					122	string
+ATTRIBUTE	Operator-Name				126	string
+ATTRIBUTE	Location-Information			127	octets
+ATTRIBUTE	Location-Data				128	octets
+ATTRIBUTE	Basic-Location-Policy-Rules		129	octets
+ATTRIBUTE	Extended-Location-Policy-Rules		130	octets
+ATTRIBUTE	Location-Capable			131	integer
+ATTRIBUTE	Requested-Location-Info			132	integer
+ATTRIBUTE	Framed-Management			133	integer
+ATTRIBUTE	Management-Transport-Protection		134	integer
+ATTRIBUTE	Management-Policy-Id			135	string
+ATTRIBUTE	Management-Privilege-Level		136	integer
+ATTRIBUTE	PKM-SS-Cert				137	octets
+ATTRIBUTE	PKM-CA-Cert				138	octets
+ATTRIBUTE	PKM-Config-Settings			139	octets
+ATTRIBUTE	PKM-Cryptosuite-List			140	octets
+ATTRIBUTE	PKM-SAID				141	short
+ATTRIBUTE	PKM-SA-Descriptor			142	octets
+ATTRIBUTE	PKM-Auth-Key				143	octets
diff --git a/lib/radius/share/dictionary.vendor b/lib/radius/share/dictionary.vendor
new file mode 100644
index 0000000..571dbc4
--- /dev/null
+++ b/lib/radius/share/dictionary.vendor
@@ -0,0 +1,10 @@
+# a sample vendor-specific dictionary
+
+VENDOR example	   65535
+
+BEGIN-VENDOR example
+ATTRIBUTE Example-Integer	1 integer
+ATTRIBUTE Example-String	2 string
+ATTRIBUTE Example-IP-Address	3 ipaddr
+
+END-VENDOR example
diff --git a/lib/radius/static.c b/lib/radius/static.c
new file mode 100644
index 0000000..d633e5b
--- /dev/null
+++ b/lib/radius/static.c
@@ -0,0 +1,37 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file static.c
+ *  \brief Dummy file to include auto-generating static dictionary mappings.
+ */
+
+#include <networkradius-devel/client.h>
+
+/*
+ *	Include the dynamically generated dictionaries.
+ */
+#include "dictionaries.c"
diff --git a/lib/radius/tests/Makefile b/lib/radius/tests/Makefile
new file mode 100644
index 0000000..b9d74ad
--- /dev/null
+++ b/lib/radius/tests/Makefile
@@ -0,0 +1,25 @@
+#
+#  GNU Makefile
+#
+.PHONY: all clean
+all: radattr
+
+HEADERS		:= ../client.h ../radius.h
+CFLAGS		:= -g
+
+%.o : %.c
+	$(CC) $(CFLAGS) -I.. -I. -c $<
+
+%.o: ${HEADERS}
+
+LIBS	:= -lcrypto -lssl
+LDFLAGS = -L.. -lnetworkradius-client
+
+../libnetworkradius-client.a:
+	@${MAKE} -C .. libnetworkradius-client.a
+
+radattr: radattr.o ../libnetworkradius-client.a
+	${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+clean:
+	@rm -rf *.o *.a *~
diff --git a/lib/radius/tests/radattr.c b/lib/radius/tests/radattr.c
new file mode 100644
index 0000000..d41499a
--- /dev/null
+++ b/lib/radius/tests/radattr.c
@@ -0,0 +1,769 @@
+/*
+ * Copyright (C) 2011 Network RADIUS SARL <info@networkradius.com>
+ *
+ * This software may not be redistributed in any form without the prior
+ * written consent of Network RADIUS.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+#include <ctype.h>
+
+#include <assert.h>
+
+static int packet_code = PW_ACCESS_REQUEST;
+static int packet_id = 1;
+static uint8_t packet_vector[16] = { 0, 0, 0, 0, 0, 0, 0, 0,
+				     0, 0, 0, 0, 0, 0, 0, 0 };
+static char secret[256] = "testing123";
+
+static int encode_tlv(char *buffer, uint8_t *output, size_t outlen);
+
+static const char *hextab = "0123456789abcdef";
+
+static int encode_data_string(char *buffer,
+			      uint8_t *output, size_t outlen)
+{
+	int length = 0;
+	char *p;
+	
+	p = buffer + 1;
+
+	while (*p && (outlen > 0)) {
+		if (*p == '"') {
+			return length;
+		}
+
+		if (*p != '\\') {
+			*(output++) = *(p++);
+			outlen--;
+			length++;
+			continue;
+		}
+
+		switch (p[1]) {
+		default:
+			*(output++) = p[1];
+			break;
+
+		case 'n':
+			*(output++) = '\n';
+			break;
+
+		case 'r':
+			*(output++) = '\r';
+			break;
+
+		case 't':
+			*(output++) = '\t';
+			break;
+		}
+
+		outlen--;
+		length++;
+	}
+
+	fprintf(stderr, "String is not terminated\n");
+	return 0;
+}
+
+static int encode_data_tlv(char *buffer, char **endptr,
+			   uint8_t *output, size_t outlen)
+{
+	int depth = 0;
+	int length;
+	char *p;
+
+	for (p = buffer; *p != '\0'; p++) {
+		if (*p == '{') depth++;
+		if (*p == '}') {
+			depth--;
+			if (depth == 0) break;
+		}
+	}
+
+	if (*p != '}') {
+		fprintf(stderr, "No trailing '}' in string starting "
+			"with \"%s\"\n",
+			buffer);
+		return 0;
+	}
+
+	*endptr = p + 1;
+	*p = '\0';
+	
+	p = buffer + 1;
+	while (isspace((int) *p)) p++;
+	
+	length = encode_tlv(p, output, outlen);
+	if (length == 0) return 0;
+	
+	return length;
+}
+
+static int encode_hex(char *p, uint8_t *output, size_t outlen)
+{
+	int length = 0;
+	while (*p) {
+		char *c1, *c2;
+
+		while (isspace((int) *p)) p++;
+
+		if (!*p) break;
+
+		if(!(c1 = memchr(hextab, tolower((int) p[0]), 16)) ||
+		   !(c2 = memchr(hextab, tolower((int)  p[1]), 16))) {
+			fprintf(stderr, "Invalid data starting at "
+				"\"%s\"\n", p);
+			return 0;
+		}
+
+		*output = ((c1 - hextab) << 4) + (c2 - hextab);
+		output++;
+		length++;
+		p += 2;
+
+		outlen--;
+		if (outlen == 0) {
+			fprintf(stderr, "Too much data\n");
+			return 0;
+		}
+	}
+
+	return length;
+}
+
+
+static int encode_data(char *p, uint8_t *output, size_t outlen)
+{
+	int length;
+
+	if (!isspace((int) *p)) {
+		fprintf(stderr, "Invalid character following attribute "
+			"definition\n");
+		return 0;
+	}
+
+	while (isspace((int) *p)) p++;
+
+	if (*p == '{') {
+		int sublen;
+		char *q;
+
+		length = 0;
+
+		do {
+			while (isspace((int) *p)) p++;
+			if (!*p) {
+				if (length == 0) {
+					fprintf(stderr, "No data\n");
+					return 0;
+				}
+
+				break;
+			}
+
+			sublen = encode_data_tlv(p, &q, output, outlen);
+			if (sublen == 0) return 0;
+
+			length += sublen;
+			output += sublen;
+			outlen -= sublen;
+			p = q;
+		} while (*q);
+
+		return length;
+	}
+
+	if (*p == '"') {
+		length = encode_data_string(p, output, outlen);
+		return length;
+	}
+
+	length = encode_hex(p, output, outlen);
+
+	if (length == 0) {
+		fprintf(stderr, "Empty string\n");
+		return 0;
+	}
+
+	return length;
+}
+
+static int decode_attr(char *buffer, char **endptr)
+{
+	long attr;
+
+	attr = strtol(buffer, endptr, 10);
+	if (*endptr == buffer) {
+		fprintf(stderr, "No valid number found in string "
+			"starting with \"%s\"\n", buffer);
+		return 0;
+	}
+
+	if (!**endptr) {
+		fprintf(stderr, "Nothing follows attribute number\n");
+		return 0;
+	}
+
+	if ((attr <= 0) || (attr > 256)) {
+		fprintf(stderr, "Attribute number is out of valid "
+			"range\n");
+		return 0;
+	}
+
+	return (int) attr;
+}
+
+static int decode_vendor(char *buffer, char **endptr)
+{
+	long vendor;
+
+	if (*buffer != '.') {
+		fprintf(stderr, "Invalid separator before vendor id\n");
+		return 0;
+	}
+
+	vendor = strtol(buffer + 1, endptr, 10);
+	if (*endptr == (buffer + 1)) {
+		fprintf(stderr, "No valid vendor number found\n");
+		return 0;
+	}
+
+	if (!**endptr) {
+		fprintf(stderr, "Nothing follows vendor number\n");
+		return 0;
+	}
+
+	if ((vendor <= 0) || (vendor > (1 << 24))) {
+		fprintf(stderr, "Vendor number is out of valid range\n");
+		return 0;
+	}
+
+	if (**endptr != '.') {
+		fprintf(stderr, "Invalid data following vendor number\n");
+		return 0;
+	}
+	(*endptr)++;
+
+	return (int) vendor;
+}
+
+static int encode_tlv(char *buffer, uint8_t *output, size_t outlen)
+{
+	int attr;
+	int length;
+	char *p;
+
+	attr = decode_attr(buffer, &p);
+	if (attr == 0) return 0;
+
+	output[0] = attr;
+	output[1] = 2;
+
+	if (*p == '.') {
+		p++;
+		length = encode_tlv(p, output + 2, outlen - 2);
+
+	} else {
+		length = encode_data(p, output + 2, outlen - 2);
+	}
+
+	if (length == 0) return 0;
+	if (length > (255 - 2)) {
+		fprintf(stderr, "TLV data is too long\n");
+		return 0;
+	}
+
+	output[1] += length;
+
+	return length + 2;
+}
+
+static int encode_vsa(char *buffer, uint8_t *output, size_t outlen)
+{
+	int vendor;
+	int length;
+	char *p;
+
+	vendor = decode_vendor(buffer, &p);
+	if (vendor == 0) return 0;
+
+	output[0] = 0;
+	output[1] = (vendor >> 16) & 0xff;
+	output[2] = (vendor >> 8) & 0xff;
+	output[3] = vendor & 0xff;
+
+	length = encode_tlv(p, output + 4, outlen - 4);
+	if (length == 0) return 0;
+	if (length > (255 - 6)) {
+		fprintf(stderr, "VSA data is too long\n");
+		return 0;
+	}
+
+
+	return length + 4;
+}
+
+static int encode_evs(char *buffer, uint8_t *output, size_t outlen)
+{
+	int vendor;
+	int attr;
+	int length;
+	char *p;
+
+	vendor = decode_vendor(buffer, &p);
+	if (vendor == 0) return 0;
+
+	attr = decode_attr(p, &p);
+	if (attr == 0) return 0;
+
+	output[0] = 0;
+	output[1] = (vendor >> 16) & 0xff;
+	output[2] = (vendor >> 8) & 0xff;
+	output[3] = vendor & 0xff;
+	output[4] = attr;
+
+	length = encode_data(p, output + 5, outlen - 5);
+	if (length == 0) return 0;
+
+	return length + 5;
+}
+
+static int encode_extended(char *buffer,
+			   uint8_t *output, size_t outlen)
+{
+	int attr;
+	int length;
+	char *p;
+	
+	attr = decode_attr(buffer, &p);
+	if (attr == 0) return 0;
+
+	output[0] = attr;
+
+	if (attr == 26) {
+		length = encode_evs(p, output + 1, outlen - 1);
+	} else {
+		length = encode_data(p, output + 1, outlen - 1);
+	}
+	if (length == 0) return 0;
+	if (length > (255 - 3)) {
+		fprintf(stderr, "Extended Attr data is too long\n");
+		return 0;
+	}
+
+	return length + 1;
+}
+
+static int encode_extended_flags(char *buffer,
+				 uint8_t *output, size_t outlen)
+{
+	int attr;
+	int length, total;
+	char *p;
+	
+	attr = decode_attr(buffer, &p);
+	if (attr == 0) return 0;
+
+	/* output[0] is the extended attribute */
+	output[1] = 4;
+	output[2] = attr;
+	output[3] = 0;
+
+	if (attr == 26) {
+		length = encode_evs(p, output + 4, outlen - 4);
+		if (length == 0) return 0;
+
+		output[1] += 5;
+		length -= 5;
+	} else {
+		length = encode_data(p, output + 4, outlen - 4);
+	}
+	if (length == 0) return 0;
+
+	total = 0;
+	while (1) {
+		int sublen = 255 - output[1];
+
+		if (length <= sublen) {
+			output[1] += length;
+			total += output[1];
+			break;
+		}
+
+		length -= sublen;
+
+		memmove(output + 255 + 4, output + 255, length);
+		memcpy(output + 255, output, 4);
+
+		output[1] = 255;
+		output[3] |= 0x80;
+
+		output += 255;
+		output[1] = 4;
+		total += 255;
+	}
+
+	return total;
+}
+
+static int encode_rfc(char *buffer, uint8_t *output, size_t outlen)
+{
+	int attr;
+	int length, sublen;
+	char *p;
+
+	attr = decode_attr(buffer, &p);
+	if (attr == 0) return 0;
+
+	length = 2;
+	output[0] = attr;
+	output[1] = 2;
+
+	if (attr == 26) {
+		sublen = encode_vsa(p, output + 2, outlen - 2);
+
+	} else if ((attr < 241) || (attr > 246)) {
+		sublen = encode_data(p, output + 2, outlen - 2);
+
+	} else {
+		if (*p != '.') {
+			fprintf(stderr, "Invalid data following "
+				"attribute number\n");
+			return 0;
+		}
+
+		if (attr < 245) {
+			sublen = encode_extended(p + 1,
+						 output + 2, outlen - 2);
+		} else {
+
+			/*
+			 *	Not like the others!
+			 */
+			return encode_extended_flags(p + 1, output, outlen);
+		}
+	}
+	if (sublen == 0) return 0;
+	if (sublen > (255 -2)) {
+		fprintf(stderr, "RFC Data is too long\n");
+		return 0;
+	}
+
+	output[1] += sublen;
+	return length + sublen;
+}
+
+static int walk_callback(void *ctx, const DICT_ATTR *da,
+			 const uint8_t *data, size_t sizeof_data)
+{
+	char **p = ctx;
+
+	sprintf(*p, "v%u a%u l%ld,",
+		da->vendor, da->attr, sizeof_data);
+
+	*p += strlen(*p);
+}
+
+static void process_file(const char *filename)
+{
+	int lineno, rcode;
+	size_t i, outlen;
+	ssize_t len, data_len;
+	FILE *fp;
+	RADIUS_PACKET packet;
+	char input[8192], buffer[8192];
+	char output[8192];
+	uint8_t *attr, data[2048];
+
+	if (strcmp(filename, "-") == 0) {
+		fp = stdin;
+		filename = "<stdin>";
+
+	} else {
+		fp = fopen(filename, "r");
+		if (!fp) {
+			fprintf(stderr, "Error opening %s: %s\n",
+				filename, strerror(errno));
+			exit(1);
+		}
+	}
+
+	lineno = 0;
+	*output = '\0';
+	data_len = 0;
+
+	while (fgets(buffer, sizeof(buffer), fp) != NULL) {
+		char *p = strchr(buffer, '\n');
+		VALUE_PAIR *vp, *head = NULL;
+		VALUE_PAIR **tail = &head;
+
+		lineno++;
+
+		if (!p) {
+			if (!feof(fp)) {
+				fprintf(stderr, "Line %d too long in %s\n",
+					lineno, filename);
+				exit(1);
+			}
+		} else {
+			*p = '\0';
+		}
+
+		p = strchr(buffer, '#');
+		if (p) *p = '\0';
+
+		p = buffer;
+		while (isspace((int) *p)) p++;
+		if (!*p) continue;
+
+		strcpy(input, p);
+
+		if (strncmp(p, "raw ", 4) == 0) {
+			outlen = encode_rfc(p + 4, data, sizeof(data));
+			if (outlen == 0) {
+				fprintf(stderr, "Parse error in line %d of %s\n",
+					lineno, filename);
+				exit(1);
+			}
+
+		print_hex:
+			if (outlen == 0) {
+				output[0] = 0;
+				continue;
+			}
+
+			data_len = outlen;
+			for (i = 0; i < outlen; i++) {
+				snprintf(output + 3*i, sizeof(output),
+					 "%02x ", data[i]);
+			}
+			outlen = strlen(output);
+			output[outlen - 1] = '\0';
+			continue;
+		}
+
+		if (strncmp(p, "data ", 5) == 0) {
+			if (strcmp(p + 5, output) != 0) {
+				fprintf(stderr, "Mismatch in line %d of %s, expected: %s\n",
+					lineno, filename, output);
+				exit(1);
+			}
+			continue;
+		}
+
+		head = NULL;
+		if (strncmp(p, "encode ", 7) == 0) {
+			if (strcmp(p + 7, "-") == 0) {
+				p = output;
+			} else {
+				p += 7;
+			}
+
+			rcode = nr_vp_sscanf(p, &head);
+			if (rcode < 0) {
+				strcpy(output, nr_strerror(rcode));
+				continue;
+			}
+
+			attr = data;
+			vp = head;
+			while (vp != NULL) {
+				len = nr_vp2attr(NULL, NULL, &vp,
+						 attr, sizeof(data) - (attr - data));
+				if (len < 0) {
+					fprintf(stderr, "Failed encoding %s: %s\n",
+						vp->da->name, nr_strerror(len));
+					exit(1);
+				}
+
+				attr += len;
+				if (len == 0) break;
+			}
+			
+			nr_vp_free(&head);
+			outlen = len;
+			goto print_hex;
+		}
+
+		if (strncmp(p, "decode ", 7) == 0) {
+			ssize_t my_len;
+
+			if (strcmp(p + 7, "-") == 0) {
+				attr = data;
+				len = data_len;
+			} else {
+				attr = data;
+				len = encode_hex(p + 7, data, sizeof(data));
+				if (len == 0) {
+					fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+					exit(1);
+				}
+			}
+
+			while (len > 0) {
+				vp = NULL;
+				my_len = nr_attr2vp(NULL, NULL,
+						     attr, len, &vp);
+				if (my_len < 0) {
+					nr_vp_free(&head);
+					break;
+				}
+
+				if (my_len > len) {
+					fprintf(stderr, "Internal sanity check failed at %d\n", __LINE__);
+					exit(1);
+				}
+
+				*tail = vp;
+				while (vp) {
+					tail = &(vp->next);
+					vp = vp->next;
+				}				
+
+				attr += my_len;
+				len -= my_len;				
+			}
+
+			/*
+			 *	Output may be an error, and we ignore
+			 *	it if so.
+			 */
+			if (head) {
+				p = output;
+				for (vp = head; vp != NULL; vp = vp->next) {
+					nr_vp_snprintf(p, sizeof(output) - (p - output), vp);
+					p += strlen(p);
+					
+					if (vp->next) {strcpy(p, ", ");
+						p += 2;
+					}
+				}
+				
+				nr_vp_free(&head);
+			} else if (my_len < 0) {
+				strcpy(output, nr_strerror(my_len));
+
+			} else { /* zero-length attribute */
+				*output = '\0';
+			}
+			continue;
+		}
+
+		if (strncmp(p, "walk ", 5) == 0) {
+			len = encode_hex(p + 5, data + 20, sizeof(data) - 20);
+
+			if (len == 0) {
+				fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+				exit(1);
+			}
+
+			memset(data, 0, 20);
+			packet.data = data;
+			packet.length = len + 20;
+			packet.data[2] = ((len + 20) >> 8) & 0xff;
+			packet.data[3] = (len + 20) & 0xff;
+
+			*output = '\0';
+			p = output;
+
+			rcode = nr_packet_walk(&packet, &p, walk_callback);
+			if (rcode < 0) {
+				snprintf(output, sizeof(output), "%d", rcode);
+				continue;
+			}
+
+			if (*output) output[strlen(output) - 1] = '\0';
+			continue;
+		}
+
+		if (strncmp(p, "$INCLUDE ", 9) == 0) {
+			p += 9;
+			while (isspace((int) *p)) p++;
+
+			process_file(p);
+			continue;
+		}
+
+		if (strncmp(p, "secret ", 7) == 0) {
+			strlcpy(secret, p + 7, sizeof(secret));
+			strlcpy(output, secret, sizeof(output));
+			continue;
+		}
+
+		if (strncmp(p, "code ", 5) == 0) {
+			packet_code = atoi(p + 5);
+			snprintf(output, sizeof(output), "%u", packet_code);
+			continue;
+		}
+
+		if (strncmp(p, "sign ", 5) == 0) {
+			len = encode_hex(p + 5, data + 20, sizeof(data) - 20);
+			if (len == 0) {
+				fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+				exit(1);
+			}
+
+			memset(&packet, 0, sizeof(packet));
+			packet.secret = secret;
+			packet.sizeof_secret = strlen(secret);
+			packet.code = packet_code;
+			packet.id = packet_id;
+			memcpy(packet.vector, packet_vector, 16);
+			packet.data = data;
+			packet.length = len + 20;
+
+			/*
+			 *	Hack encode the packet.
+			 */
+			packet.data[0] = packet_code;
+			packet.data[1] = packet_id;
+			packet.data[2] = ((len + 20) >> 8) & 0xff;
+			packet.data[3] = (len + 20) & 0xff;
+			memcpy(packet.data + 4, packet_vector, 16);
+
+			rcode = nr_packet_sign(&packet, NULL);
+			if (rcode < 0) {
+				snprintf(output, sizeof(output), "%d", rcode);
+				continue;
+			}
+
+			memcpy(data, packet.vector, sizeof(packet.vector));
+			outlen = sizeof(packet.vector);
+			goto print_hex;
+		}
+
+		fprintf(stderr, "Unknown input at line %d of %s\n",
+			lineno, filename);
+		exit(1);
+	}
+
+	if (fp != stdin) fclose(fp);
+}
+
+int main(int argc, char *argv[])
+{
+	int c;
+
+	if (argc < 2) {
+		process_file("-");
+		
+	} else {
+		process_file(argv[1]);
+	}
+
+	return 0;
+}
diff --git a/lib/radius/tests/rfc.txt b/lib/radius/tests/rfc.txt
new file mode 100644
index 0000000..d8bd613
--- /dev/null
+++ b/lib/radius/tests/rfc.txt
@@ -0,0 +1,144 @@
+#  All attribute lengths are implicit, and are calculated automatically
+#
+#  Input is of the form:
+#
+#	WORD ...
+#
+#  The WORD is a keyword which indicates the format of the following text.
+#  WORD is one of:
+#
+#	raw - read the grammar defined below, and encode an attribute.
+#	      The grammer supports a trivial way of describing RADIUS
+#	      attributes, without reference to dictionaries or fancy
+#	      parsers
+#
+#	encode - reads "Attribute-Name = value", encodes it, and prints
+#	         the result as text.
+#		use "-" to encode the output of the last command
+#
+#	decode - reads hex, and decodes it "Attribute-Name = value"
+#		use "-" to decode the output of the last command
+#
+#	data - the expected output of the previous command, in ASCII form.
+#	       if the actual command output is different, an error message
+#	       is produced, and the program terminates.
+#
+#
+#  The "raw" input satisfies the following grammar:
+#
+#	Identifier = 1*DIGIT *( "." 1*DIGIT )
+#
+#	HEXCHAR = HEXDIG HEXDIG 
+#
+#	STRING = DQUOTE *CHAR DQUOTE
+#
+#	TLV = "{" 1*DIGIT DATA "}"
+#
+#	DATA = 1*HEXCHAR / 1*TLV / STRING
+#
+#	LINE = Identifier DATA
+#
+#  The "Identifier" is a RADIUS attribute identifier, as given in the draft.
+#
+#	e.g.	1		for User-Name
+#		26.9.1		Vendor-Specific, Cisco, Cisco-AVPAir
+#		241.1		Extended Attribute, number 1
+#		241.2.3		Extended Attribute 2, data type TLV, TLV type 3
+#		etc.
+#
+#  The "DATA" portion is the contents of the RADIUS Attribute.
+#
+#		123456789abcdef hex string
+#		12 34 56 ab	with spaces for clarity
+#		"hello"	 	Text string
+#		{ 1 abcdef }	TLV, TLV-Type 1, data "abcdef"
+#
+#  TLVs can be nested:
+#
+#	{ tlv-type { tlv-type data } }		{ 3 { 4 01020304 } }
+#
+#  TLVs can be concatencated
+#
+#	{tlv-type data } { tlv-type data}	{ 3 040506 } { 8 aabbcc }
+#
+#  The "raw" data is encoded without reference to dictionaries.  Any
+#  valid string is parsed to a RADIUS attribute.  The resulting RADIUS
+#  attribute *may not* be correctly formatted to the relevant RADIUS
+#  specifications.  i.e. you can use this tool to create attribute 1
+#  (User-Name), which is encoded as a series of TLVs.  That's up to you.
+#
+#  The purpose of the "raw" command is to have a simple way of encoding
+#  attributes which is independent of any dictionaries or packet processing
+#  routines.
+#
+#  The output data is the hex version of the encoded attribute.
+#
+
+encode User-Name = bob
+data 01 05 62 6f 62
+
+decode -
+data User-Name = "bob"
+
+decode 01 05 62 6f 62
+data User-Name = "bob"
+
+#
+#  The Type/Length is OK, but the attribute data is of the wrong size.
+#
+decode 04 04 ab cd
+data Attr-4 = 0xabcd
+
+#  Zero-length attributes
+decode 01 02
+data 
+
+# don't encode zero-length attributes
+#encode User-Name = ""
+#data 
+
+# except for CUI.  Thank you, WiMAX!
+decode 59 02
+data Chargeable-User-Identity = ""
+
+# Hah! Thought you had it figured out, didn't you?
+#encode -
+#data 59 02
+
+encode NAS-Port = 10
+data 05 06 00 00 00 0a
+
+decode -
+data NAS-Port = 10
+
+walk 05 06 00 00 00 0a
+data v0 a5 l4
+
+walk 05 06 00 00 00 0a 02 06 00 00 00 0a
+data v0 a5 l4,v0 a2 l4
+
+walk 1a 0c 00 00 00 01 05 06 00 00 00 0a
+data v1 a5 l4
+
+walk 1a 12 00 00 00 01 05 06 00 00 00 0a 03 06 00 00 00 0a
+data v1 a5 l4,v1 a3 l4
+
+# Access-Request, code 1, authentication vector of zero
+sign 05 06 00 00 00 0a
+data 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+code 4
+
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
+
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
+
+secret hello
+sign 05 06 00 00 00 0a
+data 69 20 c0 b9 e1 2f 12 54 9f 92 16 5e f4 64 9b fd
+
+secret testing123
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c
new file mode 100644
index 0000000..603a970
--- /dev/null
+++ b/lib/radius/valuepair.c
@@ -0,0 +1,199 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file valuepair.c
+ *  \brief Functions to manipulate C structure versions of RADIUS attributes.
+ */
+
+#include <networkradius-devel/client.h>
+
+void nr_vp_free(VALUE_PAIR **head)
+{
+	VALUE_PAIR	*next, *vp;
+
+	if (!head || !*head) return;
+
+	vp = *head;
+	do {
+		if (vp) next = vp->next;
+		if (vp->da->flags.encrypt) {
+			memset(vp, 0, sizeof(vp));
+		}
+		free(vp);
+		vp = next;
+	} while (next);
+
+	*head = NULL;
+}
+
+
+VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da)
+{
+	memset(vp, 0, sizeof(*vp));
+	
+	vp->da = da;
+	vp->length = da->flags.length;
+
+	return vp;
+}
+
+
+VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da)
+{
+	VALUE_PAIR *vp = NULL;
+
+	if (!da) {
+		nr_strerror_printf("Unknown attribute");
+		return NULL;
+	}
+
+#ifndef NR_NO_MALLOC
+	vp = malloc(sizeof(*vp));
+#endif
+	if (!vp) {
+		nr_strerror_printf("Out of memory");
+		return NULL;
+	}
+
+	return nr_vp_init(vp, da);
+}
+
+VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor)
+{
+	VALUE_PAIR *vp = NULL;
+	DICT_ATTR *da;
+
+#ifndef NR_NO_MALLOC
+	vp = malloc(sizeof(*vp) + sizeof(*da) + 64);
+#endif
+	if (!vp) {
+		nr_strerror_printf("Out of memory");
+		return NULL;
+	}
+	memset(vp, 0, sizeof(*vp));
+
+	da = (DICT_ATTR *) (vp + 1);
+
+	if (nr_dict_attr_2struct(da, attr, vendor, (char *) (da + 1), 64) < 0) {
+		free(vp);
+		return NULL;
+	}
+
+	vp->da = da;
+
+	return vp;
+}
+
+int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data)
+{
+	int rcode = 1;		/* OK */
+
+	if (!vp || !data || (sizeof_data == 0)) return -NR_ERR_INVALID_ARG;
+
+	switch (vp->da->type) {
+	case NR_TYPE_BYTE:
+		vp->vp_integer = *(const uint8_t *) data;
+		break;
+		
+	case NR_TYPE_SHORT:
+		vp->vp_integer = *(const uint16_t *) data;
+		break;
+		
+	case NR_TYPE_INTEGER:
+	case NR_TYPE_DATE:
+	case NR_TYPE_IPADDR:
+		vp->vp_integer = *(const uint32_t *) data;
+		break;
+		
+	case NR_TYPE_STRING:
+		if (sizeof_data >= sizeof(vp->vp_strvalue)) {
+			sizeof_data = sizeof(vp->vp_strvalue) - 1;
+			rcode = 0; /* truncated */
+		}
+
+		memcpy(vp->vp_strvalue, (const char *) data, sizeof_data);
+		vp->vp_strvalue[sizeof_data + 1] = '\0';
+		vp->length = sizeof_data;
+		break;
+		
+	case NR_TYPE_OCTETS:
+		if (sizeof_data > sizeof(vp->vp_octets)) {
+			sizeof_data = sizeof(vp->vp_octets);
+			rcode = 0; /* truncated */
+		}
+		memcpy(vp->vp_octets, data, sizeof_data);
+		vp->length = sizeof_data;
+		break;
+		
+	default:
+		return -NR_ERR_ATTR_TYPE_UNKNOWN;
+	}
+
+	return rcode;
+}
+
+VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, size_t data_len)
+{
+	const DICT_ATTR	*da;
+	VALUE_PAIR *vp;
+
+	da = nr_dict_attr_byvalue(attr, vendor);
+	if (!da) return NULL;
+
+	vp = nr_vp_alloc(da);
+	if (!vp) return NULL;
+	
+	if (nr_vp_set_data(vp, data, data_len) < 0) {
+		nr_vp_free(&vp);
+		return NULL;
+	}
+
+	return vp;
+}
+
+void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *tail)
+{
+	if (!tail) return;
+
+	while (*head) {
+		head = &((*head)->next);
+	}
+
+	*head = tail;
+}
+
+VALUE_PAIR *nr_vps_find(VALUE_PAIR *head,
+		     unsigned int attr, unsigned int vendor)
+{
+	while (head) {
+		if ((head->da->attr == attr) &&
+		    (head->da->vendor == vendor)) return head;
+		head = head->next;
+	}
+
+	return NULL;
+}
-- 
cgit v1.1