127 files changed, 19908 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..21c7ed0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,21 @@
+/bin
+/jni/iodine/src/*.o
+/jni/iodine/bin
+/obj
+/libs
+/gen
+jni/iodine/src/base64u.c
+jni/iodine/src/base64u.h
+tests/gen
+
+# eclipse
+.project
+.classpath
+
+# Android Studio
+.idea
+
+# ant
+out
+build.xml
+local.properties
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
new file mode 100644
index 0000000..9129320
--- /dev/null
+++ b/AndroidManifest.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          package="org.xapek.andiodine"
+          android:versionCode="1"
+          android:versionName="1.0">
+
+    <uses-sdk
+            android:minSdkVersion="14"
+            android:targetSdkVersion="16"/>
+
+    <uses-permission android:name="android.permission.INTERNET"/>
+
+    <application
+            android:allowBackup="false"
+            android:icon="@drawable/logo"
+            android:label="@string/app_name"
+            android:logo="@drawable/logo">
+        <activity
+                android:name="org.xapek.andiodine.IodineMain"
+                android:label="@string/app_name"
+                android:screenOrientation="portrait">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN"/>
+
+                <category android:name="android.intent.category.LAUNCHER"/>
+            </intent-filter>
+        </activity>
+        <activity
+                android:name="org.xapek.andiodine.IodinePref"
+                android:label="@string/pref_title"
+                android:launchMode="singleTop"
+                android:logo="@drawable/logo">
+        </activity>
+
+        <service
+                android:name=".IodineVpnService"
+                android:permission="android.permission.BIND_VPN_SERVICE">
+            <intent-filter>
+                <action android:name="android.net.VpnService"/>
+            </intent-filter>
+        </service>
+    </application>
+</manifest>
\ No newline at end of file
diff --git a/BUGS b/BUGS
new file mode 100644
index 0000000..a660555
--- /dev/null
+++ b/BUGS
@@ -0,0 +1,19 @@
+E/AndroidRuntime( 1505): FATAL EXCEPTION: main
+E/AndroidRuntime( 1505): java.lang.RuntimeException: Error receiving broadcast Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_IDLE flg=0x10 } in org.xapek.andiodine.IodineMain$1@40f33f68
+E/AndroidRuntime( 1505):        at android.app.LoadedApk$ReceiverDispatcher$Args.run(LoadedApk.java)
+E/AndroidRuntime( 1505):        at android.os.Handler.handleCallback(Handler.java)
+E/AndroidRuntime( 1505):        at android.os.Handler.dispatchMessage(Handler.java)
+E/AndroidRuntime( 1505):        at android.os.Looper.loop(Looper.java)
+E/AndroidRuntime( 1505):        at android.app.ActivityThread.main(ActivityThread.java)
+E/AndroidRuntime( 1505):        at java.lang.reflect.Method.invokeNative(Native Method)
+E/AndroidRuntime( 1505):        at java.lang.reflect.Method.invoke(Method.java)
+E/AndroidRuntime( 1505):        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java)
+E/AndroidRuntime( 1505):        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java)
+E/AndroidRuntime( 1505):        at dalvik.system.NativeStart.main(Native Method)
+E/AndroidRuntime( 1505): Caused by: java.lang.IllegalStateException: Can not perform this action after onSaveInstanceState
+E/AndroidRuntime( 1505):        at android.app.FragmentManagerImpl.checkStateLoss(FragmentManager.java)
+E/AndroidRuntime( 1505):        at android.app.FragmentManagerImpl.enqueueAction(FragmentManager.java)
+E/AndroidRuntime( 1505):        at android.app.BackStackRecord.commitInternal(BackStackRecord.java)
+E/AndroidRuntime( 1505):        at android.app.BackStackRecord.commit(BackStackRecord.java)
+E/AndroidRuntime( 1505):        at org.xapek.andiodine.IodineMain$1.onReceive(IodineMain.java:41)
+E/AndroidRuntime( 1505):        ... 10 more
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..749e157
--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+Dies ist eine Portierung von iodine (http://code.kryo.se/iodine/)
+auf Android
+
+# Dokumentation
+
+  - [Anwenderdokumentation](doc/anwenderdoku.html) [(PDF)](doc/anwenderdoku.pdf)
+  - [Entwicklerdokumentation](doc/entwicklerdoku.html) [(PDF)](doc/entwicklerdoku.pdf)
+
+# Authos and License
+Android Iodine Copyright (c) 2013 Yves Fischer <yvesf+andiodine@xapek.org>
+Same license as iodine.
+
+Iodine Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+Also major contributions by Anne Bezemer.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+
+MD5 implementation by L. Peter Deutsch (license and source in src/md5.[ch])
+Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
+
diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 0000000..a63612e
--- /dev/null
+++ b/doc/Makefile
@@ -0,0 +1,11 @@
+# aptitude install texlive-lang-cyrillic txt
+
+all: anwenderdoku.pdf anwenderdoku.html entwicklerdoku.pdf entwicklerdoku.html
+
+%.html: %.txt bilder/*
+	asciidoc -o $@ $*.txt
+
+%.pdf: %.txt bilder/*
+	a2x -v -a encoding=utf-8 -a lang=de --dblatex-opts='-Platex.output.revhistory=0 -P latex.encoding=utf8 -P latex.unicode.use=1' $*.txt
+
+
diff --git a/doc/anwenderdoku.html b/doc/anwenderdoku.html
new file mode 100644
index 0000000..02abb35
--- /dev/null
+++ b/doc/anwenderdoku.html
@@ -0,0 +1,1070 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de">

+<head>

+<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />

+<meta name="generator" content="AsciiDoc 8.6.7" />

+<title>Android Iodine Anwenderdokumentation</title>

+<style type="text/css">

+/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

+

+/* Default font. */

+body {

+  font-family: Georgia,serif;

+}

+

+/* Title font. */

+h1, h2, h3, h4, h5, h6,

+div.title, caption.title,

+thead, p.table.header,

+#toctitle,

+#author, #revnumber, #revdate, #revremark,

+#footer {

+  font-family: Arial,Helvetica,sans-serif;

+}

+

+body {

+  margin: 1em 5% 1em 5%;

+}

+

+a {

+  color: blue;

+  text-decoration: underline;

+}

+a:visited {

+  color: fuchsia;

+}

+

+em {

+  font-style: italic;

+  color: navy;

+}

+

+strong {

+  font-weight: bold;

+  color: #083194;

+}

+

+h1, h2, h3, h4, h5, h6 {

+  color: #527bbd;

+  margin-top: 1.2em;

+  margin-bottom: 0.5em;

+  line-height: 1.3;

+}

+

+h1, h2, h3 {

+  border-bottom: 2px solid silver;

+}

+h2 {

+  padding-top: 0.5em;

+}

+h3 {

+  float: left;

+}

+h3 + * {

+  clear: left;

+}

+h5 {

+  font-size: 1.0em;

+}

+

+div.sectionbody {

+  margin-left: 0;

+}

+

+hr {

+  border: 1px solid silver;

+}

+

+p {

+  margin-top: 0.5em;

+  margin-bottom: 0.5em;

+}

+

+ul, ol, li > p {

+  margin-top: 0;

+}

+ul > li     { color: #aaa; }

+ul > li > * { color: black; }

+

+pre {

+  padding: 0;

+  margin: 0;

+}

+

+#author {

+  color: #527bbd;

+  font-weight: bold;

+  font-size: 1.1em;

+}

+#email {

+}

+#revnumber, #revdate, #revremark {

+}

+

+#footer {

+  font-size: small;

+  border-top: 2px solid silver;

+  padding-top: 0.5em;

+  margin-top: 4.0em;

+}

+#footer-text {

+  float: left;

+  padding-bottom: 0.5em;

+}

+#footer-badges {

+  float: right;

+  padding-bottom: 0.5em;

+}

+

+#preamble {

+  margin-top: 1.5em;

+  margin-bottom: 1.5em;

+}

+div.imageblock, div.exampleblock, div.verseblock,

+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,

+div.admonitionblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+div.admonitionblock {

+  margin-top: 2.0em;

+  margin-bottom: 2.0em;

+  margin-right: 10%;

+  color: #606060;

+}

+

+div.content { /* Block element content. */

+  padding: 0;

+}

+

+/* Block element titles. */

+div.title, caption.title {

+  color: #527bbd;

+  font-weight: bold;

+  text-align: left;

+  margin-top: 1.0em;

+  margin-bottom: 0.5em;

+}

+div.title + * {

+  margin-top: 0;

+}

+

+td div.title:first-child {

+  margin-top: 0.0em;

+}

+div.content div.title:first-child {

+  margin-top: 0.0em;

+}

+div.content + div.title {

+  margin-top: 0.0em;

+}

+

+div.sidebarblock > div.content {

+  background: #ffffee;

+  border: 1px solid #dddddd;

+  border-left: 4px solid #f0f0f0;

+  padding: 0.5em;

+}

+

+div.listingblock > div.content {

+  border: 1px solid #dddddd;

+  border-left: 5px solid #f0f0f0;

+  background: #f8f8f8;

+  padding: 0.5em;

+}

+

+div.quoteblock, div.verseblock {

+  padding-left: 1.0em;

+  margin-left: 1.0em;

+  margin-right: 10%;

+  border-left: 5px solid #f0f0f0;

+  color: #888;

+}

+

+div.quoteblock > div.attribution {

+  padding-top: 0.5em;

+  text-align: right;

+}

+

+div.verseblock > pre.content {

+  font-family: inherit;

+  font-size: inherit;

+}

+div.verseblock > div.attribution {

+  padding-top: 0.75em;

+  text-align: left;

+}

+/* DEPRECATED: Pre version 8.2.7 verse style literal block. */

+div.verseblock + div.attribution {

+  text-align: left;

+}

+

+div.admonitionblock .icon {

+  vertical-align: top;

+  font-size: 1.1em;

+  font-weight: bold;

+  text-decoration: underline;

+  color: #527bbd;

+  padding-right: 0.5em;

+}

+div.admonitionblock td.content {

+  padding-left: 0.5em;

+  border-left: 3px solid #dddddd;

+}

+

+div.exampleblock > div.content {

+  border-left: 3px solid #dddddd;

+  padding-left: 0.5em;

+}

+

+div.imageblock div.content { padding-left: 0; }

+span.image img { border-style: none; }

+a.image:visited { color: white; }

+

+dl {

+  margin-top: 0.8em;

+  margin-bottom: 0.8em;

+}

+dt {

+  margin-top: 0.5em;

+  margin-bottom: 0;

+  font-style: normal;

+  color: navy;

+}

+dd > *:first-child {

+  margin-top: 0.1em;

+}

+

+ul, ol {

+    list-style-position: outside;

+}

+ol.arabic {

+  list-style-type: decimal;

+}

+ol.loweralpha {

+  list-style-type: lower-alpha;

+}

+ol.upperalpha {

+  list-style-type: upper-alpha;

+}

+ol.lowerroman {

+  list-style-type: lower-roman;

+}

+ol.upperroman {

+  list-style-type: upper-roman;

+}

+

+div.compact ul, div.compact ol,

+div.compact p, div.compact p,

+div.compact div, div.compact div {

+  margin-top: 0.1em;

+  margin-bottom: 0.1em;

+}

+

+tfoot {

+  font-weight: bold;

+}

+td > div.verse {

+  white-space: pre;

+}

+

+div.hdlist {

+  margin-top: 0.8em;

+  margin-bottom: 0.8em;

+}

+div.hdlist tr {

+  padding-bottom: 15px;

+}

+dt.hdlist1.strong, td.hdlist1.strong {

+  font-weight: bold;

+}

+td.hdlist1 {

+  vertical-align: top;

+  font-style: normal;

+  padding-right: 0.8em;

+  color: navy;

+}

+td.hdlist2 {

+  vertical-align: top;

+}

+div.hdlist.compact tr {

+  margin: 0;

+  padding-bottom: 0;

+}

+

+.comment {

+  background: yellow;

+}

+

+.footnote, .footnoteref {

+  font-size: 0.8em;

+}

+

+span.footnote, span.footnoteref {

+  vertical-align: super;

+}

+

+#footnotes {

+  margin: 20px 0 20px 0;

+  padding: 7px 0 0 0;

+}

+

+#footnotes div.footnote {

+  margin: 0 0 5px 0;

+}

+

+#footnotes hr {

+  border: none;

+  border-top: 1px solid silver;

+  height: 1px;

+  text-align: left;

+  margin-left: 0;

+  width: 20%;

+  min-width: 100px;

+}

+

+div.colist td {

+  padding-right: 0.5em;

+  padding-bottom: 0.3em;

+  vertical-align: top;

+}

+div.colist td img {

+  margin-top: 0.3em;

+}

+

+@media print {

+  #footer-badges { display: none; }

+}

+

+#toc {

+  margin-bottom: 2.5em;

+}

+

+#toctitle {

+  color: #527bbd;

+  font-size: 1.1em;

+  font-weight: bold;

+  margin-top: 1.0em;

+  margin-bottom: 0.1em;

+}

+

+div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {

+  margin-top: 0;

+  margin-bottom: 0;

+}

+div.toclevel2 {

+  margin-left: 2em;

+  font-size: 0.9em;

+}

+div.toclevel3 {

+  margin-left: 4em;

+  font-size: 0.9em;

+}

+div.toclevel4 {

+  margin-left: 6em;

+  font-size: 0.9em;

+}

+

+span.aqua { color: aqua; }

+span.black { color: black; }

+span.blue { color: blue; }

+span.fuchsia { color: fuchsia; }

+span.gray { color: gray; }

+span.green { color: green; }

+span.lime { color: lime; }

+span.maroon { color: maroon; }

+span.navy { color: navy; }

+span.olive { color: olive; }

+span.purple { color: purple; }

+span.red { color: red; }

+span.silver { color: silver; }

+span.teal { color: teal; }

+span.white { color: white; }

+span.yellow { color: yellow; }

+

+span.aqua-background { background: aqua; }

+span.black-background { background: black; }

+span.blue-background { background: blue; }

+span.fuchsia-background { background: fuchsia; }

+span.gray-background { background: gray; }

+span.green-background { background: green; }

+span.lime-background { background: lime; }

+span.maroon-background { background: maroon; }

+span.navy-background { background: navy; }

+span.olive-background { background: olive; }

+span.purple-background { background: purple; }

+span.red-background { background: red; }

+span.silver-background { background: silver; }

+span.teal-background { background: teal; }

+span.white-background { background: white; }

+span.yellow-background { background: yellow; }

+

+span.big { font-size: 2em; }

+span.small { font-size: 0.6em; }

+

+span.underline { text-decoration: underline; }

+span.overline { text-decoration: overline; }

+span.line-through { text-decoration: line-through; }

+

+div.unbreakable { page-break-inside: avoid; }

+

+

+/*

+ * xhtml11 specific

+ *

+ * */

+

+tt {

+  font-family: "Courier New", Courier, monospace;

+  font-size: inherit;

+  color: navy;

+}

+

+div.tableblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+div.tableblock > table {

+  border: 3px solid #527bbd;

+}

+thead, p.table.header {

+  font-weight: bold;

+  color: #527bbd;

+}

+p.table {

+  margin-top: 0;

+}

+/* Because the table frame attribute is overriden by CSS in most browsers. */

+div.tableblock > table[frame="void"] {

+  border-style: none;

+}

+div.tableblock > table[frame="hsides"] {

+  border-left-style: none;

+  border-right-style: none;

+}

+div.tableblock > table[frame="vsides"] {

+  border-top-style: none;

+  border-bottom-style: none;

+}

+

+

+/*

+ * html5 specific

+ *

+ * */

+

+.monospaced {

+  font-family: "Courier New", Courier, monospace;

+  font-size: inherit;

+  color: navy;

+}

+

+table.tableblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+thead, p.tableblock.header {

+  font-weight: bold;

+  color: #527bbd;

+}

+p.tableblock {

+  margin-top: 0;

+}

+table.tableblock {

+  border-width: 3px;

+  border-spacing: 0px;

+  border-style: solid;

+  border-color: #527bbd;

+  border-collapse: collapse;

+}

+th.tableblock, td.tableblock {

+  border-width: 1px;

+  padding: 4px;

+  border-style: solid;

+  border-color: #527bbd;

+}

+

+table.tableblock.frame-topbot {

+  border-left-style: hidden;

+  border-right-style: hidden;

+}

+table.tableblock.frame-sides {

+  border-top-style: hidden;

+  border-bottom-style: hidden;

+}

+table.tableblock.frame-none {

+  border-style: hidden;

+}

+

+th.tableblock.halign-left, td.tableblock.halign-left {

+  text-align: left;

+}

+th.tableblock.halign-center, td.tableblock.halign-center {

+  text-align: center;

+}

+th.tableblock.halign-right, td.tableblock.halign-right {

+  text-align: right;

+}

+

+th.tableblock.valign-top, td.tableblock.valign-top {

+  vertical-align: top;

+}

+th.tableblock.valign-middle, td.tableblock.valign-middle {

+  vertical-align: middle;

+}

+th.tableblock.valign-bottom, td.tableblock.valign-bottom {

+  vertical-align: bottom;

+}

+

+

+/*

+ * manpage specific

+ *

+ * */

+

+body.manpage h1 {

+  padding-top: 0.5em;

+  padding-bottom: 0.5em;

+  border-top: 2px solid silver;

+  border-bottom: 2px solid silver;

+}

+body.manpage h2 {

+  border-style: none;

+}

+body.manpage div.sectionbody {

+  margin-left: 3em;

+}

+

+@media print {

+  body.manpage div#toc { display: none; }

+}

+</style>

+<script type="text/javascript">

+/*<![CDATA[*/

+var asciidoc = {  // Namespace.

+

+/////////////////////////////////////////////////////////////////////

+// Table Of Contents generator

+/////////////////////////////////////////////////////////////////////

+

+/* Author: Mihai Bazon, September 2002

+ * http://students.infoiasi.ro/~mishoo

+ *

+ * Table Of Content generator

+ * Version: 0.4

+ *

+ * Feel free to use this script under the terms of the GNU General Public

+ * License, as long as you do not remove or alter this notice.

+ */

+

+ /* modified by Troy D. Hanson, September 2006. License: GPL */

+ /* modified by Stuart Rackham, 2006, 2009. License: GPL */

+

+// toclevels = 1..4.

+toc: function (toclevels) {

+

+  function getText(el) {

+    var text = "";

+    for (var i = el.firstChild; i != null; i = i.nextSibling) {

+      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.

+        text += i.data;

+      else if (i.firstChild != null)

+        text += getText(i);

+    }

+    return text;

+  }

+

+  function TocEntry(el, text, toclevel) {

+    this.element = el;

+    this.text = text;

+    this.toclevel = toclevel;

+  }

+

+  function tocEntries(el, toclevels) {

+    var result = new Array;

+    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');

+    // Function that scans the DOM tree for header elements (the DOM2

+    // nodeIterator API would be a better technique but not supported by all

+    // browsers).

+    var iterate = function (el) {

+      for (var i = el.firstChild; i != null; i = i.nextSibling) {

+        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {

+          var mo = re.exec(i.tagName);

+          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {

+            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);

+          }

+          iterate(i);

+        }

+      }

+    }

+    iterate(el);

+    return result;

+  }

+

+  var toc = document.getElementById("toc");

+  if (!toc) {

+    return;

+  }

+

+  // Delete existing TOC entries in case we're reloading the TOC.

+  var tocEntriesToRemove = [];

+  var i;

+  for (i = 0; i < toc.childNodes.length; i++) {

+    var entry = toc.childNodes[i];

+    if (entry.nodeName.toLowerCase() == 'div'

+     && entry.getAttribute("class")

+     && entry.getAttribute("class").match(/^toclevel/))

+      tocEntriesToRemove.push(entry);

+  }

+  for (i = 0; i < tocEntriesToRemove.length; i++) {

+    toc.removeChild(tocEntriesToRemove[i]);

+  }

+

+  // Rebuild TOC entries.

+  var entries = tocEntries(document.getElementById("content"), toclevels);

+  for (var i = 0; i < entries.length; ++i) {

+    var entry = entries[i];

+    if (entry.element.id == "")

+      entry.element.id = "_toc_" + i;

+    var a = document.createElement("a");

+    a.href = "#" + entry.element.id;

+    a.appendChild(document.createTextNode(entry.text));

+    var div = document.createElement("div");

+    div.appendChild(a);

+    div.className = "toclevel" + entry.toclevel;

+    toc.appendChild(div);

+  }

+  if (entries.length == 0)

+    toc.parentNode.removeChild(toc);

+},

+

+

+/////////////////////////////////////////////////////////////////////

+// Footnotes generator

+/////////////////////////////////////////////////////////////////////

+

+/* Based on footnote generation code from:

+ * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html

+ */

+

+footnotes: function () {

+  // Delete existing footnote entries in case we're reloading the footnodes.

+  var i;

+  var noteholder = document.getElementById("footnotes");

+  if (!noteholder) {

+    return;

+  }

+  var entriesToRemove = [];

+  for (i = 0; i < noteholder.childNodes.length; i++) {

+    var entry = noteholder.childNodes[i];

+    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")

+      entriesToRemove.push(entry);

+  }

+  for (i = 0; i < entriesToRemove.length; i++) {

+    noteholder.removeChild(entriesToRemove[i]);

+  }

+

+  // Rebuild footnote entries.

+  var cont = document.getElementById("content");

+  var spans = cont.getElementsByTagName("span");

+  var refs = {};

+  var n = 0;

+  for (i=0; i<spans.length; i++) {

+    if (spans[i].className == "footnote") {

+      n++;

+      var note = spans[i].getAttribute("data-note");

+      if (!note) {

+        // Use [\s\S] in place of . so multi-line matches work.

+        // Because JavaScript has no s (dotall) regex flag.

+        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];

+        spans[i].innerHTML =

+          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +

+          "' title='View footnote' class='footnote'>" + n + "</a>]";

+        spans[i].setAttribute("data-note", note);

+      }

+      noteholder.innerHTML +=

+        "<div class='footnote' id='_footnote_" + n + "'>" +

+        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +

+        n + "</a>. " + note + "</div>";

+      var id =spans[i].getAttribute("id");

+      if (id != null) refs["#"+id] = n;

+    }

+  }

+  if (n == 0)

+    noteholder.parentNode.removeChild(noteholder);

+  else {

+    // Process footnoterefs.

+    for (i=0; i<spans.length; i++) {

+      if (spans[i].className == "footnoteref") {

+        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");

+        href = href.match(/#.*/)[0];  // Because IE return full URL.

+        n = refs[href];

+        spans[i].innerHTML =

+          "[<a href='#_footnote_" + n +

+          "' title='View footnote' class='footnote'>" + n + "</a>]";

+      }

+    }

+  }

+},

+

+install: function(toclevels) {

+  var timerId;

+

+  function reinstall() {

+    asciidoc.footnotes();

+    if (toclevels) {

+      asciidoc.toc(toclevels);

+    }

+  }

+

+  function reinstallAndRemoveTimer() {

+    clearInterval(timerId);

+    reinstall();

+  }

+

+  timerId = setInterval(reinstall, 500);

+  if (document.addEventListener)

+    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);

+  else

+    window.onload = reinstallAndRemoveTimer;

+}

+

+}

+asciidoc.install(2);

+/*]]>*/

+</script>

+</head>

+<body class="article">

+<div id="header">

+<h1>Android Iodine Anwenderdokumentation</h1>

+<span id="author">Yves Fischer</span><br />

+<span id="revdate">April 2013</span>

+<div id="toc">
+  <div id="toctitle">Inhaltsverzeichnis</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>

+</div>

+<div id="content">

+<div id="preamble">

+<div class="sectionbody">

+<div class="quoteblock">

+<div class="content">

+<div class="paragraph"><p>Die Dokumentation ist zweigeteilt. Dieser Teil enthält eine Beschreibung des Programs

+und einen Überblick über die Funktionsweise von DNS-Tunnel. Zur technischen Beschreibung

+des Programs siehe <em>Entwicklerdokumentation</em>.</p></div>

+<div class="paragraph"><p>Ein DNS Tunnel ermöglicht regulären IP Verkehr durch den Internet

+Namensauflösungsdienst DNS zu tunneln. Damit ist es möglich, in Netzen

+die keine normales Internet Routing unterstützen, Daten auszutauschen.

+Voraussetzung ist, dass das Netz gewöhnliche DNS-Auflösung unterstützt.

+Die Datenpakete werden in DNS-Anfragen kodiert, die durch die hierarchische

+Struktur an einen speziellen (i.d.R. third-level) Nameserver weitergeleitet werden.</p></div>

+<div class="paragraph"><p>Die Software <a href="#iodine">[iodine]</a> ist eine Implementierung eines DNS Tunnel für Linux,

+Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows. Diese Dokumentation beschreibt

+die Portierung auf Android mit einer angepassten Benutzeroberfläche.</p></div>

+</div>

+<div class="attribution">

+</div></div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_android_systemanforderungen">Android Systemanforderungen</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Durch die Verwendung des Android VPN Framework ist mindestens Android

+4.0 (API Level 14) erforderlich.</p></div>

+<div class="paragraph"><p>Für Android vor 4.0 besteht bei vorhandenem Root Zugriff die Möglichkeit

+das tun.ko Kernelmodul zu laden und ein

+<a href="http://code.kryo.se/iodine/iodine-latest-android.zip">cross-kompiliertes

+iodine</a> auszuführen.</p></div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_funktionsweise_eines_dns_tunnel">Funktionsweise eines DNS-Tunnel</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Das Domain-Name-System (DNS) wird eingesetzt um Namen (wie

+"example.com") in IP-Adressen (wie "194.71.107.50" oder

+"2001:db8:85a3:8d3:1319:8a2e:370:7347") zu übersetzen. DNS wurde in den

+1980er Jahren ursprünglich mit dem Ziel entwickelt lokale <tt>hosts</tt> Datei

+im Internet abzulösen. Inzwischen werden auch andere Informationen als

+die reine Adressauflösung über DNS ausgetauscht.</p></div>

+<div class="paragraph"><p>Als DNS Tunnel bezeichnet man eine Verbindung die in der Lage ist über

+das DNS Protokoll als Transportmedium generischen IP-Verkehr zu übertragen.</p></div>

+<div class="sect2">

+<h3 id="_einbetten_von_beliebigen_daten">Einbetten von beliebigen Daten</h3>

+<div class="paragraph"><p>Im folgenden ist der Datenverkehr zur Auflösung des Namens "bla.de" dekodiert dargestellt.

+Das erste Paket ist die Anfrage des A-Record zu "bla.de". Das zweite Paket die Antwort des DNS Relay.</p></div>

+<div class="paragraph"><p>Das DNS-Relay antwortet "bla.de A IN 217.160.95.28", diese Angabe soll "5 hours, 39 minutes,

+47 seconds" gültig sein. <tt>217.160.95.28</tt> wurde direkt binär übertragen als  <tt>d9 a0  5f 1c</tt>.</p></div>

+<div class="paragraph"><p>Nichts hält einen DNS Server davon ab andere Daten als IP-Adressen in der Antwort zu verschicken und

+nichts kann einen Client davon abhalten beliebige Daten in subdomains (hallowelt.bla.de) zu kodieren.</p></div>

+<div class="paragraph"><p>Aufgrund der hierarchischen Architektur von DNS kann der Inhaber einer Domains die Auflösung von

+Subdomains übernehmen. Nach RFC1035 ist die maximale Länge eines auflösbaren Namens 255 Zeichen.</p></div>

+<div class="listingblock">

+<div class="content"><!-- Generator: GNU source-highlight 3.1.6

+by Lorenzo Bettini

+http://www.lorenzobettini.it

+http://www.gnu.org/software/src-highlite -->

+<pre><tt>Time         Source      Destination  Protocol Info

+<span style="color: #993399">2.425301000</span>  <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span>  <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span>     DNS      Standard query <span style="color: #993399">0x5e9e</span> <span style="color: #008080">A</span> bla<span style="color: #990000">.</span>de

+

+Internet Protocol Version <span style="color: #993399">4</span><span style="color: #990000">,</span> Src<span style="color: #990000">:</span> <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span> <span style="color: #990000">(</span><span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span><span style="color: #990000">),</span> Dst<span style="color: #990000">:</span> <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span> <span style="color: #990000">(</span><span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span><span style="color: #990000">)</span>

+User <span style="color: #008080">Datagram</span> Protocol<span style="color: #990000">,</span> <span style="color: #008080">Src</span> Port<span style="color: #990000">:</span> <span style="color: #993399">52963</span> <span style="color: #990000">(</span><span style="color: #993399">52963</span><span style="color: #990000">),</span> <span style="color: #008080">Dst</span> Port<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">domain</span></span> <span style="color: #990000">(</span><span style="color: #993399">53</span><span style="color: #990000">)</span>

+Domain <span style="color: #008080">Name</span> <span style="font-weight: bold"><span style="color: #000000">System</span></span> <span style="color: #990000">(</span>query<span style="color: #990000">)</span>

+    <span style="color: #990000">[</span><span style="color: #008080">Response</span> In<span style="color: #990000">:</span> <span style="color: #993399">16</span><span style="color: #990000">]</span>

+    <span style="color: #008080">Transaction</span> ID<span style="color: #990000">:</span> <span style="color: #993399">0x5e9e</span>

+    Flags<span style="color: #990000">:</span> <span style="color: #993399">0x0100</span> Standard query

+    Questions<span style="color: #990000">:</span> <span style="color: #993399">1</span>

+    <span style="color: #008080">Answer</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">0</span>

+    <span style="color: #008080">Authority</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">0</span>

+    <span style="color: #008080">Additional</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">0</span>

+    Queries

+        bla<span style="color: #990000">.</span>de<span style="color: #990000">:</span> <span style="color: #008080">type</span> A<span style="color: #990000">,</span> class IN

+            Name<span style="color: #990000">:</span> bla<span style="color: #990000">.</span>de

+            Type<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">A</span></span> <span style="color: #990000">(</span><span style="color: #008080">Host</span> address<span style="color: #990000">)</span>

+            Class<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">IN</span></span> <span style="color: #990000">(</span><span style="color: #993399">0x0001</span><span style="color: #990000">)</span>

+

+<span style="color: #993399">0030</span>  <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">03</span> <span style="color: #993399">62</span> 6c <span style="color: #993399">61</span> <span style="color: #993399">02</span> <span style="color: #993399">64</span> <span style="color: #993399">65</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">01</span>   <span style="color: #990000">.......</span>bla<span style="color: #990000">.</span>de<span style="color: #990000">...</span>

+<span style="color: #993399">0040</span>  <span style="color: #993399">00</span> <span style="color: #993399">01</span>                                             <span style="color: #990000">..</span>

+

+Time         Source    Destination  Protocol Info

+<span style="color: #993399">2.493068000</span>  <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span>  <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span>   DNS      Standard query response <span style="color: #993399">0x5e9e</span> A <span style="color: #993399">217.160</span><span style="color: #990000">.</span><span style="color: #993399">95.28</span>

+

+Internet Protocol Version <span style="color: #993399">4</span><span style="color: #990000">,</span> Src<span style="color: #990000">:</span> <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span> <span style="color: #990000">(</span><span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span><span style="color: #990000">),</span> Dst<span style="color: #990000">:</span> <span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span> <span style="color: #990000">(</span><span style="color: #993399">10.1</span><span style="color: #990000">.</span><span style="color: #993399">1.145</span><span style="color: #990000">)</span>

+User <span style="color: #008080">Datagram</span> Protocol<span style="color: #990000">,</span> <span style="color: #008080">Src</span> Port<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">domain</span></span> <span style="color: #990000">(</span><span style="color: #993399">53</span><span style="color: #990000">),</span> <span style="color: #008080">Dst</span> Port<span style="color: #990000">:</span> <span style="color: #993399">52963</span> <span style="color: #990000">(</span><span style="color: #993399">52963</span><span style="color: #990000">)</span>

+Domain <span style="color: #008080">Name</span> <span style="font-weight: bold"><span style="color: #000000">System</span></span> <span style="color: #990000">(</span>response<span style="color: #990000">)</span>

+    <span style="color: #990000">[</span><span style="color: #008080">Request</span> In<span style="color: #990000">:</span> <span style="color: #993399">15</span><span style="color: #990000">]</span>

+    <span style="color: #990000">[</span>Time<span style="color: #990000">:</span> <span style="color: #993399">0.067767000</span> seconds<span style="color: #990000">]</span>

+    <span style="color: #008080">Transaction</span> ID<span style="color: #990000">:</span> <span style="color: #993399">0x5e9e</span>

+    Flags<span style="color: #990000">:</span> <span style="color: #993399">0x8180</span> Standard <span style="color: #008080">query</span> response<span style="color: #990000">,</span> No error

+    Questions<span style="color: #990000">:</span> <span style="color: #993399">1</span>

+    <span style="color: #008080">Answer</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">1</span>

+    <span style="color: #008080">Authority</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">0</span>

+    <span style="color: #008080">Additional</span> RRs<span style="color: #990000">:</span> <span style="color: #993399">0</span>

+    Queries

+        bla<span style="color: #990000">.</span>de<span style="color: #990000">:</span> <span style="color: #008080">type</span> A<span style="color: #990000">,</span> class IN

+            Name<span style="color: #990000">:</span> bla<span style="color: #990000">.</span>de

+            Type<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">A</span></span> <span style="color: #990000">(</span><span style="color: #008080">Host</span> address<span style="color: #990000">)</span>

+            Class<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">IN</span></span> <span style="color: #990000">(</span><span style="color: #993399">0x0001</span><span style="color: #990000">)</span>

+    Answers

+        bla<span style="color: #990000">.</span>de<span style="color: #990000">:</span> <span style="color: #008080">type</span> A<span style="color: #990000">,</span> <span style="color: #008080">class</span> IN<span style="color: #990000">,</span> addr <span style="color: #993399">217.160</span><span style="color: #990000">.</span><span style="color: #993399">95.28</span>

+            Name<span style="color: #990000">:</span> bla<span style="color: #990000">.</span>de

+            Type<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">A</span></span> <span style="color: #990000">(</span><span style="color: #008080">Host</span> address<span style="color: #990000">)</span>

+            Class<span style="color: #990000">:</span> <span style="font-weight: bold"><span style="color: #000000">IN</span></span> <span style="color: #990000">(</span><span style="color: #993399">0x0001</span><span style="color: #990000">)</span>

+            Time <span style="color: #008080">to</span> live<span style="color: #990000">:</span> <span style="color: #993399">5</span> hours<span style="color: #990000">,</span> <span style="color: #993399">39</span> minutes<span style="color: #990000">,</span> <span style="color: #993399">47</span> seconds

+            <span style="color: #008080">Data</span> length<span style="color: #990000">:</span> <span style="color: #993399">4</span>

+            Addr<span style="color: #990000">:</span> <span style="color: #993399">217.160</span><span style="color: #990000">.</span><span style="color: #993399">95.28</span> <span style="color: #990000">(</span><span style="color: #993399">217.160</span><span style="color: #990000">.</span><span style="color: #993399">95.28</span><span style="color: #990000">)</span>

+

+<span style="color: #993399">0030</span>  <span style="color: #993399">00</span> <span style="color: #993399">01</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">03</span> <span style="color: #993399">62</span> 6c <span style="color: #993399">61</span> <span style="color: #993399">02</span> <span style="color: #993399">64</span> <span style="color: #993399">65</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> <span style="color: #993399">01</span>   <span style="color: #990000">.......</span>bla<span style="color: #990000">.</span>de<span style="color: #990000">...</span>

+<span style="color: #993399">0040</span>  <span style="color: #993399">00</span> <span style="color: #993399">01</span> c0 0c <span style="color: #993399">00</span> <span style="color: #993399">01</span> <span style="color: #993399">00</span> <span style="color: #993399">01</span> <span style="color: #993399">00</span> <span style="color: #993399">00</span> 4f a3 <span style="color: #993399">00</span> <span style="color: #993399">04</span> <span style="color: #008080">d9</span> a0   <span style="color: #990000">..........</span>O<span style="color: #990000">.....</span>

+<span style="color: #993399">0050</span>  5f 1<span style="color: #008080">c</span>                                             _<span style="color: #990000">.</span></tt></pre></div></div>

+</div>

+<div class="sect2">

+<h3 id="gegenmasnahmen">Gegenmaßnahmen</h3>

+<div class="paragraph"><p>Die von einem idealen DNS Tunnel gestellten Anfragen sind gültig und unterscheiden sich

+in erster Linie nicht von denen einer gewöhnlichen Anwendung von DNS. Um Tunnel

+aufzuspüren wären daher statistische Verfahren nötig die Kriterien wie Anzahl,

+Größe und Inhalt der Pakete betrachten. Aufgrund der Fehleranfälligkeit ist

+es damit aber auch möglich legitime Anwendungen zu blockieren.</p></div>

+<div class="paragraph"><p>Möchte man lediglich iodine als konkrete Implementierung blockieren ist dies sehr einfach möglich.

+Der vom iodine Client Verwendete "ping" Aufruf kann sehr einfach erkannt werden, es könnte jeder Client

+der regelmäßíg eine Subdomain mit dem Anfangsbuchstaben "p" der gleichen Restdomain erfragt geblockt werden.</p></div>

+<div class="paragraph"><p>In einem durch Proxy Server sowieso schon stark eingeschränkten Netzwerk ist es denkbar, dass auf die Auflösung von

+Namen ausserhalb der lokalen Domain durch den DNS Server allgemein verzichtet wird.

+Sowohl ein HTTP-Proxyserver als auch ein SOCKS Server kann dies für

+den Client übernehmen.</p></div>

+<div class="paragraph"><p>In einer Konfiguration für einen Internet Hotspot mit Autorisation der Benutzer (z.B. nach Bezahlvorgang) ist

+es unbedingt sinnvoll die Autoriserungsregeln auch auf den DNS Server anzuwenden, sodass für den nicht autorisierten

+Benutzer nur das Loginformular aufrufbar ist. Dies in vielen öffentlichen Hotspots momentan nicht umgesetzt.

+Für weitere Informationen zum Blockieren von DNS Tunneln siehe <a href="#schillinger11">[schillinger11]</a>.</p></div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_bedienung">Bedienung</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Im folgenden wird die Bedienung der Android Oberfläche beschrieben. Die Anwendungen

+teilt sich für den Benutzer in zwei Bereiche: Die Steuerung der Tunnel und die

+Verbindungskonfiguration.</p></div>

+<div class="sect2">

+<h3 id="_hauptbildschirm">Hauptbildschirm</h3>

+<div style="clear:both;"></div>

+<div class="imageblock" style="float:left;">

+<div class="content">

+<img src="bilder/screen_main.png" alt="bilder/screen_main.png" width="300px" />

+</div>

+</div>

+<div class="paragraph"><p>Der Hauptbildschirm zeigt die konfigurierten Verbindungsprofile. Eine Verbindung wird

+mit Auswahl des Eintrags gestartet.</p></div>

+<div class="paragraph"><p>Mit dem Einstellungsbutton <span class="image">

+<img src="../res/drawable/ic_bt_config.png" alt="../res/drawable/ic_bt_config.png" width="32px" />

+</span> können

+die Verbindungsparameter geändert werden.</p></div>

+<div class="paragraph"><p>Mit dem Button <span class="image">

+<img src="../res/drawable/device_access_new_account.png" alt="../res/drawable/device_access_new_account.png" width="32px" />

+</span> in der ActionBar

+wird ein neues Verbindungsprofil angelegt.</p></div>

+<div style="clear:both;"></div>

+</div>

+<div class="sect2">

+<h3 id="_verbindungskonfiguration">Verbindungskonfiguration</h3>

+<div style="clear:both;"></div>

+<div class="imageblock" style="float:left;">

+<div class="content">

+<img src="bilder/screen_pref.png" alt="bilder/screen_pref.png" width="300px" />

+</div>

+</div>

+<div class="paragraph"><p>In der Verbindungskonfiguration werden Parameter festgelegt die beim Starten

+des Tunnels gesetzt werden. Die Änderungen werden sofort übernommen.</p></div>

+<div class="paragraph"><p>Zu jeder Einstellung kann mit Drücken des Hilfebuttons die Hilfe aus der Nachfolgenden

+Tabelle aufgerufen werden.</p></div>

+<div class="paragraph"><p>Mit mit der Auswahl von <span class="image">

+<img src="../res/drawable/delete.png" alt="../res/drawable/delete.png" width="32px" />

+</span> wird

+die aktuell geöffnete Konfiguration gelöscht.</p></div>

+<div style="clear:both;"></div>

+<div class="tableblock">

+<table rules="all"

+width="100%"

+frame="border"

+cellspacing="0" cellpadding="4">

+<caption class="title">Tabelle 1. Parameter</caption>

+<col width="50%" />

+<col width="50%" />

+<thead>

+<tr>

+<th align="left" valign="top">Parameter            </th>

+<th align="left" valign="top"> Beschreibung</th>

+</tr>

+</thead>

+<tbody>

+<tr>

+<td align="left" valign="top"><p class="table">Name</p></td>

+<td align="left" valign="top"><p class="table">Name für diese Verbindungskonfiguration&lt;</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Lazy-Mode</p></td>

+<td align="left" valign="top"><p class="table">Lazy mode erhöht den Durchsatz und senkt die Reaktionszeit.

+                        Eine kleine Minderheit an DNS Relays scheint damit nicht klarzukommen was

+                        darin resultiert dass keine oder fast keine Daten übertragen werden.

+                        Der Client wird dies aber in der Regel feststellen und den Lazy mode ausschalten.

+                        Falls nicht, kann lazy-mode mit dieser Option ausgeschaltet werden.</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Tunnel Nameserver</p></td>

+<td align="left" valign="top"><p class="table">Der Nameserver/DNS Relay, der verwendet wird um mit iodined zu kommunizieren.

+                        Dieses Feld ist optional und wenn es nicht gesetzt ist wird der im System hinterlegte

+                        DNS Server verwendet</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Nameserver-Mode</p></td>

+<td align="left" valign="top"><p class="table">Legt fest wie der Nameserver gesetzt werden soll nachdem der Tunnel aufgebaut wurde</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Nameserver</p></td>

+<td align="left" valign="top"><p class="table">IP-Adresse eine speziellen Nameserver der gesetzt werden soll

+                        wenn Nameserver Modus = Custom ist.</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Password</p></td>

+<td align="left" valign="top"><p class="table">Dieses Feld ist optional. Es werden nur die ersten 32 Zeichen verwendet.

+                        pwasswo cont</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Raw-Mode</p></td>

+<td align="left" valign="top"><p class="table">Falls gesetzt wird iodine versuchen die öffentliche IP-Adresse des iodined Server

+                        aufzulösen und testen ob er direkt erreichbar ist. Falls ja, wird er den Traffic

+                        direkt an den Server senden anstatt an ein DNS relay</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Request-Type</p></td>

+<td align="left" valign="top"><p class="table">Typ der DNS Abfragen. Standardmäßig wird die beste Request type automatisch ausgewählt.</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Top-Domain</p></td>

+<td align="left" valign="top"><p class="table">Der DNS Traffic wird als Anfragen für subdomains unterhalb dieser Topdomain gesendert.

+                        Dies ist gewöhnlich eine Domain die Dir gehört. Verwende eine kurze

+                        Domain um mehr Durchsatz zu erzielen.

+                        Diese Einstellung muss am Server und am Client gleich sein</p></td>

+</tr>

+<tr>

+<td align="left" valign="top"><p class="table">Default Route</p></td>

+<td align="left" valign="top"><p class="table">Legt fest ob die Default Route gesetzt wird nachdem die Verbindung aufgebaut wurde</p></td>

+</tr>

+</tbody>

+</table>

+</div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_einrichtung_eines_iodine_server">Einrichtung eines iodine Server</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Vorraussetzung für den Betrieb eines Iodine Server ist eine öffentlich erreichbare IP-Adresse und

+ein freier Port 53/dns.</p></div>

+<div class="paragraph"><p>Es muss ein NS-Record für diese IP-Adresse eingerichtet werden. Angenommen die Tunnel Toplevel Domain

+soll "t.example.com" sein und der Server hat die IP-Adresse 192.0.43.10, dann lautet der Eintrag:</p></div>

+<div class="literalblock">

+<div class="content">

+<pre><tt>t.example.com.       8192    IN  NS    192.0.43.10</tt></pre>

+</div></div>

+<div class="paragraph"><p>Die Konfiguration der IP-Adressen erfolgt nicht über DHCP oder statisch, sondern diese werden den Clients

+vom iodine Server, aus einem IP Subnetz das beim Start festgelegt wird, zugewiesen.</p></div>

+<div class="literalblock">

+<div class="content">

+<pre><tt>iodined -c -P PASSWORD 192.168.0.1/24 t.example.com</tt></pre>

+</div></div>

+<div class="paragraph"><p>Die Option <tt>-c</tt> ist nicht immer erforderlich. Sie bewirkt, dass iodine die Quelladressen der Anfragen

+nicht überprüft. Die Überprüfung ist nicht möglich wenn die DNS Anfragen über ein Cluster verarbeitet werden,

+sodass die beim Server einkommenden Pakete von verschiedenen Quelladressen stammen.</p></div>

+<div class="paragraph"><p>Der Server legt ein TUN-Device an (typischerweise "dns0"), je nach Zweck ist noch das

+IP Routing/Masquerade zu konfigurieren.</p></div>

+<div class="sect2">

+<h3 id="_testen">Testen</h3>

+<div class="paragraph"><p>Die Funktionstüchtigkeit eines iodine Server kann mit einfachen DNS Anfragen getestet werden:</p></div>

+<div class="listingblock">

+<div class="content"><!-- Generator: GNU source-highlight 3.1.6

+by Lorenzo Bettini

+http://www.lorenzobettini.it

+http://www.gnu.org/software/src-highlite -->

+<pre><tt>$ dig -t A zabc<span style="color: #990000">.</span>t<span style="color: #990000">.</span>example<span style="color: #990000">.</span>com

+<span style="color: #990000">....</span>

+<span style="color: #990000">;;</span> QUESTION SECTION<span style="color: #990000">:</span>

+<span style="color: #990000">;</span>zabc<span style="color: #990000">.</span>t<span style="color: #990000">.</span>example<span style="color: #990000">.</span>com<span style="color: #990000">.</span>      IN  A

+

+<span style="color: #990000">;;</span> ANSWER SECTION<span style="color: #990000">:</span>

+zabc<span style="color: #990000">.</span>t<span style="color: #990000">.</span>example<span style="color: #990000">.</span>com<span style="color: #990000">.</span>   <span style="color: #993399">0</span> IN  CNAME hpjqweyzo<span style="color: #990000">.</span>dh<span style="color: #990000">.</span>

+

+$ <span style="color: #990000">.</span>/base<span style="color: #993399">32</span> d pjqweyz

+Decoded <span style="color: #993399">4</span> bytes<span style="color: #990000">:</span>

+<span style="color: #993399">0x7a</span> <span style="color: #990000">(</span>z<span style="color: #990000">)</span> <span style="color: #993399">0x61</span> <span style="color: #990000">(</span>a<span style="color: #990000">)</span> <span style="color: #993399">0x62</span> <span style="color: #990000">(</span>b<span style="color: #990000">)</span> <span style="color: #993399">0x63</span> <span style="color: #990000">(</span>c<span style="color: #990000">)</span></tt></pre></div></div>

+<div class="paragraph"><p>Unter <a href="http://code.kryo.se/iodine/check-it/">http://code.kryo.se/iodine/check-it/</a> wird ein Online Service zum Testen der Konfiguration angeboten.</p></div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_anhang">Anhang</h2>

+<div class="sectionbody">

+<div class="ulist bibliography"><ul>

+<li>

+<p>

+<a id="schillinger11"></a>[schillinger11]

+  <a href="http://www.data.ks.uni-freiburg.de/download/praxisseminarSS11/dns-tunnel/Fabian%20Schillinger%20-%20DNS-Tunnel.pdf">Fabian Schillinger, DNS-Tunnel, Universität Freiburg 2011</a>

+</p>

+</li>

+<li>

+<p>

+<a id="iodine"></a>[iodine] <a href="http://code.kryo.se/iodine/">http://code.kryo.se/iodine/</a>

+</p>

+</li>

+</ul></div>

+</div>

+</div>

+</div>

+<div id="footnotes"><hr /></div>

+<div id="footer">

+<div id="footer-text">

+Letzte Änderung 2013-06-12 22:22:54 CEST

+</div>

+</div>

+</body>

+</html>

diff --git a/doc/anwenderdoku.pdf b/doc/anwenderdoku.pdf
new file mode 100644
index 0000000..9dba3da
--- /dev/null
+++ b/doc/anwenderdoku.pdf
diff --git a/doc/anwenderdoku.txt b/doc/anwenderdoku.txt
new file mode 100644
index 0000000..f38c7bf
--- /dev/null
+++ b/doc/anwenderdoku.txt
@@ -0,0 +1,279 @@
+Android Iodine Anwenderdokumentation
+====================================
+Yves Fischer
+April 2013
+:toc:
+:doctype: article
+:lang: de
+:icons:
+
+
+[abstract]
+--
+Die Dokumentation ist zweigeteilt. Dieser Teil enthält eine Beschreibung des Programs
+und einen Überblick über die Funktionsweise von DNS-Tunnel. Zur technischen Beschreibung
+des Programs siehe 'Entwicklerdokumentation'.
+
+Ein DNS Tunnel ermöglicht regulären IP Verkehr durch den Internet
+Namensauflösungsdienst DNS zu tunneln. Damit ist es möglich, in Netzen
+die keine normales Internet Routing unterstützen, Daten auszutauschen.
+Voraussetzung ist, dass das Netz gewöhnliche DNS-Auflösung unterstützt. 
+Die Datenpakete werden in DNS-Anfragen kodiert, die durch die hierarchische
+Struktur an einen speziellen (i.d.R. third-level) Nameserver weitergeleitet werden.
+
+Die Software <<iodine>> ist eine Implementierung eines DNS Tunnel für Linux, 
+Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows. Diese Dokumentation beschreibt
+die Portierung auf Android mit einer angepassten Benutzeroberfläche.
+--
+
+Android Systemanforderungen
+---------------------------
+
+Durch die Verwendung des Android VPN Framework ist mindestens Android
+4.0 (API Level 14) erforderlich.
+
+Für Android vor 4.0 besteht bei vorhandenem Root Zugriff die Möglichkeit
+das tun.ko Kernelmodul zu laden und ein
+http://code.kryo.se/iodine/iodine-latest-android.zip[cross-kompiliertes
+iodine] auszuführen.
+
+
+    
+Funktionsweise eines DNS-Tunnel
+-------------------------------
+
+Das Domain-Name-System (DNS) wird eingesetzt um Namen (wie
+"example.com") in IP-Adressen (wie "194.71.107.50" oder
+"2001:db8:85a3:8d3:1319:8a2e:370:7347") zu übersetzen. DNS wurde in den
+1980er Jahren ursprünglich mit dem Ziel entwickelt lokale `hosts` Datei
+im Internet abzulösen. Inzwischen werden auch andere Informationen als
+die reine Adressauflösung über DNS ausgetauscht.
+
+Als DNS Tunnel bezeichnet man eine Verbindung die in der Lage ist über
+das DNS Protokoll als Transportmedium generischen IP-Verkehr zu übertragen.
+
+Einbetten von beliebigen Daten
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Im folgenden ist der Datenverkehr zur Auflösung des Namens "bla.de" dekodiert dargestellt.
+Das erste Paket ist die Anfrage des A-Record zu "bla.de". Das zweite Paket die Antwort des DNS Relay.
+
+Das DNS-Relay antwortet "bla.de A IN 217.160.95.28", diese Angabe soll "5 hours, 39 minutes, 
+47 seconds" gültig sein. `217.160.95.28` wurde direkt binär übertragen als  `d9 a0  5f 1c`.
+
+Nichts hält einen DNS Server davon ab andere Daten als IP-Adressen in der Antwort zu verschicken und
+nichts kann einen Client davon abhalten beliebige Daten in subdomains (hallowelt.bla.de) zu kodieren.
+
+Aufgrund der hierarchischen Architektur von DNS kann der Inhaber einer Domains die Auflösung von
+Subdomains übernehmen. Nach RFC1035 ist die maximale Länge eines auflösbaren Namens 255 Zeichen.  
+
+[source,c]
+-------------------------------------------------------------------------------------------------------------
+Time         Source      Destination  Protocol Info
+2.425301000  10.1.1.145  10.1.0.1     DNS      Standard query 0x5e9e A bla.de
+
+Internet Protocol Version 4, Src: 10.1.1.145 (10.1.1.145), Dst: 10.1.0.1 (10.1.0.1)
+User Datagram Protocol, Src Port: 52963 (52963), Dst Port: domain (53)
+Domain Name System (query)
+    [Response In: 16]
+    Transaction ID: 0x5e9e
+    Flags: 0x0100 Standard query
+    Questions: 1
+    Answer RRs: 0
+    Authority RRs: 0
+    Additional RRs: 0
+    Queries
+        bla.de: type A, class IN
+            Name: bla.de
+            Type: A (Host address)
+            Class: IN (0x0001)
+
+0030  00 00 00 00 00 00 03 62 6c 61 02 64 65 00 00 01   .......bla.de...
+0040  00 01                                             ..
+
+Time         Source    Destination  Protocol Info
+2.493068000  10.1.0.1  10.1.1.145   DNS      Standard query response 0x5e9e A 217.160.95.28
+
+Internet Protocol Version 4, Src: 10.1.0.1 (10.1.0.1), Dst: 10.1.1.145 (10.1.1.145)
+User Datagram Protocol, Src Port: domain (53), Dst Port: 52963 (52963)
+Domain Name System (response)
+    [Request In: 15]
+    [Time: 0.067767000 seconds]
+    Transaction ID: 0x5e9e
+    Flags: 0x8180 Standard query response, No error
+    Questions: 1
+    Answer RRs: 1
+    Authority RRs: 0
+    Additional RRs: 0
+    Queries
+        bla.de: type A, class IN
+            Name: bla.de
+            Type: A (Host address)
+            Class: IN (0x0001)
+    Answers
+        bla.de: type A, class IN, addr 217.160.95.28
+            Name: bla.de
+            Type: A (Host address)
+            Class: IN (0x0001)
+            Time to live: 5 hours, 39 minutes, 47 seconds
+            Data length: 4
+            Addr: 217.160.95.28 (217.160.95.28)
+
+0030  00 01 00 00 00 00 03 62 6c 61 02 64 65 00 00 01   .......bla.de...
+0040  00 01 c0 0c 00 01 00 01 00 00 4f a3 00 04 d9 a0   ..........O.....
+0050  5f 1c                                             _.
+-------------------------------------------------------------------------------------------------------------
+
+
+[[gegenmasnahmen,Gegenmaßnahmen]]
+Gegenmaßnahmen
+~~~~~~~~~~~~~~
+
+Die von einem idealen DNS Tunnel gestellten Anfragen sind gültig und unterscheiden sich
+in erster Linie nicht von denen einer gewöhnlichen Anwendung von DNS. Um Tunnel
+aufzuspüren wären daher statistische Verfahren nötig die Kriterien wie Anzahl, 
+Größe und Inhalt der Pakete betrachten. Aufgrund der Fehleranfälligkeit ist 
+es damit aber auch möglich legitime Anwendungen zu blockieren. 
+
+Möchte man lediglich iodine als konkrete Implementierung blockieren ist dies sehr einfach möglich.
+Der vom iodine Client Verwendete "ping" Aufruf kann sehr einfach erkannt werden, es könnte jeder Client
+der regelmäßíg eine Subdomain mit dem Anfangsbuchstaben "p" der gleichen Restdomain erfragt geblockt werden.
+
+In einem durch Proxy Server sowieso schon stark eingeschränkten Netzwerk ist es denkbar, dass auf die Auflösung von 
+Namen ausserhalb der lokalen Domain durch den DNS Server allgemein verzichtet wird. 
+Sowohl ein HTTP-Proxyserver als auch ein SOCKS Server kann dies für
+den Client übernehmen.
+
+In einer Konfiguration für einen Internet Hotspot mit Autorisation der Benutzer (z.B. nach Bezahlvorgang) ist
+es unbedingt sinnvoll die Autoriserungsregeln auch auf den DNS Server anzuwenden, sodass für den nicht autorisierten
+Benutzer nur das Loginformular aufrufbar ist. Dies in vielen öffentlichen Hotspots momentan nicht umgesetzt.
+Für weitere Informationen zum Blockieren von DNS Tunneln siehe <<schillinger11>>. 
+ 
+
+Bedienung
+---------
+
+Im folgenden wird die Bedienung der Android Oberfläche beschrieben. Die Anwendungen
+teilt sich für den Benutzer in zwei Bereiche: Die Steuerung der Tunnel und die 
+Verbindungskonfiguration.
+
+ 
+Hauptbildschirm
+~~~~~~~~~~~~~~~
+
+unfloat::[]
+
+image::bilder/screen_main.png[width="300px",scaledwidth="50%",float="left"]
+
+Der Hauptbildschirm zeigt die konfigurierten Verbindungsprofile. Eine Verbindung wird 
+mit Auswahl des Eintrags gestartet.
+
+Mit dem Einstellungsbutton image:../res/drawable/ic_bt_config.png[width="32px"] können 
+die Verbindungsparameter geändert werden.
+
+Mit dem Button image:../res/drawable/device_access_new_account.png[width="32px"] in der ActionBar
+wird ein neues Verbindungsprofil angelegt.
+
+unfloat::[]
+
+Verbindungskonfiguration
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+unfloat::[]
+
+image::bilder/screen_pref.png[width="300px",scaledwidth="50%",float="left"]
+
+In der Verbindungskonfiguration werden Parameter festgelegt die beim Starten 
+des Tunnels gesetzt werden. Die Änderungen werden sofort übernommen.
+
+Zu jeder Einstellung kann mit Drücken des Hilfebuttons die Hilfe aus der Nachfolgenden 
+Tabelle aufgerufen werden.
+
+Mit mit der Auswahl von image:../res/drawable/delete.png[width="32px"] wird
+die aktuell geöffnete Konfiguration gelöscht. 
+
+unfloat::[]
+
+.Parameter
+[options="header"]
+|=====================================
+|Parameter            | Beschreibung
+|Name                 | Name für diese Verbindungskonfiguration<
+|Lazy-Mode            | Lazy mode erhöht den Durchsatz und senkt die Reaktionszeit. 
+                        Eine kleine Minderheit an DNS Relays scheint damit nicht klarzukommen was 
+                        darin resultiert dass keine oder fast keine Daten übertragen werden. 
+                        Der Client wird dies aber in der Regel feststellen und den Lazy mode ausschalten. 
+                        Falls nicht, kann lazy-mode mit dieser Option ausgeschaltet werden.
+|Tunnel Nameserver    | Der Nameserver/DNS Relay, der verwendet wird um mit iodined zu kommunizieren.  
+                        Dieses Feld ist optional und wenn es nicht gesetzt ist wird der im System hinterlegte 
+                        DNS Server verwendet
+|Nameserver-Mode      | Legt fest wie der Nameserver gesetzt werden soll nachdem der Tunnel aufgebaut wurde
+|Nameserver           | IP-Adresse eine speziellen Nameserver der gesetzt werden soll 
+                        wenn Nameserver Modus = Custom ist.
+|Password             | Dieses Feld ist optional. Es werden nur die ersten 32 Zeichen verwendet.
+                        pwasswo cont
+|Raw-Mode             | Falls gesetzt wird iodine versuchen die öffentliche IP-Adresse des iodined Server
+                        aufzulösen und testen ob er direkt erreichbar ist. Falls ja, wird er den Traffic 
+                        direkt an den Server senden anstatt an ein DNS relay
+|Request-Type         | Typ der DNS Abfragen. Standardmäßig wird die beste Request type automatisch ausgewählt.
+|Top-Domain           | Der DNS Traffic wird als Anfragen für subdomains unterhalb dieser Topdomain gesendert. 
+                        Dies ist gewöhnlich eine Domain die Dir gehört. Verwende eine kurze 
+                        Domain um mehr Durchsatz zu erzielen. 
+                        Diese Einstellung muss am Server und am Client gleich sein
+|Default Route        | Legt fest ob die Default Route gesetzt wird nachdem die Verbindung aufgebaut wurde
+|====================================
+
+Einrichtung eines iodine Server
+-------------------------------
+
+Vorraussetzung für den Betrieb eines Iodine Server ist eine öffentlich erreichbare IP-Adresse und
+ein freier Port 53/dns.
+
+Es muss ein NS-Record für diese IP-Adresse eingerichtet werden. Angenommen die Tunnel Toplevel Domain
+soll "t.example.com" sein und der Server hat die IP-Adresse 192.0.43.10, dann lautet der Eintrag:
+
+    t.example.com.       8192    IN  NS    192.0.43.10
+
+Die Konfiguration der IP-Adressen erfolgt nicht über DHCP oder statisch, sondern diese werden den Clients
+vom iodine Server, aus einem IP Subnetz das beim Start festgelegt wird, zugewiesen.
+
+    iodined -c -P PASSWORD 192.168.0.1/24 t.example.com
+
+Die Option `-c` ist nicht immer erforderlich. Sie bewirkt, dass iodine die Quelladressen der Anfragen
+nicht überprüft. Die Überprüfung ist nicht möglich wenn die DNS Anfragen über ein Cluster verarbeitet werden, 
+sodass die beim Server einkommenden Pakete von verschiedenen Quelladressen stammen. 
+
+Der Server legt ein TUN-Device an (typischerweise "dns0"), je nach Zweck ist noch das
+IP Routing/Masquerade zu konfigurieren. 
+
+Testen
+~~~~~~
+
+Die Funktionstüchtigkeit eines iodine Server kann mit einfachen DNS Anfragen getestet werden:
+
+[source,bash]
+--------------------------------------------------------------------------------------------------------
+$ dig -t A zabc.t.example.com
+....
+;; QUESTION SECTION:
+;zabc.t.example.com.      IN  A
+
+;; ANSWER SECTION:
+zabc.t.example.com.   0 IN  CNAME hpjqweyzo.dh.
+
+$ ./base32 d pjqweyz 
+Decoded 4 bytes:
+0x7a (z) 0x61 (a) 0x62 (b) 0x63 (c) 
+--------------------------------------------------------------------------------------------------------
+
+Unter http://code.kryo.se/iodine/check-it/ wird ein Online Service zum Testen der Konfiguration angeboten.
+
+[bibliography]
+Anhang
+------
+
+[bibliography]
+- [[[schillinger11]]] 
+  http://www.data.ks.uni-freiburg.de/download/praxisseminarSS11/dns-tunnel/Fabian%20Schillinger%20-%20DNS-Tunnel.pdf[Fabian Schillinger, DNS-Tunnel, Universität Freiburg 2011] 
+- [[[iodine]]] http://code.kryo.se/iodine/
+
diff --git a/doc/bilder/Model_model_Architektur.PNG b/doc/bilder/Model_model_Architektur.PNG
new file mode 100644
index 0000000..b326f5f
--- /dev/null
+++ b/doc/bilder/Model_model_Architektur.PNG
diff --git a/doc/bilder/logo.png b/doc/bilder/logo.png
new file mode 100644
index 0000000..5c28e32
--- /dev/null
+++ b/doc/bilder/logo.png
diff --git a/doc/bilder/model.di b/doc/bilder/model.di
new file mode 100644
index 0000000..c2b1564
--- /dev/null
+++ b/doc/bilder/model.di
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="ASCII"?>
+<di:SashWindowsMngr xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:di="http://www.eclipse.org/papyrus/0.7.0/sashdi">
+  <pageList>
+    <availablePage>
+      <emfPageIdentifier href="model.notation#_8KzMgJ1_EeKdgaaT-l6UWg"/>
+    </availablePage>
+    <availablePage/>
+    <availablePage/>
+    <availablePage/>
+    <availablePage/>
+    <availablePage/>
+    <availablePage/>
+    <availablePage/>
+  </pageList>
+  <sashModel currentSelection="//@sashModel/@windows.0/@children.0">
+    <windows>
+      <children xsi:type="di:TabFolder">
+        <children>
+          <emfPageIdentifier href="model.notation#_8KzMgJ1_EeKdgaaT-l6UWg"/>
+        </children>
+      </children>
+    </windows>
+  </sashModel>
+</di:SashWindowsMngr>
diff --git a/doc/bilder/model.notation b/doc/bilder/model.notation
new file mode 100644
index 0000000..d1dbcc3
--- /dev/null
+++ b/doc/bilder/model.notation
@@ -0,0 +1,298 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<notation:Diagram xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ecore="http://www.eclipse.org/emf/2002/Ecore" xmlns:notation="http://www.eclipse.org/gmf/runtime/1.0.2/notation" xmlns:uml="http://www.eclipse.org/uml2/3.0.0/UML" xmi:id="_8KzMgJ1_EeKdgaaT-l6UWg" type="PapyrusUMLClassDiagram" name="Architektur" measurementUnit="Pixel">
+  <children xmi:type="notation:Shape" xmi:id="_GCsesJ2AEeKdgaaT-l6UWg" type="2007" fontName="Sans" fontHeight="10" lineColor="0">
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_GCts0J2AEeKdgaaT-l6UWg" source="ShadowFigure">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_GCts0Z2AEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="false"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_GCuT4J2AEeKdgaaT-l6UWg" source="QualifiedName">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_GCuT4Z2AEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_MUsLwJ2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_MUsLwZ2BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+    </eAnnotations>
+    <children xmi:type="notation:DecorationNode" xmi:id="_GCuT4p2AEeKdgaaT-l6UWg" type="5026"/>
+    <children xmi:type="notation:DecorationNode" xmi:id="_GCuT452AEeKdgaaT-l6UWg" type="7016">
+      <children xmi:type="notation:Shape" xmi:id="_MjCmQJ2AEeKdgaaT-l6UWg" type="3010" fontName="Sans" fontHeight="10" lineColor="0">
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_MjD0Yp2AEeKdgaaT-l6UWg" source="QualifiedName">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_MjD0Y52AEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_66mTcJ2AEeKdgaaT-l6UWg" source="ShadowFigure">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_66m6gJ2AEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="false"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_LV194J2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_LV194Z2BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+        </eAnnotations>
+        <children xmi:type="notation:DecorationNode" xmi:id="_MjD0ZJ2AEeKdgaaT-l6UWg" type="5014"/>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_MjEbcJ2AEeKdgaaT-l6UWg" type="7011">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_MjEbcZ2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_MjEbcp2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_MjEbc52AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_MjEbdJ2AEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_MjEbdZ2AEeKdgaaT-l6UWg" visible="false" type="7012">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_MjEbdp2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_MjEbd52AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_MjFCgJ2AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_MjFCgZ2AEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_MjFCgp2AEeKdgaaT-l6UWg" visible="false" type="7013">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_MjFCg52AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_MjFChJ2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_MjFChZ2AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_MjFChp2AEeKdgaaT-l6UWg"/>
+        </children>
+        <element xmi:type="uml:Class" href="model.uml#_MjAxEJ2AEeKdgaaT-l6UWg"/>
+        <layoutConstraint xmi:type="notation:Bounds" xmi:id="_MjCmQZ2AEeKdgaaT-l6UWg" x="60" y="8" width="151"/>
+      </children>
+      <children xmi:type="notation:Shape" xmi:id="_U9JEwJ2AEeKdgaaT-l6UWg" type="3010" fontName="Sans" fontHeight="10" lineColor="0">
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_U9Jr0J2AEeKdgaaT-l6UWg" source="ShadowFigure">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_U9KS4J2AEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="false"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_U9K58J2AEeKdgaaT-l6UWg" source="QualifiedName">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_U9K58Z2AEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_L_bGYJ2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_L_btcJ2BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+        </eAnnotations>
+        <children xmi:type="notation:DecorationNode" xmi:id="_U9K58p2AEeKdgaaT-l6UWg" type="5014"/>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_U9K5852AEeKdgaaT-l6UWg" type="7011">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_U9K59J2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_U9K59Z2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_U9K59p2AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_U9K5952AEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_U9LhAJ2AEeKdgaaT-l6UWg" visible="false" type="7012">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_U9LhAZ2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_U9LhAp2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_U9LhA52AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_U9LhBJ2AEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_U9MIEJ2AEeKdgaaT-l6UWg" visible="false" type="7013">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_U9MIEZ2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_U9MIEp2AEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_U9MIE52AEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_U9MIFJ2AEeKdgaaT-l6UWg"/>
+        </children>
+        <element xmi:type="uml:Class" href="model.uml#_U9GogJ2AEeKdgaaT-l6UWg"/>
+        <layoutConstraint xmi:type="notation:Bounds" xmi:id="_U9JEwZ2AEeKdgaaT-l6UWg" x="410" y="8" width="166"/>
+      </children>
+      <children xmi:type="notation:Shape" xmi:id="_JS-uQJ2BEeKdgaaT-l6UWg" type="3010" fontName="Sans" fontHeight="10" lineColor="0">
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_JS_VUJ2BEeKdgaaT-l6UWg" source="ShadowFigure">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_JS_VUZ2BEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="true"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_JS_8YJ2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_JS_8YZ2BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_JS_8Yp2BEeKdgaaT-l6UWg" source="QualifiedName">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_JS_8Y52BEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+        </eAnnotations>
+        <children xmi:type="notation:DecorationNode" xmi:id="_JS_8ZJ2BEeKdgaaT-l6UWg" type="5014"/>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_JS_8ZZ2BEeKdgaaT-l6UWg" type="7011">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_JS_8Zp2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_JTAjcJ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_JTAjcZ2BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_JTAjcp2BEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_JTAjc52BEeKdgaaT-l6UWg" visible="false" type="7012">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_JTAjdJ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_JTAjdZ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_JTAjdp2BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_JTAjd52BEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_JTBKgJ2BEeKdgaaT-l6UWg" visible="false" type="7013">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_JTBKgZ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_JTBKgp2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_JTBKg52BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_JTBKhJ2BEeKdgaaT-l6UWg"/>
+        </children>
+        <element xmi:type="uml:Class" href="model.uml#_JS09QJ2BEeKdgaaT-l6UWg"/>
+        <layoutConstraint xmi:type="notation:Bounds" xmi:id="_JS-uQZ2BEeKdgaaT-l6UWg" x="60" y="172" width="151"/>
+      </children>
+      <children xmi:type="notation:Shape" xmi:id="_OkwJ4J2BEeKdgaaT-l6UWg" type="3010" fontName="Sans" fontHeight="10" lineColor="0">
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_Okww8J2BEeKdgaaT-l6UWg" source="ShadowFigure">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_Okww8Z2BEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="true"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_Okww8p2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_Okww852BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+        </eAnnotations>
+        <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_Okww9J2BEeKdgaaT-l6UWg" source="QualifiedName">
+          <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_Okww9Z2BEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+        </eAnnotations>
+        <children xmi:type="notation:DecorationNode" xmi:id="_OkxYAJ2BEeKdgaaT-l6UWg" type="5014"/>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_OkxYAZ2BEeKdgaaT-l6UWg" type="7011">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_OkxYAp2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_OkxYA52BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_OkxYBJ2BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_OkxYBZ2BEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_OkxYBp2BEeKdgaaT-l6UWg" visible="false" type="7012">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_OkxYB52BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_OkxYCJ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_OkxYCZ2BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_OkxYCp2BEeKdgaaT-l6UWg"/>
+        </children>
+        <children xmi:type="notation:BasicCompartment" xmi:id="_Okx_EJ2BEeKdgaaT-l6UWg" visible="false" type="7013">
+          <styles xmi:type="notation:TitleStyle" xmi:id="_Okx_EZ2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:SortingStyle" xmi:id="_Okx_Ep2BEeKdgaaT-l6UWg"/>
+          <styles xmi:type="notation:FilteringStyle" xmi:id="_Okx_E52BEeKdgaaT-l6UWg"/>
+          <layoutConstraint xmi:type="notation:Bounds" xmi:id="_Okx_FJ2BEeKdgaaT-l6UWg"/>
+        </children>
+        <element xmi:type="uml:Class" href="model.uml#_OkmY4J2BEeKdgaaT-l6UWg"/>
+        <layoutConstraint xmi:type="notation:Bounds" xmi:id="_OkwJ4Z2BEeKdgaaT-l6UWg" x="410" y="172" width="166"/>
+      </children>
+      <styles xmi:type="notation:TitleStyle" xmi:id="_GCuT5J2AEeKdgaaT-l6UWg"/>
+      <layoutConstraint xmi:type="notation:Bounds" xmi:id="_GCuT5Z2AEeKdgaaT-l6UWg"/>
+    </children>
+    <element xmi:type="uml:Package" href="model.uml#_GCWgcJ2AEeKdgaaT-l6UWg"/>
+    <layoutConstraint xmi:type="notation:Bounds" xmi:id="_GCsesZ2AEeKdgaaT-l6UWg" x="50" y="30" width="591" height="321"/>
+  </children>
+  <children xmi:type="notation:Shape" xmi:id="_ewq-4J2BEeKdgaaT-l6UWg" type="2002" fontName="Sans" fontHeight="10" lineColor="0">
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_ewrl8J2BEeKdgaaT-l6UWg" source="ShadowFigure">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_ewrl8Z2BEeKdgaaT-l6UWg" key="ShadowFigure_Value" value="true"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_ewsNAJ2BEeKdgaaT-l6UWg" source="displayNameLabelIcon">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_ewsNAZ2BEeKdgaaT-l6UWg" key="displayNameLabelIcon_value" value="true"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_ewsNAp2BEeKdgaaT-l6UWg" source="QualifiedName">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_ewsNA52BEeKdgaaT-l6UWg" key="QualifiedNameDepth" value="1000"/>
+    </eAnnotations>
+    <children xmi:type="notation:DecorationNode" xmi:id="_ewsNBJ2BEeKdgaaT-l6UWg" type="5005"/>
+    <children xmi:type="notation:BasicCompartment" xmi:id="_ewsNBZ2BEeKdgaaT-l6UWg" visible="false" type="7002">
+      <styles xmi:type="notation:TitleStyle" xmi:id="_ewsNBp2BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:SortingStyle" xmi:id="_ewsNB52BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:FilteringStyle" xmi:id="_ewsNCJ2BEeKdgaaT-l6UWg"/>
+      <layoutConstraint xmi:type="notation:Bounds" xmi:id="_ewsNCZ2BEeKdgaaT-l6UWg"/>
+    </children>
+    <children xmi:type="notation:BasicCompartment" xmi:id="_ews0EJ2BEeKdgaaT-l6UWg" visible="false" type="7003">
+      <styles xmi:type="notation:TitleStyle" xmi:id="_ews0EZ2BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:SortingStyle" xmi:id="_ews0Ep2BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:FilteringStyle" xmi:id="_ews0E52BEeKdgaaT-l6UWg"/>
+      <layoutConstraint xmi:type="notation:Bounds" xmi:id="_ews0FJ2BEeKdgaaT-l6UWg"/>
+    </children>
+    <children xmi:type="notation:BasicCompartment" xmi:id="_ews0FZ2BEeKdgaaT-l6UWg" visible="false" type="7004">
+      <styles xmi:type="notation:TitleStyle" xmi:id="_ews0Fp2BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:SortingStyle" xmi:id="_ews0F52BEeKdgaaT-l6UWg"/>
+      <styles xmi:type="notation:FilteringStyle" xmi:id="_ews0GJ2BEeKdgaaT-l6UWg"/>
+      <layoutConstraint xmi:type="notation:Bounds" xmi:id="_ews0GZ2BEeKdgaaT-l6UWg"/>
+    </children>
+    <element xmi:type="uml:Component" href="model.uml#_ewh08J2BEeKdgaaT-l6UWg"/>
+    <layoutConstraint xmi:type="notation:Bounds" xmi:id="_ewq-4Z2BEeKdgaaT-l6UWg" x="495" y="355"/>
+  </children>
+  <children xmi:type="notation:Shape" xmi:id="_WSCFYJ3TEeKUheNxQxhLXg" type="2012" fontName="Sans" fontHeight="10" lineColor="0">
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_WSCscJ3TEeKUheNxQxhLXg" source="ShadowFigure">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_WSCscZ3TEeKUheNxQxhLXg" key="ShadowFigure_Value" value="true"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_WSCscp3TEeKUheNxQxhLXg" source="displayNameLabelIcon">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_WSCsc53TEeKUheNxQxhLXg" key="displayNameLabelIcon_value" value="true"/>
+    </eAnnotations>
+    <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_WSDTgJ3TEeKUheNxQxhLXg" source="QualifiedName">
+      <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_WSDTgZ3TEeKUheNxQxhLXg" key="QualifiedNameDepth" value="1000"/>
+    </eAnnotations>
+    <children xmi:type="notation:DecorationNode" xmi:id="_WSDTgp3TEeKUheNxQxhLXg" type="5038"/>
+    <element xmi:type="uml:Comment" href="model.uml#_WRsuMJ3TEeKUheNxQxhLXg"/>
+    <layoutConstraint xmi:type="notation:Bounds" xmi:id="_WSCFYZ3TEeKUheNxQxhLXg" x="15" y="65" width="81" height="8"/>
+  </children>
+  <styles xmi:type="notation:DiagramStyle" xmi:id="_8KzMgZ1_EeKdgaaT-l6UWg"/>
+  <element xmi:type="uml:Model" href="model.uml#_8Kr3wJ1_EeKdgaaT-l6UWg"/>
+  <edges xmi:type="notation:Connector" xmi:id="_amNJkJ2BEeKdgaaT-l6UWg" type="4008" source="_MjCmQJ2AEeKdgaaT-l6UWg" target="_JS-uQJ2BEeKdgaaT-l6UWg" lineColor="0">
+    <children xmi:type="notation:DecorationNode" xmi:id="_amOXsJ2BEeKdgaaT-l6UWg" type="6026">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_amOXsZ2BEeKdgaaT-l6UWg" y="40"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_amOXsp2BEeKdgaaT-l6UWg" type="6027">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_amOXs52BEeKdgaaT-l6UWg" y="60"/>
+    </children>
+    <styles xmi:type="notation:FontStyle" xmi:id="_amNJkZ2BEeKdgaaT-l6UWg" fontName="Sans" fontHeight="10"/>
+    <element xmi:type="uml:Dependency" href="model.uml#_amFNwJ2BEeKdgaaT-l6UWg"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_amNJkp2BEeKdgaaT-l6UWg" points="[8, 19, 0, -114]$[8, 83, 0, -50]"/>
+    <sourceAnchor xmi:type="notation:IdentityAnchor" xmi:id="_amkV8J2BEeKdgaaT-l6UWg" id="(0.11920529801324503,0.94)"/>
+    <targetAnchor xmi:type="notation:IdentityAnchor" xmi:id="_bDhpAJ3UEeKUheNxQxhLXg" id="(0.11258278145695365,0.16)"/>
+  </edges>
+  <edges xmi:type="notation:Connector" xmi:id="_g9NH4J2BEeKdgaaT-l6UWg" type="4008" source="_ewq-4J2BEeKdgaaT-l6UWg" target="_OkwJ4J2BEeKdgaaT-l6UWg" lineColor="0">
+    <children xmi:type="notation:DecorationNode" xmi:id="_g9Nu8J2BEeKdgaaT-l6UWg" visible="false" type="6026">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_g9Nu8Z2BEeKdgaaT-l6UWg" y="40"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_g9OWAJ2BEeKdgaaT-l6UWg" type="6027">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_g9OWAZ2BEeKdgaaT-l6UWg" y="60"/>
+    </children>
+    <styles xmi:type="notation:FontStyle" xmi:id="_g9NH4Z2BEeKdgaaT-l6UWg" fontName="Sans" fontHeight="10"/>
+    <element xmi:type="uml:Dependency" href="model.uml#_g9FMEJ2BEeKdgaaT-l6UWg"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_g9NH4p2BEeKdgaaT-l6UWg" points="[-50, 15, 155, -50]$[-182, 72, 23, 7]"/>
+  </edges>
+  <edges xmi:type="notation:Connector" xmi:id="_glR20J3TEeKUheNxQxhLXg" type="4013" source="_WSCFYJ3TEeKUheNxQxhLXg" target="_MjCmQJ2AEeKdgaaT-l6UWg" lineColor="0">
+    <styles xmi:type="notation:FontStyle" xmi:id="_glR20Z3TEeKUheNxQxhLXg" fontName="Sans" fontHeight="10"/>
+    <element xsi:nil="true"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_glR20p3TEeKUheNxQxhLXg" points="[0, 0, -114, -97]$[39, 72, -75, -25]"/>
+    <sourceAnchor xmi:type="notation:IdentityAnchor" xmi:id="_glYkgJ3TEeKUheNxQxhLXg" id="(0.7297297297297297,1.0)"/>
+  </edges>
+  <edges xmi:type="notation:Connector" xmi:id="_0KF6QJ3TEeKUheNxQxhLXg" type="4001" source="_MjCmQJ2AEeKdgaaT-l6UWg" target="_U9JEwJ2AEeKdgaaT-l6UWg" lineColor="0">
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KGhUJ3TEeKUheNxQxhLXg" type="6001">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KGhUZ3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KGhUp3TEeKUheNxQxhLXg" type="6002">
+      <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="_8o8V4J3TEeKUheNxQxhLXg" source="QualifiedName">
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="_8o888J3TEeKUheNxQxhLXg" key="QualifiedNameDepth" value="2"/>
+      </eAnnotations>
+      <eAnnotations xmi:type="ecore:EAnnotation" xmi:id="__l8SgJ3TEeKUheNxQxhLXg" source="Stereotype_Annotation">
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="__6BFEJ3TEeKUheNxQxhLXg" key="StereotypeWithQualifiedNameList" value=""/>
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="__6BFEZ3TEeKUheNxQxhLXg" key="StereotypeList" value=""/>
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="__6BsIJ3TEeKUheNxQxhLXg" key="Stereotype_Presentation_Kind" value="HorizontalStereo"/>
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="__6BsIZ3TEeKUheNxQxhLXg" key="PropStereoDisplay" value=""/>
+        <details xmi:type="ecore:EStringToStringMapEntry" xmi:id="__6BsIp3TEeKUheNxQxhLXg" key="StereotypePropertyLocation" value="Compartment"/>
+      </eAnnotations>
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KGhU53TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KHIYJ3TEeKUheNxQxhLXg" type="6003">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KHIYZ3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KHIYp3TEeKUheNxQxhLXg" type="6005">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KHIY53TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KHIZJ3TEeKUheNxQxhLXg" type="6033">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KHIZZ3TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_0KHvcJ3TEeKUheNxQxhLXg" type="6034">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_0KHvcZ3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <styles xmi:type="notation:FontStyle" xmi:id="_0KF6QZ3TEeKUheNxQxhLXg" fontName="Sans" fontHeight="10"/>
+    <element xmi:type="uml:Association" href="model.uml#_0KC28J3TEeKUheNxQxhLXg"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_0KF6Qp3TEeKUheNxQxhLXg" points="[76, 8, -205, -25]$[261, 50, -20, 17]"/>
+    <targetAnchor xmi:type="notation:IdentityAnchor" xmi:id="_0KqiAJ3TEeKUheNxQxhLXg" id="(0.07228915662650602,0.57)"/>
+  </edges>
+  <edges xmi:type="notation:Connector" xmi:id="_18dPwJ3TEeKUheNxQxhLXg" type="4001" source="_JS-uQJ2BEeKdgaaT-l6UWg" target="_OkwJ4J2BEeKdgaaT-l6UWg" lineColor="0">
+    <children xmi:type="notation:DecorationNode" xmi:id="_18d20J3TEeKUheNxQxhLXg" type="6001">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18d20Z3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_18d20p3TEeKUheNxQxhLXg" type="6002">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18ed4J3TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_18ed4Z3TEeKUheNxQxhLXg" type="6003">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18ed4p3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_18ed453TEeKUheNxQxhLXg" type="6005">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18ed5J3TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_18ed5Z3TEeKUheNxQxhLXg" type="6033">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18fE8J3TEeKUheNxQxhLXg" y="20"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_18fE8Z3TEeKUheNxQxhLXg" type="6034">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_18fE8p3TEeKUheNxQxhLXg" y="-20"/>
+    </children>
+    <styles xmi:type="notation:FontStyle" xmi:id="_18dPwZ3TEeKUheNxQxhLXg" fontName="Sans" fontHeight="10"/>
+    <element xmi:type="uml:Association" href="model.uml#_18aMcJ3TEeKUheNxQxhLXg"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_18dPwp3TEeKUheNxQxhLXg" points="[76, 7, -283, -30]$[270, 27, -89, -10]"/>
+    <targetAnchor xmi:type="notation:IdentityAnchor" xmi:id="_18mZsJ3TEeKUheNxQxhLXg" id="(0.0,0.55)"/>
+  </edges>
+  <edges xmi:type="notation:Connector" xmi:id="_d6EYUJ3UEeKUheNxQxhLXg" type="4008" source="_JS-uQJ2BEeKdgaaT-l6UWg" target="_MjCmQJ2AEeKdgaaT-l6UWg" lineColor="0">
+    <children xmi:type="notation:DecorationNode" xmi:id="_d6FmcJ3UEeKUheNxQxhLXg" type="6026">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_d6FmcZ3UEeKUheNxQxhLXg" y="40"/>
+    </children>
+    <children xmi:type="notation:DecorationNode" xmi:id="_d6Fmcp3UEeKUheNxQxhLXg" type="6027">
+      <layoutConstraint xmi:type="notation:Location" xmi:id="_d6Fmc53UEeKUheNxQxhLXg" y="60"/>
+    </children>
+    <styles xmi:type="notation:FontStyle" xmi:id="_d6EYUZ3UEeKUheNxQxhLXg" fontName="Sans" fontHeight="10"/>
+    <element xmi:type="uml:Dependency" href="model.uml#_d6At8J3UEeKUheNxQxhLXg"/>
+    <bendpoints xmi:type="notation:RelativeBendpoints" xmi:id="_d6EYUp3UEeKUheNxQxhLXg" points="[2, -58, 0, 112]$[25, -170, 23, 0]"/>
+    <sourceAnchor xmi:type="notation:IdentityAnchor" xmi:id="_d6LGAJ3UEeKUheNxQxhLXg" id="(0.8344370860927153,0.58)"/>
+    <targetAnchor xmi:type="notation:IdentityAnchor" xmi:id="_d6LtEJ3UEeKUheNxQxhLXg" id="(0.847682119205298,0.52)"/>
+  </edges>
+</notation:Diagram>
diff --git a/doc/bilder/model.uml b/doc/bilder/model.uml
new file mode 100644
index 0000000..1bc0ff6
--- /dev/null
+++ b/doc/bilder/model.uml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<uml:Model xmi:version="2.1" xmlns:xmi="http://schema.omg.org/spec/XMI/2.1" xmlns:uml="http://www.eclipse.org/uml2/3.0.0/UML" xmi:id="_8Kr3wJ1_EeKdgaaT-l6UWg" name="model">
+  <ownedComment xmi:id="_WRsuMJ3TEeKUheNxQxhLXg" annotatedElement="_MjAxEJ2AEeKdgaaT-l6UWg">
+    <body> action.MAIN</body>
+  </ownedComment>
+  <packagedElement xmi:type="uml:Package" xmi:id="_GCWgcJ2AEeKdgaaT-l6UWg" name="org.xapek.andiodine">
+    <packagedElement xmi:type="uml:Class" xmi:id="_MjAxEJ2AEeKdgaaT-l6UWg" name="IodineMain" clientDependency="_aSTyoJ2AEeKdgaaT-l6UWg _amFNwJ2BEeKdgaaT-l6UWg">
+      <ownedAttribute xmi:id="_0KBo0J3TEeKUheNxQxhLXg" name="pref" type="_U9GogJ2AEeKdgaaT-l6UWg" association="_0KC28J3TEeKUheNxQxhLXg">
+        <upperValue xmi:type="uml:LiteralUnlimitedNatural" xmi:id="_0KBo0Z3TEeKUheNxQxhLXg" value="*"/>
+        <lowerValue xmi:type="uml:LiteralInteger" xmi:id="_0KBo0p3TEeKUheNxQxhLXg"/>
+      </ownedAttribute>
+    </packagedElement>
+    <packagedElement xmi:type="uml:Class" xmi:id="_U9GogJ2AEeKdgaaT-l6UWg" name="IodinePref"/>
+    <packagedElement xmi:type="uml:Dependency" xmi:id="_aSTyoJ2AEeKdgaaT-l6UWg" name="Dependency1" supplier="_U9GogJ2AEeKdgaaT-l6UWg" client="_MjAxEJ2AEeKdgaaT-l6UWg"/>
+    <packagedElement xmi:type="uml:Class" xmi:id="_JS09QJ2BEeKdgaaT-l6UWg" name="IodineVpnService" clientDependency="_YEmIcJ2BEeKdgaaT-l6UWg _d6At8J3UEeKUheNxQxhLXg">
+      <ownedAttribute xmi:id="_18Y-UJ3TEeKUheNxQxhLXg" name="IodineClient" type="_OkmY4J2BEeKdgaaT-l6UWg" association="_18aMcJ3TEeKUheNxQxhLXg">
+        <upperValue xmi:type="uml:LiteralUnlimitedNatural" xmi:id="_18Y-UZ3TEeKUheNxQxhLXg" value="1"/>
+        <lowerValue xmi:type="uml:LiteralInteger" xmi:id="_18Y-Up3TEeKUheNxQxhLXg" value="1"/>
+      </ownedAttribute>
+    </packagedElement>
+    <packagedElement xmi:type="uml:Class" xmi:id="_OkmY4J2BEeKdgaaT-l6UWg" name="IodineClient"/>
+    <packagedElement xmi:type="uml:Dependency" xmi:id="_YEmIcJ2BEeKdgaaT-l6UWg" name="" supplier="_OkmY4J2BEeKdgaaT-l6UWg" client="_JS09QJ2BEeKdgaaT-l6UWg"/>
+    <packagedElement xmi:type="uml:Dependency" xmi:id="_amFNwJ2BEeKdgaaT-l6UWg" name="CONTROL_*" supplier="_JS09QJ2BEeKdgaaT-l6UWg" client="_MjAxEJ2AEeKdgaaT-l6UWg"/>
+    <packagedElement xmi:type="uml:Association" xmi:id="_0KC28J3TEeKUheNxQxhLXg" name="preferences" visibility="private" memberEnd="_0KC28Z3TEeKUheNxQxhLXg _0KBo0J3TEeKUheNxQxhLXg">
+      <ownedEnd xmi:id="_0KC28Z3TEeKUheNxQxhLXg" name="main" type="_MjAxEJ2AEeKdgaaT-l6UWg" association="_0KC28J3TEeKUheNxQxhLXg">
+        <upperValue xmi:type="uml:LiteralUnlimitedNatural" xmi:id="_0KC28p3TEeKUheNxQxhLXg" value="1"/>
+        <lowerValue xmi:type="uml:LiteralInteger" xmi:id="_0KC2853TEeKUheNxQxhLXg" value="1"/>
+      </ownedEnd>
+    </packagedElement>
+    <packagedElement xmi:type="uml:Association" xmi:id="_18aMcJ3TEeKUheNxQxhLXg" name="Client" memberEnd="_18aMcZ3TEeKUheNxQxhLXg _18Y-UJ3TEeKUheNxQxhLXg">
+      <ownedEnd xmi:id="_18aMcZ3TEeKUheNxQxhLXg" name="service" type="_JS09QJ2BEeKdgaaT-l6UWg" association="_18aMcJ3TEeKUheNxQxhLXg">
+        <upperValue xmi:type="uml:LiteralUnlimitedNatural" xmi:id="_18aMcp3TEeKUheNxQxhLXg" value="1"/>
+        <lowerValue xmi:type="uml:LiteralInteger" xmi:id="_18aMc53TEeKUheNxQxhLXg" value="1"/>
+      </ownedEnd>
+    </packagedElement>
+    <packagedElement xmi:type="uml:Dependency" xmi:id="_d6At8J3UEeKUheNxQxhLXg" name="STATUS_*" supplier="_MjAxEJ2AEeKdgaaT-l6UWg" client="_JS09QJ2BEeKdgaaT-l6UWg"/>
+  </packagedElement>
+  <packagedElement xmi:type="uml:Component" xmi:id="_ewh08J2BEeKdgaaT-l6UWg" name="JNI/C-Code" clientDependency="_g9FMEJ2BEeKdgaaT-l6UWg"/>
+  <packagedElement xmi:type="uml:Dependency" xmi:id="_g9FMEJ2BEeKdgaaT-l6UWg" name="Verwendet JNI" supplier="_OkmY4J2BEeKdgaaT-l6UWg" client="_ewh08J2BEeKdgaaT-l6UWg"/>
+  <packagedElement xmi:type="uml:Signal" xmi:id="_tMcTAJ3QEeKUheNxQxhLXg" name="STATUS_CONNECT"/>
+</uml:Model>
diff --git a/doc/bilder/screen_main.png b/doc/bilder/screen_main.png
new file mode 100644
index 0000000..6a5f6d4
--- /dev/null
+++ b/doc/bilder/screen_main.png
diff --git a/doc/bilder/screen_pref.png b/doc/bilder/screen_pref.png
new file mode 100644
index 0000000..7592d66
--- /dev/null
+++ b/doc/bilder/screen_pref.png
diff --git a/doc/bilder/whiteboard_gui.jpg b/doc/bilder/whiteboard_gui.jpg
new file mode 100644
index 0000000..b778fac
--- /dev/null
+++ b/doc/bilder/whiteboard_gui.jpg
diff --git a/doc/bilder/whiteboard_intents.jpg b/doc/bilder/whiteboard_intents.jpg
new file mode 100644
index 0000000..2aed674
--- /dev/null
+++ b/doc/bilder/whiteboard_intents.jpg
diff --git a/doc/bilder/whiteboard_komponenten.jpg b/doc/bilder/whiteboard_komponenten.jpg
new file mode 100644
index 0000000..c468377
--- /dev/null
+++ b/doc/bilder/whiteboard_komponenten.jpg
diff --git a/doc/entwicklerdoku.html b/doc/entwicklerdoku.html
new file mode 100644
index 0000000..eea35fb
--- /dev/null
+++ b/doc/entwicklerdoku.html
@@ -0,0 +1,1284 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de">

+<head>

+<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />

+<meta name="generator" content="AsciiDoc 8.6.9" />

+<title>Android Iodine Entwicklerdokumentation</title>

+<style type="text/css">

+/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

+

+/* Default font. */

+body {

+  font-family: Georgia,serif;

+}

+

+/* Title font. */

+h1, h2, h3, h4, h5, h6,

+div.title, caption.title,

+thead, p.table.header,

+#toctitle,

+#author, #revnumber, #revdate, #revremark,

+#footer {

+  font-family: Arial,Helvetica,sans-serif;

+}

+

+body {

+  margin: 1em 5% 1em 5%;

+}

+

+a {

+  color: blue;

+  text-decoration: underline;

+}

+a:visited {

+  color: fuchsia;

+}

+

+em {

+  font-style: italic;

+  color: navy;

+}

+

+strong {

+  font-weight: bold;

+  color: #083194;

+}

+

+h1, h2, h3, h4, h5, h6 {

+  color: #527bbd;

+  margin-top: 1.2em;

+  margin-bottom: 0.5em;

+  line-height: 1.3;

+}

+

+h1, h2, h3 {

+  border-bottom: 2px solid silver;

+}

+h2 {

+  padding-top: 0.5em;

+}

+h3 {

+  float: left;

+}

+h3 + * {

+  clear: left;

+}

+h5 {

+  font-size: 1.0em;

+}

+

+div.sectionbody {

+  margin-left: 0;

+}

+

+hr {

+  border: 1px solid silver;

+}

+

+p {

+  margin-top: 0.5em;

+  margin-bottom: 0.5em;

+}

+

+ul, ol, li > p {

+  margin-top: 0;

+}

+ul > li     { color: #aaa; }

+ul > li > * { color: black; }

+

+.monospaced, code, pre {

+  font-family: "Courier New", Courier, monospace;

+  font-size: inherit;

+  color: navy;

+  padding: 0;

+  margin: 0;

+}

+pre {

+  white-space: pre-wrap;

+}

+

+#author {

+  color: #527bbd;

+  font-weight: bold;

+  font-size: 1.1em;

+}

+#email {

+}

+#revnumber, #revdate, #revremark {

+}

+

+#footer {

+  font-size: small;

+  border-top: 2px solid silver;

+  padding-top: 0.5em;

+  margin-top: 4.0em;

+}

+#footer-text {

+  float: left;

+  padding-bottom: 0.5em;

+}

+#footer-badges {

+  float: right;

+  padding-bottom: 0.5em;

+}

+

+#preamble {

+  margin-top: 1.5em;

+  margin-bottom: 1.5em;

+}

+div.imageblock, div.exampleblock, div.verseblock,

+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,

+div.admonitionblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+div.admonitionblock {

+  margin-top: 2.0em;

+  margin-bottom: 2.0em;

+  margin-right: 10%;

+  color: #606060;

+}

+

+div.content { /* Block element content. */

+  padding: 0;

+}

+

+/* Block element titles. */

+div.title, caption.title {

+  color: #527bbd;

+  font-weight: bold;

+  text-align: left;

+  margin-top: 1.0em;

+  margin-bottom: 0.5em;

+}

+div.title + * {

+  margin-top: 0;

+}

+

+td div.title:first-child {

+  margin-top: 0.0em;

+}

+div.content div.title:first-child {

+  margin-top: 0.0em;

+}

+div.content + div.title {

+  margin-top: 0.0em;

+}

+

+div.sidebarblock > div.content {

+  background: #ffffee;

+  border: 1px solid #dddddd;

+  border-left: 4px solid #f0f0f0;

+  padding: 0.5em;

+}

+

+div.listingblock > div.content {

+  border: 1px solid #dddddd;

+  border-left: 5px solid #f0f0f0;

+  background: #f8f8f8;

+  padding: 0.5em;

+}

+

+div.quoteblock, div.verseblock {

+  padding-left: 1.0em;

+  margin-left: 1.0em;

+  margin-right: 10%;

+  border-left: 5px solid #f0f0f0;

+  color: #888;

+}

+

+div.quoteblock > div.attribution {

+  padding-top: 0.5em;

+  text-align: right;

+}

+

+div.verseblock > pre.content {

+  font-family: inherit;

+  font-size: inherit;

+}

+div.verseblock > div.attribution {

+  padding-top: 0.75em;

+  text-align: left;

+}

+/* DEPRECATED: Pre version 8.2.7 verse style literal block. */

+div.verseblock + div.attribution {

+  text-align: left;

+}

+

+div.admonitionblock .icon {

+  vertical-align: top;

+  font-size: 1.1em;

+  font-weight: bold;

+  text-decoration: underline;

+  color: #527bbd;

+  padding-right: 0.5em;

+}

+div.admonitionblock td.content {

+  padding-left: 0.5em;

+  border-left: 3px solid #dddddd;

+}

+

+div.exampleblock > div.content {

+  border-left: 3px solid #dddddd;

+  padding-left: 0.5em;

+}

+

+div.imageblock div.content { padding-left: 0; }

+span.image img { border-style: none; vertical-align: text-bottom; }

+a.image:visited { color: white; }

+

+dl {

+  margin-top: 0.8em;

+  margin-bottom: 0.8em;

+}

+dt {

+  margin-top: 0.5em;

+  margin-bottom: 0;

+  font-style: normal;

+  color: navy;

+}

+dd > *:first-child {

+  margin-top: 0.1em;

+}

+

+ul, ol {

+    list-style-position: outside;

+}

+ol.arabic {

+  list-style-type: decimal;

+}

+ol.loweralpha {

+  list-style-type: lower-alpha;

+}

+ol.upperalpha {

+  list-style-type: upper-alpha;

+}

+ol.lowerroman {

+  list-style-type: lower-roman;

+}

+ol.upperroman {

+  list-style-type: upper-roman;

+}

+

+div.compact ul, div.compact ol,

+div.compact p, div.compact p,

+div.compact div, div.compact div {

+  margin-top: 0.1em;

+  margin-bottom: 0.1em;

+}

+

+tfoot {

+  font-weight: bold;

+}

+td > div.verse {

+  white-space: pre;

+}

+

+div.hdlist {

+  margin-top: 0.8em;

+  margin-bottom: 0.8em;

+}

+div.hdlist tr {

+  padding-bottom: 15px;

+}

+dt.hdlist1.strong, td.hdlist1.strong {

+  font-weight: bold;

+}

+td.hdlist1 {

+  vertical-align: top;

+  font-style: normal;

+  padding-right: 0.8em;

+  color: navy;

+}

+td.hdlist2 {

+  vertical-align: top;

+}

+div.hdlist.compact tr {

+  margin: 0;

+  padding-bottom: 0;

+}

+

+.comment {

+  background: yellow;

+}

+

+.footnote, .footnoteref {

+  font-size: 0.8em;

+}

+

+span.footnote, span.footnoteref {

+  vertical-align: super;

+}

+

+#footnotes {

+  margin: 20px 0 20px 0;

+  padding: 7px 0 0 0;

+}

+

+#footnotes div.footnote {

+  margin: 0 0 5px 0;

+}

+

+#footnotes hr {

+  border: none;

+  border-top: 1px solid silver;

+  height: 1px;

+  text-align: left;

+  margin-left: 0;

+  width: 20%;

+  min-width: 100px;

+}

+

+div.colist td {

+  padding-right: 0.5em;

+  padding-bottom: 0.3em;

+  vertical-align: top;

+}

+div.colist td img {

+  margin-top: 0.3em;

+}

+

+@media print {

+  #footer-badges { display: none; }

+}

+

+#toc {

+  margin-bottom: 2.5em;

+}

+

+#toctitle {

+  color: #527bbd;

+  font-size: 1.1em;

+  font-weight: bold;

+  margin-top: 1.0em;

+  margin-bottom: 0.1em;

+}

+

+div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {

+  margin-top: 0;

+  margin-bottom: 0;

+}

+div.toclevel2 {

+  margin-left: 2em;

+  font-size: 0.9em;

+}

+div.toclevel3 {

+  margin-left: 4em;

+  font-size: 0.9em;

+}

+div.toclevel4 {

+  margin-left: 6em;

+  font-size: 0.9em;

+}

+

+span.aqua { color: aqua; }

+span.black { color: black; }

+span.blue { color: blue; }

+span.fuchsia { color: fuchsia; }

+span.gray { color: gray; }

+span.green { color: green; }

+span.lime { color: lime; }

+span.maroon { color: maroon; }

+span.navy { color: navy; }

+span.olive { color: olive; }

+span.purple { color: purple; }

+span.red { color: red; }

+span.silver { color: silver; }

+span.teal { color: teal; }

+span.white { color: white; }

+span.yellow { color: yellow; }

+

+span.aqua-background { background: aqua; }

+span.black-background { background: black; }

+span.blue-background { background: blue; }

+span.fuchsia-background { background: fuchsia; }

+span.gray-background { background: gray; }

+span.green-background { background: green; }

+span.lime-background { background: lime; }

+span.maroon-background { background: maroon; }

+span.navy-background { background: navy; }

+span.olive-background { background: olive; }

+span.purple-background { background: purple; }

+span.red-background { background: red; }

+span.silver-background { background: silver; }

+span.teal-background { background: teal; }

+span.white-background { background: white; }

+span.yellow-background { background: yellow; }

+

+span.big { font-size: 2em; }

+span.small { font-size: 0.6em; }

+

+span.underline { text-decoration: underline; }

+span.overline { text-decoration: overline; }

+span.line-through { text-decoration: line-through; }

+

+div.unbreakable { page-break-inside: avoid; }

+

+

+/*

+ * xhtml11 specific

+ *

+ * */

+

+div.tableblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+div.tableblock > table {

+  border: 3px solid #527bbd;

+}

+thead, p.table.header {

+  font-weight: bold;

+  color: #527bbd;

+}

+p.table {

+  margin-top: 0;

+}

+/* Because the table frame attribute is overriden by CSS in most browsers. */

+div.tableblock > table[frame="void"] {

+  border-style: none;

+}

+div.tableblock > table[frame="hsides"] {

+  border-left-style: none;

+  border-right-style: none;

+}

+div.tableblock > table[frame="vsides"] {

+  border-top-style: none;

+  border-bottom-style: none;

+}

+

+

+/*

+ * html5 specific

+ *

+ * */

+

+table.tableblock {

+  margin-top: 1.0em;

+  margin-bottom: 1.5em;

+}

+thead, p.tableblock.header {

+  font-weight: bold;

+  color: #527bbd;

+}

+p.tableblock {

+  margin-top: 0;

+}

+table.tableblock {

+  border-width: 3px;

+  border-spacing: 0px;

+  border-style: solid;

+  border-color: #527bbd;

+  border-collapse: collapse;

+}

+th.tableblock, td.tableblock {

+  border-width: 1px;

+  padding: 4px;

+  border-style: solid;

+  border-color: #527bbd;

+}

+

+table.tableblock.frame-topbot {

+  border-left-style: hidden;

+  border-right-style: hidden;

+}

+table.tableblock.frame-sides {

+  border-top-style: hidden;

+  border-bottom-style: hidden;

+}

+table.tableblock.frame-none {

+  border-style: hidden;

+}

+

+th.tableblock.halign-left, td.tableblock.halign-left {

+  text-align: left;

+}

+th.tableblock.halign-center, td.tableblock.halign-center {

+  text-align: center;

+}

+th.tableblock.halign-right, td.tableblock.halign-right {

+  text-align: right;

+}

+

+th.tableblock.valign-top, td.tableblock.valign-top {

+  vertical-align: top;

+}

+th.tableblock.valign-middle, td.tableblock.valign-middle {

+  vertical-align: middle;

+}

+th.tableblock.valign-bottom, td.tableblock.valign-bottom {

+  vertical-align: bottom;

+}

+

+

+/*

+ * manpage specific

+ *

+ * */

+

+body.manpage h1 {

+  padding-top: 0.5em;

+  padding-bottom: 0.5em;

+  border-top: 2px solid silver;

+  border-bottom: 2px solid silver;

+}

+body.manpage h2 {

+  border-style: none;

+}

+body.manpage div.sectionbody {

+  margin-left: 3em;

+}

+

+@media print {

+  body.manpage div#toc { display: none; }

+}

+

+

+</style>

+<script type="text/javascript">

+/*<![CDATA[*/

+var asciidoc = {  // Namespace.

+

+/////////////////////////////////////////////////////////////////////

+// Table Of Contents generator

+/////////////////////////////////////////////////////////////////////

+

+/* Author: Mihai Bazon, September 2002

+ * http://students.infoiasi.ro/~mishoo

+ *

+ * Table Of Content generator

+ * Version: 0.4

+ *

+ * Feel free to use this script under the terms of the GNU General Public

+ * License, as long as you do not remove or alter this notice.

+ */

+

+ /* modified by Troy D. Hanson, September 2006. License: GPL */

+ /* modified by Stuart Rackham, 2006, 2009. License: GPL */

+

+// toclevels = 1..4.

+toc: function (toclevels) {

+

+  function getText(el) {

+    var text = "";

+    for (var i = el.firstChild; i != null; i = i.nextSibling) {

+      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.

+        text += i.data;

+      else if (i.firstChild != null)

+        text += getText(i);

+    }

+    return text;

+  }

+

+  function TocEntry(el, text, toclevel) {

+    this.element = el;

+    this.text = text;

+    this.toclevel = toclevel;

+  }

+

+  function tocEntries(el, toclevels) {

+    var result = new Array;

+    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');

+    // Function that scans the DOM tree for header elements (the DOM2

+    // nodeIterator API would be a better technique but not supported by all

+    // browsers).

+    var iterate = function (el) {

+      for (var i = el.firstChild; i != null; i = i.nextSibling) {

+        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {

+          var mo = re.exec(i.tagName);

+          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {

+            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);

+          }

+          iterate(i);

+        }

+      }

+    }

+    iterate(el);

+    return result;

+  }

+

+  var toc = document.getElementById("toc");

+  if (!toc) {

+    return;

+  }

+

+  // Delete existing TOC entries in case we're reloading the TOC.

+  var tocEntriesToRemove = [];

+  var i;

+  for (i = 0; i < toc.childNodes.length; i++) {

+    var entry = toc.childNodes[i];

+    if (entry.nodeName.toLowerCase() == 'div'

+     && entry.getAttribute("class")

+     && entry.getAttribute("class").match(/^toclevel/))

+      tocEntriesToRemove.push(entry);

+  }

+  for (i = 0; i < tocEntriesToRemove.length; i++) {

+    toc.removeChild(tocEntriesToRemove[i]);

+  }

+

+  // Rebuild TOC entries.

+  var entries = tocEntries(document.getElementById("content"), toclevels);

+  for (var i = 0; i < entries.length; ++i) {

+    var entry = entries[i];

+    if (entry.element.id == "")

+      entry.element.id = "_toc_" + i;

+    var a = document.createElement("a");

+    a.href = "#" + entry.element.id;

+    a.appendChild(document.createTextNode(entry.text));

+    var div = document.createElement("div");

+    div.appendChild(a);

+    div.className = "toclevel" + entry.toclevel;

+    toc.appendChild(div);

+  }

+  if (entries.length == 0)

+    toc.parentNode.removeChild(toc);

+},

+

+

+/////////////////////////////////////////////////////////////////////

+// Footnotes generator

+/////////////////////////////////////////////////////////////////////

+

+/* Based on footnote generation code from:

+ * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html

+ */

+

+footnotes: function () {

+  // Delete existing footnote entries in case we're reloading the footnodes.

+  var i;

+  var noteholder = document.getElementById("footnotes");

+  if (!noteholder) {

+    return;

+  }

+  var entriesToRemove = [];

+  for (i = 0; i < noteholder.childNodes.length; i++) {

+    var entry = noteholder.childNodes[i];

+    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")

+      entriesToRemove.push(entry);

+  }

+  for (i = 0; i < entriesToRemove.length; i++) {

+    noteholder.removeChild(entriesToRemove[i]);

+  }

+

+  // Rebuild footnote entries.

+  var cont = document.getElementById("content");

+  var spans = cont.getElementsByTagName("span");

+  var refs = {};

+  var n = 0;

+  for (i=0; i<spans.length; i++) {

+    if (spans[i].className == "footnote") {

+      n++;

+      var note = spans[i].getAttribute("data-note");

+      if (!note) {

+        // Use [\s\S] in place of . so multi-line matches work.

+        // Because JavaScript has no s (dotall) regex flag.

+        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];

+        spans[i].innerHTML =

+          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +

+          "' title='View footnote' class='footnote'>" + n + "</a>]";

+        spans[i].setAttribute("data-note", note);

+      }

+      noteholder.innerHTML +=

+        "<div class='footnote' id='_footnote_" + n + "'>" +

+        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +

+        n + "</a>. " + note + "</div>";

+      var id =spans[i].getAttribute("id");

+      if (id != null) refs["#"+id] = n;

+    }

+  }

+  if (n == 0)

+    noteholder.parentNode.removeChild(noteholder);

+  else {

+    // Process footnoterefs.

+    for (i=0; i<spans.length; i++) {

+      if (spans[i].className == "footnoteref") {

+        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");

+        href = href.match(/#.*/)[0];  // Because IE return full URL.

+        n = refs[href];

+        spans[i].innerHTML =

+          "[<a href='#_footnote_" + n +

+          "' title='View footnote' class='footnote'>" + n + "</a>]";

+      }

+    }

+  }

+},

+

+install: function(toclevels) {

+  var timerId;

+

+  function reinstall() {

+    asciidoc.footnotes();

+    if (toclevels) {

+      asciidoc.toc(toclevels);

+    }

+  }

+

+  function reinstallAndRemoveTimer() {

+    clearInterval(timerId);

+    reinstall();

+  }

+

+  timerId = setInterval(reinstall, 500);

+  if (document.addEventListener)

+    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);

+  else

+    window.onload = reinstallAndRemoveTimer;

+}

+

+}

+asciidoc.install(2);

+/*]]>*/

+</script>

+</head>

+<body class="article">

+<div id="header">

+<h1>Android Iodine Entwicklerdokumentation</h1>

+<span id="author">Yves Fischer</span><br />

+<span id="revdate">April 2013</span>

+<div id="toc">
+  <div id="toctitle">Inhaltsverzeichnis</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>

+</div>

+<div id="content">

+<div id="preamble">

+<div class="sectionbody">

+<div class="quoteblock">

+<div class="content">

+<div class="paragraph"><p>Die Dokumentation ist zweigeteilt. Dieser Teil enthält eine technische Beschreibung.

+Die Bedienung und Funktionsweise ist in der <em>Anwenderdokumentation</em> beschrieben.</p></div>

+</div>

+<div class="attribution">

+</div></div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_aufbau">Aufbau</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Die Anwendung besteht im groben aus 4 Komponenten</p></div>

+<div class="ulist"><ul>

+<li>

+<p>

+Activity <code>.IodineMain</code>

+</p>

+</li>

+<li>

+<p>

+Activity Verbindungseinstellungen <code>.IodinePref</code>

+</p>

+</li>

+<li>

+<p>

+Tunnel Service <code>VpnService</code> und den JNI Bindings <code>IodineClient</code>

+</p>

+</li>

+<li>

+<p>

+Konfigurationsverwaltung <code>.config.ConfigDatabase</code> und <code>.config.IodineConfiguration</code>

+</p>

+</li>

+</ul></div>

+<div class="paragraph"><p><a href="#whiteboard-komponenten">[whiteboard-komponenten]</a> zeigt Architektur der Anwendung:</p></div>

+<div class="imageblock" id="whiteboard-komponenten" style="text-align:center;">

+<div class="content">

+<img src="bilder/Model_model_Architektur.PNG" alt="bilder/Model_model_Architektur.PNG" width="500px" />

+</div>

+<div class="title">Abbildung 1. Architektur der Anwendung</div>

+</div>

+<div class="sect2">

+<h3 id="_benutzeroberfläche">Benutzeroberfläche</h3>

+<div class="paragraph"><p>Die Haupt Activity <code>.IodineMain</code> startet den "VpnService" und steuert

+ihn über Broadcast Intents. In dieser Activity steuert der Benutzer den

+Auf- und Abbau der Tunnel. Über ein Button in der ActionToolbar kann

+eine neue Tunnelkonfiguration angelegt werden.</p></div>

+<div class="paragraph"><p>Die Interaktion zwischen des Benutzers in der Anwendung ist in

+<a href="#whiteboard-gui">[whiteboard-gui]</a> visuell dargestellt:</p></div>

+<div class="imageblock" id="whiteboard-gui" style="text-align:center;">

+<div class="content">

+<img src="bilder/whiteboard_gui.jpg" alt="bilder/whiteboard_gui.jpg" width="500px" />

+</div>

+<div class="title">Abbildung 2. Graphischer Aufbau der GUI</div>

+</div>

+</div>

+<div class="sect2">

+<h3 id="_konfiguration">Konfiguration</h3>

+<div class="paragraph"><p>Die Tunnelkonfigurationen werden in einer SQLite Datenbank abgelegt. Es

+existiert mit <code>.config.IodineConfiguration</code> ein leichtgewichtiger Proxy

+um die Android <code>ContentValues</code> Klasse. Die <code>.config.ConfigDatabase</code> Klasse

+ist ein <code>SQLiteOpenHelper</code> und kann mehrfach instanziert werden.</p></div>

+</div>

+<div class="sect2">

+<h3 id="_vpn_service">VPN-Service</h3>

+<div class="paragraph"><p>Der VPN Service hat 5 Zustände die er über Broadcast Intents mitteilt.

+Eine solche Mitteilung wird verschickt wenn sich der Zustand ändert oder

+dies über ACTION_CONTROL_UPDATE angefordert wurde.</p></div>

+<div class="paragraph"><p>Die Kommunikation der Oberfläche mit dem VPN Service erfolgt mit Broadcasts Intents.</p></div>

+<div class="paragraph"><p><a href="#whiteboard-intents">[whiteboard-intents]</a> zeigt die Zustände des Iodine VPN-Service. Rot nummeriert sind die

+Intents die der Service verschickt um über Statusänderungen zu informieren. Blau nummeriert

+sind Intents mit denen der Service gesteuert werden kann.</p></div>

+<div class="imageblock" id="whiteboard-intents" style="text-align:center;">

+<div class="content">

+<img src="bilder/whiteboard_intents.jpg" alt="bilder/whiteboard_intents.jpg" width="500px" />

+</div>

+<div class="title">Abbildung 3. Status Informations und Steuerungs Intents des VPN Service</div>

+</div>

+</div>

+<div class="sect2">

+<h3 id="_jni">JNI</h3>

+<div class="paragraph"><p>Die JNI Methoden für iodine befinden sich in der Klasse <code>.IodineClient</code>

+bzw. <code>/jni/iodine-client.c</code>. <code>IodineClient#connect</code> ersetzt dabei prinzipiell

+die <code>main()</code> des ursprünglichen iodine Client.</p></div>

+<div class="paragraph"><p>Weitere Methoden dienen dem Austausch der vom Server übermittelten Konfiguration

+und des im System eingestellten DNS Server.</p></div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_android_vpn_framework">Android VPN-Framework</h2>

+<div class="sectionbody">

+<div class="paragraph"><p>Seit API Level 14/Android 4 ist es möglich VPN Verbindungen mit Android

+Anwendungen aufzubauen und zu verwalten.</p></div>

+<div class="paragraph"><p>Die Application benötigt dazu die Permission

+<code>android.permission.BIND_VPN_SERVICE</code>.</p></div>

+<div class="paragraph"><p>Bevor eine Anwendung das erste mal eine VPN Verbindung aufbauen darf

+wird Android sicherheitshalber den Benutzer explizit um Erlaubnis

+fragen.</p></div>

+<div class="paragraph"><p>Dazu wird <code>IodineVpnService.prepare(this)</code> <a href="#vpnapi">[vpnapi]</a>

+aufgerufen. Wird null zurückgegeben hat der Benutzer VPN Verbindungen

+dieser App bereits früher zugestimmt. Andernfalls wird ein Intent

+zurückgegeben mit dem die Benutzernachfrage initiiert werden kann.</p></div>

+<div class="listingblock">

+<div class="content"><!-- Generator: GNU source-highlight 3.1.6

+by Lorenzo Bettini

+http://www.lorenzobettini.it

+http://www.gnu.org/software/src-highlite -->

+<pre><tt>  <span style="font-weight: bold"><span style="color: #0000FF">public</span></span> <span style="color: #009900">void</span> <span style="font-weight: bold"><span style="color: #000000">tunnel</span></span><span style="color: #990000">()</span> <span style="color: #FF0000">{</span>

+    <span style="color: #008080">Intent</span> intent <span style="color: #990000">=</span> IodineVpnService<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">prepare</span></span><span style="color: #990000">(</span><span style="font-weight: bold"><span style="color: #0000FF">this</span></span><span style="color: #990000">);</span>

+    <span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>intent <span style="color: #990000">!=</span> <span style="font-weight: bold"><span style="color: #0000FF">null</span></span><span style="color: #990000">)</span> <span style="color: #FF0000">{</span>

+      <span style="font-style: italic"><span style="color: #9A1900">// Ask for permission</span></span>

+      intent<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">putExtra</span></span><span style="color: #990000">(</span>IodineVpnService<span style="color: #990000">.</span>EXTRA_CONFIGURATION_ID<span style="color: #990000">,</span> configuration<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">getId</span></span><span style="color: #990000">());</span>

+      <span style="font-weight: bold"><span style="color: #000000">startActivityForResult</span></span><span style="color: #990000">(</span>intent<span style="color: #990000">,</span> INTENT_REQUEST_CODE_PREPARE<span style="color: #990000">);</span>

+    <span style="color: #FF0000">}</span> <span style="font-weight: bold"><span style="color: #0000FF">else</span></span> <span style="color: #FF0000">{</span>

+      <span style="font-style: italic"><span style="color: #9A1900">// Permission already granted</span></span>

+      <span style="font-weight: bold"><span style="color: #000000">startVPNService</span></span><span style="color: #990000">();</span>

+    <span style="color: #FF0000">}</span>

+  <span style="color: #FF0000">}</span>

+

+  @Override

+  <span style="font-weight: bold"><span style="color: #0000FF">protected</span></span> <span style="color: #009900">void</span> <span style="font-weight: bold"><span style="color: #000000">onActivityResult</span></span><span style="color: #990000">(</span><span style="color: #009900">int</span> requestCode<span style="color: #990000">,</span> <span style="color: #009900">int</span> resultCode<span style="color: #990000">,</span> <span style="color: #008080">Intent</span> data<span style="color: #990000">)</span> <span style="color: #FF0000">{</span>

+    <span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>requestCode <span style="color: #990000">==</span> INTENT_REQUEST_CODE_PREPARE<span style="color: #990000">)</span> <span style="color: #FF0000">{</span>

+      <span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>resultCode <span style="color: #990000">==</span> RESULT_OK<span style="color: #990000">)</span> <span style="color: #FF0000">{</span>

+        <span style="font-weight: bold"><span style="color: #000000">startVPNService</span></span><span style="color: #990000">();</span>

+      <span style="color: #FF0000">}</span> <span style="font-weight: bold"><span style="color: #0000FF">else</span></span> <span style="color: #FF0000">{</span>

+        <span style="font-style: italic"><span style="color: #9A1900">// User denied permission</span></span>

+      <span style="color: #FF0000">}</span>

+    <span style="color: #FF0000">}</span>

+  <span style="color: #FF0000">}</span>

+

+  <span style="font-weight: bold"><span style="color: #0000FF">private</span></span> <span style="color: #009900">void</span> <span style="font-weight: bold"><span style="color: #000000">startVPNService</span></span><span style="color: #990000">()</span> <span style="color: #FF0000">{</span>

+    <span style="font-style: italic"><span style="color: #9A1900">// Start VPN with VPNService.Builder</span></span>

+  <span style="color: #FF0000">}</span></tt></pre></div></div>

+<div class="paragraph"><p>Der weitere Weg mit dem <code>VPNService.Builder</code> ist geradelinig. Im Fall

+von iodine wird zunächst der Tunnel über DNS aufgebaut bevor das

+tun-Interface geöffnet wird.</p></div>

+<div class="paragraph"><p>Nachdem vom Server die IP-Konfiguration mitgeteilt wurde, wird diese im

+<code>Builder</code> gesetzt und der Tunnel geöffnet:</p></div>

+<div class="listingblock">

+<div class="content"><!-- Generator: GNU source-highlight 3.1.6

+by Lorenzo Bettini

+http://www.lorenzobettini.it

+http://www.gnu.org/software/src-highlite -->

+<pre><tt>    <span style="font-style: italic"><span style="color: #9A1900">// .... IodineVpnService.java :: runTunnel()</span></span>

+    b<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">addAddress</span></span><span style="color: #990000">(</span>hostAddress<span style="color: #990000">,</span> netbits<span style="color: #990000">);</span>

+    b<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">addRoute</span></span><span style="color: #990000">(</span><span style="color: #FF0000">"0.0.0.0"</span><span style="color: #990000">,</span> <span style="color: #993399">0</span><span style="color: #990000">);</span> <span style="font-style: italic"><span style="color: #9A1900">// Default Route</span></span>

+    b<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">setMtu</span></span><span style="color: #990000">(</span>mtu<span style="color: #990000">);</span>

+

+    <span style="font-style: italic"><span style="color: #9A1900">// Opens tun device</span></span>

+    <span style="color: #008080">ParcelFileDescriptor</span> parcelFD <span style="color: #990000">=</span> b<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">establish</span></span><span style="color: #990000">();</span>

+

+    <span style="font-style: italic"><span style="color: #9A1900">// prevent dns traffic to get through its own tunnel</span></span>

+    <span style="font-weight: bold"><span style="color: #000000">protect</span></span><span style="color: #990000">(</span>IodineClient<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">getDnsFd</span></span><span style="color: #990000">());</span>

+

+    <span style="font-style: italic"><span style="color: #9A1900">// get the filedescriptor</span></span>

+    <span style="color: #009900">int</span> tun_fd <span style="color: #990000">=</span> parcelFD<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">detachFd</span></span><span style="color: #990000">();</span>

+

+    <span style="font-style: italic"><span style="color: #9A1900">// pass the filedescriptor to iodine</span></span>

+    IodineClient<span style="color: #990000">.</span><span style="font-weight: bold"><span style="color: #000000">tunnel</span></span><span style="color: #990000">(</span>tun_fd<span style="color: #990000">);</span></tt></pre></div></div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_iodine">iodine</h2>

+<div class="sectionbody">

+<div class="sect2">

+<h3 id="_verbindungsaufbau_handshake">Verbindungsaufbau (Handshake)</h3>

+<div class="paragraph"><p>Der folgende Text zeigt ein Beispiel für den Ablauf eines Handshake. Der genaue Ablauf kann

+variieren jenachdem wie die Verbindungsparameter gewählt werden.</p></div>

+<div class="paragraph"><p>Hier sind gewählt -m 768 fragment size und ein 9 Zeichen

+Passwort. Die Gegenstelle ist <code>t.yves.tw</code>. Eine Raw (direkte UDP) Verbindung

+wurde verhindert indem der Rechner zum Testzeitpunkt keine default Route hatte.</p></div>

+<div class="paragraph"><p>RX/TX aus der Sicht des Servers. Die "*" in den Hostnamen markieren Zeichen die

+sich aus Random Daten ergeben.</p></div>

+<div class="listingblock">

+<div class="content"><!-- Generator: GNU source-highlight 3.1.6

+by Lorenzo Bettini

+http://www.lorenzobettini.it

+http://www.gnu.org/software/src-highlite -->

+<pre><tt>    <span style="color: #990000">==</span> Der Client testet die Qualitaet der Uebertragung

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handshake_qtype_autodetect</span></span><span style="color: #990000">()</span>

+              <span style="color: #990000">-&gt;</span> <span style="font-weight: bold"><span style="color: #000000">handshake_qtypetest</span></span><span style="color: #990000">()</span>

+              <span style="color: #990000">-&gt;</span> <span style="font-weight: bold"><span style="color: #000000">send_downenctest</span></span><span style="color: #990000">()</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">"y"</span>

+      hostanme<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> downenc <span style="color: #990000">=</span> <span style="color: #FF0000">'r'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> variant <span style="color: #990000">=</span> <span style="color: #993399">1</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'b'</span> <span style="color: #990000">(</span>b32<span style="color: #990000">)</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">..</span><span style="color: #993399">5</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> rand_seed<span style="color: #990000">++</span>

+      RX<span style="color: #990000">:</span> yrb<span style="color: #990000">***.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> <span style="color: #993399">48</span> bytes <span style="color: #008080">aus</span> encoding<span style="color: #990000">.</span>h<span style="color: #990000">:</span>DOWNCODECHECK

+      TX<span style="color: #990000">:</span> yrb<span style="color: #990000">***.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw<span style="color: #990000">,</span> <span style="color: #993399">48</span> bytes data

+

+    <span style="color: #990000">==</span> Austausch der Versionsinformationen

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_version</span></span><span style="color: #990000">()</span>

+      VERSION<span style="color: #990000">=</span><span style="color: #993399">0x00</span> <span style="color: #993399">00</span> <span style="color: #993399">05</span> <span style="color: #993399">02</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> cmd <span style="color: #990000">=</span> <span style="color: #FF0000">'v'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">..</span><span style="color: #993399">6</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span><span style="color: #993399">0</span><span style="color: #990000">,</span><span style="color: #993399">0</span><span style="color: #990000">,</span><span style="color: #993399">5</span><span style="color: #990000">,</span><span style="color: #993399">2</span><span style="color: #990000">,</span>random<span style="color: #990000">&lt;&lt;</span><span style="color: #993399">8</span><span style="color: #990000">,</span>random<span style="color: #990000">)</span>

+      hostname <span style="color: #990000">=</span> <span style="color: #FF0000">"vAAAAKAR__"</span>

+      RX<span style="color: #990000">:</span> vaaaaka<span style="color: #990000">****.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_version_response</span></span><span style="color: #990000">()</span>

+      der Server bestaetigt mit

+      data<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">..</span><span style="color: #993399">8</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">"VACK"</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span>seed<span style="color: #990000">&gt;&gt;</span><span style="color: #993399">24</span><span style="color: #990000">,</span> seed<span style="color: #990000">&gt;&gt;</span><span style="color: #993399">16</span><span style="color: #990000">,</span> seed<span style="color: #990000">&gt;&gt;</span><span style="color: #993399">8</span><span style="color: #990000">,</span> seed<span style="color: #990000">,</span> userid<span style="color: #990000">)</span>

+      TX<span style="color: #990000">:</span> vaaaaka<span style="color: #990000">***.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw<span style="color: #990000">,</span> <span style="color: #993399">9</span> bytes data

+

+

+    <span style="color: #990000">==</span> Senden von Passwort <span style="color: #008080">und</span> IP<span style="color: #990000">-</span><span style="font-weight: bold"><span style="color: #000000">Konfiguration</span></span> <span style="color: #990000">(</span>Subnetz<span style="color: #990000">)</span>

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_login</span></span><span style="color: #990000">()</span>

+      cmd <span style="color: #990000">=</span> <span style="color: #FF0000">'l'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">..</span><span style="color: #993399">16</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> login<span style="color: #990000">/</span>password mit seed xored und md5

+      hostname<span style="color: #990000">[</span><span style="color: #993399">17</span><span style="color: #990000">..</span><span style="color: #993399">18</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> seed

+      RX<span style="color: #990000">:</span> lad24srn4ezmg21qjsfy13msagd0srfq<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handle_null_request</span></span><span style="color: #990000">()</span>

+      Sendet bei Erfolg die IP Einstellungen wie

+      <span style="color: #FF0000">"172.16.0.1-172.16.0.2-1130-16"</span>

+      server<span style="color: #990000">=</span><span style="color: #FF0000">"172.16.0.1"</span>

+      client<span style="color: #990000">=</span><span style="color: #FF0000">"172.16.0.2"</span>

+      mtu<span style="color: #990000">=</span><span style="color: #993399">1130</span>

+      netbits<span style="color: #990000">=</span><span style="color: #993399">16</span>

+      TX<span style="color: #990000">:</span> lad24srn4ezmg21qjsfy13msagd0srfq<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+        <span style="color: #990000">=</span> 3137322<span style="font-weight: bold"><span style="color: #000000">e31362e302e312d3137322e31362e302e322d313133302d3136</span></span> <span style="color: #990000">(</span>_16<span style="color: #990000">)</span>

+        <span style="color: #990000">=</span> <span style="color: #993399">172.16</span><span style="color: #990000">.</span><span style="color: #993399">0.1</span><span style="color: #990000">-</span><span style="color: #993399">172.16</span><span style="color: #990000">.</span><span style="color: #993399">0.2</span><span style="color: #990000">-</span><span style="color: #993399">1130</span><span style="color: #990000">-</span><span style="color: #993399">16</span>

+

+    <span style="color: #990000">==</span> Senden der IP Adresse des Clients

+    <span style="color: #990000">&lt;--</span> Request <span style="font-weight: bold"><span style="color: #0000FF">for</span></span> IP address

+      RX<span style="color: #990000">:</span> iamin<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handle_null_request</span></span><span style="color: #990000">()</span>

+        addr <span style="color: #990000">=</span> externe IP Adresse <span style="color: #008080">des</span> <span style="font-weight: bold"><span style="color: #000000">Server</span></span> <span style="color: #990000">(-</span><span style="color: #008080">n</span> Switch<span style="color: #990000">)</span>

+        reply<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'I'</span><span style="color: #990000">;</span>

+        reply<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>addr <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">24</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xFF</span><span style="color: #990000">;</span>

+        reply<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>addr <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">16</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xFF</span><span style="color: #990000">;</span>

+        reply<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>addr <span style="color: #990000">&gt;&gt;</span>  <span style="color: #993399">8</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xFF</span><span style="color: #990000">;</span>

+        reply<span style="color: #990000">[</span><span style="color: #993399">4</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>addr <span style="color: #990000">&gt;&gt;</span>  <span style="color: #993399">0</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xFF</span><span style="color: #990000">;</span>

+      TX<span style="color: #990000">:</span> iamin<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+        <span style="color: #990000">=</span> 494<span style="font-weight: bold"><span style="color: #000000">e2f737d</span></span> <span style="color: #990000">(</span>_16<span style="color: #990000">)</span>

+

+    <span style="color: #990000">==</span> Testen auf EDNS Erweiterung

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handshake_edns0_check</span></span><span style="color: #990000">()</span>

+              <span style="color: #990000">-&gt;</span> <span style="font-weight: bold"><span style="color: #000000">send_downenctest</span></span><span style="color: #990000">()</span>

+      downenc <span style="color: #990000">=</span> <span style="color: #FF0000">'r'</span> <span style="color: #008080">fuer</span> T_NULL <span style="color: #FF0000">'t'</span>

+      variant <span style="color: #990000">=</span> <span style="color: #993399">1</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'b'</span> <span style="color: #990000">(</span>b32<span style="color: #990000">)</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">..</span><span style="color: #993399">5</span><span style="color: #990000">]</span>  <span style="color: #990000">=</span> <span style="color: #FF0000">"y"</span> downenc <span style="color: #008080">variant</span> rand_seed<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">..</span><span style="color: #993399">2</span><span style="color: #990000">]</span>

+      RX<span style="color: #990000">:</span> yrb<span style="color: #990000">***.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handle_null_login</span></span><span style="color: #990000">()</span> <span style="color: #990000">:</span> <span style="color: #993399">937</span>

+               <span style="color: #990000">-&gt;</span> <span style="font-weight: bold"><span style="color: #000000">write_dns</span></span><span style="color: #990000">(</span> type<span style="color: #990000">=</span><span style="color: #FF0000">'R'</span><span style="color: #990000">)</span>

+      Der Server antwortet mit <span style="color: #993399">48</span> bytes <span style="color: #008080">aus</span> encoding<span style="color: #990000">.</span>h<span style="color: #990000">:</span>DOWNCODECHECK

+      TX<span style="color: #990000">:</span> yrb<span style="color: #990000">***.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw<span style="color: #990000">,</span> <span style="color: #993399">48</span> bytes data

+

+

+    <span style="color: #990000">==</span> Testen der Kodierungen mit verschiedenen Patterns

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handshake_upenc_autodetect</span></span><span style="color: #990000">()</span>

+      In den folgenden Tests testet der Client ob mit Base128

+      kodierte Nachrichten vom DNS Relay korrekt <span style="color: #008080">verarbeitet</span> werden<span style="color: #990000">.</span>

+

+    <span style="color: #990000">--&gt;</span> Der Server schickt die Patterns einfach <span style="color: #008080">wieder</span> zurueck<span style="color: #990000">.</span>

+

+    <span style="color: #990000">==</span> Client legt <span style="color: #008080">Kodierung</span> fest<span style="color: #990000">,</span> Server bestaetigt

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">handshake_switch_codec</span></span><span style="color: #990000">()</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> command <span style="color: #FF0000">'s'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span>userid<span style="color: #990000">)</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'h'</span> <span style="color: #990000">(</span><span style="color: #993399">7</span><span style="color: #990000">)</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">..</span><span style="color: #993399">5</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> rand_seed<span style="color: #990000">++</span>

+      rand_seed<span style="color: #990000">++;</span>

+      RX<span style="color: #990000">:</span> sahmiut<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="color: #993399">840</span>

+      Schreibt den Namen des <span style="color: #008080">ausgewaehlten</span> Codecs<span style="color: #990000">:</span>

+      data<span style="color: #990000">=</span><span style="color: #FF0000">"Base128"</span> <span style="color: #990000">(</span><span style="color: #008080">kein</span> encoding<span style="color: #990000">!)</span>

+      TX<span style="color: #990000">:</span> sahmiut<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw<span style="color: #990000">,</span> <span style="color: #993399">7</span> bytes of data

+

+    <span style="color: #990000">==</span> Anschalten <span style="color: #008080">lazy</span> <span style="font-weight: bold"><span style="color: #000000">mode</span></span> <span style="color: #990000">(</span>an<span style="color: #990000">:</span> Server beantwortet Anfragen <span style="color: #008080">nicht</span> sofort<span style="color: #990000">)</span>

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_lazy_switch</span></span><span style="color: #990000">()</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'o'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span>userid<span style="color: #990000">)</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'a'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #FF0000">'l'</span> fuer lazy <span style="color: #008080">mode</span> oder <span style="color: #FF0000">'i'</span>

+      hostname<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">..</span><span style="color: #993399">5</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> rand_seed<span style="color: #990000">++</span>

+      RX<span style="color: #990000">:</span> oalmiv<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="color: #993399">919</span>

+      data<span style="color: #990000">=</span><span style="color: #FF0000">"Lazy"</span> <span style="color: #990000">(</span><span style="color: #008080">kein</span> encoding<span style="color: #990000">!)</span>

+      TX<span style="color: #990000">:</span> oalmiv<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw<span style="color: #990000">,</span> <span style="color: #993399">4</span> bytes of data

+

+    <span style="color: #990000">==</span>

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_set_downstream_fragsize</span></span><span style="color: #990000">()</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> userid<span style="color: #990000">;</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>fragsize <span style="color: #990000">&amp;</span> <span style="color: #993399">0xff00</span><span style="color: #990000">)</span> <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">8</span><span style="color: #990000">;</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>fragsize <span style="color: #990000">&amp;</span> <span style="color: #993399">0x00ff</span><span style="color: #990000">);</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>rand_seed <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">8</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xff</span><span style="color: #990000">;</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">4</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>rand_seed <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">0</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xff</span><span style="color: #990000">;</span>

+      hostname <span style="color: #990000">=</span> <span style="color: #FF0000">'n'</span> <span style="color: #990000">+</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span>data<span style="color: #990000">)</span>

+      RX<span style="color: #990000">:</span> naabqbmiw<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="color: #993399">1042</span>

+      bestaetigt empfangene Framesize durch Wiederholung

+

+    <span style="color: #990000">==</span> Regelmaesige pings fragen den Server nach anstehenden Daten ab

+    <span style="color: #990000">&lt;--</span> client<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="font-weight: bold"><span style="color: #000000">send_ping</span></span><span style="color: #990000">()</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">0</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> userid<span style="color: #990000">;</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">1</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">((</span>inpkt<span style="color: #990000">.</span>seqno <span style="color: #990000">&amp;</span> <span style="color: #993399">7</span><span style="color: #990000">)</span> <span style="color: #990000">&lt;&lt;</span> <span style="color: #993399">4</span><span style="color: #990000">)</span> <span style="color: #990000">|</span> <span style="color: #990000">(</span>inpkt<span style="color: #990000">.</span>fragment <span style="color: #990000">&amp;</span> <span style="color: #993399">15</span><span style="color: #990000">);</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">2</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>rand_seed <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">8</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xff</span><span style="color: #990000">;</span>

+      data<span style="color: #990000">[</span><span style="color: #993399">3</span><span style="color: #990000">]</span> <span style="color: #990000">=</span> <span style="color: #990000">(</span>rand_seed <span style="color: #990000">&gt;&gt;</span> <span style="color: #993399">0</span><span style="color: #990000">)</span> <span style="color: #990000">&amp;</span> <span style="color: #993399">0xff</span><span style="color: #990000">;</span>

+      hostname <span style="color: #990000">=</span> <span style="color: #FF0000">'p'</span> <span style="color: #990000">+</span> <span style="font-weight: bold"><span style="color: #000000">b32</span></span><span style="color: #990000">(</span>data<span style="color: #990000">)</span>

+      RX<span style="color: #990000">:</span> paaalcfy<span style="color: #990000">.</span>t<span style="color: #990000">.</span>yves<span style="color: #990000">.</span>tw

+

+    <span style="color: #990000">--&gt;</span> iodined<span style="color: #990000">.</span>c<span style="color: #990000">:</span><span style="color: #993399">1067</span>

+      Der Server nutzt die regelmaessigen Pings um Daten an den Client <span style="color: #008080">zu</span> liefern<span style="color: #990000">.</span></tt></pre></div></div>

+<div class="sect3">

+<h4 id="_der_lazy_modus">Der lazy Modus</h4>

+<div class="paragraph"><p>Wie in der Anwenderdokumentation beschrieben erhöht der Lazy Modus den Durchsatz

+und senkt die Latenzzeit, wird aber nicht von allen DNS-Relays unterstützt.</p></div>

+<div class="paragraph"><p>Lazy bezieht sich auf das Verhalten des Servers. Der Server wird im Lazy-mode

+alle Antworten auf Anfragen solange zurückhalten bis er neue Daten für den

+Client erhalten hat. Im Idealfall also bis das Antwortpaket der getunnelten

+IP Verbindung angekommen ist.</p></div>

+<div class="paragraph"><p>Diese Verzögerung kann mit manchen DNS-Relays Probleme machen. Der Server kann dies jedoch

+anhand der Duplikate in den Anfragen erkennen und damit den lazy-mode ausschalten.</p></div>

+<div class="paragraph"><p>Ohne diesen Mechanismus müsste der Client jedoch viel häufiger nach neuen Daten

+pollen (vgl. HTTP Long polling in Comet oder BOSH).</p></div>

+</div>

+</div>

+<div class="sect2">

+<h3 id="_iodine_base_32_kodierung">iodine base(32) Kodierung</h3>

+<div class="paragraph"><p>Dieses Programm bietet die Base32 Kodierung von iodine für die

+Kommandozeile zum Debuggen an.</p></div>

+<div class="listingblock">

+<div class="content">

+<pre><code>#include &lt;stdio.h&gt;

+#include &lt;string.h&gt;

+

+#include "src/base32.h"

+#include "src/encoding.h"

+

+<strong>int</strong> main(<strong>int</strong> argc, <strong>char</strong> *argv[]) {

+    <strong>struct</strong> encoder *b32 = get_base32_encoder();

+    <strong>char</strong> buf[512];

+    size_t len = 512;

+

+    <strong>if</strong> (argc != 3) <strong>return</strong> 0;

+    <strong>if</strong> (*argv[1] == 'd') {

+        <strong>int</strong> r = b32-&gt;decode(buf, &amp;len, argv[2], strlen(argv[2]));

+        <strong>int</strong> i;

+        printf("Decoded %d bytes:\n", r);

+        <strong>for</strong> (i = 0; i&lt; r; i++) {

+            printf("0x%02hhx (%c) ", buf[i], (buf[i] &gt;= '0' &amp;&amp; buf[i] &lt;= 'z') ? buf[i] : ' ');

+        }

+        printf("\n");

+    } <strong>else</strong> <strong>if</strong> (*argv[1] == 'e') {

+        <strong>int</strong> r = b32-&gt;encode(buf, &amp;len, argv[2], strlen(argv[2]));

+        printf("Encoded %d bytes in %ld output bytes: &gt;%s&lt;\n", len, r, buf);

+    }

+    <strong>return</strong> 0;

+}</code></pre>

+</div></div>

+<div class="listingblock">

+<div class="content">

+<pre><code># gcc test.c src/base32.c -o test

+# ./test e abcdefg

+Encoded 7 12 bytes: &gt;mfrggzdfmztq&lt;</code></pre>

+</div></div>

+</div>

+<div class="sect2">

+<h3 id="_änderungen_an_iodine">Änderungen an iodine</h3>

+<div class="paragraph"><p>Der Code basiert auf der letzten Iodine Version 0.6.0-rc1. Die

+Änderungen wurden absichtlich möglichst gering gehalten und betragen

+im wesentlichsten nur ca. 80 Zeilen.</p></div>

+<div class="paragraph"><p>Ein Hauptteil der Änderungen verhindern, dass Android als Linux erkannt wird.

+Im Gegensatz zu vielen Linux Installationen verwenden Android nicht die GNU libc

+sondern <em>Bionic libc</em>. Dies ist eine besonders kleine, auf die BSD libc zurückgehende

+standard C Library. Es fehlen einige Features der glibc wie wide-character support,

+volle POSIX Thread Unterstützung oder locale Unterstützung. Das Ziel von Bionic ist

+nicht eine vollständige C Standardbibliothek sondern lediglich eine schlanke Implementierung

+aller für ein Android nötigen Funktionen.</p></div>

+<div class="paragraph"><p>Im einfachsten Fall scheitert die Ausführung von iodine unter Android an einem <code>system()</code> Aufruf

+mit dem iodine die IP-Konfiguration anwendet.</p></div>

+<div class="sect3">

+<h4 id="_android_mk">Android.mk</h4>

+<div class="paragraph"><p>Das ursprüngliche iodine Makefile wird nicht verwendet. Es wird das

+Android NDK Buildsystem verwendet, die Anweisungen dazu liegen in

+<code>jni/Android.mk</code>. Aus dem Projektverzeichnis kann die Übersetzung der

+C-Quellen angestossen werden.</p></div>

+<div class="listingblock">

+<div class="content">

+<pre><code>org.xapek.andiodine % ~/$NDK_ROOT/ndk-build clean

+Clean: iodine-client [armeabi]

+Clean: stdc++ [armeabi]

+org.xapek.andiodine % ~/$NDK_ROOT/ndk-build

+Compile thumb  : iodine-client &lt;= iodine-client.c

+Compile thumb  : iodine-client &lt;= tun.c

+Compile thumb  : iodine-client &lt;= dns.c

+Compile thumb  : iodine-client &lt;= read.c

+Compile thumb  : iodine-client &lt;= encoding.c

+Compile thumb  : iodine-client &lt;= login.c

+Compile thumb  : iodine-client &lt;= base32.c

+Compile thumb  : iodine-client &lt;= base64.c

+Compile thumb  : iodine-client &lt;= base64u.c

+Compile thumb  : iodine-client &lt;= base128.c

+Compile thumb  : iodine-client &lt;= md5.c

+Compile thumb  : iodine-client &lt;= common.c

+Compile thumb  : iodine-client &lt;= client.c

+Compile thumb  : iodine-client &lt;= util.c

+SharedLibrary  : libiodine-client.so

+Install        : libiodine-client.so =&gt; libs/armeabi/libiodine-client.so</code></pre>

+</div></div>

+<div class="paragraph"><p>Die Library wird vom Android SDK automatisch in die APK-Datei eingefügt.</p></div>

+</div>

+<div class="sect3">

+<h4 id="_common_c_daemon">common.c daemon()</h4>

+<div class="paragraph"><p>Die <code>daemon()</code> Funktion in src/common.c ist gedacht um iodine als

+Hintergrundprozess laufen zu lassen. Sie ist nur für Linux und BSD

+vorgesehen.</p></div>

+<div class="paragraph"><p>Das <code>#ifdef</code> erkennt Android als Linux, Bionic unterstützt <code>daemon()</code>

+jedoch nicht, da die Funktionalität der <code>daemon()</code> Funktion für eine

+Android App nicht benötigt wird.</p></div>

+<div class="paragraph"><p>Auch in diesem Fall brauchen wir die <code>daemon()</code> Funktion nicht, da iodine

+in einem von Java gesteuerten Thread laufen wird.</p></div>

+</div>

+<div class="sect3">

+<h4 id="_common_c_warn">common.c warn()</h4>

+<div class="paragraph"><p>Die <code>warn()</code> Funktion existiert nicht in der Bionic libc. Die

+bereitgestellte Implementierung verwendet <code>fprintf</code> auf stderr. Die

+Meldungen werden in das Android Logging System umgeleitet und sind auch

+über Logcat nutzbar.</p></div>

+</div>

+<div class="sect3">

+<h4 id="_tun_c_write_tun_read_tun">tun.c write_tun() / read_tun()</h4>

+<div class="paragraph"><p>Wie bei FreeBSD und Windows muss beim schreiben auf das Tun device

+(<code>write_tun</code> ) kein 4 byte großer Header mit der Adress Family angefügt werden.

+Entsprechend wird dieser in <code>read_tun()</code> im Fall von Android, FreeBSD

+und Windows nicht entfernt.</p></div>

+</div>

+<div class="sect3">

+<h4 id="_tun_c_tun_setip">tun.c tun_setip()</h4>

+<div class="paragraph"><p>Je nach Plattform werden wird die IP-Adresse unterschiedlich gesetzt. Im

+Fall von Linux geschieht dies mit einem fragwürdigen

+<code>system("/sbin/ifconfig")</code> Aufruf.</p></div>

+<div class="paragraph"><p>Dies ist unter Android so nicht möglich. Es wurde daher eine globale

+Datenstruktur <code>tun_config_android</code> (tun.h) angelegt in welcher die zu

+setzende IP-Adresse, Gegenstelle IP-Adresse und Netzmaske abgelegt wird.

+Die Inhalte dieser Datenstruktur können von Java über JNI Funktionen

+abgefragt werden.</p></div>

+<div class="paragraph"><p>Das setzen der IP-Adressen und Routen geschieht über Methoden des

+Android VPN-Framework in Java.</p></div>

+</div>

+<div class="sect3">

+<h4 id="_dns_headerfiles">DNS Headerfiles</h4>

+<div class="paragraph"><p>Iodine benötigt Konstanten aus arpa/nameser_compat.h und arpa/nameser.h

+das nicht Teil der Android Libc ist. Die Header wurden als

+src/dns_android.h hinzugefügt.</p></div>

+</div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_projekt_öffnen_und_bauen">Projekt öffnen und bauen</h2>

+<div class="sectionbody">

+<div class="sect2">

+<h3 id="_c_quellcodes_übersetzen">C Quellcodes übersetzen</h3>

+<div class="paragraph"><p>Um das Projekt zu bauen ist neben dem Android SDK auch das Android NDK erforderlich. Mit dem daraus

+bereitgestellten Kommando <code>ndk-build</code> werden die C-Quellcodes unterhalb des Verzeichnisses <code>jni/</code>

+übersetzt.</p></div>

+<div class="listingblock">

+<div class="content">

+<pre><code>andiodine$ $NDK_ROOT/ndk-build clean

+Clean: iodine-client [armeabi]

+Clean: stdc++ [armeabi]

+Clean: iodine-client [x86]

+Clean: stdc++ [x86]

+

+andiodine$ $NDK_ROOT/ndk-build

+Compile thumb  : iodine-client &lt;= iodine-client.c

+.....

+SharedLibrary  : libiodine-client.so

+Install        : libiodine-client.so =&gt; libs/armeabi/libiodine-client.so

+Compile x86    : iodine-client &lt;= iodine-client.c

+.....

+SharedLibrary  : libiodine-client.so

+Install        : libiodine-client.so =&gt; libs/x86/libiodine-client.so</code></pre>

+</div></div>

+</div>

+<div class="sect2">

+<h3 id="_entwickeln_mit_eclipse">Entwickeln mit Eclipse</h3>

+<div class="paragraph"><p>Das Projekt kann über den Importassistenten eingebunden werden:</p></div>

+<div class="paragraph"><p>Import &#8594; Android &#8594; Existing Android Code Into Workspace</p></div>

+</div>

+<div class="sect2">

+<h3 id="_entwickeln_mit_android_studio">Entwickeln mit Android Studio</h3>

+<div class="ulist"><ul>

+<li>

+<p>

+Choose Import Project, choose project Folder.

+</p>

+</li>

+<li>

+<p>

+Select "Create project from existing sources".

+</p>

+</li>

+</ul></div>

+</div>

+<div class="sect2">

+<h3 id="_übersetzen_mit_ant">Übersetzen mit ant</h3>

+<div class="paragraph"><p>Using ant</p></div>

+<div class="listingblock">

+<div class="content">

+<pre><code>   android project --path .

+   ant debug</code></pre>

+</div></div>

+<div class="paragraph"><p>Die APK liegt unterhalb von <code>bin</code> und kann mit dem ant target <code>install</code> über adb installiert werden.</p></div>

+</div>

+</div>

+</div>

+<div class="sect1">

+<h2 id="_anhang">Anhang</h2>

+<div class="sectionbody">

+<div class="ulist bibliography"><ul>

+<li>

+<p>

+<a id="vpnapi"></a>[vpnapi]

+  <a href="http://developer.android.com/reference/android/net/VpnService.html">http://developer.android.com/reference/android/net/VpnService.html</a> Dokumentation

+  zu den Android VPN Service API

+</p>

+</li>

+</ul></div>

+</div>

+</div>

+</div>

+<div id="footnotes"><hr /></div>

+<div id="footer">

+<div id="footer-text">

+Letzte Änderung 2014-01-11 18:40:29 CET

+</div>

+</div>

+</body>

+</html>

diff --git a/doc/entwicklerdoku.pdf b/doc/entwicklerdoku.pdf
new file mode 100644
index 0000000..edfdd2d
--- /dev/null
+++ b/doc/entwicklerdoku.pdf
diff --git a/doc/entwicklerdoku.txt b/doc/entwicklerdoku.txt
new file mode 100644
index 0000000..ce92eeb
--- /dev/null
+++ b/doc/entwicklerdoku.txt
@@ -0,0 +1,536 @@
+Android Iodine Entwicklerdokumentation
+======================================
+Yves Fischer
+April 2013
+:toc:
+:doctype: article
+:lang: de
+:icons:
+
+[abstract]
+--
+Die Dokumentation ist zweigeteilt. Dieser Teil enthält eine technische Beschreibung.
+Die Bedienung und Funktionsweise ist in der 'Anwenderdokumentation' beschrieben. 
+--
+
+Aufbau
+------
+Die Anwendung besteht im groben aus 4 Komponenten
+
+* Activity `.IodineMain`
+* Activity Verbindungseinstellungen `.IodinePref`
+* Tunnel Service `VpnService` und den JNI Bindings `IodineClient`
+* Konfigurationsverwaltung `.config.ConfigDatabase` und `.config.IodineConfiguration`
+
+<<whiteboard-komponenten>> zeigt Architektur der Anwendung:
+
+[[whiteboard-komponenten]]
+.Architektur der Anwendung
+image::bilder/Model_model_Architektur.PNG[width="500px",align="center"]
+
+
+
+Benutzeroberfläche
+~~~~~~~~~~~~~~~~~~~
+Die Haupt Activity `.IodineMain` startet den "VpnService" und steuert
+ihn über Broadcast Intents. In dieser Activity steuert der Benutzer den
+Auf- und Abbau der Tunnel. Über ein Button in der ActionToolbar kann
+eine neue Tunnelkonfiguration angelegt werden.
+
+Die Interaktion zwischen des Benutzers in der Anwendung ist in
+<<whiteboard-gui>> visuell dargestellt:
+
+[[whiteboard-gui]]
+.Graphischer Aufbau der GUI
+image::bilder/whiteboard_gui.jpg[width="500px",align="center"]
+
+Konfiguration
+~~~~~~~~~~~~~
+Die Tunnelkonfigurationen werden in einer SQLite Datenbank abgelegt. Es
+existiert mit `.config.IodineConfiguration` ein leichtgewichtiger Proxy
+um die Android `ContentValues` Klasse. Die `.config.ConfigDatabase` Klasse 
+ist ein `SQLiteOpenHelper` und kann mehrfach instanziert werden.
+
+VPN-Service
+~~~~~~~~~~~
+
+Der VPN Service hat 5 Zustände die er über Broadcast Intents mitteilt.
+Eine solche Mitteilung wird verschickt wenn sich der Zustand ändert oder
+dies über ACTION_CONTROL_UPDATE angefordert wurde.
+
+Die Kommunikation der Oberfläche mit dem VPN Service erfolgt mit Broadcasts Intents. 
+
+<<whiteboard-intents>> zeigt die Zustände des Iodine VPN-Service. Rot nummeriert sind die
+Intents die der Service verschickt um über Statusänderungen zu informieren. Blau nummeriert
+sind Intents mit denen der Service gesteuert werden kann.  
+
+[[whiteboard-intents]]
+.Status Informations und Steuerungs Intents des VPN Service
+image::bilder/whiteboard_intents.jpg[align="center",width="500px"]
+
+JNI
+~~~
+
+Die JNI Methoden für iodine befinden sich in der Klasse `.IodineClient`
+bzw. `/jni/iodine-client.c`. `IodineClient#connect` ersetzt dabei prinzipiell 
+die `main()` des ursprünglichen iodine Client.
+
+Weitere Methoden dienen dem Austausch der vom Server übermittelten Konfiguration 
+und des im System eingestellten DNS Server.
+
+
+Android VPN-Framework
+---------------------
+Seit API Level 14/Android 4 ist es möglich VPN Verbindungen mit Android
+Anwendungen aufzubauen und zu verwalten.
+
+Die Application benötigt dazu die Permission
+`android.permission.BIND_VPN_SERVICE`.
+
+Bevor eine Anwendung das erste mal eine VPN Verbindung aufbauen darf
+wird Android sicherheitshalber den Benutzer explizit um Erlaubnis
+fragen.
+
+Dazu wird `IodineVpnService.prepare(this)` <<vpnapi>>
+aufgerufen. Wird null zurückgegeben hat der Benutzer VPN Verbindungen
+dieser App bereits früher zugestimmt. Andernfalls wird ein Intent
+zurückgegeben mit dem die Benutzernachfrage initiiert werden kann.
+
+[source,java]
+--------------------------------------------------------------------------------------
+  public void tunnel() {
+    Intent intent = IodineVpnService.prepare(this);
+    if (intent != null) {
+      // Ask for permission
+      intent.putExtra(IodineVpnService.EXTRA_CONFIGURATION_ID, configuration.getId());
+      startActivityForResult(intent, INTENT_REQUEST_CODE_PREPARE);
+    } else {
+      // Permission already granted
+      startVPNService();
+    }
+  }
+
+  @Override
+  protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+    if (requestCode == INTENT_REQUEST_CODE_PREPARE) {
+      if (resultCode == RESULT_OK) {
+        startVPNService();
+      } else {
+        // User denied permission
+      }
+    }
+  }
+
+  private void startVPNService() {
+    // Start VPN with VPNService.Builder
+  }
+--------------------------------------------------------------------------------------
+
+Der weitere Weg mit dem `VPNService.Builder` ist geradelinig. Im Fall
+von iodine wird zunächst der Tunnel über DNS aufgebaut bevor das
+tun-Interface geöffnet wird.
+
+Nachdem vom Server die IP-Konfiguration mitgeteilt wurde, wird diese im
+`Builder` gesetzt und der Tunnel geöffnet:
+
+[source,java]
+--------------------------------------------------------
+    // .... IodineVpnService.java :: runTunnel()
+    b.addAddress(hostAddress, netbits);
+    b.addRoute("0.0.0.0", 0); // Default Route
+    b.setMtu(mtu);
+
+    // Opens tun device
+    ParcelFileDescriptor parcelFD = b.establish();
+
+    // prevent dns traffic to get through its own tunnel
+    protect(IodineClient.getDnsFd());
+
+    // get the filedescriptor
+    int tun_fd = parcelFD.detachFd();
+
+    // pass the filedescriptor to iodine
+    IodineClient.tunnel(tun_fd); 
+--------------------------------------------------------
+
+iodine
+------
+
+Verbindungsaufbau (Handshake)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Der folgende Text zeigt ein Beispiel für den Ablauf eines Handshake. Der genaue Ablauf kann
+variieren jenachdem wie die Verbindungsparameter gewählt werden.
+
+Hier sind gewählt -m 768 fragment size und ein 9 Zeichen
+Passwort. Die Gegenstelle ist `t.yves.tw`. Eine Raw (direkte UDP) Verbindung 
+wurde verhindert indem der Rechner zum Testzeitpunkt keine default Route hatte.
+
+RX/TX aus der Sicht des Servers. Die "*" in den Hostnamen markieren Zeichen die
+sich aus Random Daten ergeben.
+
+[source,java]
+---------------------------------------------------------------------
+    == Der Client testet die Qualitaet der Uebertragung
+    <-- client.c:handshake_qtype_autodetect() 
+              -> handshake_qtypetest() 
+              -> send_downenctest()
+      hostname[0] = "y"
+      hostanme[1] = downenc = 'r'
+      hostname[2] = variant = 1 = 'b' (b32)
+      hostname[3..5] = rand_seed++
+      RX: yrb***.t.yves.tw
+    
+    --> 48 bytes aus encoding.h:DOWNCODECHECK
+      TX: yrb***.t.yves.tw, 48 bytes data
+    
+    == Austausch der Versionsinformationen
+    <-- client.c:send_version()
+      VERSION=0x00 00 05 02
+      hostname[0] = cmd = 'v'
+      hostname[1..6] = b32(0,0,5,2,random<<8,random)
+      hostname = "vAAAAKAR__"
+      RX: vaaaaka****.t.yves.tw
+    
+    --> iodined.c:send_version_response()
+      der Server bestaetigt mit
+      data[0..8] = "VACK" b32(seed>>24, seed>>16, seed>>8, seed, userid)
+      TX: vaaaaka***.t.yves.tw, 9 bytes data
+
+
+    == Senden von Passwort und IP-Konfiguration (Subnetz)
+    <-- client.c:send_login()
+      cmd = 'l'
+      hostname[1..16] = login/password mit seed xored und md5
+      hostname[17..18] = seed
+      RX: lad24srn4ezmg21qjsfy13msagd0srfq.t.yves.tw
+
+    --> iodined.c:handle_null_request()
+      Sendet bei Erfolg die IP Einstellungen wie
+      "172.16.0.1-172.16.0.2-1130-16" 
+      server="172.16.0.1"
+      client="172.16.0.2"
+      mtu=1130
+      netbits=16
+      TX: lad24srn4ezmg21qjsfy13msagd0srfq.t.yves.tw
+        = 3137322e31362e302e312d3137322e31362e302e322d313133302d3136 (_16)
+        = 172.16.0.1-172.16.0.2-1130-16
+    
+    == Senden der IP Adresse des Clients
+    <-- Request for IP address
+      RX: iamin.t.yves.tw
+    
+    --> iodined.c:handle_null_request()
+        addr = externe IP Adresse des Server (-n Switch)
+        reply[0] = 'I';
+        reply[1] = (addr >> 24) & 0xFF;
+        reply[2] = (addr >> 16) & 0xFF;
+        reply[3] = (addr >>  8) & 0xFF;
+        reply[4] = (addr >>  0) & 0xFF;
+      TX: iamin.t.yves.tw
+        = 494e2f737d (_16)
+    
+    == Testen auf EDNS Erweiterung
+    <-- client.c:handshake_edns0_check()
+              -> send_downenctest()
+      downenc = 'r' fuer T_NULL 't' 
+      variant = 1 = 'b' (b32)
+      data[0..5]  = "y" downenc variant rand_seed[0..2]
+      RX: yrb***.t.yves.tw
+    
+    --> iodined.c:handle_null_login() : 937 
+               -> write_dns( type='R') 
+      Der Server antwortet mit 48 bytes aus encoding.h:DOWNCODECHECK
+      TX: yrb***.t.yves.tw, 48 bytes data
+    
+    
+    == Testen der Kodierungen mit verschiedenen Patterns
+    <-- client.c:handshake_upenc_autodetect()
+      In den folgenden Tests testet der Client ob mit Base128
+      kodierte Nachrichten vom DNS Relay korrekt verarbeitet werden.
+      
+    --> Der Server schickt die Patterns einfach wieder zurueck.
+    
+    == Client legt Kodierung fest, Server bestaetigt
+    <-- client.c:handshake_switch_codec()
+      hostname[0] = command 's'
+      hostname[1] = b32(userid)
+      hostname[2] = 'h' (7)
+      hostname[3..5] = rand_seed++
+      rand_seed++;
+      RX: sahmiut.yves.tw
+    
+    --> iodined.c:840
+      Schreibt den Namen des ausgewaehlten Codecs:
+      data="Base128" (kein encoding!)
+      TX: sahmiut.yves.tw, 7 bytes of data 
+    
+    == Anschalten lazy mode (an: Server beantwortet Anfragen nicht sofort) 
+    <-- client.c:send_lazy_switch()
+      hostname[0] = 'o'
+      hostname[1] = b32(userid) = 'a'
+      hostname[2] = 'l' fuer lazy mode oder 'i'
+      hostname[3..5] = rand_seed++
+      RX: oalmiv.t.yves.tw
+      
+    --> iodined.c:919
+      data="Lazy" (kein encoding!)
+      TX: oalmiv.t.yves.tw, 4 bytes of data
+      
+    == 
+    <-- client.c:send_set_downstream_fragsize()
+      data[0] = userid;
+      data[1] = (fragsize & 0xff00) >> 8;
+      data[2] = (fragsize & 0x00ff);
+      data[3] = (rand_seed >> 8) & 0xff;
+      data[4] = (rand_seed >> 0) & 0xff;
+      hostname = 'n' + b32(data)
+      RX: naabqbmiw.t.yves.tw
+
+    --> iodined.c:1042
+      bestaetigt empfangene Framesize durch Wiederholung
+    
+    == Regelmaesige pings fragen den Server nach anstehenden Daten ab 
+    <-- client.c:send_ping()
+      data[0] = userid;
+      data[1] = ((inpkt.seqno & 7) << 4) | (inpkt.fragment & 15);
+      data[2] = (rand_seed >> 8) & 0xff;
+      data[3] = (rand_seed >> 0) & 0xff;
+      hostname = 'p' + b32(data)    
+      RX: paaalcfy.t.yves.tw
+    
+    --> iodined.c:1067
+      Der Server nutzt die regelmaessigen Pings um Daten an den Client zu liefern.
+---------------------------------------------------------------------
+
+Der lazy Modus
+^^^^^^^^^^^^^^
+
+Wie in der Anwenderdokumentation beschrieben erhöht der Lazy Modus den Durchsatz 
+und senkt die Latenzzeit, wird aber nicht von allen DNS-Relays unterstützt.
+
+Lazy bezieht sich auf das Verhalten des Servers. Der Server wird im Lazy-mode
+alle Antworten auf Anfragen solange zurückhalten bis er neue Daten für den
+Client erhalten hat. Im Idealfall also bis das Antwortpaket der getunnelten
+IP Verbindung angekommen ist. 
+
+Diese Verzögerung kann mit manchen DNS-Relays Probleme machen. Der Server kann dies jedoch
+anhand der Duplikate in den Anfragen erkennen und damit den lazy-mode ausschalten. 
+
+Ohne diesen Mechanismus müsste der Client jedoch viel häufiger nach neuen Daten
+pollen (vgl. HTTP Long polling in Comet oder BOSH).
+
+
+iodine base(32) Kodierung
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dieses Programm bietet die Base32 Kodierung von iodine für die
+Kommandozeile zum Debuggen an.
+
+[code,c]
+----------------------------------------------------------------------------------------------------
+#include <stdio.h>
+#include <string.h>
+
+#include "src/base32.h"
+#include "src/encoding.h"
+
+int main(int argc, char *argv[]) {
+    struct encoder *b32 = get_base32_encoder();
+    char buf[512];
+    size_t len = 512;
+
+    if (argc != 3) return 0;
+    if (*argv[1] == 'd') {
+        int r = b32->decode(buf, &len, argv[2], strlen(argv[2]));
+        int i;
+        printf("Decoded %d bytes:\n", r); 
+        for (i = 0; i< r; i++) {
+            printf("0x%02hhx (%c) ", buf[i], (buf[i] >= '0' && buf[i] <= 'z') ? buf[i] : ' ');
+        }   
+        printf("\n");
+    } else if (*argv[1] == 'e') {
+        int r = b32->encode(buf, &len, argv[2], strlen(argv[2]));
+        printf("Encoded %d bytes in %ld output bytes: >%s<\n", len, r, buf);
+    }   
+    return 0;
+}
+----------------------------------------------------------------------------------------------------
+
+---------------------------------------
+# gcc test.c src/base32.c -o test
+# ./test e abcdefg
+Encoded 7 12 bytes: >mfrggzdfmztq<
+---------------------------------------
+
+Änderungen an iodine
+~~~~~~~~~~~~~~~~~~~~
+
+Der Code basiert auf der letzten Iodine Version 0.6.0-rc1. Die
+Änderungen wurden absichtlich möglichst gering gehalten und betragen
+im wesentlichsten nur ca. 80 Zeilen.
+
+Ein Hauptteil der Änderungen verhindern, dass Android als Linux erkannt wird.
+Im Gegensatz zu vielen Linux Installationen verwenden Android nicht die GNU libc
+sondern 'Bionic libc'. Dies ist eine besonders kleine, auf die BSD libc zurückgehende
+standard C Library. Es fehlen einige Features der glibc wie wide-character support,
+volle POSIX Thread Unterstützung oder locale Unterstützung. Das Ziel von Bionic ist
+nicht eine vollständige C Standardbibliothek sondern lediglich eine schlanke Implementierung
+aller für ein Android nötigen Funktionen. 
+
+Im einfachsten Fall scheitert die Ausführung von iodine unter Android an einem `system()` Aufruf
+mit dem iodine die IP-Konfiguration anwendet.
+
+Android.mk
+^^^^^^^^^^
+
+Das ursprüngliche iodine Makefile wird nicht verwendet. Es wird das
+Android NDK Buildsystem verwendet, die Anweisungen dazu liegen in
+`jni/Android.mk`. Aus dem Projektverzeichnis kann die Übersetzung der
+C-Quellen angestossen werden.
+
+[code,c++]
+----------------------------------------------------------------------------------------------------
+org.xapek.andiodine % ~/$NDK_ROOT/ndk-build clean
+Clean: iodine-client [armeabi]
+Clean: stdc++ [armeabi]
+org.xapek.andiodine % ~/$NDK_ROOT/ndk-build      
+Compile thumb  : iodine-client <= iodine-client.c
+Compile thumb  : iodine-client <= tun.c
+Compile thumb  : iodine-client <= dns.c
+Compile thumb  : iodine-client <= read.c
+Compile thumb  : iodine-client <= encoding.c
+Compile thumb  : iodine-client <= login.c
+Compile thumb  : iodine-client <= base32.c
+Compile thumb  : iodine-client <= base64.c
+Compile thumb  : iodine-client <= base64u.c
+Compile thumb  : iodine-client <= base128.c
+Compile thumb  : iodine-client <= md5.c
+Compile thumb  : iodine-client <= common.c
+Compile thumb  : iodine-client <= client.c
+Compile thumb  : iodine-client <= util.c
+SharedLibrary  : libiodine-client.so
+Install        : libiodine-client.so => libs/armeabi/libiodine-client.so
+----------------------------------------------------------------------------------------------------
+
+
+Die Library wird vom Android SDK automatisch in die APK-Datei eingefügt.
+
+common.c daemon()
+^^^^^^^^^^^^^^^^^
+
+Die `daemon()` Funktion in src/common.c ist gedacht um iodine als
+Hintergrundprozess laufen zu lassen. Sie ist nur für Linux und BSD
+vorgesehen.
+
+Das `#ifdef` erkennt Android als Linux, Bionic unterstützt `daemon()`
+jedoch nicht, da die Funktionalität der `daemon()` Funktion für eine
+Android App nicht benötigt wird.
+
+Auch in diesem Fall brauchen wir die `daemon()` Funktion nicht, da iodine
+in einem von Java gesteuerten Thread laufen wird.
+
+common.c warn()
+^^^^^^^^^^^^^^^
+
+Die `warn()` Funktion existiert nicht in der Bionic libc. Die
+bereitgestellte Implementierung verwendet `fprintf` auf stderr. Die
+Meldungen werden in das Android Logging System umgeleitet und sind auch
+über Logcat nutzbar.
+
+tun.c write_tun() / read_tun()
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Wie bei FreeBSD und Windows muss beim schreiben auf das Tun device
+(`write_tun` ) kein 4 byte großer Header mit der Adress Family angefügt werden.
+Entsprechend wird dieser in `read_tun()` im Fall von Android, FreeBSD
+und Windows nicht entfernt.
+
+tun.c tun_setip()
+^^^^^^^^^^^^^^^^^
+
+Je nach Plattform werden wird die IP-Adresse unterschiedlich gesetzt. Im
+Fall von Linux geschieht dies mit einem fragwürdigen
+`system("/sbin/ifconfig")` Aufruf.
+
+Dies ist unter Android so nicht möglich. Es wurde daher eine globale
+Datenstruktur `tun_config_android` (tun.h) angelegt in welcher die zu
+setzende IP-Adresse, Gegenstelle IP-Adresse und Netzmaske abgelegt wird.
+Die Inhalte dieser Datenstruktur können von Java über JNI Funktionen
+abgefragt werden.
+
+Das setzen der IP-Adressen und Routen geschieht über Methoden des
+Android VPN-Framework in Java.
+
+DNS Headerfiles
+^^^^^^^^^^^^^^^
+
+Iodine benötigt Konstanten aus arpa/nameser_compat.h und arpa/nameser.h
+das nicht Teil der Android Libc ist. Die Header wurden als
+src/dns_android.h hinzugefügt.
+
+Projekt öffnen und bauen
+------------------------
+
+C Quellcodes übersetzen
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Um das Projekt zu bauen ist neben dem Android SDK auch das Android NDK erforderlich. Mit dem daraus
+bereitgestellten Kommando `ndk-build` werden die C-Quellcodes unterhalb des Verzeichnisses `jni/`
+übersetzt.
+
+[verbatim]
+----------------------------------------------------------------------------------------------------
+andiodine$ $NDK_ROOT/ndk-build clean
+Clean: iodine-client [armeabi]
+Clean: stdc++ [armeabi]
+Clean: iodine-client [x86]
+Clean: stdc++ [x86]
+
+andiodine$ $NDK_ROOT/ndk-build
+Compile thumb  : iodine-client <= iodine-client.c
+.....
+SharedLibrary  : libiodine-client.so
+Install        : libiodine-client.so => libs/armeabi/libiodine-client.so
+Compile x86    : iodine-client <= iodine-client.c
+.....
+SharedLibrary  : libiodine-client.so
+Install        : libiodine-client.so => libs/x86/libiodine-client.so
+----------------------------------------------------------------------------------------------------
+
+Entwickeln mit Eclipse
+~~~~~~~~~~~~~~~~~~~~~~
+
+Das Projekt kann über den Importassistenten eingebunden werden:
+
+Import -> Android -> Existing Android Code Into Workspace
+
+
+Entwickeln mit Android Studio
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Choose Import Project, choose project Folder.
+
+* Select "Create project from existing sources".
+
+
+Übersetzen mit ant
+~~~~~~~~~~~~~~~~~~
+Using ant
+
+[verbatim]
+----------------------------------------------------------------------------------------------------
+   android project --path .
+   ant debug
+----------------------------------------------------------------------------------------------------
+
+Die APK liegt unterhalb von `bin` und kann mit dem ant target `install` über adb installiert werden.
+
+[bibliography]
+Anhang
+------
+
+[bibliography]
+- [[[vpnapi]]] 
+  http://developer.android.com/reference/android/net/VpnService.html Dokumentation
+  zu den Android VPN Service API
+
diff --git a/doc/vorstellung.odp b/doc/vorstellung.odp
new file mode 100644
index 0000000..4a62f57
--- /dev/null
+++ b/doc/vorstellung.odp
diff --git a/doc/vorstellung.pdf b/doc/vorstellung.pdf
new file mode 100644
index 0000000..129224c
--- /dev/null
+++ b/doc/vorstellung.pdf
diff --git a/jni/Android.mk b/jni/Android.mk
new file mode 100644
index 0000000..fcb4b00
--- /dev/null
+++ b/jni/Android.mk
@@ -0,0 +1,48 @@
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := iodine-client
+LOCAL_LDLIBS := -lz -llog
+LOCAL_CFLAGS := -Wall
+LOCAL_SRC_FILES := iodine-client.c \
+ iodine/src/tun.c \
+ iodine/src/dns.c \
+ iodine/src/read.c \
+ iodine/src/encoding.c \
+ iodine/src/login.c \
+ iodine/src/base32.c \
+ iodine/src/base64.c \
+ iodine/src/base64u.c \
+ iodine/src/base128.c \
+ iodine/src/md5.c \
+ iodine/src/common.c \
+ iodine/src/client.c \
+ iodine/src/util.c
+
+$(LOCAL_PATH)/iodine/src/base64u.c: $(LOCAL_PATH)/iodine/src/base64.c $(LOCAL_PATH)/iodine/src/base64u.h
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < $< >> $@
+
+$(LOCAL_PATH)/iodine/src/base64u.h: $(LOCAL_PATH)/iodine/src/base64.h
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < $< >> $@
+		
+
+include $(BUILD_SHARED_LIBRARY)
diff --git a/jni/Application.mk b/jni/Application.mk
new file mode 100644
index 0000000..7a1599b
--- /dev/null
+++ b/jni/Application.mk
@@ -0,0 +1 @@
+APP_ABI := armeabi x86
diff --git a/jni/iodine-client.c b/jni/iodine-client.c
new file mode 100644
index 0000000..cb5db97
--- /dev/null
+++ b/jni/iodine-client.c
@@ -0,0 +1,209 @@
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <jni.h>
+
+#include <sys/system_properties.h>
+
+#include "iodine/src/common.h"
+#include "iodine/src/tun.h"
+#include "iodine/src/client.h"
+#include "iodine/src/util.h"
+
+#define IODINE_CLIENT_CLASS "org/xapek/andiodine/IodineClient"
+#define IODINE_CLIENT_CLASS_LOG_CALLBACK "log_callback"
+#define IODINE_CLIENT_CLASS_LOG_CALLBACK_SIG "(Ljava/lang/String;)V"
+
+static int dns_fd;
+
+static JavaVM *javaVM = 0;
+
+JNIEXPORT jint JNI_OnLoad(JavaVM* jvm, void* reserved) {
+    javaVM = jvm;
+
+    return JNI_VERSION_1_6;
+}
+
+void android_log_callback(const char *msg_) {
+    int i;
+    JNIEnv *env;
+    char *msg = strdup(msg_);
+
+    if (!msg) {
+        return;
+    }
+
+    (*javaVM)->GetEnv(javaVM, (void**)&env, JNI_VERSION_1_6);
+    if (!env) {
+        __android_log_print(ANDROID_LOG_ERROR, "iodine", "Native Debug: env == null");
+        return;
+    }
+
+    if ((*javaVM)->AttachCurrentThread(javaVM, &env, 0) < 0) {
+        __android_log_print(ANDROID_LOG_ERROR, "iodine", "Failed to get the environment using AttachCurrentThread()");
+        return;
+    }
+
+    jclass clazz = (*env)->FindClass(env, IODINE_CLIENT_CLASS);
+    if (!clazz) {
+        __android_log_print(ANDROID_LOG_ERROR, "iodine", "Native Debug: clazz == null");
+        return;
+    }
+
+    jmethodID log_callback = (*env)->GetStaticMethodID(env, clazz,
+        IODINE_CLIENT_CLASS_LOG_CALLBACK, IODINE_CLIENT_CLASS_LOG_CALLBACK_SIG);
+    if (!log_callback) {
+        __android_log_print(ANDROID_LOG_ERROR, "iodine", "Native Debug: log_callback == null");
+        return;
+    }
+
+    for (i = 0; i< strlen(msg); i++) {
+        // not printable
+        if ( ! (msg[i] >= 0x20 && msg[i] <= 0x7e)) {
+            msg[i] = ' ';
+        }
+    }
+    jstring message = (*env)->NewStringUTF(env, msg);
+    if (!message) {
+        __android_log_print(ANDROID_LOG_ERROR, "iodine", "Native Debug: message == null");
+        return;
+    }
+    (*env)->CallStaticVoidMethod(env, clazz, log_callback, message);
+
+    (*env)->DeleteLocalRef(env,message);
+    free(msg);
+}
+
+JNIEXPORT jint JNICALL Java_org_xapek_andiodine_IodineClient_getDnsFd(
+		JNIEnv *env, jclass klass) {
+	return dns_fd;
+}
+
+JNIEXPORT jint JNICALL Java_org_xapek_andiodine_IodineClient_connect(
+		JNIEnv *env, jclass klass, jstring j_nameserv_addr, jstring j_topdomain, jboolean j_raw_mode, jboolean j_lazy_mode,
+		jstring j_password) {
+
+	// XXX strdup leaks
+	const char *__p_nameserv_addr = (*env)->GetStringUTFChars(env,
+			j_nameserv_addr, NULL);
+	const char *p_nameserv_addr = strdup(__p_nameserv_addr);
+	(*env)->ReleaseStringUTFChars(env, j_nameserv_addr, __p_nameserv_addr);
+
+	const char *__p_topdomain = (*env)->GetStringUTFChars(env, j_topdomain,
+			NULL);
+	const char *p_topdomain = strdup(__p_topdomain);
+	(*env)->ReleaseStringUTFChars(env, j_topdomain, __p_topdomain);
+
+	const char *p_password = (*env)->GetStringUTFChars(env, j_password, NULL);
+	char passwordField[33];
+	memset(passwordField, 0, 33);
+	strncpy(passwordField, p_password, 32);
+	(*env)->ReleaseStringUTFChars(env, j_password, p_password);
+
+    tun_config_android.request_disconnect = 0;
+
+	int selecttimeout = 2; // original: 4
+	int lazy_mode;
+	int hostname_maxlen = 0xFF;
+	int raw_mode;
+	int autodetect_frag_size = 1;
+	int max_downstream_frag_size = 3072;
+
+	if (j_raw_mode) {
+		raw_mode = 1;
+	} else {
+		raw_mode = 0;
+	}
+
+	if (j_lazy_mode) {
+		lazy_mode = 1;
+	} else {
+		lazy_mode = 0;
+	}
+
+	srand((unsigned) time(NULL));
+	client_init();
+	client_set_nameserver(p_nameserv_addr, DNS_PORT);
+	client_set_selecttimeout(selecttimeout);
+	client_set_lazymode(lazy_mode);
+	client_set_topdomain(p_topdomain);
+	client_set_hostname_maxlen(hostname_maxlen);
+	client_set_password(passwordField);
+
+	if ((dns_fd = open_dns(0, INADDR_ANY)) == -1) {
+		printf("Could not open dns socket: %s", strerror(errno));
+		return 1;
+	}
+
+	if (client_handshake(dns_fd, raw_mode, autodetect_frag_size,
+			max_downstream_frag_size)) {
+		printf("Handshake unsuccessful: %s", strerror(errno));
+		close(dns_fd);
+		return 2;
+	}
+
+	if (client_get_conn() == CONN_RAW_UDP) {
+		printf("Sending raw traffic directly to %s\n", client_get_raw_addr());
+	}
+
+	printf("Handshake successful, leave native code");
+	return 0;
+}
+
+
+static int tunnel_continue_cb() {
+	return ! tun_config_android.request_disconnect;
+}
+
+JNIEXPORT void JNICALL Java_org_xapek_andiodine_IodineClient_tunnelInterrupt(JNIEnv *env,
+		jclass klass) {
+	tun_config_android.request_disconnect = 1;
+	client_stop();
+}
+
+JNIEXPORT jint JNICALL Java_org_xapek_andiodine_IodineClient_tunnel(JNIEnv *env,
+		jclass klass, jint tun_fd) {
+
+    printf("Run client_tunnel_cb");
+	int retval = client_tunnel_cb(tun_fd, dns_fd, &tunnel_continue_cb);
+
+	close(dns_fd);
+	close(tun_fd);
+	return retval;
+}
+
+// String IodineClient.getIp()
+JNIEXPORT jstring JNICALL Java_org_xapek_andiodine_IodineClient_getIp(
+		JNIEnv *env, jclass klass) {
+	return (*env)->NewStringUTF(env, tun_config_android.ip);
+}
+
+// String IodineClient.getRemoteIp()
+JNIEXPORT jstring JNICALL Java_org_xapek_andiodine_IodineClient_getRemoteIp(
+		JNIEnv *env, jclass klass) {
+	return (*env)->NewStringUTF(env, tun_config_android.remoteip);
+}
+
+// int IodineClient.getNetbits()
+JNIEXPORT jint JNICALL Java_org_xapek_andiodine_IodineClient_getNetbits(
+		JNIEnv *env, jclass klass) {
+	return tun_config_android.netbits;
+}
+
+// int IodineClient.getMtu()
+JNIEXPORT jint JNICALL Java_org_xapek_andiodine_IodineClient_getMtu(JNIEnv *env,
+		jclass klass) {
+	return tun_config_android.mtu;
+}
+
+// String IodineClient.getPropertyNetDns1
+JNIEXPORT jstring JNICALL Java_org_xapek_andiodine_IodineClient_getPropertyNetDns1(
+		JNIEnv *env, jclass klass) {
+	char value[PROP_VALUE_MAX];
+	__system_property_get("net.dns1", value);
+	return (*env)->NewStringUTF(env, value);
+}
+
diff --git a/jni/iodine/CHANGELOG b/jni/iodine/CHANGELOG
new file mode 100644
index 0000000..888beac
--- /dev/null
+++ b/jni/iodine/CHANGELOG
@@ -0,0 +1,142 @@
+
+iodine - http://code.kryo.se/iodine
+
+***********************************
+
+CHANGES:
+
+2010-02-13: 0.6.0-rc1 "Hotspotify"
+	- Fixed tunnel not working on Windows.
+	- Any device name is now supported on Windows, fixes #47.
+	- Multiple installed TAP32 interfaces are now supported, fixes #46.
+	- Return nonzero if tunnel fails to open, fixes #62.
+	- Support for setting a SELinux context, based on patch by
+		Sebastien Raveau. Sample context file in doc/iodine.te
+	- Allow listen port and DNS forward port to be the same if listen IP
+		does not include localhost.
+	- The client will now exit if configuring IP or MTU fails.
+	- The starting cache miss value is randomized at startup, fixes #65.
+	- Raw UDP mode added. If the iodined server is reachable directly,
+		packets can be sent to it without DNS encoding. Fixes #36.
+	- Do not overwrite users CC/CFLAGS/LDFLAGS, only add to them.
+	- Added -F option to write pidfile, based on patch from
+		misc at mandriva.org. Fixes #70.
+	- Allow password to be set via environment variable, fixes #77.
+		Based on patch by logix.
+	- Client now prints server tunnel IP, fixes #78. Patch by logix.
+	- Fix build error on Mac OS X 10.6, patch by G. Rischard. #79.
+	- Added support for CNAME/TXT/A/MX query types, fixes #75.
+		Patch by Anne Bezemer, merge help by logix.
+	- Merged low-latency patch from Anne Bezemer, fixes #76.
+	- Resolve client nameserver argument if given as hostname, fixes #82.
+	- Open log before chroot, fixes #86: logging on FreeBSD.
+
+2009-06-01: 0.5.2 "WifiFree"
+	- Fixed client segfault on OS X, #57
+	- Added check that nameserver lookup was successful
+	- Fixed ENOTSOCK error on OS X and FreeBSD, #58.
+
+2009-03-21: 0.5.1 "Boringo"
+	- Added initial Windows support, fixes #43.
+	- Added length check of autoprobe responses
+	- Refactored and added unit tests
+	- Added syslog logging for iodined on version and login packets
+	- Fixed segfault when encoding just one block, fixes #51.
+		The normal code was never affected by this.
+	- Added win32 code to read DNS server from system, fixes #45.
+	- Disabled password echo on win32, fixes #44.
+	- Fix encoding error making all autoprobing > 1024 bytes fail, #52.
+	- Increase default interface MTU to 1200.
+	- Fix autoprobing error making every third probe fail, set IP flag
+		Dont-Fragment where supported. Fixes #54.
+	- Added TAP32 version 0901 as accepted (#53).
+
+2009-01-23: 0.5.0 "iPassed"
+	- Fixed segfault in server when sending version reject.
+	- Applied patch to make iodine build on BeOS R5-BONE and Haiku,
+		from Francois Revol. Still work to do to get tun device working.
+	- Added capability to forward DNS queries outside tunnel domain to
+		a nameserver on localhost. Use -b port to enable, fixes #31.
+	- iodined now replies to NS request on its own domain, fixes issue #33.
+		The destination IP address is sent as reply. Use -n to specify
+		a specific IP address to return (if behind NAT etc).
+	- Upstream data is now Base64 encoded if relay server preserves case and
+		supports the plus (+) character in domain names, fixes #16.
+	- Fixed problem in client when DNS trans. ID has highest bit set (#37)
+	- IP addresses are now assigned within the netmask, so iodined can
+		use any address for itself, fixes #28.
+	- Netmask size is now adjustable. Setting a small net will reduce the
+		number of users. Use x.x.x.x/n notation on iodined tunnel ip.
+		This fixes #27.
+	- Downstream data is now fragmented, and the fragment size is auto-
+		probed after login. Fixes #7. It only took a few years :)
+	- Enhanced the checks that validates incoming packets
+	- Fixed endless loop in fragment size autodetection, #39.
+	- Fixed broken hostname dot placing with specific lengths, #40.
+
+2008-08-06: 0.4.2 "Opened Zone"
+	- Applied a few small patches from Maxim Bourmistrov and Gregor Herrmann
+	- Applied a patch for not creating and configuring the tun interface,
+		Debian bug #477692 by Vincent Bernat, controlled by -s switch
+	- Applied a security patch from Andrew Griffiths, use setgroups() to
+		limit the groups of the user
+	- Applied a patch to make iodine build on (Open)Solaris, from Albert Lee
+		Needs TUN/TAP driver http://www.whiteboard.ne.jp/~admin2/tuntap/
+		Still needs more code in tun.c for opening/closing the device
+	- Added option in server (-c) to disable IP/port checking on packets,
+		will hopefully help when server is behind NAT
+	- Fixed bug #21, now only IP address part of each packet is checked.
+		Should remove the need for the -c option and also work with
+		bugfixed DNS servers worldwide.
+	- Added -D option on server to enable debugging. Debug level 1 now 
+		prints info about each RX/TX datagram.
+
+2007-11-30: 0.4.1 "Tea Online"
+	- Introduced encoding API
+	- Switched to new Base32 implementation
+	- Added Base64 implementation that only uses 63 chars (not used yet)
+	- Refined 'install' make target and use $(MAKE) for recursive calls
+	- All received error messages (RCODE field) are echoed
+	- Top domain limited to 128 chars
+	- Case preservation check sent after login to decide codec
+	- Fixed crash on incoming NULL query in server with bad top domain
+	- /etc/resolv.conf is consulted if no nameserver is given on commandline
+	- Applied patch from Matthew W. S. Bell (Detach before chroot/dropping priv)
+
+2007-03-25: 0.4.0 "Run Home"
+	- Added multiuser support (up to 8 users simultaneously)
+	- Added authentication (password entered as argument or on stdin)
+	- Added manpage
+	- Added install/uninstall make target
+	- Cleanup of dns code, more test cases, use check library
+	- Changed directory structure
+
+2006-11-08: 0.3.4
+	- Fixed handshake() buffer overflow
+	  (Found by poplix, Secunia: SA22674 / FrSIRT/ADV-2006-4333)
+	- Added more tests
+	- More name parsing enhancements
+	- Now runs on Linux/AMD64
+	- Added setting to change server port
+
+2006-11-05: 0.3.3
+	- Fixed possible buffer overflow
+	  (Found by poplix, Bugtraq ID: 20883)
+	- Reworked dns hostname encoding
+
+2006-09-11: 0.3.2
+	- Support for NetBSD
+	- Fixed potential security problems
+	- Name parsing routines rewritten, added regression tests
+	- New encoding, 25% more peak upstream throughput
+	- New -l option to set local ip to listen to on server
+
+2006-07-11: 0.3.1 
+	- Add Mac OSX support
+	- Add setting device name
+	- Use compression of domain name in reply (should allow setting MTU 
+		approx 200 bytes higher)
+
+2006-06-24: 0.3.0
+	- First public release
+	- Support for Linux, FreeBSD, OpenBSD
diff --git a/jni/iodine/Makefile b/jni/iodine/Makefile
new file mode 100644
index 0000000..01c2325
--- /dev/null
+++ b/jni/iodine/Makefile
@@ -0,0 +1,62 @@
+prefix=/usr/local
+sbindir=$(prefix)/sbin
+datadir=$(prefix)/share
+mandir=$(datadir)/man
+
+DESTDIR=
+
+INSTALL=install
+INSTALL_FLAGS=
+
+MKDIR=mkdir
+MKDIR_FLAGS=-p
+
+RM=rm
+RM_FLAGS=-f
+
+TARGETOS = `uname`
+
+all: 
+	@(cd src; $(MAKE) TARGETOS=$(TARGETOS) all)
+
+cross-mingw: 
+	@(cd src; $(MAKE) TARGETOS=windows32 CC=i686-mingw32-gcc all)
+
+cross-mingw-dist: cross-mingw
+	@rm -rf iodine-latest-win32*
+	@mkdir -p iodine-latest-win32/bin
+	@for i in `ls bin`; do cp bin/$$i iodine-latest-win32/bin/$$i.exe; done
+	@cp /usr/i686-mingw32/usr/bin/zlib1.dll iodine-latest-win32/bin
+	@cp README* CH* TO* iodine-latest-win32
+	@echo "Create date: " > iodine-latest-win32/VERSION
+	@date >> iodine-latest-win32/VERSION
+	@echo "SVN version: " >> iodine-latest-win32/VERSION
+	@svnversion >> iodine-latest-win32/VERSION
+	@zip -r iodine-latest-win32.zip iodine-latest-win32
+
+install: all
+	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir)
+	$(INSTALL) $(INSTALL_FLAGS) bin/iodine $(DESTDIR)$(sbindir)/iodine
+	chmod 755 $(DESTDIR)$(sbindir)/iodine
+	$(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
+	chmod 755 $(DESTDIR)$(sbindir)/iodined
+	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
+	$(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
+	chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
+
+uninstall:
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
+	
+test: all
+	@echo "!! The check library is required for compiling and running the tests"
+	@echo "!! Get it at http://check.sf.net"
+	@(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all)
+
+clean:
+	@echo "Cleaning..."
+	@(cd src; $(MAKE) clean)
+	@(cd tests; $(MAKE) clean)
+	@rm -rf bin iodine-latest-win32*
+
diff --git a/jni/iodine/README b/jni/iodine/README
new file mode 100644
index 0000000..d9e3c29
--- /dev/null
+++ b/jni/iodine/README
@@ -0,0 +1,357 @@
+
+iodine - http://code.kryo.se/iodine
+
+***********************************
+
+This is a piece of software that lets you tunnel IPv4 data through a DNS
+server. This can be usable in different situations where internet access is
+firewalled, but DNS queries are allowed.
+
+
+QUICKSTART:
+
+Try it out within your own LAN! Follow these simple steps:
+- On your server, run: ./iodined -f 10.0.0.1 test.com
+  (If you already use the 10.0.0.0 network, use another internal net like 
+  172.16.0.0)
+- Enter a password
+- On the client, run: ./iodine -f -r 192.168.0.1 test.com
+  (Replace 192.168.0.1 with your server's ip address)
+- Enter the same password
+- Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
+- Try pinging each other through the tunnel
+- Done! :)
+To actually use it through a relaying nameserver, see below.
+
+
+HOW TO USE:
+
+Note: server and client are required to speak the exact same protocol. In most
+cases, this means running the same iodine version. Unfortunately, implementing
+backward and forward protocol compatibility is usually not feasible.
+
+Server side:
+To use this tunnel, you need control over a real domain (like mydomain.com),
+and a server with a public IP address to run iodined on. If this server
+already runs a DNS program, change its listening port and then use iodined's
+-b option to let iodined forward the DNS requests. (Note that this procedure
+is not advised in production environments, because iodined's DNS forwarding
+is not completely transparent.)
+
+Then, delegate a subdomain (say, t1.mydomain.com) to the iodined server.
+If you use BIND for your domain, add two lines like these to the zone file:
+
+t1		IN	NS	t1ns.mydomain.com.		; note the dot!
+t1ns		IN	A	10.15.213.99
+
+The "NS" line is all that's needed to route queries for the "t1" subdomain
+to the "t1ns" server. We use a short name for the subdomain, to keep as much
+space as possible available for the data traffic. At the end of the "NS" line
+is the name of your iodined server. This can be any name, pointing anywhere,
+but in this case it's easily kept in the same zone file. It must be a name
+(not an IP address), and that name itself must have an A record (not a CNAME).
+
+If your iodined server has a dynamic IP, use a dynamic dns provider. Simply
+point the "NS" line to it, and leave the "A" line out:
+
+t1		IN	NS	myname.mydyndnsprovider.com.	; note the dot!
+
+Then reload or restart your nameserver program. Now any DNS queries for
+domains ending in t1.mydomain.com will be sent to your iodined server.
+
+Finally start iodined on your server. The first argument is the IP address
+inside the tunnel, which can be from any range that you don't use yet (for
+example 192.168.99.1), and the second argument is the assigned domain (in this
+case t1.mydomain.com). Using the -f option will keep iodined running in the
+foreground, which helps when testing. iodined will open a virtual interface
+("tun device"), and will also start listening for DNS queries on UDP port 53.
+Either enter a password on the commandline (-P pass) or after the server has
+started. Now everything is ready for the client.
+
+If there is a chance you'll be using an iodine tunnel from unexpected
+environments, start iodined with a -c option.
+
+Resulting commandline in this example situation:
+./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
+
+Client side: 
+All the setup is done, just start iodine. It takes one or two arguments, the
+first is the local relaying DNS server (optional) and the second is the domain
+you used (t1.mydomain.com). If you don't specify the first argument, the
+system's current DNS setting will be consulted.
+
+If DNS queries are allowed to any computer, you can directly give the iodined
+server's address as first argument (in the example: t1ns.mydomain.com or
+10.15.213.99). In that case, it may also happen that _any_ traffic is allowed
+to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
+to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
+-r option (especially useful when testing within your own network).
+
+The client's tunnel interface will get an IP close to the server's (in this
+case 192.168.99.2 or .3 etc.) and a suitable MTU. Enter the same password as
+on the server either as commandline option or after the client has started.
+Using the -f option will keep the iodine client running in the foreground.
+
+Resulting commandline in this example situation:
+./iodine -f -P secretpassword t1.mydomain.com
+(add -r to force DNS tunneling even if raw UDP tunneling would be possible)
+
+From either side, you should now be able to ping the IP address on the other
+end of the tunnel. In this case, ping 192.168.99.1 from the iodine client, and
+192.168.99.2 or .3 etc. from the iodine server.
+
+
+MISC. INFO:
+
+Routing:
+It is possible to route all traffic through the DNS tunnel. To do this, first
+add a host route to the nameserver used by iodine over the wired/wireless
+interface with the default gateway as gateway. Then replace the default
+gateway with the iodined server's IP address inside the DNS tunnel, and
+configure the server to do NAT.
+
+However, note that the tunneled data traffic is not encrypted at all, and can
+be read and changed by external parties relatively easily. For maximum
+security, run a VPN through the DNS tunnel (=double tunneling), or use secure
+shell (SSH) access, possibly with port forwarding. The latter can also be used
+for web browsing, when you run a web proxy (for example Privoxy) on your
+server.
+
+Testing:
+The iodined server replies to NS requests sent for subdomains of the tunnel
+domain. If your iodined subdomain is t1.mydomain.com, send a NS request for
+foo123.t1.mydomain.com to see if the delegation works. dig is a good tool
+for this:
+dig -t NS foo123.t1.mydomain.com
+
+Also, the iodined server will answer requests starting with 'z' for any of the
+supported request types, for example:
+dig -t TXT z456.t1.mydomain.com
+dig -t SRV z456.t1.mydomain.com
+dig -t CNAME z456.t1.mydomain.com
+The reply should look like garbled text in all these cases.
+
+Operational info:
+The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
+To force a specific value (and speed things up), use the -m option.
+
+The DNS hostnames are normally used up to their maximum length, 255 characters.
+Some DNS relays have been found that answer full-length queries rather
+unreliably, giving widely varying (and mostly very bad) results of the
+fragment size autoprobe on repeated tries. In these cases, use the -M switch
+to reduce the DNS hostname length to for example 200 characters, which makes
+these DNS relays much more stable. This is also useful on some "de-optimizing"
+DNS relays that stuff the response with two full copies of the query, leaving
+very little space for downstream data (also not capable of EDNS0). The -M
+switch can trade some upstream bandwidth for downstream bandwidth. Note that
+the minimum -M value is about 100, since the protocol can split packets (1200
+bytes max) in only 16 fragments, requiring at least 75 real data bytes per
+fragment.
+
+The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
+server supports mixed case and '+' in domain names; or Base64u if '_' is
+supported instead; or Base128 if high-byte-value characters are supported.
+This upstream encoding is autodetected. The DNS protocol allows one query per
+packet, and one query can be max 256 chars. Each domain name part can be max
+63 chars. So your domain name and subdomain should be as short as possible to
+allow maximum upstream throughput.
+
+Several DNS request types are supported, with the NULL type expected to provide
+the largest downstream bandwidth. Other available types are TXT, SRV, MX,
+CNAME and A (returning CNAME), in decreasing bandwidth order. Normally the
+"best" request type is autodetected and used. However, DNS relays may impose
+limits on for example NULL and TXT, making SRV or MX actually the best choice.
+This is not autodetected, but can be forced using the -T option. It is
+advisable to try various alternatives especially when the autodetected request
+type provides a downstream fragment size of less than 200 bytes.
+
+Note that SRV, MX and A (returning CNAME) queries may/will cause additional
+lookups by "smart" caching nameservers to get an actual IP address, which may
+either slow down or fail completely.
+
+DNS responses for non-NULL queries can be encoded with the same set of codecs
+as upstream data. This is normally also autodetected, but no fully exhaustive
+tests are done, so some problems may not be noticed when selecting more
+advanced codecs. In that case, you'll see failures/corruption in the fragment
+size autoprobe. In particular, several DNS relays have been found that change
+replies returning hostnames (SRV, MX, CNAME, A) to lowercase only when that
+hostname exceeds ca. 180 characters. In these and similar cases, use the -O
+option to try other downstream codecs; Base32 should always work.
+
+Normal operation now is for the server to _not_ answer a DNS request until
+the next DNS request has come in, a.k.a. being "lazy". This way, the server
+will always have a DNS request handy when new downstream data has to be sent.
+This greatly improves (interactive) performance and latency, and allows to
+slow down the quiescent ping requests to 4 second intervals by default, and
+possibly much slower. In fact, the main purpose of the pings now is to force
+a reply to the previous ping, and prevent DNS server timeouts (usually at
+least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
+give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
+data should still get through in these cases, but iodine will reduce the ping
+interval to 1 second anyway (-I1) to reduce the number of error messages. This
+may not help for very impatient DNS relays like dnsadvantage.com (ultradns),
+which time out in 1 second or even less. Yet data will still get trough, and
+you can ignore the SERVFAIL errors.
+
+If you are running on a local network without any DNS server in-between, try
+-I 50 (iodine and iodined close the connection after 60 seconds of silence).
+The only time you'll notice a slowdown, is when DNS reply packets go missing;
+the iodined server then has to wait for a new ping to re-send the data. You can
+speed this up by generating some upstream traffic (keypress, ping). If this
+happens often, check your network for bottlenecks and/or run with -I1.
+
+The delayed answering in lazy mode will cause some "carrier grade" commercial
+DNS relays to repeatedly re-send the same DNS query to the iodined server.
+If the DNS relay is actually implemented as a pool of parallel servers,
+duplicate requests may even arrive from multiple sources. This effect will
+only be visible in the network traffic at the iodined server, and will not
+affect the client's connection. Iodined will notice these duplicates, and send
+the same answer (when its time has come) to both the original query and the
+latest duplicate. After that, the full answer is cached for a short while.
+Delayed duplicates that arrive at the server even later, get a reply that the
+iodine client will ignore (if it ever arrives there).
+
+If you have problems, try inspecting the traffic with network monitoring tools
+like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
+has not cached the response. A cached error message could mean that you
+started the client before the server. The -D (and -DD) option on the server
+can also show received and sent queries.
+
+
+TIPS & TRICKS:
+
+If your port 53 is taken on a specific interface by an application that does 
+not use it, use -p on iodined to specify an alternate port (like -p 5353) and 
+use for instance iptables (on Linux) to forward the traffic:
+iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353
+(Sent in by Tom Schouten)
+
+Iodined will reject data from clients that have not been active (data/pings)
+for more than 60 seconds. Similarly, iodine will exit when no downstream
+data has been received for 60 seconds. In case of a long network outage or
+similar, just restart iodine (re-login), possibly multiple times until you get
+your old IP address back. Once that's done, just wait a while, and you'll
+eventually see the tunneled TCP traffic continue to flow from where it left
+off before the outage.
+
+With the introduction of the downstream packet queue in the server, its memory
+usage has increased with several megabytes in the default configuration.
+For use in low-memory environments (e.g. running on your DSL router), you can
+decrease USERS and undefine OUTPACKETQ_LEN in user.h without any ill conse-
+quence, assuming at most one client will be connected at any time. A small
+DNSCACHE_LEN is still advised, preferably 2 or higher, however you can also
+undefine it to save a few more kilobytes.
+
+
+PERFORMANCE:
+
+This section tabulates some performance measurements. To view properly, use
+a fixed-width font like Courier.
+
+Measurements were done in protocol 00000502 in lazy mode; upstream encoding
+always Base128; iodine -M255; iodined -m1130. Network conditions were not
+extremely favorable; results are not benchmarks but a realistic indication of
+real-world performance that can be expected in similar situations.
+
+Upstream/downstream throughput was measured by scp'ing a file previously
+read from /dev/urandom (i.e. incompressible), and measuring size with
+"ls -l ; sleep 30 ; ls -l" on a separate non-tunneled connection. Given the
+large scp block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
+explains why some values are exactly equal.
+Ping round-trip times measured with "ping -c100", presented are average rtt
+and mean deviation (indicating spread around the average), in milliseconds.
+
+
+Situation 1:
+Laptop  ->   Wifi AP   ->  Home server  ->  DSL provider  ->  Datacenter
+ iodine    DNS "relay"        bind9           DNS cache        iodined
+
+                        downstr.  upstream downstr.  ping-up       ping-down
+                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+------------------------------------------------------------------------------
+
+iodine -> Wifi AP :53
+  -Tnull (= -Oraw)           982    43.6    131.0   28.0    4.6   26.8    3.4
+
+iodine -> Home server :53
+  -Tnull (= -Oraw)          1174    48.0    305.8   26.6    5.0   26.9    8.4
+
+iodine -> DSL provider :53  
+  -Tnull (= -Oraw)          1174    56.7    367.0   20.6    3.1   21.2    4.4
+  -Ttxt -Obase32             730    56.7    174.7*
+  -Ttxt -Obase64             874    56.7    174.7
+  -Ttxt -Obase128           1018    56.7    174.7
+  -Ttxt -Oraw               1162    56.7    358.2
+  -Tsrv -Obase128            910    56.7    174.7
+  -Tcname -Obase32           151    56.7     43.6
+  -Tcname -Obase128          212    56.7     52.4
+
+iodine -> DSL provider :53  
+  wired (no Wifi) -Tnull    1174    74.2    585.4   20.2    5.6   19.6    3.4
+
+ [174.7* : these all have 2frag/packet]
+
+
+Situation 2:
+Laptop  ->  Wifi+vpn / wired  ->  Home server
+ iodine                            iodined
+
+                        downstr.  upstream downstr.  ping-up       ping-down
+                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+------------------------------------------------------------------------------
+
+wifi + openvpn  -Tnull      1186   166.0   1022.3    6.3    1.3    6.6    1.6
+
+wired  -Tnull               1186   677.2   2464.1    1.3    0.2    1.3    0.1
+
+
+Performance is strongly coupled to low ping times, as iodine requires
+confirmation for every data fragment before moving on to the next. Allowing
+multiple fragments in-flight like TCP could possibly increase performance,
+but it would likely cause serious overload for the intermediary DNS servers.
+The current protocol scales performance with DNS responsivity, since the
+DNS servers are on average handling at most one DNS request per client.
+
+
+PORTABILITY:
+
+iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD
+(ia64, x86), OpenBSD (x86), NetBSD (x86), MacOS X (ppc and x86, with
+http://tuntaposx.sourceforge.net/). and Windows (with OpenVPN TAP32 driver, see
+win32 readme file).  It should be easy to port to other unix-like systems that
+has TUN/TAP tunneling support. Let us know if you get it to run on other
+platforms. 
+
+
+THE NAME:
+
+The name iodine was chosen since it starts with IOD (IP Over DNS) and since
+iodine has atomic number 53, which happens to be the DNS port number.
+
+
+THANKS:
+
+- To kuxien for FreeBSD and OS X testing
+- To poplix for code audit
+
+
+AUTHORS & LICENSE:
+
+Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+Also major contributions by Anne Bezemer.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+
+MD5 implementation by L. Peter Deutsch (license and source in src/md5.[ch])
+Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
diff --git a/jni/iodine/README-win32.txt b/jni/iodine/README-win32.txt
new file mode 100644
index 0000000..eec675e
--- /dev/null
+++ b/jni/iodine/README-win32.txt
@@ -0,0 +1,62 @@
+

+

+iodine - http://code.kryo.se/iodine

+

+***********************************

+

+Extra README file for Win32 related stuff

+

+

+== Running iodine on Windows:

+1. Install the TAP32 driver 

+   http://openvpn.net/index.php/open-source/downloads.html

+   Choose OpenVPN 2.0.9 Windows Installer, when installing you can

+   select to install only the TAP driver.

+

+2. Have at least one TAP32 interface installed. There are scripts for adding

+   and removing in the OpenVPN bin directory. If you have more than one

+   installed, use -d to specify which. Use double quotes if you have spaces,

+   example: iodine.exe -d "Local Area Connection 4" abc.ab

+

+3. Make sure the interface you want to use does not have a default gateway set.

+

+4. Run iodine/iodined as normal (see the main README file).

+   You may have to run it as administrator depending on user privileges.

+

+5. Enjoy!

+

+

+== Building on Windows:

+You need:

+	MinGW, MSYS, GCC, zlib

+

+Then just run make

+

+

+== Cross-compiling for MinGW:

+You need:

+	MinGW crosscompiler, crosscompiled zlib

+

+Then run "make cross-mingw"

+Note that the binaries will not get a .exe suffix

+

+

+== Zlib download

+You can get zlib for MinGW here (both for native and crosscompile):

+http://code.kryo.se/iodine/deps/zlib.zip

+Unzip it in your MinGW directory on Windows or in $ROOT/usr for

+cross-compile.

+

+

+== Results of crappy Win32 API:

+The following fixable limitations apply:

+- Server cannot read packet destination address

+

+The following (probably) un-fixable limitations apply:

+- A password entered as -P argument can be shown in process list

+- Priviligies cannot be dropped

+- chroot() cannot be used

+- Detaching from terminal not possible

+- Server on windows must be run with /30 netmask

+- Client can only talk to server, not other clients

+

diff --git a/jni/iodine/TODO b/jni/iodine/TODO
new file mode 100644
index 0000000..e852d32
--- /dev/null
+++ b/jni/iodine/TODO
@@ -0,0 +1,12 @@
+
+iodine - http://code.kryo.se/iodine
+
+***********************************
+
+The TODO list is now located at
+
+http://dev.kryo.se/iodine/
+
+The list is under the "View tickets" page
+
+Feel free to add your own wishes and bug reports
diff --git a/jni/iodine/doc/iodine.te b/jni/iodine/doc/iodine.te
new file mode 100644
index 0000000..9749f03
--- /dev/null
+++ b/jni/iodine/doc/iodine.te
@@ -0,0 +1,25 @@
+# Sample post-initialization SELinux policy for Iodine
+policy_module(iodine, 1.1)
+
+require {
+	type init_t;
+	type initrc_t;
+	type unconfined_t;
+	type unlabeled_t;
+	class udp_socket { read write };
+	class rawip_socket { write read };
+	class association recvfrom;
+	class unix_dgram_socket { create connect };
+}
+
+type iodine_t;
+domain_type(iodine_t)
+domain_dyntrans_type(initrc_t)
+allow initrc_t iodine_t:process dyntransition;
+
+allow iodine_t unconfined_t:udp_socket { read write };
+allow iodine_t unconfined_t:rawip_socket { write read };
+allow iodine_t unlabeled_t:association recvfrom;
+allow iodine_t self:unix_dgram_socket { create connect };
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
diff --git a/jni/iodine/doc/proto_00000402.txt b/jni/iodine/doc/proto_00000402.txt
new file mode 100644
index 0000000..da36919
--- /dev/null
+++ b/jni/iodine/doc/proto_00000402.txt
@@ -0,0 +1,61 @@
+Detailed specification of protocol in version 00000402
+======================================================
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu means accepted (server ip, client ip, mtu)
+
+Case check:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw
+
+Data:
+Data header:
+	 321 0 
+	+---+-+
+	|UUU|L|
+	+---+-+
+
+UUU = Userid
+L = Last fragment in packet flag
+
+First byte is the header, 4 bits coded as hex in ASCII. 
+Followed by data encoded with Base32.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte userid
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL type response:
+If server has nothing to send, data length is 0 bytes.
+If server has a packet to send, data length is set and the data is a full raw
+unencoded ip packet, prefixed with 32 bits tun data.
diff --git a/jni/iodine/doc/proto_00000500.txt b/jni/iodine/doc/proto_00000500.txt
new file mode 100644
index 0000000..05f100c
--- /dev/null
+++ b/jni/iodine/doc/proto_00000500.txt
@@ -0,0 +1,112 @@
+Detailed specification of protocol in version 00000500
+======================================================
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
+
+Case check:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw
+
+Switch codec:
+Client sends:
+	First byte s or S
+	5 bits coded as Base32 char, meaning userid
+	5 bits coded as Base32 char, with value 5 or 6, representing number of raw
+	bits per encoded byte
+Server sends:
+	Name of codec if accepted. After this all upstream data packets must 
+	be encoded with the new codec.
+	BADCODEC if not accepted. Client must then revert to Base32
+
+Probe downstream fragment size:
+Client sends:
+	First byte r or R
+	15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
+		meaning 4 bits userid, 11 bits fragment size
+	Then follows a long random query which contents does not matter
+Server sends:
+	Requested number of bytes as a response. The first two bytes contains
+	the requested length. Rest of message can be any data.
+	BADFRAG if requested length not accepted.
+
+Set downstream fragment size:
+Client sends:
+	First byte n or N
+	Rest encoded with base32:
+	1 byte userid
+	2 bytes new downstream fragment size
+	CMC
+Server sends:
+	2 bytes new downstream fragment size. After this all downstream
+	payloads will be max (fragsize + 2) bytes long.
+	BADFRAG if not accepted.
+
+Data:
+Upstream data header:
+	 3210 432 10 43 210 4321 0
+	+----+---+--+--+---+----+-+
+	|UUUU|SSS|FF|FF|DDD|GGGG|L|
+	+----+---+--+--+---+----+-+
+
+Downstream data header:
+	 7 654 3210 765 4321 0
+	+-+---+----+---+----+-+
+	|C|SSS|FFFF|DDD|GGGG|L|
+	+-+---+----+---+----+-+
+
+UUUU = Userid
+L = Last fragment in packet flag
+SS = Upstream packet sequence number
+FFFF = Upstream fragment number
+DDD = Downstream packet sequence number
+GGGG = Downstream fragment number
+C = Compression enabled for downstream packet
+
+Upstream data packet starts with 1 byte ASCII hex coded user byte, then 3 bytes 
+Base32 encoded header, then comes the payload data, encoded with chosen codec.
+
+Downstream data starts with 2 byte header. Then payload data, which may be
+compressed.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte with 4 bits userid
+	1 byte with:
+		3 bits downstream seqno
+		4 bits downstream fragment
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL type response:
+If server has nothing to send, data length is 0 bytes.
+If server has something to send, it will send a downstream data packet, 
+prefixed with 2 bytes header as shown above.
diff --git a/jni/iodine/doc/proto_00000502.txt b/jni/iodine/doc/proto_00000502.txt
new file mode 100644
index 0000000..46cf2de
--- /dev/null
+++ b/jni/iodine/doc/proto_00000502.txt
@@ -0,0 +1,287 @@
+Detailed specification of protocol in version 00000502
+======================================================
+
+Note: work in progress!!
+
+======================================================
+1. DNS protocol
+======================================================
+
+Quick alphabetical index / register:
+	0-9	Data packet
+	A-F	Data packet
+	I	IP address
+	L	Login
+	N	Downstream fragsize	(NS.topdomain A-type reply)
+	O	Options
+	P	Ping
+	R	Downstream fragsize probe
+	S	Switch upstream codec
+	V	Version
+	W				(WWW.topdomain A-type reply)
+	Y	Downstream codec check
+	Z	Upstream codec check
+
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
+
+IP Request:
+Client sends:
+	First byte i or I
+	5 bits coded as Base32 char, meaning userid
+	CMC as 3 Base32 chars
+Server replies
+	BADIP if bad userid, or
+	I and then 4 bytes network order external IP address of iodined server
+
+Upstream codec check / bounce:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw, in the lowest-grade downstream codec
+	available for the request type.
+
+Downstream codec check:
+Client sends:
+	First byte y or Y
+	1 char, meaning downstream codec to use
+	5 bits coded as Base32 char, meaning check variant
+	CMC as 3 Base32 chars
+	Possibly extra data, depending on check variant
+Server sends:
+	Data encoded with requested downstream codec; data content depending
+	on check variant number.
+	BADCODEC if requested downstream codec not available.
+	BADLEN if check variant is not available, or problem with extra data.
+
+	Downstream codec chars are same as in 'O' Option request, below.
+
+	Check variants:
+	1: Send encoded DOWNCODECCHECK1 string as defined in encoding.h
+
+	(Other variants reserved; possibly variant that sends a decoded-encoded
+	copy of Base32-encoded extra data in the request)
+
+Switch codec:
+Client sends:
+	First byte s or S
+	5 bits coded as Base32 char, meaning userid
+	5 bits coded as Base32 char, representing number of raw bits per
+	encoded byte:
+		5: Base32   (a-z0-5)
+		6: Base64   (a-zA-Z0-9+-)
+		26: Base64u (a-zA-Z0-9_-)
+		7: Base128  (a-zA-Z0-9\274-\375)
+	CMC as 3 Base32 chars
+Server sends:
+	Name of codec if accepted. After this all upstream data packets must 
+	be encoded with the new codec.
+	BADCODEC if not accepted. Client must then revert to previous codec
+	BADLEN if length of query is too short
+
+Options:
+Client sends:
+	First byte o or O
+	5 bits coded as Base32 char, meaning userid
+	1 char, meaning option
+	CMC as 3 Base32 chars
+Server sends:
+	Full name of option if accepted. After this, option immediately takes
+	effect in server.
+	BADCODEC if not accepted. Previous situation remains.
+	All options affect only the requesting client.
+
+	Option chars:
+	t or T: Downstream encoding Base32, for TXT/CNAME/A/MX (default)
+	s or S: Downstream encoding Base64, for TXT/CNAME/A/MX
+	u or U: Downstream encoding Base64u, for TXT/CNAME/A/MX
+	v or V: Downstream encoding Base128, for TXT/CNAME/A/MX
+	r or R: Downstream encoding Raw, for TXT/NULL (default for NULL)
+	If codec unsupported for request type, server will use Base32; note
+	that server will answer any mix of request types that a client sends.
+	Server may disregard this option; client must always use the downstream
+	encoding type indicated in every downstream DNS packet.
+
+	l or L: Lazy mode, server will keep one request unanswered until the
+	next one comes in. Applies only to data transfer; handshake is always
+	answered immediately.
+	i or I: Immediate (non-lazy) mode, server will answer all requests
+	(nearly) immediately.
+
+Probe downstream fragment size:
+Client sends:
+	First byte r or R
+	15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
+		meaning 4 bits userid, 11 bits fragment size
+	Then follows a long random query which contents does not matter
+Server sends:
+	Requested number of bytes as a response. The first two bytes contain
+	the requested length. The third byte is 107 (0x6B). The fourth byte
+	is a random value, and each following byte is incremented with 107.
+	This is checked by the client to determine corruption.
+	BADFRAG if requested length not accepted.
+
+Set downstream fragment size:
+Client sends:
+	First byte n or N
+	Rest encoded with base32:
+	1 byte userid
+	2 bytes new downstream fragment size
+	CMC
+Server sends:
+	2 bytes new downstream fragment size. After this all downstream
+	payloads will be max (fragsize + 2) bytes long.
+	BADFRAG if not accepted.
+
+Data:
+Upstream data header:
+	 3210 432 10 43 210 4321 0 43210
+	+----+---+--+--+---+----+-+-----+
+	|UUUU|SSS|FF|FF|DDD|GGGG|L|UDCMC|
+	+----+---+--+--+---+----+-+-----+
+
+Downstream data header:
+	 7 654 3210 765 4321 0
+	+-+---+----+---+----+-+
+	|C|SSS|FFFF|DDD|GGGG|L|
+	+-+---+----+---+----+-+
+
+UUUU = Userid
+L = Last fragment in packet flag
+SS = Upstream packet sequence number
+FFFF = Upstream fragment number
+DDD = Downstream packet sequence number
+GGGG = Downstream fragment number
+C = Compression enabled for downstream packet
+UDCMC = Upstream Data CMC, 36 steps a-z0-9, case-insensitive
+
+Upstream data packet starts with 1 byte ASCII hex coded user byte; then 3 bytes 
+Base32 encoded header; then 1 char data-CMC; then comes the payload data,
+encoded with the chosen upstream codec.
+
+Downstream data starts with 2 byte header. Then payload data, which may be
+compressed.
+
+In NULL responses, downstream data is always raw. In all other response types,
+downstream data is encoded (see Options above).
+Encoding type is indicated by 1 prefix char:
+TXT:
+	End result is always DNS-chopped (series of len-prefixed strings
+	<=255 bytes)
+	t or T: Base32	 encoded before chop, decoded after un-chop
+	s or S: Base64	 encoded before chop, decoded after un-chop
+	u or U: Base64u	 encoded before chop, decoded after un-chop
+	v or V: Base128	 encoded before chop, decoded after un-chop
+	r or R: Raw	 no encoding, only DNS-chop
+SRV/MX/CNAME/A:
+	h or H: Hostname encoded with Base32
+	i or I: Hostname encoded with Base64
+	j or J: Hostname encoded with Base64u
+	k or K: Hostname encoded with Base128
+SRV and MX may reply with multiple hostnames, each encoded separately. Each
+has a 10-multiple priority, and encoding/decoding is done in strictly
+increasing priority sequence 10, 20, 30, etc. without gaps. Note that some DNS
+relays will shuffle the answer records in the response.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte with 4 bits userid
+	1 byte with:
+		3 bits downstream seqno
+		4 bits downstream fragment
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL/TXT/.. type response,
+always starting with the 2 bytes downstream data header as shown above.
+If server has nothing to send, no data is added after the header.
+If server has something to send, it will add the downstream data packet
+(or some fragment of it) after the header.
+ 
+ 
+"Lazy-mode" operation
+=====================
+
+Client-server DNS traffic sequence has been reordered to provide increased
+(interactive) performance and greatly reduced latency.
+
+Idea taken from Lucas Nussbaum's slides (24th IFIP International Security
+Conference, 2009) at http://www.loria.fr/~lnussbau/tuns.html. Current
+implementation is original to iodine, no code or documentation from any other
+project was consulted during development.
+
+Server:
+Upstream data is acked immediately*, to keep the slow upstream data flowing
+as fast as possible (client waits for ack to send next frag).
+
+Upstream pings are answered _only_ when 1) downstream data arrives from tun,
+OR 2) new upstream ping/data arrives from client.
+In most cases, this means we answer the previous DNS query instead of the
+current one. The current query is kept in queue and used as soon as
+downstream data has to be sent.
+
+*: upstream data ack is usually done as reply on the previous ping packet,
+and the upstream-data packet itself is kept in queue.
+ 
+Client:
+Downstream data is acked immediately, to keep it flowing fast (includes a
+ping after last downstream frag).
+
+Also, after all available upstream data is sent & acked by the server (which
+in some cases uses up the last query), send an additional ping to prime the
+server for the next downstream data.
+
+
+======================================================
+2. Raw UDP protocol
+======================================================
+
+All Raw UDP protcol messages start with a 3 byte header: 0x10d19e
+This is not the start of a valid DNS message so it is easy to identify.
+The fourth byte contains the command and the user id.
+
+	 7654 3210
+	+----+----+
+	|CCCC|UUUU|
+	+----+----+
+
+Login message (command = 1):
+The header is followed by a MD5 hash with the same password as in the DNS
+login. The client starts the raw mode by sending this message, and uses
+the login challenge +1, and the server responds using the login challenge -1.
+After the login message has been exchanged, both the server and the client
+switch to raw udp mode for the rest of the connection.
+
+Data message (command = 2):
+After the header comes the payload data, which may be compressed.
+
+Ping message (command = 3):
+Sent from client to server and back to keep session open. Has no payload.
+
diff --git a/jni/iodine/man/iodine.8 b/jni/iodine/man/iodine.8
new file mode 100644
index 0000000..6eee603
--- /dev/null
+++ b/jni/iodine/man/iodine.8
@@ -0,0 +1,338 @@
+.\" groff -man -Tascii iodine.8
+.TH IODINE 8 "DEC 2009" "User Manuals"
+.SH NAME
+iodine, iodined \- tunnel IPv4 over DNS
+.SH SYNOPSIS
+.B iodine [-v]
+
+.B iodine [-h]
+
+.B iodine [-f] [-r] [-u
+.I user
+.B ] [-P
+.I password
+.B ] [-m
+.I fragsize
+.B ] [-t
+.I chrootdir
+.B ] [-d
+.I device
+.B ] [-m
+.I fragsize
+.B ] [-M
+.I namelen
+.B ] [-z
+.I context
+.B ] [-F
+.I pidfile
+.B ] [-T
+.I dnstype
+.B ] [-O
+.I downenc
+.B ] [-L
+.I 0|1
+.B ] [-I
+.I interval
+.B ]
+.B [
+.I nameserver
+.B ]
+.I topdomain
+
+.B iodined [-v]
+
+.B iodined [-h]
+
+.B iodined [-c] [-s] [-f] [-D] [-u
+.I user
+.B ] [-t
+.I chrootdir
+.B ] [-d
+.I device
+.B ] [-m
+.I mtu
+.B ] [-l
+.I listen_ip
+.B ] [-p
+.I port
+.B ] [-n
+.I external_ip
+.B ] [-b
+.I dnsport
+.B ] [-P
+.I password
+.B ] [-z
+.I context
+.B ] [-F
+.I pidfile
+.B ]
+.I tunnel_ip
+.B [
+.I /netmask
+.B ]
+.I topdomain
+.SH DESCRIPTION
+.B iodine
+lets you tunnel IPv4 data through a DNS 
+server. This can be useful in situations where Internet access is firewalled,
+but DNS queries are allowed. It needs a TUN/TAP device to operate. The 
+bandwidth is asymmetrical,
+with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s
+downstream in a wired LAN test network.
+Realistic sustained throughput on a Wifi network using a carrier-grade
+DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s
+downstream.
+.B iodine
+is the client application,
+.B iodined
+is the server.
+
+Note: server and client are required to speak the exact same protocol. In most
+cases, this means running the same iodine version. Unfortunately, implementing
+backward and forward protocol compatibility is usually not feasible.
+.SH OPTIONS
+.SS Common Options:
+.TP
+.B -v
+Print version info and exit.
+.TP
+.B -h
+Print usage info and exit.
+.TP
+.B -f
+Keep running in foreground.
+.TP
+.B -u user
+Drop privileges and run as user 'user' after setting up tunnel.
+.TP
+.B -t chrootdir
+Chroot to 'chrootdir' after setting up tunnel.
+.TP
+.B -d device
+Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
+and otherwise tunX.
+.TP
+.B -P password
+Use 'password' to authenticate. If not used, 
+.B stdin
+will be used as input. Only the first 32 characters will be used.
+.TP
+.B -z context
+Apply SELinux 'context' after initialization.
+.TP
+.B -F pidfile
+Create 'pidfile' and write process id in it.
+.SS Client Options:
+.TP
+.B -r
+Skip raw UDP mode. If not used, iodine will try getting the public IP address
+of the iodined host and test if it is reachable directly. If it is, traffic
+will be sent to the server instead of the DNS relay.
+.TP
+.B -m fragsize
+Force maximum downstream fragment size. Not setting this will cause the
+client to automatically probe the maximum accepted downstream fragment size.
+.TP
+.B -M namelen
+Maximum length of upstream hostnames, default 255.
+Usable range ca. 100 to 255.
+Use this option to scale back upstream bandwidth in favor of downstream
+bandwidth.
+Also useful for DNS servers that perform unreliably when using full-length
+hostnames, noticable when fragment size autoprobe returns very
+different results each time.
+.TP
+.B -T dnstype
+DNS request type override.
+By default, autodetection will probe for working DNS request types, and
+will select the request type that is expected to provide the most bandwidth.
+However, it may turn out that a DNS relay imposes limits that skew the
+picture, which may lead to an "unexpected" DNS request type providing
+more bandwidth.
+In that case, use this option to override the autodetection.
+In (expected) decreasing bandwidth order, the supported DNS request types are:
+.IR NULL ,
+.IR TXT ,
+.IR SRV ,
+.IR MX ,
+.I CNAME
+and
+.I A
+(returning CNAME).
+Note that
+.IR SRV ,
+.I MX
+and
+.I A
+may/will cause additional lookups by "smart" caching
+nameservers to get an actual IP address, which may either slow down or fail
+completely.
+.TP
+.B -O downenc
+Force downstream encoding type for all query type responses except NULL.
+Default is autodetected, but may not spot all problems for the more advanced
+codecs.
+Use this option to override the autodetection.
+.I Base32
+is the lowest-grade codec and should always work; this is used when
+autodetection fails.
+.I Base64
+provides more bandwidth, but may not work on all nameservers.
+.I Base64u
+is equal to Base64 except in using underscore ('_')
+instead of plus sign ('+'), possibly working where
+.I Base64
+does not.
+.I Base128
+uses high byte values (mostly accented letters in iso8859-1),
+which might work with some nameservers.
+For TXT queries,
+.I Raw
+will provide maximum performance, but this will only work if the nameserver
+path is fully 8-bit-clean for responses that are assumed to be "legible text".
+.TP
+.B -L 0|1
+Lazy-mode switch.
+\-L1 (default): Use lazy mode for improved performance and decreased latency.
+A very small minority of DNS relays appears to be unable to handle the
+lazy mode traffic pattern, resulting in no or very little data coming through.
+The iodine client will detect this and try to switch back to legacy mode,
+but this may not always work.
+In these situations use \-L0 to force running in legacy mode
+(implies \-I1).
+.TP
+.B -I interval
+Maximum interval between requests (pings) so that intermediate DNS
+servers will not time out. Default is 4 in lazy mode, which will work
+fine in most cases. When too many SERVFAIL errors occur, iodine
+will automatically reduce this to 1.
+To get absolute minimum DNS traffic,
+increase well above 4, but not so high that SERVFAIL errors start to occur.
+There are some DNS relays with very small timeouts,
+notably dnsadvantage.com (ultradns), that will give
+SERVFAIL errors even with \-I1; data will still get trough,
+and these errors can be ignored.
+Maximum useful value is 59, since iodined will close a client's
+connection after 60 seconds of inactivity.
+.SS Server Options:
+.TP
+.B -c
+Disable checking the client IP address on all incoming requests.
+By default, requests originating from non-matching IP adresses will be
+rejected, however this will cause problems when requests are routed
+via a cluster of DNS servers.
+.TP
+.B -s
+Don't try to configure IP address or MTU. 
+This should only be used if you have already configured the device that will be
+used.
+.TP
+.B -D
+Increase debug level. Level 1 prints info about each RX/TX packet.
+Implies the
+.B -f
+option.
+On level 2 (-DD) or higher, DNS queries will be printed literally.
+When using Base128 upstream encoding, this is best viewed as
+ISO Latin-1 text instead of (illegal) UTF-8.
+This is easily done with : "LC_ALL=C luit iodined -DD ..."
+(see luit(1)).
+.TP
+.B -m mtu
+Set 'mtu' as mtu size for the tun device. 
+This will be sent to the client on login, and the client will use the same mtu
+for its tun device.  Default 1130.  Note that the DNS traffic will be
+automatically fragmented when needed.
+.TP
+.B -l listen_ip
+Make the server listen only on 'listen_ip' for incoming requests.
+By default, incoming requests are accepted from all interfaces.
+.TP
+.B -p port
+Make the server listen on 'port' instead of 53 for traffic. 
+.B Note:
+You must make sure the dns requests are forwarded to this port yourself.
+.TP
+.B -n external_ip
+The IP address to return in NS responses. Default is to return the address used
+as destination in the query.
+.TP
+.B -b dnsport
+If this port is specified, all incoming requests not inside the tunnel domain
+will be forwarded to this port on localhost, to be handled by a real dns.
+.B Note:
+The forwarding is not fully transparent, and not advised for use
+in production environments.
+.SS Client Arguments:
+.TP
+.B nameserver
+The nameserver to use to relay the dns traffic. This can be any relaying
+nameserver or the server running iodined if reachable. This field can be
+given as an IP address, or as a hostname. This argument is optional, and 
+if not specified a nameserver will be read from the
+.I /etc/resolv.conf
+file.
+.TP
+.B topdomain
+The dns traffic will be sent as queries for subdomains under
+\'topdomain'. This is normally a subdomain to a domain you own. Use a short
+domain name to get better throughput. If 
+.B nameserver
+is the iodined server, then the topdomain can be chosen freely. This argument
+must be the same on both the client and the server.
+.SS Server Arguments:
+.TP
+.B tunnel_ip[/netmask]
+This is the server's ip address on the tun interface. The client will be
+given the next ip number in the range. It is recommended to use the 
+10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overriden
+by specifying it here. Using a smaller network will limit the number of
+concurrent users.
+.TP
+.B topdomain
+The dns traffic is expected to arrive as queries for
+subdomains under 'topdomain'. This is normally a subdomain to a domain you 
+own. Use a short domain name to get better throughput. This argument must be 
+the same on both the client and the server. Queries for domains other
+than 'topdomain' will be forwarded when the \-b option is given, otherwise
+they will be dropped.
+.SH EXAMPLES
+See the README file for both a quick test scenario, and a detailed description
+of real-world deployment.
+.SH SECURITY
+Login is a relatively secure challenge-response MD5 hash, with the
+password never passing the wire.
+However, all other data is
+.B NOT
+encrypted in any way. The DNS traffic is also vulnerable to replay,
+injection and man-in-the-middle attacks, especially when iodined is used
+with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
+On both server and client, use
+.IR iptables ,
+.I pf
+or other firewalls to block all traffic coming in from the tun interfaces,
+except to the used ssh or vpn ports.
+.SH ENVIRONMENT
+.SS IODINE_PASS
+If the environment variable
+.B IODINE_PASS
+is set, iodine will use the value it is set to as password instead of asking
+for one. The 
+.B -P
+option still has precedence.
+.SS IODINED_PASS
+If the environment variable
+.B IODINED_PASS
+is set, iodined will use the value it is set to as password instead of asking
+for one. The
+.B -P
+option still has precedence.
+.El
+.SH SEE ALSO
+The README file in the source distribution contains some more elaborate
+information.
+.SH BUGS
+File bugs at http://dev.kryo.se/iodine/
+.SH AUTHORS
+Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>. Major
+contributions by Anne Bezemer.
diff --git a/jni/iodine/src/Makefile b/jni/iodine/src/Makefile
new file mode 100644
index 0000000..a5b9838
--- /dev/null
+++ b/jni/iodine/src/Makefile
@@ -0,0 +1,46 @@
+COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o base64u.o base128.o md5.o common.o
+CLIENTOBJS = iodine.o client.o util.o
+CLIENT = ../bin/iodine
+SERVEROBJS = iodined.o user.o fw_query.o
+SERVER = ../bin/iodined
+
+OS = `echo $(TARGETOS) | tr "a-z" "A-Z"`
+ARCH = `uname -m`
+
+LIBPATH = -L.
+LDFLAGS +=  -lz `sh osflags $(TARGETOS) link` $(LIBPATH)
+CFLAGS += -c -g -Wall -D$(OS) -pedantic `sh osflags $(TARGETOS) cflags`
+
+all: stateos $(CLIENT) $(SERVER)
+
+stateos:
+	@echo OS is $(OS), arch is $(ARCH)
+
+$(CLIENT): $(COMMONOBJS) $(CLIENTOBJS)
+	@echo LD $@
+	@mkdir -p ../bin
+	@$(CC) $(COMMONOBJS) $(CLIENTOBJS) -o $(CLIENT) $(LDFLAGS)
+
+$(SERVER): $(COMMONOBJS) $(SERVEROBJS)
+	@echo LD $@
+	@mkdir -p ../bin
+	@$(CC) $(COMMONOBJS) $(SERVEROBJS) -o $(SERVER) $(LDFLAGS)
+
+.c.o: 
+	@echo CC $<
+	@$(CC) $(CFLAGS) $< -o $@
+
+base64u.o client.o iodined.o: base64u.h
+base64u.c: base64.c
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.c >> $@
+base64u.h: base64.h
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.h >> $@
+
+clean:
+	@echo "Cleaning src/"
+	@rm -f $(CLIENT){,.exe} $(SERVER){,.exe} *~ *.o *.core base64u.*
+
diff --git a/jni/iodine/src/base128.c b/jni/iodine/src/base128.c
new file mode 100644
index 0000000..32a29f8
--- /dev/null
+++ b/jni/iodine/src/base128.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * raw	76543210 76543210 76543210 76543210 76543210 76543210 76543210
+ * enc	65432106 54321065 43210654 32106543 21065432 10654321 06543210
+ *	^      ^       ^       ^       ^       ^       ^       ^
+ *
+ *	0001 1  0001 1
+ *	0011 3  0011 3
+ *	0111 7  0111 7
+ *	1111 f  0110 6
+ *	1110 e  0100 4
+ *	1100 c
+ *	1000 8
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "encoding.h"
+#include "base128.h"
+
+#define BLKSIZE_RAW 7
+#define BLKSIZE_ENC 8
+
+/* Don't use '-' (restricted to middle of labels), prefer iso_8859-1
+ * accent chars since they might readily be entered in normal use,
+ * don't use 254-255 because of possible function overloading in DNS systems.
+ */
+static const unsigned char cb128[] = 
+	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	"\274\275\276\277"
+	"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317"
+	"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
+	"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
+	"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
+static unsigned char rev128[256];
+static int reverse_init = 0;
+
+static int base128_encode(char *, size_t *, const void *, size_t);
+static int base128_decode(void *, size_t *, const char *, size_t);
+static int base128_handles_dots();
+static int base128_blksize_raw();
+static int base128_blksize_enc();
+
+static struct encoder base128_encoder =
+{
+	"Base128",
+	base128_encode,
+	base128_decode,
+	base128_handles_dots,
+	base128_handles_dots,
+	base128_blksize_raw,
+	base128_blksize_enc
+};
+
+struct encoder
+*get_base128_encoder()
+{
+	return &base128_encoder;
+}
+
+static int 
+base128_handles_dots()
+{
+	return 0;
+}
+
+static int 
+base128_blksize_raw()
+{
+	return BLKSIZE_RAW;
+}
+
+static int 
+base128_blksize_enc()
+{
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base128_reverse_init()
+{
+	int i;
+	unsigned char c;
+
+	if (!reverse_init) {
+		memset (rev128, 0, 256);
+		for (i = 0; i < 128; i++) {
+			c = cb128[i];
+			rev128[(int) c] = i;
+		}
+		reverse_init = 1;
+	}
+}
+
+static int 
+base128_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *ubuf = (unsigned char *) buf;
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0xfe) >> 1)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--; 	/* previous char is useless */
+			break;
+		}
+		ubuf[iout] = cb128[((udata[iin] & 0x01) << 6) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xfc) >> 2) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x03) << 5) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xf8) >> 3) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x07) << 4) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x0f) << 3) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xe0) >> 5) : 0)];
+		iin++;			/* 3 complete, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x1f) << 2) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 4 complete, iin=5 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x3f) << 1) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0x80) >> 7) : 0)];
+		iin++;			/* 5 complete, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[(udata[iin] & 0x7f)];
+		iin++;			/* 6 complete, iin=7 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	/* store number of bytes from data that was used */
+	*buflen = iin;
+
+	return iout;
+}
+
+#define REV128(x) rev128[(int) (x)]
+
+static int
+base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
+{
+	unsigned char *ustr = (unsigned char *) str;
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
+
+	base128_reverse_init ();
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x7f) << 1) | 
+			     ((REV128(ustr[iin + 1]) & 0x40) >> 6);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x3f) << 2) |
+			     ((REV128(ustr[iin + 1]) & 0x60) >> 5);
+		iin++;  		/* 1 used up, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x1f) << 3) |
+			     ((REV128(ustr[iin + 1]) & 0x70) >> 4);
+		iin++;  		/* 2 used up, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x0f) << 4) |
+			     ((REV128(ustr[iin + 1]) & 0x78) >> 3);
+		iin++;  		/* 3 used up, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x07) << 5) |
+			     ((REV128(ustr[iin + 1]) & 0x7c) >> 2);
+		iin++;  		/* 4 used up, iin=5 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x03) << 6) |
+			     ((REV128(ustr[iin + 1]) & 0x7e) >> 1);
+		iin++;  		/* 5 used up, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x01) << 7) |
+			     ((REV128(ustr[iin + 1]) & 0x7f));
+		iin += 2;  		/* 6,7 used up, iin=8 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}
diff --git a/jni/iodine/src/base128.h b/jni/iodine/src/base128.h
new file mode 100644
index 0000000..235b2f9
--- /dev/null
+++ b/jni/iodine/src/base128.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __BASE128_H__
+#define __BASE128_H__
+
+struct encoder *get_base128_encoder(void);
+
+#endif
diff --git a/jni/iodine/src/base32.c b/jni/iodine/src/base32.c
new file mode 100644
index 0000000..8731a92
--- /dev/null
+++ b/jni/iodine/src/base32.c
@@ -0,0 +1,270 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "encoding.h"
+#include "base32.h"
+
+#define BLKSIZE_RAW 5
+#define BLKSIZE_ENC 8
+
+static const char cb32[] = 
+	"abcdefghijklmnopqrstuvwxyz012345";
+static const char cb32_ucase[] = 
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
+static unsigned char rev32[256];
+static int reverse_init = 0;
+
+static int base32_encode(char *, size_t *, const void *, size_t);
+static int base32_decode(void *, size_t *, const char *, size_t);
+static int base32_handles_dots();
+static int base32_blksize_raw();
+static int base32_blksize_enc();
+
+static struct encoder base32_encoder =
+{
+	"Base32",
+	base32_encode,
+	base32_decode,
+	base32_handles_dots,
+	base32_handles_dots,
+	base32_blksize_raw,
+	base32_blksize_enc
+};
+
+struct encoder
+*get_base32_encoder()
+{
+	return &base32_encoder;
+}
+
+static int 
+base32_handles_dots()
+{
+	return 0;
+}
+
+static int 
+base32_blksize_raw()
+{
+	return BLKSIZE_RAW;
+}
+
+static int 
+base32_blksize_enc()
+{
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base32_reverse_init()
+{
+	int i;
+	unsigned char c;
+
+	if (!reverse_init) {
+		memset (rev32, 0, 256);
+		for (i = 0; i < 32; i++) {
+			c = cb32[i];
+			rev32[(int) c] = i;
+			c = cb32_ucase[i];
+			rev32[(int) c] = i;
+		}
+		reverse_init = 1;
+	}
+}
+
+int
+b32_5to8(int in)
+{
+	return cb32[in & 31];
+}
+
+int
+b32_8to5(int in)
+{
+	base32_reverse_init();
+	return rev32[in];
+}
+
+static int 
+base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0xf8) >> 3)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--; 	/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x07) << 2) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x3e) >> 1)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x01) << 4) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x0f) << 1) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0x80) >> 7) : 0)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x7c) >> 2)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x03) << 3) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xe0) >> 5) : 0)];
+		iin++;			/* 3 complete, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x1f))];
+		iin++;			/* 4 complete, iin=5 */
+		iout++;
+	}
+
+	buf[iout] = '\0';
+
+	/* store number of bytes from data that was used */
+	*buflen = iin;
+
+	return iout;
+}
+
+#define REV32(x) rev32[(int) (x)]
+
+static int
+base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
+{
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
+
+	base32_reverse_init ();
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x1f) << 3) | 
+			     ((REV32(str[iin + 1]) & 0x1c) >> 2);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin + 2 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0' ||
+		    str[iin + 2] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x03) << 6) | 
+			     ((REV32(str[iin + 1]) & 0x1f) << 1) | 
+			     ((REV32(str[iin + 2]) & 0x10) >> 4);
+		iin += 2;  		/* 1,2 used up, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x0f) << 4) |
+			     ((REV32(str[iin + 1]) & 0x1e) >> 1);
+		iin++;  		/* 3 used up, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin + 2 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0' ||
+		    str[iin + 2] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x01) << 7) |
+			     ((REV32(str[iin + 1]) & 0x1f) << 2) |
+			     ((REV32(str[iin + 2]) & 0x18) >> 3);
+		iin += 2;  		/* 4,5 used up, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x07) << 5) |
+			     ((REV32(str[iin + 1]) & 0x1f));
+		iin += 2;  		/* 6,7 used up, iin=8 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}
diff --git a/jni/iodine/src/base32.h b/jni/iodine/src/base32.h
new file mode 100644
index 0000000..497ca33
--- /dev/null
+++ b/jni/iodine/src/base32.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __BASE32_H__
+#define __BASE32_H__
+
+struct encoder *get_base32_encoder(void);
+
+int b32_5to8(int);
+int b32_8to5(int);
+#endif
diff --git a/jni/iodine/src/base64.c b/jni/iodine/src/base64.c
new file mode 100644
index 0000000..5218c09
--- /dev/null
+++ b/jni/iodine/src/base64.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "encoding.h"
+#include "base64.h"
+
+#define BLKSIZE_RAW 3
+#define BLKSIZE_ENC 4
+
+/* Note: the "unofficial" char is last here, which means that the \377 pattern
+   in DOWNCODECCHECK1 ('Y' request) will properly test it. */
+static const char cb64[] = 
+	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+";
+static unsigned char rev64[256];
+static int reverse_init = 0;
+
+static int base64_encode(char *, size_t *, const void *, size_t);
+static int base64_decode(void *, size_t *, const char *, size_t);
+static int base64_handles_dots();
+static int base64_blksize_raw();
+static int base64_blksize_enc();
+
+static struct encoder base64_encoder =
+{
+	"Base64",
+	base64_encode,
+	base64_decode,
+	base64_handles_dots,
+	base64_handles_dots,
+	base64_blksize_raw,
+	base64_blksize_enc
+};
+
+struct encoder
+*get_base64_encoder()
+{
+	return &base64_encoder;
+}
+
+static int 
+base64_handles_dots()
+{
+	return 0;
+}
+
+static int 
+base64_blksize_raw()
+{
+	return BLKSIZE_RAW;
+}
+
+static int 
+base64_blksize_enc()
+{
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base64_reverse_init()
+{
+	int i;
+	unsigned char c;
+
+	if (!reverse_init) {
+		memset (rev64, 0, 256);
+		for (i = 0; i < 64; i++) {
+			c = cb64[i];
+			rev64[(int) c] = i;
+		}
+		reverse_init = 1;
+	}
+}
+
+static int 
+base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[((udata[iin] & 0xfc) >> 2)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb64[((udata[iin] & 0x03) << 4) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[((udata[iin] & 0x0f) << 2 ) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[(udata[iin] & 0x3f)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
+	}
+
+	buf[iout] = '\0';
+
+	/* store number of bytes from data that was used */
+	*buflen = iin;
+
+	return iout;
+}
+
+#define REV64(x) rev64[(int) (x)]
+
+static int
+base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
+{
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
+
+	base64_reverse_init ();
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV64(str[iin]) & 0x3f) << 2) | 
+			     ((REV64(str[iin + 1]) & 0x30) >> 4);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV64(str[iin]) & 0x0f) << 4) | 
+			     ((REV64(str[iin + 1]) & 0x3c) >> 2);
+		iin++;  		/* 1 used up, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV64(str[iin]) & 0x03) << 6) |
+			     (REV64(str[iin + 1]) & 0x3f);
+		iin += 2;  		/* 2,3 used up, iin=4 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}
diff --git a/jni/iodine/src/base64.h b/jni/iodine/src/base64.h
new file mode 100644
index 0000000..d550cf3
--- /dev/null
+++ b/jni/iodine/src/base64.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __BASE64_H__
+#define __BASE64_H__
+
+struct encoder *get_base64_encoder(void);
+
+#endif
diff --git a/jni/iodine/src/client.c b/jni/iodine/src/client.c
new file mode 100644
index 0000000..552344b
--- /dev/null
+++ b/jni/iodine/src/client.c
@@ -0,0 +1,2527 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <fcntl.h>
+#include <zlib.h>
+#include <time.h>
+
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#include <grp.h>
+#include <pwd.h>
+#include <netdb.h>
+#endif
+
+#include "common.h"
+#include "encoding.h"
+#include "base32.h"
+#include "base64.h"
+#include "base64u.h"
+#include "base128.h"
+#include "dns.h"
+#include "login.h"
+#include "tun.h"
+#include "version.h"
+#include "client.h"
+
+static void handshake_lazyoff(int dns_fd);
+
+static int running;
+static const char *password;
+
+static struct sockaddr_in nameserv;
+static struct sockaddr_in raw_serv;
+static const char *topdomain;
+
+static uint16_t rand_seed;
+
+/* Current up/downstream IP packet */
+static struct packet outpkt;
+static struct packet inpkt;
+int outchunkresent = 0;
+
+/* My userid at the server */
+static char userid;
+static char userid_char;		/* used when sending (lowercase) */
+static char userid_char2;		/* also accepted when receiving (uppercase) */
+
+/* DNS id for next packet */
+static uint16_t chunkid;
+static uint16_t chunkid_prev;
+static uint16_t chunkid_prev2;
+
+/* Base32 encoder used for non-data packets and replies */
+static struct encoder *b32;
+/* Base64 etc encoders for replies */
+static struct encoder *b64;
+static struct encoder *b64u;
+static struct encoder *b128;
+
+/* The encoder used for data packets
+ * Defaults to Base32, can be changed after handshake */
+static struct encoder *dataenc;
+  
+/* The encoder to use for downstream data */
+static char downenc = ' ';
+ 
+/* set query type to send */
+static unsigned short do_qtype = T_UNSET;
+
+/* My connection mode */
+static enum connection conn;
+
+static int selecttimeout;		/* RFC says timeout minimum 5sec */
+static int lazymode;
+static long send_ping_soon;
+static time_t lastdownstreamtime;
+static long send_query_sendcnt = -1;
+static long send_query_recvcnt = 0;
+static int hostname_maxlen = 0xFF;
+
+void
+client_init()
+{
+	running = 1;
+	b32 = get_base32_encoder();
+	b64 = get_base64_encoder();
+	b64u = get_base64u_encoder();
+	b128 = get_base128_encoder();
+	dataenc = get_base32_encoder();
+	rand_seed = ((unsigned int) rand()) & 0xFFFF;
+	send_ping_soon = 1;	/* send ping immediately after startup */
+	conn = CONN_DNS_NULL;
+
+	chunkid = ((unsigned int) rand()) & 0xFFFF;
+	chunkid_prev = 0;
+	chunkid_prev2 = 0;
+
+	outpkt.len = 0;
+	outpkt.seqno = 0;
+	outpkt.fragment = 0;
+	outchunkresent = 0;
+	inpkt.len = 0;
+	inpkt.seqno = 0;
+	inpkt.fragment = 0;
+}
+
+void
+client_stop()
+{
+	running = 0;
+}
+
+enum connection
+client_get_conn()
+{
+	return conn;
+}
+
+void
+client_set_nameserver(const char *cp, int port) 
+{
+	struct in_addr addr;
+
+	if (inet_aton(cp, &addr) != 1) {
+		/* try resolving if a domain is given */
+		struct hostent *host;
+		const char *err;
+		host = gethostbyname(cp);
+		if (host != NULL && h_errno > 0) {
+			int i = 0;
+			while (host->h_addr_list[i] != 0) {
+				addr = *(struct in_addr *) host->h_addr_list[i++];
+				fprintf(stderr, "Resolved %s to %s\n", cp, inet_ntoa(addr));
+				goto setaddr;
+			}
+		}
+#ifndef WINDOWS32
+		err = hstrerror(h_errno);
+#else
+		{
+			DWORD wserr = WSAGetLastError();
+			switch (wserr) {
+			case WSAHOST_NOT_FOUND:
+				err = "Host not found";
+				break;
+			case WSANO_DATA:
+				err = "No data record found";
+				break;
+			default:
+				err = "Unknown error";
+				break;
+			}
+		}
+#endif /* !WINDOWS32 */
+		errx(1, "error resolving nameserver '%s': %s", cp, err);
+	}
+
+setaddr:
+	memset(&nameserv, 0, sizeof(nameserv));
+	nameserv.sin_family = AF_INET;
+	nameserv.sin_port = htons(port);
+	nameserv.sin_addr = addr;
+}
+
+void
+client_set_topdomain(const char *cp)
+{
+	topdomain = cp;
+}
+
+void
+client_set_password(const char *cp)
+{
+	password = cp;
+}
+
+void
+set_qtype(char *qtype)
+{
+	if (!strcasecmp(qtype, "NULL"))
+      		do_qtype = T_NULL;
+	else if (!strcasecmp(qtype, "CNAME"))
+		do_qtype = T_CNAME;
+	else if (!strcasecmp(qtype, "A"))
+		do_qtype = T_A;
+	else if (!strcasecmp(qtype, "MX"))
+		do_qtype = T_MX;
+	else if (!strcasecmp(qtype, "SRV"))
+		do_qtype = T_SRV;
+	else if (!strcasecmp(qtype, "TXT"))
+		do_qtype = T_TXT;
+}
+
+char *
+get_qtype()
+{
+	char *c = "UNDEFINED";
+
+	if (do_qtype == T_NULL)		c = "NULL";
+	else if (do_qtype == T_CNAME)	c = "CNAME";
+	else if (do_qtype == T_A)	c = "A";
+	else if (do_qtype == T_MX)	c = "MX";
+	else if (do_qtype == T_SRV)	c = "SRV";
+	else if (do_qtype == T_TXT)	c = "TXT";
+
+	return c;
+}
+
+void
+set_downenc(char *encoding)
+{
+	if (!strcasecmp(encoding, "base32"))
+		downenc = 'T';
+	else if (!strcasecmp(encoding, "base64"))
+		downenc = 'S';
+	else if (!strcasecmp(encoding, "base64u"))
+		downenc = 'U';
+	else if (!strcasecmp(encoding, "base128"))
+		downenc = 'V';
+	else if (!strcasecmp(encoding, "raw"))
+		downenc = 'R';
+}
+
+void 
+client_set_selecttimeout(int select_timeout)
+{
+	selecttimeout = select_timeout;
+}
+
+void
+client_set_lazymode(int lazy_mode)
+{
+	lazymode = lazy_mode;
+}
+
+void
+client_set_hostname_maxlen(int i)
+{
+	if (i <= 0xFF)
+		hostname_maxlen = i;
+}
+
+const char *
+client_get_raw_addr()
+{
+	return inet_ntoa(raw_serv.sin_addr);
+}
+
+static void
+send_query(int fd, char *hostname)
+{
+	char packet[4096];
+	struct query q;
+	size_t len;
+
+	chunkid_prev2 = chunkid_prev;
+	chunkid_prev = chunkid;
+	chunkid += 7727;
+	if (chunkid == 0)
+		/* 0 is used as "no-query" in iodined.c */
+		chunkid = 7727;
+
+	q.id = chunkid;
+	q.type = do_qtype;
+
+	len = dns_encode(packet, sizeof(packet), &q, QR_QUERY, hostname, strlen(hostname));
+	if (len < 1) {
+		warnx("dns_encode doesn't fit");
+		return;
+	}
+
+#if 0
+	fprintf(stderr, "  Sendquery: id %5d name[0] '%c'\n", q.id, hostname[0]);
+#endif
+
+	sendto(fd, packet, len, 0, (struct sockaddr*)&nameserv, sizeof(nameserv));
+
+	/* There are DNS relays that time out quickly but don't send anything
+	   back on timeout.
+	   And there are relays where, in lazy mode, our new query apparently
+	   _replaces_ our previous query, and we get no answers at all in
+	   lazy mode while legacy immediate-ping-pong works just fine.
+	   Here we detect and fix these situations.
+	   (Can't very well do this anywhere else; this is the only place
+	   we'll reliably get to in such situations.)
+	 */
+
+	if (send_query_sendcnt >= 0 && send_query_sendcnt < 100 && lazymode) {
+		send_query_sendcnt++;
+
+		if ((send_query_sendcnt > 6 && send_query_recvcnt <= 0) ||
+		    (send_query_sendcnt > 10 &&
+		     4 * send_query_recvcnt < send_query_sendcnt)) {
+			if (selecttimeout > 1) {
+				warnx("Receiving too few answers. Setting interval to 1 (-I1)");
+				selecttimeout = 1;
+				/* restart counting */
+				send_query_sendcnt = 0;
+				send_query_recvcnt = 0;
+			} else if (lazymode) {
+				warnx("Receiving too few answers. Will try to switch lazy mode off, but that may not always work any more. Start with -L0 next time on this network.");
+				lazymode = 0;
+				selecttimeout = 1;
+				handshake_lazyoff(fd);
+			}
+		}
+	}
+}
+
+static void
+send_raw(int fd, char *buf, int buflen, int user, int cmd)
+{
+	char packet[4096];
+	int len;
+
+	len = MIN(sizeof(packet) - RAW_HDR_LEN, buflen);
+
+	memcpy(packet, raw_header, RAW_HDR_LEN);
+	if (len) {
+		memcpy(&packet[RAW_HDR_LEN], buf, len);
+	}
+
+	len += RAW_HDR_LEN;
+	packet[RAW_HDR_CMD] = cmd | (user & 0x0F);
+
+	sendto(fd, packet, len, 0, (struct sockaddr*)&raw_serv, sizeof(raw_serv));
+}
+
+static void
+send_raw_data(int dns_fd)
+{
+	send_raw(dns_fd, outpkt.data, outpkt.len, userid, RAW_HDR_CMD_DATA);
+	outpkt.len = 0;
+}
+
+
+static void
+send_packet(int fd, char cmd, const char *data, const size_t datalen)
+{
+	char buf[4096];
+
+	buf[0] = cmd;
+	
+	build_hostname(buf + 1, sizeof(buf) - 1, data, datalen, topdomain,
+		       b32, hostname_maxlen);
+	send_query(fd, buf);
+}
+
+static inline int
+is_sending()
+{
+	return (outpkt.len != 0);
+}
+
+static void
+send_chunk(int fd)
+{
+	char buf[4096];
+	int avail;
+	int code;
+	char *p;
+	static int datacmc = 0;
+	char *datacmcchars = "abcdefghijklmnopqrstuvwxyz0123456789";
+
+	p = outpkt.data;
+	p += outpkt.offset;
+	avail = outpkt.len - outpkt.offset;
+
+	/* Note: must be same, or smaller than send_fragsize_probe() */
+	outpkt.sentlen = build_hostname(buf + 5, sizeof(buf) - 5, p, avail,
+					topdomain, dataenc, hostname_maxlen);
+
+	/* Build upstream data header (see doc/proto_xxxxxxxx.txt) */
+
+	buf[0] = userid_char;		/* First byte is hex userid */
+  
+	code = ((outpkt.seqno & 7) << 2) | ((outpkt.fragment & 15) >> 2);
+	buf[1] = b32_5to8(code); /* Second byte is 3 bits seqno, 2 upper bits fragment count */
+
+	code = ((outpkt.fragment & 3) << 3) | (inpkt.seqno & 7);
+	buf[2] = b32_5to8(code); /* Third byte is 2 bits lower fragment count, 3 bits downstream packet seqno */
+
+	code = ((inpkt.fragment & 15) << 1) | (outpkt.sentlen == avail);
+	buf[3] = b32_5to8(code); /* Fourth byte is 4 bits downstream fragment count, 1 bit last frag flag */
+
+	buf[4] = datacmcchars[datacmc];	/* Fifth byte is data-CMC */
+	datacmc++;
+	if (datacmc >= 36)
+		datacmc = 0;
+  
+#if 0
+	fprintf(stderr, "  Send: down %d/%d up %d/%d, %d bytes\n",
+		inpkt.seqno, inpkt.fragment, outpkt.seqno, outpkt.fragment,
+		outpkt.sentlen);
+#endif
+
+	send_query(fd, buf);
+}
+
+static void
+send_ping(int fd)
+{
+	if (conn == CONN_DNS_NULL) {
+		char data[4];
+		
+		data[0] = userid;
+		data[1] = ((inpkt.seqno & 7) << 4) | (inpkt.fragment & 15);
+		data[2] = (rand_seed >> 8) & 0xff;
+		data[3] = (rand_seed >> 0) & 0xff;
+		
+		rand_seed++;
+
+#if 0
+		fprintf(stderr, "  Send: down %d/%d         (ping)\n",
+			inpkt.seqno, inpkt.fragment);
+#endif
+
+		send_packet(fd, 'p', data, sizeof(data));
+	} else {
+		send_raw(fd, NULL, 0, userid, RAW_HDR_CMD_PING);
+	}
+}
+
+static void
+write_dns_error(struct query *q, int ignore_some_errors)
+/* This is called from:
+   1. handshake_waitdns() when already checked that reply fits to our
+      latest query.
+   2. tunnel_dns() when already checked that reply is for our ping or data
+      packet, but not necessarily the most recent (SERVFAIL mostly comes
+      after long delay).
+   So ignorable errors are never printed.
+*/
+{
+	if (!q) return;
+
+	switch (q->rcode) {
+	case NOERROR:	/* 0 */
+		if (!ignore_some_errors)
+			warnx("Got reply without error, but also without question and/or answer");
+		break;
+	case FORMERR:	/* 1 */
+		warnx("Got FORMERR as reply: server does not understand our request");
+		break;
+	case SERVFAIL:	/* 2 */
+		if (!ignore_some_errors)
+			warnx("Got SERVFAIL as reply: server failed or recursion timeout");
+		break;
+	case NXDOMAIN:	/* 3 */
+		warnx("Got NXDOMAIN as reply: domain does not exist");
+		break;
+	case NOTIMP:	/* 4 */
+		warnx("Got NOTIMP as reply: server does not support our request");
+		break;
+	case REFUSED:	/* 5 */
+		warnx("Got REFUSED as reply");
+		break;
+	default:
+		warnx("Got RCODE %u as reply", q->rcode);
+		break;
+	}
+}
+
+static int
+dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)
+/* Decodes *buf to *outdata.
+ * *buf WILL be changed by undotify.
+ * Note: buflen must be _exactly_ strlen(buf) before undotifying.
+ * (undotify of reduced-len won't copy \0, base-X decode will decode too much.)
+ * Returns #bytes usefully filled in outdata.
+ */
+{
+	size_t outdatalenu = outdatalen;
+
+	switch (buf[0]) {
+	case 'h': /* Hostname with base32 */
+	case 'H':
+		/* Need 1 byte H, 3 bytes ".xy", >=1 byte data */
+		if (buflen < 5)
+			return 0;
+
+		/* this also does undotify */
+		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
+				   b32);
+
+	case 'i': /* Hostname++ with base64 */
+	case 'I':
+		/* Need 1 byte I, 3 bytes ".xy", >=1 byte data */
+		if (buflen < 5)
+			return 0;
+
+		/* this also does undotify */
+		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
+				   b64);
+
+	case 'j': /* Hostname++ with base64u */
+	case 'J':
+		/* Need 1 byte J, 3 bytes ".xy", >=1 byte data */
+		if (buflen < 5)
+			return 0;
+
+		/* this also does undotify */
+		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
+				   b64u);
+
+	case 'k': /* Hostname++ with base128 */
+	case 'K':
+		/* Need 1 byte J, 3 bytes ".xy", >=1 byte data */
+		if (buflen < 5)
+			return 0;
+
+		/* this also does undotify */
+		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
+				   b128);
+
+	case 't': /* plain base32(Thirty-two) from TXT */
+	case 'T':
+		if (buflen < 2)
+			return 0;
+
+		return b32->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+
+	case 's': /* plain base64(Sixty-four) from TXT */
+	case 'S':
+		if (buflen < 2)
+			return 0;
+
+		return b64->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+
+	case 'u': /* plain base64u (Underscore) from TXT */
+	case 'U':
+		if (buflen < 2)
+			return 0;
+
+		return b64u->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+
+	case 'v': /* plain base128 from TXT */
+	case 'V':
+		if (buflen < 2)
+			return 0;
+
+		return b128->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+
+	case 'r': /* Raw binary from TXT */
+	case 'R':
+		/* buflen>=1 already checked */
+		buflen--;
+		buflen = MIN(buflen, outdatalen);
+		memcpy(outdata, buf + 1, buflen);
+		return buflen;
+
+	default:
+		warnx("Received unsupported encoding");
+		return 0;
+	}
+
+	/* notreached */
+	return 0;
+}
+
+static int
+read_dns_withq(int dns_fd, int tun_fd, char *buf, int buflen, struct query *q)
+/* FIXME: tun_fd needed for raw handling */
+/* Returns -1 on receive error or decode error, including DNS error replies.
+   Returns 0 on replies that could be correct but are useless, and are not
+   DNS error replies.
+   Returns >0 on correct replies; value is #valid bytes in *buf.
+*/
+{
+	struct sockaddr_in from;
+	char data[64*1024];
+	socklen_t addrlen;
+	int r;
+
+	addrlen = sizeof(struct sockaddr);
+	if ((r = recvfrom(dns_fd, data, sizeof(data), 0, 
+			  (struct sockaddr*)&from, &addrlen)) < 0) {
+		warn("recvfrom");
+		return -1;
+	}
+
+	if (conn == CONN_DNS_NULL) {
+		int rv;
+		if (r <= 0)
+			/* useless packet */
+			return 0;
+
+		rv = dns_decode(buf, buflen, q, QR_ANSWER, data, r);
+		if (rv <= 0)
+			return rv;
+
+		if (q->type == T_CNAME || q->type == T_TXT)
+		/* CNAME can also be returned from an A question */
+		{
+			/*
+			 * buf is a hostname or txt stream that we still need to
+			 * decode to binary
+			 * 
+			 * also update rv with the number of valid bytes
+			 * 
+			 * data is unused here, and will certainly hold the smaller binary
+			 */
+
+			rv = dns_namedec(data, sizeof(data), buf, rv);
+
+			rv = MIN(rv, buflen);
+			if (rv > 0)
+				memcpy(buf, data, rv);
+
+		} else if (q->type == T_MX || q->type == T_SRV) {
+			/* buf is like "Hname.com\0Hanother.com\0\0" */
+			int buftotal = rv;	/* idx of last \0 */
+			int bufoffset = 0;
+			int dataoffset = 0;
+			int thispartlen, dataspace, datanew;
+
+			while (1) {
+				thispartlen = strlen(buf);
+				thispartlen = MIN(thispartlen, buftotal-bufoffset);
+				dataspace = sizeof(data) - dataoffset;
+				if (thispartlen <= 0 || dataspace <= 0)
+					break;
+
+				datanew = dns_namedec(data + dataoffset, dataspace,
+						      buf + bufoffset, thispartlen);
+				if (datanew <= 0)
+					break;
+
+				bufoffset += thispartlen + 1;
+				dataoffset += datanew;
+			}
+			rv = dataoffset;
+			rv = MIN(rv, buflen);
+			if (rv > 0)
+				memcpy(buf, data, rv);
+		}
+
+		return rv;
+	} else { /* CONN_RAW_UDP */
+		unsigned long datalen;
+		char buf[64*1024];
+
+		/* minimum length */
+		if (r < RAW_HDR_LEN) return 0;
+		/* should start with header */
+		if (memcmp(data, raw_header, RAW_HDR_IDENT_LEN)) return 0;
+		/* should be my user id */
+		if (RAW_HDR_GET_USR(data) != userid) return 0;
+
+		if (RAW_HDR_GET_CMD(data) == RAW_HDR_CMD_DATA ||
+		    RAW_HDR_GET_CMD(data) == RAW_HDR_CMD_PING)
+			lastdownstreamtime = time(NULL);
+
+		/* should be data packet */
+		if (RAW_HDR_GET_CMD(data) != RAW_HDR_CMD_DATA) return 0;
+
+		r -= RAW_HDR_LEN;
+		datalen = sizeof(buf);
+		if (uncompress((uint8_t*)buf, &datalen, (uint8_t*) &data[RAW_HDR_LEN], r) == Z_OK) {
+			write_tun(tun_fd, buf, datalen);
+		}
+
+		/* don't process any further */
+		return 0;
+	}
+}
+
+static int
+handshake_waitdns(int dns_fd, char *buf, int buflen, char c1, char c2, int timeout)
+/* Wait for DNS reply fitting to our latest query and returns it.
+   Returns length of reply = #bytes used in buf.
+   Returns 0 if fitting reply happens to be useless.
+   Returns -2 on (at least) DNS error that fits to our latest query,
+   error message already printed.
+   Returns -3 on timeout (given in seconds).
+   Returns -1 on other errors.
+
+   Timeout is restarted when "wrong" (previous/delayed) replies are received,
+   so effective timeout may be longer than specified.
+*/
+{
+	struct query q;
+	int r, rv;
+	fd_set fds;
+	struct timeval tv;
+
+	while (1) {
+		tv.tv_sec = timeout;
+		tv.tv_usec = 0;
+		FD_ZERO(&fds);
+		FD_SET(dns_fd, &fds);
+		r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
+
+		if (r < 0)
+			return -1;	/* select error */
+		if (r == 0)
+			return -3;	/* select timeout */
+
+		q.id = 0;
+		q.name[0] = '\0';
+		rv = read_dns_withq(dns_fd, 0, buf, buflen, &q);
+
+		if (q.id != chunkid || (q.name[0] != c1 && q.name[0] != c2)) {
+#if 0
+			fprintf(stderr, "Ignoring unfitting reply id %d starting with '%c'\n", q.id, q.name[0]);
+#endif
+			continue;
+		}
+
+		/* if still here: reply matches our latest query */
+
+		/* Non-recursive DNS servers (such as [a-m].root-servers.net)
+		   return no answer, but only additional and authority records.
+		   Can't explicitly test for that here, just assume that
+		   NOERROR is such situation. Only trigger on the very first
+		   requests (Y or V, depending if -T given).
+		 */
+		if (rv < 0 && q.rcode == NOERROR &&
+		    (q.name[0] == 'Y' || q.name[0] == 'y' ||
+		     q.name[0] == 'V' || q.name[0] == 'v')) {
+			fprintf(stderr, "Got empty reply. This nameserver may not be resolving recursively, use another.\n");
+			fprintf(stderr, "Try \"iodine [options] ns.%s %s\" first, it might just work.\n",
+				topdomain, topdomain);
+			return -2;
+		}
+
+		/* If we get an immediate SERVFAIL on the handshake query
+		   we're waiting for, wait a while before sending the next.
+		   SERVFAIL reliably happens during fragsize autoprobe, but
+		   mostly long after we've moved along to some other queries.
+		   However, some DNS relays, once they throw a SERVFAIL, will
+		   for several seconds apply it immediately to _any_ new query
+		   for the same topdomain. When this happens, waiting a while
+		   is the only option that works.
+		 */
+		if (rv < 0 && q.rcode == SERVFAIL)
+			sleep(1);
+
+		if (rv < 0) {
+			write_dns_error(&q, 1);
+			return -2;
+		}
+		/* rv either 0 or >0, return it as is. */
+		return rv;
+	}
+
+	/* not reached */
+	return -1;
+}
+
+static int
+tunnel_tun(int tun_fd, int dns_fd)
+{
+	unsigned long outlen;
+	unsigned long inlen;
+	char out[64*1024];
+	char in[64*1024];
+	ssize_t read;
+
+	if ((read = read_tun(tun_fd, in, sizeof(in))) <= 0)
+		return -1;
+
+	/* We may be here only to empty the tun device; then return -1
+	   to force continue in select loop. */
+	if (is_sending())
+		return -1;
+
+	outlen = sizeof(out);
+	inlen = read;
+	compress2((uint8_t*)out, &outlen, (uint8_t*)in, inlen, 9);
+
+	memcpy(outpkt.data, out, MIN(outlen, sizeof(outpkt.data)));
+	outpkt.sentlen = 0;
+	outpkt.offset = 0;
+	outpkt.seqno = (outpkt.seqno + 1) & 7;
+	outpkt.len = outlen;
+	outpkt.fragment = 0;
+	outchunkresent = 0;
+
+	if (conn == CONN_DNS_NULL) {
+		send_chunk(dns_fd);
+
+		send_ping_soon = 0;
+	} else {
+		send_raw_data(dns_fd);
+	}
+
+	return read;
+}
+
+static int
+tunnel_dns(int tun_fd, int dns_fd)
+{
+	static long packrecv = 0;
+	static long packrecv_oos = 0;
+	static long packrecv_servfail = 0;
+	int up_ack_seqno;
+	int up_ack_fragment;
+	int new_down_seqno;
+	int new_down_fragment;
+	struct query q;
+	unsigned long datalen;
+	char buf[64*1024];
+	int read;
+	int send_something_now = 0;
+
+	memset(q.name, 0, sizeof(q.name));
+	read = read_dns_withq(dns_fd, tun_fd, buf, sizeof(buf), &q);
+
+	if (conn != CONN_DNS_NULL)
+		return 1;  /* everything already done */
+
+#if 0
+	fprintf(stderr, "				Recv: id %5d name[0]='%c'\n",
+		q.id, q.name[0]);
+#endif
+
+	/* Don't process anything that isn't data for us; usually error
+	   replies from fragsize probes etc. However a sequence of those,
+	   mostly 1 sec apart, will continuously break the >=2-second select
+	   timeout, which means we won't send a proper ping for a while.
+	   So make select a bit faster, <1sec. */
+	if (q.name[0] != 'P' && q.name[0] != 'p' &&
+	    q.name[0] != userid_char && q.name[0] != userid_char2) {
+		send_ping_soon = 700;
+		return -1;	/* nothing done */
+	}
+
+	if (read < 2) {
+		/* Maybe SERVFAIL etc. Send ping to get things back in order,
+		   but wait a bit to prevent fast ping-pong loops. */
+
+		if (read < 0)
+			write_dns_error(&q, 0);
+
+		if (read < 0 && q.rcode == SERVFAIL && lazymode &&
+		    selecttimeout > 1) {
+			if (packrecv < 500 && packrecv_servfail < 4) {
+				packrecv_servfail++;
+				warnx("Hmm, that's %ld. Your data should still go through...", packrecv_servfail);
+			} else if (packrecv < 500 && packrecv_servfail == 4) {
+				packrecv_servfail++;
+				warnx("I think %ld is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)", packrecv_servfail);
+				selecttimeout = 1;
+				send_query_sendcnt = 0;
+				send_query_recvcnt = 0;
+			} else if (packrecv >= 500 && packrecv_servfail > 0) {
+				warnx("(Sorry, stopped counting; try -I1 if you experience hiccups.)");
+				packrecv_servfail = 0;
+			}
+		}
+
+		/* read==1 happens with "QMEM" illegal replies, caused by
+		   heavy reordering, or after short disconnections when
+		   data-CMC has looped around into the "duplicate" values.
+		   All these cases are helped by faster pinging. */
+#if 0
+		if (read == 1)
+			fprintf(stderr, "   q=%c id %5d 1-byte illegal \"QMEM\" reply\n", q.name[0], q.id);
+#endif
+
+		send_ping_soon = 900;
+		return -1;	/* nothing done */
+	}
+
+	if (read == 5 && !strncmp("BADIP", buf, 5)) {
+		warnx("BADIP: Server rejected sender IP address (maybe iodined -c will help), or server kicked us due to timeout. Will exit if no downstream data is received in 60 seconds.");
+		return -1;	/* nothing done */
+	}
+
+	if (send_ping_soon) {
+		send_something_now = 1;
+		send_ping_soon = 0;
+	}
+
+	/* Decode the data header, update seqno and frag;
+	   already checked read>=2
+	   Note that buf[] gets overwritten when down-pkt complete */
+	new_down_seqno = (buf[1] >> 5) & 7;
+	new_down_fragment = (buf[1] >> 1) & 15;
+	up_ack_seqno = (buf[0] >> 4) & 7;
+	up_ack_fragment = buf[0] & 15;
+
+#if 0
+	fprintf(stderr, "				Recv: id %5d down %d/%d up %d/%d, %d bytes\n",
+		q.id, new_down_seqno, new_down_fragment, up_ack_seqno,
+		up_ack_fragment, read);
+#endif
+
+	/* Downstream data traffic */
+
+	if (read > 2 && new_down_seqno != inpkt.seqno &&
+	    recent_seqno(inpkt.seqno, new_down_seqno)) {
+		/* This is the previous seqno, or a bit earlier.
+		   Probably out-of-sequence dupe due to unreliable
+		   intermediary DNS. Don't get distracted, but send
+		   ping quickly to get things back in order.
+		   Ping will send our current seqno idea.
+		   If it's really a new packet that skipped multiple seqnos
+		   (why??), server will re-send and drop a few times and
+		   eventually everything will work again. */
+		read = 2;
+		send_ping_soon = 500;
+		/* Still process upstream ack, if any */
+	}
+
+	if (!(packrecv & 0x1000000))
+		packrecv++;
+	send_query_recvcnt++;  /* overflow doesn't matter */
+
+	/* Don't process any non-recent stuff any further.
+	   No need to remember more than 3 ids: in practice any older replies
+	   arrive after new/current replies, and whatever data the old replies
+	   have, it has become useless in the mean time.
+	   Actually, ever since iodined is replying to both the original query
+	   and the last dupe, this hardly triggers any more.
+	 */
+	if (q.id != chunkid && q.id != chunkid_prev && q.id != chunkid_prev2) {
+		packrecv_oos++;
+#if 0
+		fprintf(stderr, "   q=%c Packs received = %8ld  Out-of-sequence = %8ld\n", q.name[0], packrecv, packrecv_oos);
+#endif
+		if (lazymode && packrecv < 1000 && packrecv_oos == 5) {
+			if (selecttimeout > 1)
+				warnx("Hmm, getting some out-of-sequence DNS replies. Setting interval to 1 (use -I1 next time on this network). If data traffic still has large hiccups, try if -L0 works better.");
+			else
+				warnx("Hmm, getting some out-of-sequence DNS replies. If data traffic often has large hiccups, try running with -L0 .");
+			selecttimeout = 1;
+			send_query_sendcnt = 0;
+			send_query_recvcnt = 0;
+		}
+
+		if (send_something_now) {
+			send_ping(dns_fd);
+			send_ping_soon = 0;
+		}
+		return -1;	/* nothing done */
+	}
+#if 0
+	fprintf(stderr, "   q=%c Packs received = %8ld  Out-of-sequence = %8ld\n", q.name[0], packrecv, packrecv_oos);
+#endif
+
+	/* Okay, we have a recent downstream packet */
+	lastdownstreamtime = time(NULL);
+
+	/* In lazy mode, we shouldn't get much replies to our most-recent
+	   query, only during heavy data transfer. Since this means the server
+	   doesn't have any packets left, send one relatively fast (but not
+	   too fast, to avoid runaway ping-pong loops..) */
+	if (q.id == chunkid && lazymode) {
+		if (!send_ping_soon || send_ping_soon > 900)
+			send_ping_soon = 900;
+	}
+
+	if (read == 2 && new_down_seqno != inpkt.seqno &&
+	    !recent_seqno(inpkt.seqno, new_down_seqno)) {
+		/* This is a seqno that we didn't see yet, but it has
+		   no data any more. Possible since iodined will send
+		   fitting packs just once and not wait for ack.
+		   Real data got lost, or will arrive shortly.
+		   Update our idea of the seqno, and drop any waiting
+		   old pack. Send ping to get things back on track. */
+		inpkt.seqno = new_down_seqno;
+		inpkt.fragment = new_down_fragment;
+		inpkt.len = 0;
+		send_ping_soon = 500;
+	}
+
+	while (read > 2) {
+	/* "if" with easy exit */
+
+		if (new_down_seqno != inpkt.seqno) {
+			/* New packet (and not dupe of recent; checked above) */
+			/* Forget any old packet, even if incomplete */
+			inpkt.seqno = new_down_seqno;
+			inpkt.fragment = new_down_fragment;   /* hopefully 0 */
+			inpkt.len = 0;
+		} else if (inpkt.fragment == 0 && new_down_fragment == 0 &&
+			   inpkt.len == 0) {
+			/* Weird situation: we probably got a no-data reply
+			   for this seqno (see above), and the actual data
+			   is following now. */
+			/* okay, nothing to do here, just so that next else-if
+			   doesn't trigger */
+		} else if (new_down_fragment <= inpkt.fragment) {
+			/* Same packet but duplicate fragment, ignore.
+			   If the server didn't get our ack for it, the next
+			   ping or chunk will do that. */
+			send_ping_soon = 500;
+			break;
+		} else if (new_down_fragment > inpkt.fragment + 1) {
+			/* Quite impossible. We missed a fragment, but the
+			   server got our ack for it and is sending the next
+			   fragment already. Don't handle it but let server
+			   re-send and drop. */
+			send_ping_soon = 500;
+			break;
+		}
+		inpkt.fragment = new_down_fragment;
+
+		datalen = MIN(read - 2, sizeof(inpkt.data) - inpkt.len);
+
+		/* we are here only when read > 2, so datalen "always" >=1 */
+
+		/* Skip 2 byte data header and append to packet */
+		memcpy(&inpkt.data[inpkt.len], &buf[2], datalen);
+		inpkt.len += datalen;
+
+		if (buf[1] & 1) { /* If last fragment flag is set */
+			/* Uncompress packet and send to tun */
+			/* RE-USES buf[] */
+			datalen = sizeof(buf);
+			if (uncompress((uint8_t*)buf, &datalen, (uint8_t*) inpkt.data, inpkt.len) == Z_OK) {
+				write_tun(tun_fd, buf, datalen);
+			}
+			inpkt.len = 0;
+			/* Keep .seqno and .fragment as is, so that we won't
+			   reassemble from duplicate fragments */
+		}
+
+		/* Send anything to ack the received seqno/frag, and get more */
+		if (inpkt.len == 0) {
+			/* was last frag; wait just a trifle because our
+			   tun will probably return TCP-ack immediately.
+			   5msec = 200 DNSreq/sec */
+			send_ping_soon = 5;
+		} else {
+			/* server certainly has more data */
+			send_something_now = 1;
+		}
+
+	        break;
+	}
+
+	/* NOTE: buf[] was overwritten when down-packet complete */
+
+
+	/* Upstream data traffic */
+
+	if (is_sending()) {
+		/* already checked read>=2 */
+#if 0
+		fprintf(stderr, "Got ack for %d,%d - expecting %d,%d - id=%d cur=%d prev=%d prev2=%d\n",
+			up_ack_seqno, up_ack_fragment, outpkt.seqno, outpkt.fragment,
+			q.id, chunkid, chunkid_prev, chunkid_prev2);
+#endif
+
+		if (up_ack_seqno == outpkt.seqno &&
+		    up_ack_fragment == outpkt.fragment) {
+			/* Okay, previously sent fragment has arrived */
+
+			outpkt.offset += outpkt.sentlen;
+			if (outpkt.offset >= outpkt.len) {
+				/* Packet completed */
+				outpkt.offset = 0;
+				outpkt.len = 0;
+				outpkt.sentlen = 0;
+				outchunkresent = 0;
+
+				/* Normally, server still has a query in queue,
+				   but sometimes not. So send a ping.
+				   (Comment this out and you'll see occasional
+				   hiccups.)
+				   But since the server often still has a
+				   query and we can expect a TCP-ack returned
+				   from our tun device quickly in many cases,
+				   don't be too fast.
+				   20msec still is 50 DNSreq/second... */
+				if (!send_ping_soon || send_ping_soon > 20)
+					send_ping_soon = 20;
+			} else {
+				/* More to send */
+				outpkt.fragment++;
+				outchunkresent = 0;
+				send_chunk(dns_fd);
+				send_ping_soon = 0;
+				send_something_now = 0;
+			}
+		}
+		/* else: Some wrong fragment has arrived, or old fragment is
+		   acked again, mostly by ping responses.
+		   Don't resend chunk, usually not needed; select loop will
+		   re-send on timeout (1sec if is_sending()). */
+	}
+
+
+	/* Send ping if we didn't send anything yet */
+	if (send_something_now) {
+		send_ping(dns_fd);
+		send_ping_soon = 0;
+	}
+
+	return read;
+}
+
+static int
+always_1()
+{
+	return 1;
+}
+
+int
+client_tunnel(int tun_fd, int dns_fd)
+{
+	return client_tunnel_cb(tun_fd, dns_fd, &always_1);
+}
+
+int
+client_tunnel_cb(int tun_fd, int dns_fd, int
+                 (*cb_ask_continue)())
+{
+	struct timeval tv;
+	fd_set fds;
+	int rv;
+	int i;
+
+	rv = 0;
+	lastdownstreamtime = time(NULL);
+	send_query_sendcnt = 0;  /* start counting now */
+
+	while (running && cb_ask_continue()) {
+		tv.tv_sec = selecttimeout;
+		tv.tv_usec = 0;
+
+		if (is_sending()) {
+			/* fast timeout for retransmits */
+			tv.tv_sec = 1;
+			tv.tv_usec = 0;
+		}
+
+		if (send_ping_soon) {
+			tv.tv_sec = 0;
+			tv.tv_usec = send_ping_soon * 1000;
+		}
+
+		FD_ZERO(&fds);
+		if (!is_sending() || outchunkresent >= 2) {
+			/* If re-sending upstream data, chances are that
+			   we're several seconds behind already and TCP
+			   will start filling tun buffer with (useless)
+			   retransmits.
+			   Get up-to-date fast by simply dropping stuff,
+			   that's what TCP is designed to handle. */
+			FD_SET(tun_fd, &fds);
+		}
+		FD_SET(dns_fd, &fds);
+
+		i = select(MAX(tun_fd, dns_fd) + 1, &fds, NULL, NULL, &tv);
+
+ 		if (lastdownstreamtime + 60 < time(NULL)) {
+ 			warnx("No downstream data received in 60 seconds, shutting down.");
+ 			running = 0;
+ 		}
+		
+		if (running == 0)
+			break;
+
+		if (i < 0) 
+			err(1, "select");
+
+		if (i == 0) {
+			/* timeout */
+			if (is_sending()) {
+				/* Re-send current fragment; either frag
+				   or ack probably dropped somewhere.
+				   But problem: no cache-miss-counter,
+				   so hostname will be identical.
+				   Just drop whole packet after 3 retries,
+				   and TCP retransmit will solve it.
+				   NOTE: tun dropping above should be
+				   >=(value_here - 1) */
+				if (outchunkresent < 3) {
+					outchunkresent++;
+					send_chunk(dns_fd);
+				} else {
+					outpkt.offset = 0;
+					outpkt.len = 0;
+					outpkt.sentlen = 0;
+					outchunkresent = 0;
+
+					send_ping(dns_fd);
+				}
+			} else {
+				send_ping(dns_fd);
+			}
+			send_ping_soon = 0;
+
+		} else {
+
+			if (FD_ISSET(tun_fd, &fds)) {
+				if (tunnel_tun(tun_fd, dns_fd) <= 0)
+					continue;
+				/* Returns -1 on error OR when quickly
+				   dropping data in case of DNS congestion;
+				   we need to _not_ do tunnel_dns() then.
+				   If chunk sent, sets send_ping_soon=0. */
+			}
+			if (FD_ISSET(dns_fd, &fds)) {
+				if (tunnel_dns(tun_fd, dns_fd) <= 0)
+					continue;
+			} 
+		}
+	}
+
+	return rv;
+}
+
+static void
+send_login(int fd, char *login, int len)
+{
+	char data[19];
+
+	memset(data, 0, sizeof(data));
+	data[0] = userid;
+	memcpy(&data[1], login, MIN(len, 16));
+
+	data[17] = (rand_seed >> 8) & 0xff;
+	data[18] = (rand_seed >> 0) & 0xff;
+	
+	rand_seed++;
+
+	send_packet(fd, 'l', data, sizeof(data));
+}
+
+static void
+send_fragsize_probe(int fd, int fragsize)
+{
+	char probedata[256];
+	char buf[4096];
+
+	/*
+	 * build a large query domain which is random and maximum size,
+	 * will also take up maximal space in the return packet
+	 */
+	memset(probedata, MAX(1, rand_seed & 0xff), sizeof(probedata));
+	probedata[1] = MAX(1, (rand_seed >> 8) & 0xff);
+	rand_seed++;
+
+	/* Note: must either be same, or larger, than send_chunk() */
+	build_hostname(buf + 5, sizeof(buf) - 5, probedata, sizeof(probedata),
+		       topdomain, dataenc, hostname_maxlen);
+
+	fragsize &= 2047;
+
+	buf[0] = 'r'; /* Probe downstream fragsize packet */
+	buf[1] = b32_5to8((userid << 1) | ((fragsize >> 10) & 1));
+	buf[2] = b32_5to8((fragsize >> 5) & 31);
+	buf[3] = b32_5to8(fragsize & 31);
+	buf[4] = 'd'; /* dummy to match send_chunk() */
+
+	send_query(fd, buf);
+}
+
+static void
+send_set_downstream_fragsize(int fd, int fragsize)
+{
+	char data[5];
+	
+	data[0] = userid;
+	data[1] = (fragsize & 0xff00) >> 8;
+	data[2] = (fragsize & 0x00ff);
+	data[3] = (rand_seed >> 8) & 0xff;
+	data[4] = (rand_seed >> 0) & 0xff;
+	
+	rand_seed++;
+
+	send_packet(fd, 'n', data, sizeof(data));
+}
+
+static void 
+send_version(int fd, uint32_t version)
+{
+	char data[6];
+ 
+	data[0] = (version >> 24) & 0xff;
+	data[1] = (version >> 16) & 0xff;
+	data[2] = (version >> 8) & 0xff;
+	data[3] = (version >> 0) & 0xff;
+
+	data[4] = (rand_seed >> 8) & 0xff;
+	data[5] = (rand_seed >> 0) & 0xff;
+	
+	rand_seed++;
+
+	send_packet(fd, 'v', data, sizeof(data));
+}
+
+static void
+send_ip_request(int fd, int userid)
+{
+	char buf[512] = "i____.";
+	buf[1] = b32_5to8(userid);
+	
+	buf[2] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[3] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[4] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+static void
+send_raw_udp_login(int dns_fd, int userid, int seed)
+{
+	char buf[16];
+	login_calculate(buf, 16, password, seed + 1);
+
+	send_raw(dns_fd, buf, sizeof(buf), userid, RAW_HDR_CMD_LOGIN);
+}
+
+static void
+send_upenctest(int fd, char *s)
+/* NOTE: String may be at most 63-4=59 chars to fit in 1 dns chunk. */
+{
+	char buf[512] = "z___";
+	
+	buf[1] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[2] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[3] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, s, 512);
+	strncat(buf, ".", 512);
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+static void
+send_downenctest(int fd, char downenc, int variant, char *s, int slen)
+/* Note: content/handling of s is not defined yet. */
+{
+	char buf[512] = "y_____.";
+
+	buf[1] = tolower(downenc);
+	buf[2] = b32_5to8(variant);
+
+	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[5] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+static void
+send_codec_switch(int fd, int userid, int bits)
+{
+	char buf[512] = "s_____.";
+	buf[1] = b32_5to8(userid);
+	buf[2] = b32_5to8(bits);
+	
+	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[5] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+
+static void
+send_downenc_switch(int fd, int userid)
+{
+	char buf[512] = "o_____.";
+	buf[1] = b32_5to8(userid);
+	buf[2] = tolower(downenc);
+
+	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[5] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+static void
+send_lazy_switch(int fd, int userid)
+{
+	char buf[512] = "o_____.";
+	buf[1] = b32_5to8(userid);
+
+	if (lazymode)
+		buf[2] = 'l';
+	else
+		buf[2] = 'i';
+
+	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
+	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
+	buf[5] = b32_5to8((rand_seed ) & 0x1f);
+	rand_seed++;
+
+	strncat(buf, topdomain, 512 - strlen(buf));
+	send_query(fd, buf);
+}
+
+static int
+handshake_version(int dns_fd, int *seed)
+{
+	char hex[] = "0123456789abcdef";
+	char hex2[] = "0123456789ABCDEF";
+	char in[4096];
+	uint32_t payload;
+	int i;
+	int read;
+
+	for (i = 0; running && i < 5; i++) {
+
+		send_version(dns_fd, VERSION);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'v', 'V', i+1);
+
+		/*XXX START adjust indent 1 tab back*/
+			if (read >= 9) {
+				payload =  (((in[4] & 0xff) << 24) |
+						((in[5] & 0xff) << 16) |
+						((in[6] & 0xff) << 8) |
+						((in[7] & 0xff)));
+
+				if (strncmp("VACK", in, 4) == 0) {
+					*seed = payload;
+					userid = in[8];
+					userid_char = hex[userid & 15];
+					userid_char2 = hex2[userid & 15];
+
+					fprintf(stderr, "Version ok, both using protocol v 0x%08x. You are user #%d\n", VERSION, userid);
+					return 0;
+				} else if (strncmp("VNAK", in, 4) == 0) {
+					warnx("You use protocol v 0x%08x, server uses v 0x%08x. Giving up", 
+							VERSION, payload);
+					return 1;
+				} else if (strncmp("VFUL", in, 4) == 0) {
+					warnx("Server full, all %d slots are taken. Try again later", payload);
+					return 1;
+				}
+			} else if (read > 0)
+				warnx("did not receive proper login challenge");
+		/*XXX END adjust indent 1 tab back*/
+		
+		fprintf(stderr, "Retrying version check...\n");
+	}
+	warnx("couldn't connect to server (maybe other -T options will work)");
+	return 1;
+}
+
+static int
+handshake_login(int dns_fd, int seed)
+{
+	char in[4096];
+	char login[16];
+	char server[65];
+	char client[65];
+	int mtu;
+	int i;
+	int read;
+
+	login_calculate(login, 16, password, seed);
+	
+	for (i=0; running && i<5 ;i++) {
+
+		send_login(dns_fd, login, 16);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'l', 'L', i+1);
+
+		/*XXX START adjust indent 1 tab back*/
+			if (read > 0) {
+				int netmask;
+				if (strncmp("LNAK", in, 4) == 0) {
+					fprintf(stderr, "Bad password\n");
+					return 1;
+				} else if (sscanf(in, "%64[^-]-%64[^-]-%d-%d", 
+					server, client, &mtu, &netmask) == 4) {
+					
+					server[64] = 0;
+					client[64] = 0;
+					if (tun_setip(client, server, netmask) == 0 && 
+						tun_setmtu(mtu) == 0) {
+
+						fprintf(stderr, "Server tunnel IP is %s\n", server);
+						return 0;
+					} else {
+						errx(4, "Failed to set IP and MTU");
+					}
+				} else {
+					fprintf(stderr, "Received bad handshake\n");
+				}
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, "Retrying login...\n");
+	}
+	warnx("couldn't login to server");
+	return 1;
+}
+
+static int
+handshake_raw_udp(int dns_fd, int seed)
+{
+	struct timeval tv;
+	char in[4096];
+	fd_set fds;
+	int i;
+	int r;
+	int len;
+	unsigned remoteaddr = 0;
+	struct in_addr server;
+
+	fprintf(stderr, "Testing raw UDP data to the server (skip with -r)");
+	for (i=0; running && i<3 ;i++) {
+
+		send_ip_request(dns_fd, userid);
+
+		len = handshake_waitdns(dns_fd, in, sizeof(in), 'i', 'I', i+1);
+
+		/*XXX START adjust indent 1 tab back*/
+			if (len == 5 && in[0] == 'I') {
+				/* Received IP address */
+				remoteaddr = (in[1] & 0xff);
+				remoteaddr <<= 8;
+				remoteaddr |= (in[2] & 0xff);
+				remoteaddr <<= 8;
+				remoteaddr |= (in[3] & 0xff);
+				remoteaddr <<= 8;
+				remoteaddr |= (in[4] & 0xff);
+				server.s_addr = ntohl(remoteaddr);
+				break;
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, ".");
+		fflush(stderr);
+	}
+	fprintf(stderr, "\n");
+	if (!running)
+		return 0;
+	
+	if (!remoteaddr) {
+		fprintf(stderr, "Failed to get raw server IP, will use DNS mode.\n");
+		return 0;
+	}
+	fprintf(stderr, "Server is at %s, trying raw login: ", inet_ntoa(server));
+	fflush(stderr);
+
+	/* Store address to iodined server */
+	memset(&raw_serv, 0, sizeof(raw_serv));
+	raw_serv.sin_family = AF_INET;
+	raw_serv.sin_port = htons(53);
+	raw_serv.sin_addr = server;
+
+	/* do login against port 53 on remote server 
+	 * based on the old seed. If reply received,
+	 * switch to raw udp mode */
+	for (i=0; running && i<4 ;i++) {
+		tv.tv_sec = i + 1;
+		tv.tv_usec = 0;
+
+		send_raw_udp_login(dns_fd, userid, seed);
+		
+		FD_ZERO(&fds);
+		FD_SET(dns_fd, &fds);
+
+		r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
+
+		if(r > 0) {
+			/* recv() needed for windows, dont change to read() */
+			len = recv(dns_fd, in, sizeof(in), 0);
+			if (len >= (16 + RAW_HDR_LEN)) {
+				char hash[16];
+				login_calculate(hash, 16, password, seed - 1);
+				if (memcmp(in, raw_header, RAW_HDR_IDENT_LEN) == 0
+					&& RAW_HDR_GET_CMD(in) == RAW_HDR_CMD_LOGIN 
+					&& memcmp(&in[RAW_HDR_LEN], hash, sizeof(hash)) == 0) {
+
+					fprintf(stderr, "OK\n");
+					return 1;
+				}
+			}
+		}
+		fprintf(stderr, ".");
+		fflush(stderr);
+	}
+	
+	fprintf(stderr, "failed\n");
+	return 0;
+}
+
+static int
+handshake_upenctest(int dns_fd, char *s)
+/* NOTE: *s may be max 59 chars; must start with "aA" for case-swap check
+   Returns:
+   -1: case swap, no need for any further test: error printed; or Ctrl-C
+   0: not identical or error or timeout
+   1: identical string returned
+*/
+{
+	char in[4096];
+	unsigned char *uin = (unsigned char *) in;
+	unsigned char *us = (unsigned char *) s;
+	int i;
+	int read;
+        int slen;
+
+	slen = strlen(s);
+	for (i=0; running && i<3 ;i++) {
+
+		send_upenctest(dns_fd, s);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'z', 'Z', i+1);
+
+		if (read == -2)
+			return 0;	/* hard error */
+
+		if (read > 0 && read < slen + 4)
+			return 0;	/* reply too short (chars dropped) */
+
+		if (read > 0) {
+			int k;
+#if 0
+			/* in[56] = '@'; */
+			/* in[56] = '_'; */
+			/* if (in[29] == '\344') in[29] = 'a'; */
+			in[read] = '\0';
+			fprintf(stderr, "BounceReply: >%s<\n", in);
+#endif
+			/* quick check if case swapped, to give informative error msg */
+			if (in[4] == 'A') {
+				fprintf(stderr, "DNS queries get changed to uppercase, keeping upstream codec Base32\n");
+				return -1;
+			}
+			if (in[5] == 'a') {
+				fprintf(stderr, "DNS queries get changed to lowercase, keeping upstream codec Base32\n");
+				return -1;
+			}
+
+			for (k = 0; k < slen; k++) {
+				if (in[k+4] != s[k]) {
+					/* Definitely not reliable */
+					if (in[k+4] >= ' ' && in[k+4] <= '~' &&
+					    s[k] >= ' ' && s[k] <= '~') {
+						fprintf(stderr, "DNS query char '%c' gets changed into '%c'\n",
+							s[k], in[k+4]);
+					} else {
+						fprintf(stderr, "DNS query char 0x%02X gets changed into 0x%02X\n",
+							(unsigned int) us[k],
+							(unsigned int) uin[k+4]);
+					}
+					return 0;
+				}
+			}
+			/* if still here, then all okay */
+			return 1;
+		}
+
+		fprintf(stderr, "Retrying upstream codec test...\n");
+	}
+
+	if (!running)
+		return -1;
+
+	/* timeout */
+	return 0;
+}
+
+static int
+handshake_upenc_autodetect(int dns_fd)
+/* Returns:
+   0: keep Base32
+   1: Base64 is okay
+   2: Base64u is okay
+   3: Base128 is okay
+*/
+{
+	/* Note: max 59 chars, must start with "aA".
+	   pat64: If 0129 work, assume 3-8 are okay too.
+
+	   RFC1035 par 2.3.1 states that [A-Z0-9-] allowed, but only
+	   [A-Z] as first, and [A-Z0-9] as last char _per label_.
+	   Test by having '-' as last char.
+	 */
+        char *pat64="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ+0129-";
+        char *pat64u="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ_0129-";
+        char *pat128a="aA-Aaahhh-Drink-mal-ein-J\344germeister-";
+        char *pat128b="aA-La-fl\373te-na\357ve-fran\347aise-est-retir\351-\340-Cr\350te";
+        char *pat128c="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ";
+        char *pat128d="aA0123456789\274\275\276\277"
+		      "\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317";
+        char *pat128e="aA"
+		      "\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
+		      "\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
+		      "\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
+	int res;
+
+	/* Try Base128, starting very gently to not draw attention */
+	while (1) {
+		res = handshake_upenctest(dns_fd, pat128a);
+		if (res < 0) {
+			/* DNS swaps case, msg already printed; or Ctrl-C */
+			return 0;
+		} else if (res == 0) {
+			/* Probably not okay, skip Base128 entirely */
+			break;
+		}
+
+		res = handshake_upenctest(dns_fd, pat128b);
+		if (res < 0)
+			return 0;
+		else if (res == 0)
+			break;
+
+		/* if this works, we can test the real stuff */
+
+		res = handshake_upenctest(dns_fd, pat128c);
+		if (res < 0)
+			return 0;
+		else if (res == 0)
+			break;
+
+		res = handshake_upenctest(dns_fd, pat128d);
+		if (res < 0)
+			return 0;
+		else if (res == 0)
+			break;
+
+		res = handshake_upenctest(dns_fd, pat128e);
+		if (res < 0)
+			return 0;
+		else if (res == 0)
+			break;
+
+		/* if still here, then base128 works completely */
+		return 3;
+	}
+
+	/* Try Base64 (with plus sign) */
+	res = handshake_upenctest(dns_fd, pat64);
+	if (res < 0) {
+		/* DNS swaps case, msg already printed; or Ctrl-C */
+		return 0;
+	} else if (res > 0) {
+		/* All okay, Base64 msg will be printed later */
+		return 1;
+	}
+
+	/* Try Base64u (with _u_nderscore) */
+	res = handshake_upenctest(dns_fd, pat64u);
+	if (res < 0) {
+		/* DNS swaps case, msg already printed; or Ctrl-C */
+		return 0;
+	} else if (res > 0) {
+		/* All okay, Base64u msg will be printed later */
+		return 2;
+	}
+
+	/* if here, then nonthing worked */
+	fprintf(stderr, "Keeping upstream codec Base32\n");
+	return 0;
+}
+
+static int
+handshake_downenctest(int dns_fd, char trycodec)
+/* Returns:
+   0: not identical or error or timeout
+   1: identical string returned
+*/
+{
+	char in[4096];
+	int i;
+	int read;
+	char *s = DOWNCODECCHECK1;
+        int slen = DOWNCODECCHECK1_LEN;
+
+	for (i=0; running && i<3 ;i++) {
+
+		send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);
+
+		if (read == -2)
+			return 0;	/* hard error */
+
+		if (read > 0 && read != slen)
+			return 0;	/* reply incorrect = unreliable */
+
+		if (read > 0) {
+			int k;
+			for (k = 0; k < slen; k++) {
+				if (in[k] != s[k]) {
+					/* Definitely not reliable */
+					return 0;
+				}
+			}
+			/* if still here, then all okay */
+			return 1;
+		}
+
+		fprintf(stderr, "Retrying downstream codec test...\n");
+	}
+
+	/* timeout */
+	return 0;
+}
+
+static char
+handshake_downenc_autodetect(int dns_fd)
+/* Returns codec char (or ' ' if no advanced codec works) */
+{
+	int base64ok = 0;
+	int base64uok = 0;
+	int base128ok = 0;
+
+	if (do_qtype == T_NULL) {
+		/* no other choice than raw */
+		fprintf(stderr, "No alternative downstream codec available, using default (Raw)\n");
+		return ' ';
+	}
+
+	fprintf(stderr, "Autodetecting downstream codec (use -O to override)\n");
+
+	/* Try Base64 */
+	if (handshake_downenctest(dns_fd, 'S'))
+		base64ok = 1;
+	else if (running && handshake_downenctest(dns_fd, 'U'))
+		base64uok = 1;
+
+	/* Try Base128 only if 64 gives us some perspective */
+	if (running && (base64ok || base64uok)) {
+		if (handshake_downenctest(dns_fd, 'V'))
+			base128ok = 1;
+	}
+
+	/* If 128 works, then TXT may give us Raw as well */
+	if (running && (base128ok && do_qtype == T_TXT)) {
+		if (handshake_downenctest(dns_fd, 'R'))
+			return 'R';
+	}
+
+	if (!running)
+		return ' ';
+
+	if (base128ok)
+		return 'V';
+	if (base64ok)
+		return 'S';
+	if (base64uok)
+		return 'U';
+
+	fprintf(stderr, "No advanced downstream codecs seem to work, using default (Base32)\n");
+	return ' ';
+}
+
+static int
+handshake_qtypetest(int dns_fd, int timeout)
+/* Returns:
+   0: doesn't work with this timeout
+   1: works properly
+*/
+{
+	char in[4096];
+	int read;
+	char *s = DOWNCODECCHECK1;
+        int slen = DOWNCODECCHECK1_LEN;
+	int trycodec;
+	int k;
+
+	if (do_qtype == T_NULL)
+		trycodec = 'R';
+	else
+		trycodec = 'T';
+
+	/* We could use 'Z' bouncing here, but 'Y' also tests that 0-255
+	   byte values can be returned, which is needed for NULL to work. */
+
+	send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+
+	read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', timeout);
+
+	if (read != slen)
+		return 0;	/* incorrect */
+
+	for (k = 0; k < slen; k++) {
+		if (in[k] != s[k]) {
+			/* corrupted */
+			return 0;
+		}
+	}
+
+	/* if still here, then all okay */
+	return 1;
+}
+
+static int
+handshake_qtype_numcvt(int num)
+{
+	switch (num) {
+	case 0:	return T_NULL;
+	case 1:	return T_TXT;
+	case 2:	return T_SRV;
+	case 3:	return T_MX;
+	case 4:	return T_CNAME;
+	case 5:	return T_A;
+	}
+	return T_UNSET;
+}
+
+static int
+handshake_qtype_autodetect(int dns_fd)
+/* Returns:
+   0: okay, do_qtype set
+   1: problem, program exit
+*/
+{
+	int highestworking = 100;
+	int timeout;
+	int qtypenum;
+
+	fprintf(stderr, "Autodetecting DNS query type (use -T to override)");
+	fflush(stderr);
+
+	/* Method: try all "interesting" qtypes with a 1-sec timeout, then try
+	   all "still-interesting" qtypes with a 2-sec timeout, etc.
+	   "Interesting" means: qtypes that (are expected to) have higher
+	   bandwidth than what we know is working already (highestworking).
+
+	   Note that DNS relays may not immediately resolve the first (NULL)
+	   query in 1 sec, due to long recursive lookups, so we keep trying
+	   to see if things will start working after a while.
+	 */
+
+	for (timeout = 1; running && timeout <= 3; timeout++) {
+		for (qtypenum = 0; running && qtypenum < highestworking; qtypenum++) {
+			do_qtype = handshake_qtype_numcvt(qtypenum);
+			if (do_qtype == T_UNSET)
+				break;	/* this round finished */
+
+			fprintf(stderr, ".");
+			fflush(stderr);
+
+			if (handshake_qtypetest(dns_fd, timeout)) {
+				/* okay */
+				highestworking = qtypenum;
+#if 0
+				fprintf(stderr, " Type %s timeout %d works\n",
+					get_qtype(), timeout);
+#endif
+				break;
+				/* try others with longer timeout */
+			}
+			/* else: try next qtype with same timeout */
+		}
+		if (highestworking == 0)
+			/* good, we have NULL; abort immediately */
+			break;
+	}
+
+	fprintf(stderr, "\n");
+
+	if (!running) {
+		warnx("Stopped while autodetecting DNS query type (try setting manually with -T)");
+		return 1;  /* problem */
+	}
+
+	/* finished */
+	do_qtype = handshake_qtype_numcvt(highestworking);
+
+	if (do_qtype == T_UNSET) {
+		/* also catches highestworking still 100 */
+		warnx("No suitable DNS query type found. Are you connected to a network?");
+		warnx("If you expect very long roundtrip delays, use -T explicitly.");
+		warnx("(Also, connecting to an \"ancient\" version of iodined won't work.)");
+		return 1;  /* problem */
+	}
+
+	/* "using qtype" message printed in handshake function */
+	return 0;  /* okay */
+}
+
+static int
+handshake_edns0_check(int dns_fd)
+/* Returns:
+   0: EDNS0 not supported; or Ctrl-C
+   1: EDNS0 works
+*/
+{
+	char in[4096];
+	int i;
+	int read;
+	char *s = DOWNCODECCHECK1;
+        int slen = DOWNCODECCHECK1_LEN;
+	char trycodec;
+
+	if (do_qtype == T_NULL)
+		trycodec = 'R';
+	else
+		trycodec = 'T';
+
+	for (i=0; running && i<3 ;i++) {
+
+		send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);
+
+		if (read == -2)
+			return 0;	/* hard error */
+
+		if (read > 0 && read != slen)
+			return 0;	/* reply incorrect = unreliable */
+
+		if (read > 0) {
+			int k;
+			for (k = 0; k < slen; k++) {
+				if (in[k] != s[k]) {
+					/* Definitely not reliable */
+					return 0;
+				}
+			}
+			/* if still here, then all okay */
+			return 1;
+		}
+
+		fprintf(stderr, "Retrying EDNS0 support test...\n");
+	}
+
+	/* timeout or Ctrl-C */
+	return 0;
+}
+
+static void
+handshake_switch_codec(int dns_fd, int bits)
+{
+	char in[4096];
+	int i;
+	int read;
+	struct encoder *tempenc;
+
+	if (bits == 5)
+		tempenc = get_base32_encoder();
+	else if (bits == 6)
+		tempenc = get_base64_encoder();
+	else if (bits == 26)	/* "2nd" 6 bits per byte, with underscore */
+		tempenc = get_base64u_encoder();
+	else if (bits == 7)
+		tempenc = get_base128_encoder();
+	else return;
+
+	fprintf(stderr, "Switching upstream to codec %s\n", tempenc->name);
+
+	for (i=0; running && i<5 ;i++) {
+
+		send_codec_switch(dns_fd, userid, bits);
+		
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 's', 'S', i+1);
+
+		/*XXX START adjust indent 1 tab back*/			
+			if (read > 0) {
+				if (strncmp("BADLEN", in, 6) == 0) {
+					fprintf(stderr, "Server got bad message length. ");
+					goto codec_revert;
+				} else if (strncmp("BADIP", in, 5) == 0) {
+					fprintf(stderr, "Server rejected sender IP address. ");
+					goto codec_revert;
+				} else if (strncmp("BADCODEC", in, 8) == 0) {
+					fprintf(stderr, "Server rejected the selected codec. ");
+					goto codec_revert;
+				}
+				in[read] = 0; /* zero terminate */
+				fprintf(stderr, "Server switched upstream to codec %s\n", in);
+				dataenc = tempenc;
+				return;
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, "Retrying codec switch...\n");
+	}
+	if (!running)
+		return;
+
+	fprintf(stderr, "No reply from server on codec switch. ");
+
+codec_revert: 
+	fprintf(stderr, "Falling back to upstream codec %s\n", dataenc->name);
+}
+
+static void
+handshake_switch_downenc(int dns_fd)
+{
+	char in[4096];
+	int i;
+	int read;
+	char *dname;
+
+	dname = "Base32";
+	if (downenc == 'S')
+		dname = "Base64";
+	else if (downenc == 'U')
+		dname = "Base64u";
+	else if (downenc == 'V')
+		dname = "Base128";
+	else if (downenc == 'R')
+		dname = "Raw";
+
+	fprintf(stderr, "Switching downstream to codec %s\n", dname);
+	for (i=0; running && i<5 ;i++) {
+
+		send_downenc_switch(dns_fd, userid);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);
+
+		/*XXX START adjust indent 1 tab back*/
+			if (read > 0) {
+				if (strncmp("BADLEN", in, 6) == 0) {
+					fprintf(stderr, "Server got bad message length. ");
+					goto codec_revert;
+				} else if (strncmp("BADIP", in, 5) == 0) {
+					fprintf(stderr, "Server rejected sender IP address. ");
+					goto codec_revert;
+				} else if (strncmp("BADCODEC", in, 8) == 0) {
+					fprintf(stderr, "Server rejected the selected codec. ");
+					goto codec_revert;
+				}
+				in[read] = 0; /* zero terminate */
+				fprintf(stderr, "Server switched downstream to codec %s\n", in);
+				return;
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, "Retrying codec switch...\n");
+	}
+	if (!running)
+		return;
+
+	fprintf(stderr, "No reply from server on codec switch. ");
+
+codec_revert: 
+	fprintf(stderr, "Falling back to downstream codec Base32\n");
+}
+
+static void
+handshake_try_lazy(int dns_fd)
+{
+	char in[4096];
+	int i;
+	int read;
+
+	fprintf(stderr, "Switching to lazy mode for low-latency\n");
+	for (i=0; running && i<5; i++) {
+
+		send_lazy_switch(dns_fd, userid);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);
+
+		/*XXX START adjust indent 1 tab back*/
+			if (read > 0) {
+				if (strncmp("BADLEN", in, 6) == 0) {
+					fprintf(stderr, "Server got bad message length. ");
+					goto codec_revert;
+				} else if (strncmp("BADIP", in, 5) == 0) {
+					fprintf(stderr, "Server rejected sender IP address. ");
+					goto codec_revert;
+				} else if (strncmp("BADCODEC", in, 8) == 0) {
+					fprintf(stderr, "Server rejected lazy mode. ");
+					goto codec_revert;
+				} else if (strncmp("Lazy", in, 4) == 0) {
+					fprintf(stderr, "Server switched to lazy mode\n");
+					lazymode = 1;
+					return;
+				}
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, "Retrying lazy mode switch...\n");
+	}
+	if (!running)
+		return;
+
+	fprintf(stderr, "No reply from server on lazy switch. ");
+
+codec_revert: 
+	fprintf(stderr, "Falling back to legacy mode\n");
+	lazymode = 0;
+	selecttimeout = 1;
+}
+
+static void
+handshake_lazyoff(int dns_fd)
+/* Used in the middle of data transfer, timing is different and no error msgs */
+{
+	char in[4096];
+	int i;
+	int read;
+
+	for (i=0; running && i<5; i++) {
+
+		send_lazy_switch(dns_fd, userid);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', 1);
+
+		/*XXX START adjust indent 2 tabs back*/
+				if (read == 9 && strncmp("Immediate", in, 9) == 0) {
+					warnx("Server switched back to legacy mode.\n");
+					lazymode = 0;
+					selecttimeout = 1;
+					return;
+				}
+		/*XXX END adjust indent 2 tabs back*/
+	}
+	if (!running)
+		return;
+
+	warnx("No reply from server on legacy mode switch.\n");
+}
+
+static int
+fragsize_check(char *in, int read, int proposed_fragsize, int *max_fragsize)
+/* Returns: 0: keep checking, 1: break loop (either okay or definitely wrong) */
+{
+	int acked_fragsize = ((in[0] & 0xff) << 8) | (in[1] & 0xff);
+	int okay;
+	int i;
+	unsigned int v;
+
+	if (read >= 5 && strncmp("BADIP", in, 5) == 0) {
+		fprintf(stderr, "got BADIP (Try iodined -c)..\n");
+		fflush(stderr);
+		return 0;		/* maybe temporary error */
+	}
+
+	if (acked_fragsize != proposed_fragsize) {
+		/*
+		 * got ack for wrong fragsize, maybe late response for
+		 * earlier query, or ack corrupted
+		 */
+		return 0;
+	}
+
+	if (read != proposed_fragsize) {
+		/*
+		 * correctly acked fragsize but read too little (or too
+		 * much): this fragsize is definitely not reliable
+		 */
+		return 1;
+	}
+
+	/* here: read == proposed_fragsize == acked_fragsize */
+
+	/* test: */
+	/* in[123] = 123; */
+
+	if ((in[2] & 0xff) != 107) {
+		fprintf(stderr, "\n");
+		warnx("corruption at byte 2, this won't work. Try -O Base32, or other -T options.");
+		*max_fragsize = -1;
+		return 1;
+	}
+
+	/* Check for corruption */
+	okay = 1;
+	v = in[3] & 0xff;
+
+	/*XXX START adjust indent 1 tab back*/
+		for (i = 3; i < read; i++, v = (v + 107) & 0xff)
+			if ((in[i] & 0xff) != v) {
+				okay = 0;
+				break;
+			}
+
+		if (okay) {
+			fprintf(stderr, "%d ok.. ", acked_fragsize);
+			fflush(stderr);
+			*max_fragsize = acked_fragsize;
+			return 1;
+		} else {
+			if (downenc != ' ' && downenc != 'T') {
+				fprintf(stderr, "%d corrupted at %d.. (Try -O Base32)\n", acked_fragsize, i);
+			} else {
+				fprintf(stderr, "%d corrupted at %d.. ", acked_fragsize, i);
+			}
+			fflush(stderr);
+			return 1;
+		}
+	/*XXX END adjust indent 1 tab back*/
+
+	/* notreached */
+	return 1;
+}
+
+
+static int
+handshake_autoprobe_fragsize(int dns_fd)
+{
+	char in[4096];
+	int i;
+	int read;
+	int proposed_fragsize = 768;
+	int range = 768;
+	int max_fragsize;
+
+	max_fragsize = 0;
+	fprintf(stderr, "Autoprobing max downstream fragment size... (skip with -m fragsize)\n"); 
+	while (running && range > 0 && (range >= 8 || max_fragsize < 300)) {
+		/* stop the slow probing early when we have enough bytes anyway */
+		for (i=0; running && i<3 ;i++) {
+
+			send_fragsize_probe(dns_fd, proposed_fragsize);
+
+			read = handshake_waitdns(dns_fd, in, sizeof(in), 'r', 'R', 1);
+				
+			/*XXX START adjust indent 1 tab back*/
+				if (read > 0) {
+					/* We got a reply */
+					if (fragsize_check(in, read, proposed_fragsize, &max_fragsize) == 1)
+						break;
+				}
+			/*XXX END adjust indent 1 tab back*/
+
+			fprintf(stderr, ".");
+			fflush(stderr);
+		}
+		if (max_fragsize < 0)
+			break;
+
+		range >>= 1;
+		if (max_fragsize == proposed_fragsize) {
+			/* Try bigger */
+			proposed_fragsize += range;
+		} else {
+			/* Try smaller */
+			fprintf(stderr, "%d not ok.. ", proposed_fragsize);
+			fflush(stderr);
+			proposed_fragsize -= range;
+		}
+	}
+	if (!running) {
+		fprintf(stderr, "\n");
+		warnx("stopped while autodetecting fragment size (Try setting manually with -m)");
+		return 0;
+	}
+	if (max_fragsize <= 2) {
+		/* Tried all the way down to 2 and found no good size.
+		   But we _did_ do all handshake before this, so there must
+		   be some workable connection. */
+		fprintf(stderr, "\n");
+		warnx("found no accepted fragment size.");
+		warnx("try setting -M to 200 or lower, or try other -T or -O options.");
+		return 0;
+	}
+	/* data header adds 2 bytes */
+	fprintf(stderr, "will use %d-2=%d\n", max_fragsize, max_fragsize - 2);
+
+	/* need 1200 / 16frags = 75 bytes fragsize */
+	if (max_fragsize < 82) {
+		fprintf(stderr, "Note: this probably won't work well.\n");
+		fprintf(stderr, "Try setting -M to 200 or lower, or try other DNS types (-T option).\n");
+	} else if (max_fragsize < 202 &&
+	    (do_qtype == T_NULL || do_qtype == T_TXT ||
+	     do_qtype == T_SRV || do_qtype == T_MX)) {
+		fprintf(stderr, "Note: this isn't very much.\n");
+		fprintf(stderr, "Try setting -M to 200 or lower, or try other DNS types (-T option).\n");
+	}
+
+	return max_fragsize - 2;
+}
+
+static void
+handshake_set_fragsize(int dns_fd, int fragsize)
+{
+	char in[4096];
+	int i;
+	int read;
+
+	fprintf(stderr, "Setting downstream fragment size to max %d...\n", fragsize);
+	for (i=0; running && i<5 ;i++) {
+
+		send_set_downstream_fragsize(dns_fd, fragsize);
+
+		read = handshake_waitdns(dns_fd, in, sizeof(in), 'n', 'N', i+1);
+
+		/*XXX START adjust indent 1 tab back*/			
+			if (read > 0) {
+				int accepted_fragsize;
+
+				if (strncmp("BADFRAG", in, 7) == 0) {
+					fprintf(stderr, "Server rejected fragsize. Keeping default.");
+					return;
+				} else if (strncmp("BADIP", in, 5) == 0) {
+					fprintf(stderr, "Server rejected sender IP address.\n");
+					return;
+				}
+
+				accepted_fragsize = ((in[0] & 0xff) << 8) | (in[1] & 0xff);
+				return;
+			}
+		/*XXX END adjust indent 1 tab back*/
+
+		fprintf(stderr, "Retrying set fragsize...\n");
+	}
+	if (!running)
+		return;
+
+	fprintf(stderr, "No reply from server when setting fragsize. Keeping default.\n");
+}
+
+int
+client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize)
+{
+	int seed;
+	int upcodec;
+	int r;
+
+	dnsc_use_edns0 = 0;
+
+	/* qtype message printed in handshake function */
+	if (do_qtype == T_UNSET) {
+		r = handshake_qtype_autodetect(dns_fd);
+		if (r) {
+			return r;
+		}
+	}
+
+	fprintf(stderr, "Using DNS type %s queries\n", get_qtype());
+
+	r = handshake_version(dns_fd, &seed);
+	if (r) {
+		return r;
+	}
+
+	r = handshake_login(dns_fd, seed);
+	if (r) {
+		return r;
+	}
+
+	if (raw_mode && handshake_raw_udp(dns_fd, seed)) {
+		conn = CONN_RAW_UDP;
+		selecttimeout = 20;
+	} else {
+		if (raw_mode == 0) {
+			fprintf(stderr, "Skipping raw mode\n");
+		}
+
+		dnsc_use_edns0 = 1;
+		if (handshake_edns0_check(dns_fd) && running) {
+			fprintf(stderr, "Using EDNS0 extension\n");
+		} else if (!running) {
+			return -1;
+		} else {
+			fprintf(stderr, "DNS relay does not support EDNS0 extension\n");
+			dnsc_use_edns0 = 0;
+		}
+
+		upcodec = handshake_upenc_autodetect(dns_fd);
+		if (!running)
+			return -1;
+
+		if (upcodec == 1) {
+			handshake_switch_codec(dns_fd, 6);
+		} else if (upcodec == 2) {
+			handshake_switch_codec(dns_fd, 26);
+		} else if (upcodec == 3) {
+			handshake_switch_codec(dns_fd, 7);
+		}
+		if (!running)
+			return -1;
+
+		if (downenc == ' ') {
+			downenc = handshake_downenc_autodetect(dns_fd);
+		}
+		if (!running)
+			return -1;
+
+		if (downenc != ' ') {
+			handshake_switch_downenc(dns_fd);
+		}
+		if (!running)
+			return -1;
+
+		if (lazymode) {
+			handshake_try_lazy(dns_fd);
+		}
+		if (!running)
+			return -1;
+
+		if (autodetect_frag_size) {
+			fragsize = handshake_autoprobe_fragsize(dns_fd);
+			if (!fragsize) {
+				return 1;
+			}
+		}
+
+		handshake_set_fragsize(dns_fd, fragsize);
+		if (!running)
+			return -1;
+	}
+
+	return 0;
+}
+
diff --git a/jni/iodine/src/client.h b/jni/iodine/src/client.h
new file mode 100644
index 0000000..e2d9501
--- /dev/null
+++ b/jni/iodine/src/client.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __CLIENT_H__
+#define __CLIENT_H__
+
+void client_init();
+void client_stop();
+
+enum connection client_get_conn();
+const char *client_get_raw_addr();
+
+void client_set_nameserver(const char *cp, int port);
+void client_set_topdomain(const char *cp);
+void client_set_password(const char *cp);
+void set_qtype(char *qtype);
+char *get_qtype();
+void set_downenc(char *encoding);
+void client_set_selecttimeout(int select_timeout);
+void client_set_lazymode(int lazy_mode);
+void client_set_hostname_maxlen(int i);
+
+int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize);
+int client_tunnel(int tun_fd, int dns_fd);
+int client_tunnel_cb(int tun_fd, int dns_fd, int (*cb_ask_continue)());
+
+#endif
diff --git a/jni/iodine/src/common.c b/jni/iodine/src/common.c
new file mode 100644
index 0000000..7a57a8a
--- /dev/null
+++ b/jni/iodine/src/common.c
@@ -0,0 +1,381 @@
+/* Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2007 Albert Lee <trisk@acm.jhu.edu>.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <time.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#include <conio.h>
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#include <termios.h>
+#include <err.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <syslog.h>
+#endif
+
+#ifdef HAVE_SETCON
+# include <selinux/selinux.h>
+#endif
+
+#include "common.h"
+
+/* The raw header used when not using DNS protocol */
+const unsigned char raw_header[RAW_HDR_LEN] = { 0x10, 0xd1, 0x9e, 0x00 };
+
+/* daemon(3) exists only in 4.4BSD or later, and in GNU libc */
+#if !defined(WINDOWS32) && !(defined(BSD) && (BSD >= 199306)) && !defined(__GLIBC__) && !defined(__ANDROID__)
+static int daemon(int nochdir, int noclose)
+{
+ 	int fd, i;
+ 
+ 	switch (fork()) {
+ 		case 0:
+ 			break;
+ 		case -1:
+ 			return -1;
+ 		default:
+ 			_exit(0);
+ 	}
+ 
+ 	if (!nochdir) {
+ 		chdir("/");
+ 	}
+ 
+ 	if (setsid() < 0) {
+ 		return -1;
+ 	}
+ 	
+ 	if (!noclose) {
+ 		if ((fd = open("/dev/null", O_RDWR)) >= 0) {
+ 			for (i = 0; i < 3; i++) {
+ 				dup2(fd, i);
+ 			}
+ 			if (fd > 2) {
+ 				close(fd);
+ 			}
+ 		}
+ 	}
+	return 0;
+}
+#endif
+
+#if defined(__BEOS__) && !defined(__HAIKU__)
+int setgroups(int count, int *groups)
+{
+	/* errno = ENOSYS; */
+	return -1;
+}
+#endif
+
+
+void
+check_superuser(void (*usage_fn)(void))
+{
+#ifndef WINDOWS32
+	if (geteuid() != 0) {
+		warnx("Run as root and you'll be happy.\n");
+		usage_fn();
+		/* NOTREACHED */
+	}
+#endif
+}
+
+int 
+open_dns(int localport, in_addr_t listen_ip) 
+{
+	struct sockaddr_in addr;
+	int flag = 1;
+	int fd;
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(localport);
+	/* listen_ip already in network byte order from inet_addr, or 0 */
+	addr.sin_addr.s_addr = listen_ip; 
+
+	if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+		fprintf(stderr, "got fd %d\n", fd);
+		err(1, "socket");
+	}
+
+	flag = 1;
+#ifdef SO_REUSEPORT
+	setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void*) &flag, sizeof(flag));
+#endif
+	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void*) &flag, sizeof(flag));
+
+#ifndef WINDOWS32
+	/* To get destination address from each UDP datagram, see iodined.c:read_dns() */
+	setsockopt(fd, IPPROTO_IP, DSTADDR_SOCKOPT, (const void*) &flag, sizeof(flag));
+#endif
+
+#ifdef IP_OPT_DONT_FRAG
+	/* Set dont-fragment ip header flag */
+	flag = DONT_FRAG_VALUE;
+	setsockopt(fd, IPPROTO_IP, IP_OPT_DONT_FRAG, (const void*) &flag, sizeof(flag));
+#endif
+
+	if(bind(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0) 
+		err(1, "bind");
+
+	fprintf(stderr, "Opened UDP socket\n");
+
+	return fd;
+}
+
+void
+close_dns(int fd)
+{
+	close(fd);
+}
+
+void
+do_chroot(char *newroot)
+{
+#if !(defined(WINDOWS32) || defined(__BEOS__) || defined(__HAIKU__))
+	if (chroot(newroot) != 0 || chdir("/") != 0)
+		err(1, "%s", newroot);
+
+	seteuid(geteuid());
+	setuid(getuid());
+#else
+	warnx("chroot not available");
+#endif
+}
+
+void
+do_setcon(char *context)
+{
+#ifdef HAVE_SETCON
+	if (-1 == setcon(context))
+		err(1, "%s", context);
+#else
+	warnx("No SELinux support built in");
+#endif
+}
+
+void
+do_pidfile(char *pidfile)
+{
+#ifndef WINDOWS32
+	FILE *file;
+
+	if ((file = fopen(pidfile, "w")) == NULL) {
+		syslog(LOG_ERR, "Cannot write pidfile to %s, exiting", pidfile);
+		err(1, "do_pidfile: Can not write pidfile to %s", pidfile);
+	} else {
+		fprintf(file, "%d\n", (int)getpid());
+		fclose(file);
+	}
+#else
+	fprintf(stderr, "Windows version does not support pid file\n");
+#endif
+}
+
+void
+do_detach()
+{
+#ifndef WINDOWS32
+	fprintf(stderr, "Detaching from terminal...\n");
+	daemon(0, 0);
+	umask(0);
+	alarm(0);
+#else
+	fprintf(stderr, "Windows version does not support detaching\n");
+#endif
+}
+
+void
+read_password(char *buf, size_t len)
+{
+	char pwd[80];
+#ifndef WINDOWS32
+	struct termios old;
+	struct termios tp;
+
+	tcgetattr(0, &tp);
+	old = tp;
+	
+	tp.c_lflag &= (~ECHO);
+	tcsetattr(0, TCSANOW, &tp);
+#else
+	int i;
+#endif
+
+	fprintf(stderr, "Enter password: ");
+	fflush(stderr);
+#ifndef WINDOWS32
+	scanf("%79s", pwd);
+#else
+	for (i = 0; i < sizeof(pwd); i++) {
+		pwd[i] = getch();
+		if (pwd[i] == '\r' || pwd[i] == '\n') {
+			pwd[i] = 0;
+			break;
+		} else if (pwd[i] == '\b') {
+			i--; 			/* Remove the \b char */
+			if (i >=0) i--; 	/* If not first char, remove one more */
+		}
+	}
+#endif
+	fprintf(stderr, "\n");
+
+#ifndef WINDOWS32
+	tcsetattr(0, TCSANOW, &old);	
+#endif
+
+	strncpy(buf, pwd, len);
+	buf[len-1] = '\0';
+}
+
+int
+check_topdomain(char *str)
+{
+       int i;
+
+       if(str[0] == '.') /* special case */
+               return 1;
+
+       for( i = 0; i < strlen(str); i++) {
+               if( isalpha(str[i]) || isdigit(str[i]) || str[i] == '-' || str[i] == '.' )
+                       continue;
+               else 
+		       return 1;
+       }
+       return 0;
+}
+
+#if defined(WINDOWS32)
+int
+inet_aton(const char *cp, struct in_addr *inp)
+{
+ inp->s_addr = inet_addr(cp);
+ return inp->s_addr != INADDR_ANY;
+}
+
+void
+warn(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	if (fmt) fprintf(stderr, fmt, list);
+	if (errno == 0) {
+		fprintf(stderr, ": WSA error %d\n", WSAGetLastError()); 
+	} else {
+		fprintf(stderr, ": %s\n", strerror(errno));
+	}
+	va_end(list);
+}
+#endif
+
+#ifdef __ANDROID__
+
+void android_printf(const char *fmt, ...)
+{
+    static char buf[1024];
+	va_list list;
+	va_start(list, fmt);
+
+	snprintf(buf,1024,fmt,list);
+
+    android_log_callback(buf);
+
+	va_end(list);
+}
+
+
+void
+warn(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	if (fmt) fprintf(stderr, fmt, list);
+	if (errno != 0)
+		fprintf(stderr, ": %s\n", strerror(errno));
+	va_end(list);
+}
+#endif
+
+#if defined(WINDOWS32) || defined(__ANDROID__)
+void
+warnx(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	if (fmt) fprintf(stderr, fmt, list);
+	fprintf(stderr, "\n");
+	va_end(list);
+}
+
+void
+err(int eval, const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	warn(fmt, list);
+	va_end(list);
+	exit(eval);
+}
+
+void
+errx(int eval, const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	warnx(fmt, list);
+	va_end(list);
+	exit(eval);
+}
+#endif
+
+
+int recent_seqno(int ourseqno, int gotseqno)
+/* Return 1 if we've seen gotseqno recently (current or up to 3 back).
+   Return 0 if gotseqno is new (or very old).
+*/
+{
+	int i;
+	for (i = 0; i < 4; i++, ourseqno--) {
+		if (ourseqno < 0)
+			ourseqno = 7;
+		if (gotseqno == ourseqno)
+			return 1;
+	}
+	return 0;
+}
diff --git a/jni/iodine/src/common.h b/jni/iodine/src/common.h
new file mode 100644
index 0000000..0b0efb8
--- /dev/null
+++ b/jni/iodine/src/common.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __COMMON_H__
+#define __COMMON_H__
+
+/* Last byte of raw header is the command */
+#define RAW_HDR_LEN 4
+#define RAW_HDR_IDENT_LEN 3
+#define RAW_HDR_CMD 3
+#define RAW_HDR_CMD_LOGIN 0x10
+#define RAW_HDR_CMD_DATA  0x20
+#define RAW_HDR_CMD_PING  0x30
+
+#define RAW_HDR_CMD_MASK  0xF0
+#define RAW_HDR_USR_MASK  0x0F
+#define RAW_HDR_GET_CMD(x) ((x)[RAW_HDR_CMD] & RAW_HDR_CMD_MASK)
+#define RAW_HDR_GET_USR(x) ((x)[RAW_HDR_CMD] & RAW_HDR_USR_MASK)
+extern const unsigned char raw_header[RAW_HDR_LEN];
+
+#ifdef WINDOWS32
+#include "windows.h"
+#else
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <err.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#endif
+
+#define DNS_PORT 53
+
+#ifndef MIN
+#define MIN(a,b) ((a)<(b)?(a):(b))
+#endif
+#ifndef MAX
+#define MAX(a,b) ((a)>(b)?(a):(b))
+#endif
+
+#define QUERY_NAME_SIZE 256
+
+#if defined IP_RECVDSTADDR 
+# define DSTADDR_SOCKOPT IP_RECVDSTADDR 
+# define dstaddr(x) ((struct in_addr *) CMSG_DATA(x)) 
+#elif defined IP_PKTINFO 
+# define DSTADDR_SOCKOPT IP_PKTINFO 
+# define dstaddr(x) (&(((struct in_pktinfo *)(CMSG_DATA(x)))->ipi_addr)) 
+#endif
+
+#if defined IP_MTU_DISCOVER
+  /* Linux */
+# define IP_OPT_DONT_FRAG IP_MTU_DISCOVER
+# define DONT_FRAG_VALUE IP_PMTUDISC_DO
+#elif defined IP_DONTFRAG
+  /* FreeBSD */
+# define IP_OPT_DONT_FRAG IP_DONTFRAG
+# define DONT_FRAG_VALUE 1
+#elif defined IP_DONTFRAGMENT
+  /* Winsock2 */
+# define IP_OPT_DONT_FRAG IP_DONTFRAGMENT
+# define DONT_FRAG_VALUE 1
+#endif
+
+#define T_UNSET 65432
+/* Unused RR type; "private use" range, see http://www.bind9.net/dns-parameters */
+
+struct packet 
+{
+	int len;		/* Total packet length */
+	int sentlen;		/* Length of chunk currently transmitted */
+	int offset;		/* Current offset */
+	char data[64*1024];	/* The data */
+	char seqno;		/* The packet sequence number */
+	char fragment;		/* Fragment index */
+};
+
+struct query {
+	char name[QUERY_NAME_SIZE];
+	unsigned short type;
+	unsigned short rcode;
+	unsigned short id;
+	struct in_addr destination;
+	struct sockaddr from;
+	int fromlen;
+	unsigned short id2;
+	struct sockaddr from2;
+	int fromlen2;
+};
+
+enum connection {
+	CONN_RAW_UDP,
+	CONN_DNS_NULL,
+	CONN_MAX
+};
+
+void check_superuser(void (*usage_fn)(void));
+int open_dns(int, in_addr_t);
+void close_dns(int);
+
+void do_chroot(char *);
+void do_setcon(char *);
+void do_detach();
+void do_pidfile(char *);
+
+void read_password(char*, size_t);
+
+int check_topdomain(char *);
+
+#ifdef __ANDROID__
+//#define printf(...) __android_log_print(ANDROID_LOG_DEBUG, "iodine", __VA_ARGS__)
+#define printf(...) android_printf(__VA_ARGS__)
+
+void android_printf(const char *fmt, ...);
+
+
+#define fprintf(__fd_unused, ...) printf(__VA_ARGS__)
+
+#include <android/log.h>
+void err(int eval, const char *fmt, ...);
+void warn(const char *fmt, ...);
+void errx(int eval, const char *fmt, ...);
+void warnx(const char *fmt, ...);
+#elif WINDOWS32
+int inet_aton(const char *cp, struct in_addr *inp);
+
+void err(int eval, const char *fmt, ...);
+void warn(const char *fmt, ...);
+void errx(int eval, const char *fmt, ...);
+void warnx(const char *fmt, ...);
+#endif
+
+int recent_seqno(int , int);
+
+#endif
diff --git a/jni/iodine/src/dns.c b/jni/iodine/src/dns.c
new file mode 100644
index 0000000..fb2bcaf
--- /dev/null
+++ b/jni/iodine/src/dns.c
@@ -0,0 +1,610 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <time.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <ctype.h>
+
+#ifdef WINDOWS32
+#include "windows.h"
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#include <arpa/inet.h>
+#include <err.h>
+#endif
+
+
+#include "dns.h"
+#include "encoding.h"
+#include "read.h"
+
+int dnsc_use_edns0 = 1;
+
+#define CHECKLEN(x) if (buflen - (p-buf) < (x))  return 0
+
+int
+dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_t datalen)
+{
+	HEADER *header;
+	short name;
+	char *p;
+	int len;
+	int ancnt;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+	
+	header = (HEADER*)buf;
+	
+	header->id = htons(q->id);
+	header->qr = (qr == QR_ANSWER);
+	header->opcode = 0;
+	header->aa = (qr == QR_ANSWER);
+	header->tc = 0;
+	header->rd = (qr == QR_QUERY);
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	switch (qr) {
+	case QR_ANSWER:
+		header->qdcount = htons(1);
+	
+		name = 0xc000 | ((p - buf) & 0x3fff);
+
+		/* Question section */
+		putname(&p, buflen - (p - buf), q->name);
+
+		CHECKLEN(4);
+		putshort(&p, q->type);
+		putshort(&p, C_IN);
+
+		/* Answer section */
+
+		if (q->type == T_CNAME || q->type == T_A) {
+			/* data is expected to be like "Hblabla.host.name.com\0" */
+
+			char *startp;
+			int namelen;
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			if (q->type == T_A)
+				/* answer CNAME to A question */
+				putshort(&p, T_CNAME);
+			else
+				putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			startp = p;
+			p += 2;			/* skip 2 bytes length */
+			putname(&p, buflen - (p - buf), data);
+			CHECKLEN(0);
+			namelen = p - startp;
+			namelen -= 2;
+			putshort(&startp, namelen);
+			ancnt = 1;
+		} else if (q->type == T_MX || q->type == T_SRV) {
+			/* Data is expected to be like
+			   "Hblabla.host.name.com\0Hanother.com\0\0"
+			   For SRV, see RFC2782.
+			 */
+
+			char *mxdata = data;
+			char *startp;
+			int namelen;
+
+			ancnt = 1;
+			while (1) {
+				CHECKLEN(10);
+				putshort(&p, name);	
+				putshort(&p, q->type);
+				putshort(&p, C_IN);
+				putlong(&p, 0);		/* TTL */
+
+				startp = p;
+				p += 2;			/* skip 2 bytes length */
+				CHECKLEN(2);
+				putshort(&p, 10 * ancnt);	/* preference */
+
+				if (q->type == T_SRV) {
+					/* weight, port (5060 = SIP) */
+					CHECKLEN(4);
+					putshort(&p, 10);
+					putshort(&p, 5060);
+				}
+
+				putname(&p, buflen - (p - buf), mxdata);
+				CHECKLEN(0);
+				namelen = p - startp;
+				namelen -= 2;
+				putshort(&startp, namelen);
+
+				mxdata = mxdata + strlen(mxdata) + 1;
+				if (*mxdata == '\0')
+					break;
+
+				ancnt++;
+			}
+		} else if (q->type == T_TXT) {
+			/* TXT has binary or base-X data */
+			char *startp;
+			int txtlen;
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			startp = p;
+			p += 2;			/* skip 2 bytes length */
+			puttxtbin(&p, buflen - (p - buf), data, datalen);
+			CHECKLEN(0);
+			txtlen = p - startp;
+			txtlen -= 2;
+			putshort(&startp, txtlen);
+			ancnt = 1;
+		} else {
+			/* NULL has raw binary data */
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			datalen = MIN(datalen, buflen - (p - buf));
+			CHECKLEN(2);
+			putshort(&p, datalen);
+			CHECKLEN(datalen);
+			putdata(&p, data, datalen);
+			CHECKLEN(0);
+			ancnt = 1;
+		}
+		header->ancount = htons(ancnt);
+		break;
+	case QR_QUERY:
+		/* Note that iodined also uses this for forward queries */
+
+		header->qdcount = htons(1);
+	
+		datalen = MIN(datalen, buflen - (p - buf));
+		putname(&p, datalen, data);
+
+		CHECKLEN(4);
+		putshort(&p, q->type);
+		putshort(&p, C_IN);
+
+		/* EDNS0 to advertise maximum response length
+		   (even CNAME/A/MX, 255+255+header would be >512) */
+		if (dnsc_use_edns0) {
+			header->arcount = htons(1);
+			/*XXX START adjust indent 1 tab forward*/
+		CHECKLEN(11);
+		putbyte(&p, 0x00);    /* Root */
+		putshort(&p, 0x0029); /* OPT */
+		putshort(&p, 0x1000); /* Payload size: 4096 */
+		putshort(&p, 0x0000); /* Higher bits/edns version */
+		putshort(&p, 0x8000); /* Z */
+		putshort(&p, 0x0000); /* Data length */
+			/*XXX END adjust indent 1 tab forward*/
+		}
+
+		break;
+	}
+	
+	len = p - buf;
+
+	return len;
+}
+
+int
+dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain)
+/* Only used when iodined gets an NS type query */
+/* Mostly same as dns_encode_a_response() below */
+{
+	HEADER *header;
+	int len;
+	short name;
+	short topname;
+	short nsname;
+	char *ipp;
+	int domain_len;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+	
+	header = (HEADER*)buf;
+	
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(1);
+	header->arcount = htons(1);
+
+	/* pointer to start of name */
+	name = 0xc000 | ((p - buf) & 0x3fff);
+
+	domain_len = strlen(q->name) - strlen(topdomain);
+	if (domain_len < 0 || domain_len == 1)
+		return -1;
+	if (strcasecmp(q->name + domain_len, topdomain))
+		return -1;
+	if (domain_len >= 1 && q->name[domain_len - 1] != '.')
+		return -1;
+
+	/* pointer to start of topdomain; instead of dots at the end
+	   we have length-bytes in front, so total length is the same */
+	topname = 0xc000 | ((p - buf + domain_len) & 0x3fff);
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	/* Answer section */
+	CHECKLEN(12);
+	putshort(&p, name);			/* Name */
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 5);			/* Data length */
+
+	/* pointer to ns.topdomain */
+	nsname = 0xc000 | ((p - buf) & 0x3fff);
+	CHECKLEN(5);
+	putbyte(&p, 2);
+	putbyte(&p, 'n');
+	putbyte(&p, 's');
+	putshort(&p, topname);			/* Name Server */
+
+	/* Additional data (A-record of NS server) */
+	CHECKLEN(12);
+	putshort(&p, nsname);			/* Name Server */
+	putshort(&p, T_A);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 4);			/* Data length */
+
+	/* ugly hack to output IP address */
+	ipp = (char *) &q->destination;
+	CHECKLEN(4);
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *ipp);
+
+	len = p - buf;
+	return len;
+}
+
+int
+dns_encode_a_response(char *buf, size_t buflen, struct query *q)
+/* Only used when iodined gets an A type query for ns.topdomain or www.topdomain */
+/* Mostly same as dns_encode_ns_response() above */
+{
+	HEADER *header;
+	int len;
+	short name;
+	char *ipp;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+	
+	header = (HEADER*)buf;
+	
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(1);
+
+	/* pointer to start of name */
+	name = 0xc000 | ((p - buf) & 0x3fff);
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	/* Answer section */
+	CHECKLEN(12);
+	putshort(&p, name);			/* Name */
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 4);			/* Data length */
+
+	/* ugly hack to output IP address */
+	ipp = (char *) &q->destination;
+	CHECKLEN(4);
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *ipp);
+
+	len = p - buf;
+	return len;
+}
+
+#undef CHECKLEN
+
+unsigned short
+dns_get_id(char *packet, size_t packetlen)
+{
+	HEADER *header;
+	header = (HEADER*)packet;
+
+	if (packetlen < sizeof(HEADER))
+		return 0;
+
+	return ntohs(header->id);
+}
+
+#define CHECKLEN(x) if (packetlen - (data-packet) < (x))  return 0
+
+int
+dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, size_t packetlen)
+{
+	char name[QUERY_NAME_SIZE];
+	char rdata[4*1024];
+	HEADER *header;
+	short qdcount;
+	short ancount;
+	uint32_t ttl;
+	short class;
+	short type;
+	char *data;
+	short rlen;
+	int id; 
+	int rv;
+
+	q->id2 = 0;
+	rv = 0;
+	header = (HEADER*)packet;
+
+	/* Reject short packets */
+	if (packetlen < sizeof(HEADER)) 
+		return 0;
+	
+	if (header->qr != qr) {
+		warnx("header->qr does not match the requested qr");
+		return -1;
+	}
+
+	data = packet + sizeof(HEADER);
+	qdcount = ntohs(header->qdcount);
+	ancount = ntohs(header->ancount);
+	
+	id = ntohs(header->id);
+	id = id & 0xFFFF; /* Kill any sign extension */
+		
+	rlen = 0;
+
+	if (q != NULL) 
+		q->rcode = header->rcode;
+
+	switch (qr) {
+	case QR_ANSWER:
+		if(qdcount < 1) {
+			/* We need a question */
+			return -1;
+		}
+
+		if (q != NULL) 
+			q->id = id;
+
+		/* Read name even if no answer, to give better error message */
+		readname(packet, packetlen, &data, name, sizeof(name));
+		CHECKLEN(4);
+		readshort(packet, &data, &type);
+		readshort(packet, &data, &class);
+		
+		/* if CHECKLEN okay, then we're sure to have a proper name */
+		if (q != NULL) {
+			/* We only need the first char to check it */
+			q->name[0] = name[0];
+			q->name[1] = '\0';
+		} 
+		
+		if (ancount < 1) {
+			/* DNS errors like NXDOMAIN have ancount=0 and
+			   stop here. CNAME may also have A; MX/SRV may have
+			   multiple results. */
+			return -1;
+		}
+
+		/* Here type is still the question type */
+		if (type == T_NULL) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			rv = MIN(rlen, sizeof(rdata));
+			rv = readdata(packet, &data, rdata, rv);
+			if (rv >= 2 && buf) {
+				rv = MIN(rv, buflen);
+				memcpy(buf, rdata, rv);
+			} else {
+				rv = 0;
+			}
+		}
+		else if ((type == T_A || type == T_CNAME) && buf) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			memset(name, 0, sizeof(name));
+			readname(packet, packetlen, &data, name, sizeof(name) - 1);
+			name[sizeof(name)-1] = '\0';
+			strncpy(buf, name, buflen);
+			buf[buflen - 1] = '\0';
+			rv = strlen(buf);
+		}
+		else if ((type == T_MX || type == T_SRV) && buf) {
+			/* We support 250 records, 250*(255+header) ~= 64kB.
+			   Only exact 10-multiples are accepted, and gaps in
+			   numbering are not jumped over (->truncated).
+			   Hopefully DNS servers won't mess around too much.
+			 */
+			char names[250][QUERY_NAME_SIZE];
+			char *rdatastart;
+			short pref;
+			int i;
+			int offset;
+
+			memset(names, 0, sizeof(names));
+
+			for (i=0; i < ancount; i++) {
+				readname(packet, packetlen, &data, name, sizeof(name));
+				CHECKLEN(12);
+				readshort(packet, &data, &type);
+				readshort(packet, &data, &class);
+				readlong(packet, &data, &ttl);
+				readshort(packet, &data, &rlen);
+				rdatastart = data;
+				readshort(packet, &data, &pref);
+
+				if (type == T_SRV) {
+					/* skip weight, port */
+					data += 4;
+					CHECKLEN(0);
+				}
+
+				if (pref % 10 == 0 && pref >= 10 &&
+				    pref < 2500) {
+					readname(packet, packetlen, &data,
+						 names[pref / 10 - 1],
+						 QUERY_NAME_SIZE - 1);
+					names[pref / 10 - 1][QUERY_NAME_SIZE-1] = '\0';
+				}
+
+				/* always trust rlen, not name encoding */ 
+				data = rdatastart + rlen;
+				CHECKLEN(0);
+			}
+
+			/* output is like Hname10.com\0Hname20.com\0\0 */
+			offset = 0;
+			i = 0;
+			while (names[i][0] != '\0') {
+				int l = MIN(strlen(names[i]), buflen-offset-2);
+				if (l <= 0)
+					break;
+				memcpy(buf + offset, names[i], l);
+				offset += l;
+				*(buf + offset) = '\0';
+				offset++;
+				i++;
+			}
+			*(buf + offset) = '\0';
+			rv = offset;
+		}
+		else if (type == T_TXT && buf) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			rv = readtxtbin(packet, &data, rlen, rdata, sizeof(rdata));
+			if (rv >= 1) {
+				rv = MIN(rv, buflen);
+				memcpy(buf, rdata, rv);
+			} else {
+				rv = 0;
+			}
+		}
+
+		/* Here type is the answer type (note A->CNAME) */
+		if (q != NULL)
+			q->type = type;
+		break;
+	case QR_QUERY:
+		if (qdcount < 1) {
+			warnx("no question section in name query");
+			return -1;
+		}
+
+		memset(name, 0, sizeof(name));
+		readname(packet, packetlen, &data, name, sizeof(name) - 1);
+		name[sizeof(name)-1] = '\0';
+		CHECKLEN(4);
+		readshort(packet, &data, &type);
+		readshort(packet, &data, &class);
+
+		if (q == NULL) {
+			rv = 0;
+			break;
+		}
+
+		strncpy(q->name, name, sizeof(q->name));
+		q->name[sizeof(q->name) - 1] = '\0';
+		q->type = type;
+		q->id = id;
+
+		rv = strlen(q->name);
+		break;
+	}
+
+	return rv;
+}
+
diff --git a/jni/iodine/src/dns.h b/jni/iodine/src/dns.h
new file mode 100644
index 0000000..be8b940
--- /dev/null
+++ b/jni/iodine/src/dns.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __DNS_H__
+#define __DNS_H__
+
+#include "common.h"
+
+typedef enum {
+	QR_QUERY = 0,
+	QR_ANSWER = 1
+} qr_t;
+
+extern int dnsc_use_edns0;
+
+int dns_encode(char *, size_t, struct query *, qr_t, char *, size_t);
+int dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain);
+int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
+unsigned short dns_get_id(char *packet, size_t packetlen);
+int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
+
+#ifdef __ANDROID__
+#include "dns_android.h"
+#endif
+
+#endif /* _DNS_H_ */
diff --git a/jni/iodine/src/dns_android.h b/jni/iodine/src/dns_android.h
new file mode 100644
index 0000000..f8addf7
--- /dev/null
+++ b/jni/iodine/src/dns_android.h
@@ -0,0 +1,625 @@
+/* This file is modified to serve minimal requirements of iodine */
+
+
+/*
+ * Copyright (c) 1983, 1989, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ *	$BINDId: nameser.h,v 8.37 2000/03/30 21:16:49 vixie Exp $
+ */
+
+#ifndef _ARPA_NAMESER_H_
+#define _ARPA_NAMESER_H_
+
+/*%
+ * Revision information.  This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__NAMESER > 19931104)".  Do not
+ * compare for equality; rather, use it to determine whether your libbind.a
+ * contains a new enough lib/nameser/ to support the feature you need.
+ */
+
+#define __NAMESER	19991006	/*%< New interface version stamp. */
+/*
+ * Define constants based on RFC 883, RFC 1034, RFC 1035
+ */
+#define NS_PACKETSZ	512	/*%< default UDP packet size */
+#define NS_MAXDNAME	1025	/*%< maximum domain name */
+#define NS_MAXMSG	65535	/*%< maximum message size */
+#define NS_MAXCDNAME	255	/*%< maximum compressed domain name */
+#define NS_MAXLABEL	63	/*%< maximum length of domain label */
+#define NS_HFIXEDSZ	12	/*%< #/bytes of fixed data in header */
+#define NS_QFIXEDSZ	4	/*%< #/bytes of fixed data in query */
+#define NS_RRFIXEDSZ	10	/*%< #/bytes of fixed data in r record */
+#define NS_INT32SZ	4	/*%< #/bytes of data in a u_int32_t */
+#define NS_INT16SZ	2	/*%< #/bytes of data in a u_int16_t */
+#define NS_INT8SZ	1	/*%< #/bytes of data in a u_int8_t */
+#define NS_INADDRSZ	4	/*%< IPv4 T_A */
+#define NS_IN6ADDRSZ	16	/*%< IPv6 T_AAAA */
+#define NS_CMPRSFLGS	0xc0	/*%< Flag bits indicating name compression. */
+#define NS_DEFAULTPORT	53	/*%< For both TCP and UDP. */
+/*
+ * These can be expanded with synonyms, just keep ns_parse.c:ns_parserecord()
+ * in synch with it.
+ */
+typedef enum __ns_sect {
+	ns_s_qd = 0,		/*%< Query: Question. */
+	ns_s_zn = 0,		/*%< Update: Zone. */
+	ns_s_an = 1,		/*%< Query: Answer. */
+	ns_s_pr = 1,		/*%< Update: Prerequisites. */
+	ns_s_ns = 2,		/*%< Query: Name servers. */
+	ns_s_ud = 2,		/*%< Update: Update. */
+	ns_s_ar = 3,		/*%< Query|Update: Additional records. */
+	ns_s_max = 4
+} ns_sect;
+
+/*%
+ * This is a message handle.  It is caller allocated and has no dynamic data.
+ * This structure is intended to be opaque to all but ns_parse.c, thus the
+ * leading _'s on the member names.  Use the accessor functions, not the _'s.
+ */
+typedef struct __ns_msg {
+	const u_char	*_msg, *_eom;
+	u_int16_t	_id, _flags, _counts[ns_s_max];
+	const u_char	*_sections[ns_s_max];
+	ns_sect		_sect;
+	int		_rrnum;
+	const u_char	*_msg_ptr;
+} ns_msg;
+
+/* Private data structure - do not use from outside library. */
+struct _ns_flagdata {  int mask, shift;  };
+extern const struct _ns_flagdata _ns_flagdata[];
+
+/* Accessor macros - this is part of the public interface. */
+
+#define ns_msg_id(handle) ((handle)._id + 0)
+#define ns_msg_base(handle) ((handle)._msg + 0)
+#define ns_msg_end(handle) ((handle)._eom + 0)
+#define ns_msg_size(handle) ((handle)._eom - (handle)._msg)
+#define ns_msg_count(handle, section) ((handle)._counts[section] + 0)
+
+/*%
+ * This is a parsed record.  It is caller allocated and has no dynamic data.
+ */
+typedef	struct __ns_rr {
+	char		name[NS_MAXDNAME];
+	u_int16_t	type;
+	u_int16_t	rr_class;
+	u_int32_t	ttl;
+	u_int16_t	rdlength;
+	const u_char *	rdata;
+} ns_rr;
+
+/* Accessor macros - this is part of the public interface. */
+#define ns_rr_name(rr)	(((rr).name[0] != '\0') ? (rr).name : ".")
+#define ns_rr_type(rr)	((ns_type)((rr).type + 0))
+#define ns_rr_class(rr)	((ns_class)((rr).rr_class + 0))
+#define ns_rr_ttl(rr)	((rr).ttl + 0)
+#define ns_rr_rdlen(rr)	((rr).rdlength + 0)
+#define ns_rr_rdata(rr)	((rr).rdata + 0)
+
+/*%
+ * These don't have to be in the same order as in the packet flags word,
+ * and they can even overlap in some cases, but they will need to be kept
+ * in synch with ns_parse.c:ns_flagdata[].
+ */
+typedef enum __ns_flag {
+	ns_f_qr,		/*%< Question/Response. */
+	ns_f_opcode,		/*%< Operation code. */
+	ns_f_aa,		/*%< Authoritative Answer. */
+	ns_f_tc,		/*%< Truncation occurred. */
+	ns_f_rd,		/*%< Recursion Desired. */
+	ns_f_ra,		/*%< Recursion Available. */
+	ns_f_z,			/*%< MBZ. */
+	ns_f_ad,		/*%< Authentic Data (DNSSEC). */
+	ns_f_cd,		/*%< Checking Disabled (DNSSEC). */
+	ns_f_rcode,		/*%< Response code. */
+	ns_f_max
+} ns_flag;
+
+/*%
+ * Currently defined opcodes.
+ */
+typedef enum __ns_opcode {
+	ns_o_query = 0,		/*%< Standard query. */
+	ns_o_iquery = 1,	/*%< Inverse query (deprecated/unsupported). */
+	ns_o_status = 2,	/*%< Name server status query (unsupported). */
+				/* Opcode 3 is undefined/reserved. */
+	ns_o_notify = 4,	/*%< Zone change notification. */
+	ns_o_update = 5,	/*%< Zone update message. */
+	ns_o_max = 6
+} ns_opcode;
+
+/*%
+ * Currently defined response codes.
+ */
+typedef	enum __ns_rcode {
+	ns_r_noerror = 0,	/*%< No error occurred. */
+	ns_r_formerr = 1,	/*%< Format error. */
+	ns_r_servfail = 2,	/*%< Server failure. */
+	ns_r_nxdomain = 3,	/*%< Name error. */
+	ns_r_notimpl = 4,	/*%< Unimplemented. */
+	ns_r_refused = 5,	/*%< Operation refused. */
+	/* these are for BIND_UPDATE */
+	ns_r_yxdomain = 6,	/*%< Name exists */
+	ns_r_yxrrset = 7,	/*%< RRset exists */
+	ns_r_nxrrset = 8,	/*%< RRset does not exist */
+	ns_r_notauth = 9,	/*%< Not authoritative for zone */
+	ns_r_notzone = 10,	/*%< Zone of record different from zone section */
+	ns_r_max = 11,
+	/* The following are EDNS extended rcodes */
+	ns_r_badvers = 16,
+	/* The following are TSIG errors */
+	ns_r_badsig = 16,
+	ns_r_badkey = 17,
+	ns_r_badtime = 18
+} ns_rcode;
+
+/* BIND_UPDATE */
+typedef enum __ns_update_operation {
+	ns_uop_delete = 0,
+	ns_uop_add = 1,
+	ns_uop_max = 2
+} ns_update_operation;
+
+/*%
+ * This structure is used for TSIG authenticated messages
+ */
+struct ns_tsig_key {
+        char name[NS_MAXDNAME], alg[NS_MAXDNAME];
+        unsigned char *data;
+        int len;
+};
+typedef struct ns_tsig_key ns_tsig_key;
+
+/*%
+ * This structure is used for TSIG authenticated TCP messages
+ */
+struct ns_tcp_tsig_state {
+	int counter;
+	struct dst_key *key;
+	void *ctx;
+	unsigned char sig[NS_PACKETSZ];
+	int siglen;
+};
+typedef struct ns_tcp_tsig_state ns_tcp_tsig_state;
+
+#define NS_TSIG_FUDGE 300
+#define NS_TSIG_TCP_COUNT 100
+#define NS_TSIG_ALG_HMAC_MD5 "HMAC-MD5.SIG-ALG.REG.INT"
+
+#define NS_TSIG_ERROR_NO_TSIG -10
+#define NS_TSIG_ERROR_NO_SPACE -11
+#define NS_TSIG_ERROR_FORMERR -12
+
+/*%
+ * Currently defined type values for resources and queries.
+ */
+typedef enum __ns_type {
+	ns_t_invalid = 0,	/*%< Cookie. */
+	ns_t_a = 1,		/*%< Host address. */
+	ns_t_ns = 2,		/*%< Authoritative server. */
+	ns_t_md = 3,		/*%< Mail destination. */
+	ns_t_mf = 4,		/*%< Mail forwarder. */
+	ns_t_cname = 5,		/*%< Canonical name. */
+	ns_t_soa = 6,		/*%< Start of authority zone. */
+	ns_t_mb = 7,		/*%< Mailbox domain name. */
+	ns_t_mg = 8,		/*%< Mail group member. */
+	ns_t_mr = 9,		/*%< Mail rename name. */
+	ns_t_null = 10,		/*%< Null resource record. */
+	ns_t_wks = 11,		/*%< Well known service. */
+	ns_t_ptr = 12,		/*%< Domain name pointer. */
+	ns_t_hinfo = 13,	/*%< Host information. */
+	ns_t_minfo = 14,	/*%< Mailbox information. */
+	ns_t_mx = 15,		/*%< Mail routing information. */
+	ns_t_txt = 16,		/*%< Text strings. */
+	ns_t_rp = 17,		/*%< Responsible person. */
+	ns_t_afsdb = 18,	/*%< AFS cell database. */
+	ns_t_x25 = 19,		/*%< X_25 calling address. */
+	ns_t_isdn = 20,		/*%< ISDN calling address. */
+	ns_t_rt = 21,		/*%< Router. */
+	ns_t_nsap = 22,		/*%< NSAP address. */
+	ns_t_nsap_ptr = 23,	/*%< Reverse NSAP lookup (deprecated). */
+	ns_t_sig = 24,		/*%< Security signature. */
+	ns_t_key = 25,		/*%< Security key. */
+	ns_t_px = 26,		/*%< X.400 mail mapping. */
+	ns_t_gpos = 27,		/*%< Geographical position (withdrawn). */
+	ns_t_aaaa = 28,		/*%< Ip6 Address. */
+	ns_t_loc = 29,		/*%< Location Information. */
+	ns_t_nxt = 30,		/*%< Next domain (security). */
+	ns_t_eid = 31,		/*%< Endpoint identifier. */
+	ns_t_nimloc = 32,	/*%< Nimrod Locator. */
+	ns_t_srv = 33,		/*%< Server Selection. */
+	ns_t_atma = 34,		/*%< ATM Address */
+	ns_t_naptr = 35,	/*%< Naming Authority PoinTeR */
+	ns_t_kx = 36,		/*%< Key Exchange */
+	ns_t_cert = 37,		/*%< Certification record */
+	ns_t_a6 = 38,		/*%< IPv6 address (deprecated, use ns_t_aaaa) */
+	ns_t_dname = 39,	/*%< Non-terminal DNAME (for IPv6) */
+	ns_t_sink = 40,		/*%< Kitchen sink (experimentatl) */
+	ns_t_opt = 41,		/*%< EDNS0 option (meta-RR) */
+	ns_t_apl = 42,		/*%< Address prefix list (RFC3123) */
+	ns_t_tkey = 249,	/*%< Transaction key */
+	ns_t_tsig = 250,	/*%< Transaction signature. */
+	ns_t_ixfr = 251,	/*%< Incremental zone transfer. */
+	ns_t_axfr = 252,	/*%< Transfer zone of authority. */
+	ns_t_mailb = 253,	/*%< Transfer mailbox records. */
+	ns_t_maila = 254,	/*%< Transfer mail agent records. */
+	ns_t_any = 255,		/*%< Wildcard match. */
+	ns_t_zxfr = 256,	/*%< BIND-specific, nonstandard. */
+	ns_t_max = 65536
+} ns_type;
+
+/* Exclusively a QTYPE? (not also an RTYPE) */
+#define	ns_t_qt_p(t) (ns_t_xfr_p(t) || (t) == ns_t_any || \
+		      (t) == ns_t_mailb || (t) == ns_t_maila)
+/* Some kind of meta-RR? (not a QTYPE, but also not an RTYPE) */
+#define	ns_t_mrr_p(t) ((t) == ns_t_tsig || (t) == ns_t_opt)
+/* Exclusively an RTYPE? (not also a QTYPE or a meta-RR) */
+#define ns_t_rr_p(t) (!ns_t_qt_p(t) && !ns_t_mrr_p(t))
+#define ns_t_udp_p(t) ((t) != ns_t_axfr && (t) != ns_t_zxfr)
+#define ns_t_xfr_p(t) ((t) == ns_t_axfr || (t) == ns_t_ixfr || \
+		       (t) == ns_t_zxfr)
+
+/*%
+ * Values for class field
+ */
+typedef enum __ns_class {
+	ns_c_invalid = 0,	/*%< Cookie. */
+	ns_c_in = 1,		/*%< Internet. */
+	ns_c_2 = 2,		/*%< unallocated/unsupported. */
+	ns_c_chaos = 3,		/*%< MIT Chaos-net. */
+	ns_c_hs = 4,		/*%< MIT Hesiod. */
+	/* Query class values which do not appear in resource records */
+	ns_c_none = 254,	/*%< for prereq. sections in update requests */
+	ns_c_any = 255,		/*%< Wildcard match. */
+	ns_c_max = 65536
+} ns_class;
+
+/* DNSSEC constants. */
+
+typedef enum __ns_key_types {
+	ns_kt_rsa = 1,		/*%< key type RSA/MD5 */
+	ns_kt_dh  = 2,		/*%< Diffie Hellman */
+	ns_kt_dsa = 3,		/*%< Digital Signature Standard (MANDATORY) */
+	ns_kt_private = 254	/*%< Private key type starts with OID */
+} ns_key_types;
+
+typedef enum __ns_cert_types {
+	cert_t_pkix = 1,	/*%< PKIX (X.509v3) */
+	cert_t_spki = 2,	/*%< SPKI */
+	cert_t_pgp  = 3,	/*%< PGP */
+	cert_t_url  = 253,	/*%< URL private type */
+	cert_t_oid  = 254	/*%< OID private type */
+} ns_cert_types;
+
+/* Flags field of the KEY RR rdata. */
+#define	NS_KEY_TYPEMASK		0xC000	/*%< Mask for "type" bits */
+#define	NS_KEY_TYPE_AUTH_CONF	0x0000	/*%< Key usable for both */
+#define	NS_KEY_TYPE_CONF_ONLY	0x8000	/*%< Key usable for confidentiality */
+#define	NS_KEY_TYPE_AUTH_ONLY	0x4000	/*%< Key usable for authentication */
+#define	NS_KEY_TYPE_NO_KEY	0xC000	/*%< No key usable for either; no key */
+/* The type bits can also be interpreted independently, as single bits: */
+#define	NS_KEY_NO_AUTH		0x8000	/*%< Key unusable for authentication */
+#define	NS_KEY_NO_CONF		0x4000	/*%< Key unusable for confidentiality */
+#define	NS_KEY_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
+#define	NS_KEY_EXTENDED_FLAGS	0x1000	/*%< reserved - must be zero */
+#define	NS_KEY_RESERVED4	0x0800  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED5	0x0400  /*%< reserved - must be zero */
+#define	NS_KEY_NAME_TYPE	0x0300	/*%< these bits determine the type */
+#define	NS_KEY_NAME_USER	0x0000	/*%< key is assoc. with user */
+#define	NS_KEY_NAME_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
+#define	NS_KEY_NAME_ZONE	0x0100	/*%< key is zone key */
+#define	NS_KEY_NAME_RESERVED	0x0300	/*%< reserved meaning */
+#define	NS_KEY_RESERVED8	0x0080  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED9	0x0040  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED10	0x0020  /*%< reserved - must be zero */
+#define	NS_KEY_RESERVED11	0x0010  /*%< reserved - must be zero */
+#define	NS_KEY_SIGNATORYMASK	0x000F	/*%< key can sign RR's of same name */
+#define	NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
+				  NS_KEY_RESERVED4 | \
+				  NS_KEY_RESERVED5 | \
+				  NS_KEY_RESERVED8 | \
+				  NS_KEY_RESERVED9 | \
+				  NS_KEY_RESERVED10 | \
+				  NS_KEY_RESERVED11 )
+#define NS_KEY_RESERVED_BITMASK2 0xFFFF /*%< no bits defined here */
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define	NS_ALG_MD5RSA		1	/*%< MD5 with RSA */
+#define	NS_ALG_DH               2	/*%< Diffie Hellman KEY */
+#define	NS_ALG_DSA              3	/*%< DSA KEY */
+#define	NS_ALG_DSS              NS_ALG_DSA
+#define	NS_ALG_EXPIRE_ONLY	253	/*%< No alg, no security */
+#define	NS_ALG_PRIVATE_OID	254	/*%< Key begins with OID giving alg */
+/* Protocol values  */
+/* value 0 is reserved */
+#define NS_KEY_PROT_TLS         1
+#define NS_KEY_PROT_EMAIL       2
+#define NS_KEY_PROT_DNSSEC      3
+#define NS_KEY_PROT_IPSEC       4
+#define NS_KEY_PROT_ANY		255
+
+/* Signatures */
+#define	NS_MD5RSA_MIN_BITS	 512	/*%< Size of a mod or exp in bits */
+#define	NS_MD5RSA_MAX_BITS	4096
+	/* Total of binary mod and exp */
+#define	NS_MD5RSA_MAX_BYTES	((NS_MD5RSA_MAX_BITS+7/8)*2+3)
+	/* Max length of text sig block */
+#define	NS_MD5RSA_MAX_BASE64	(((NS_MD5RSA_MAX_BYTES+2)/3)*4)
+#define NS_MD5RSA_MIN_SIZE	((NS_MD5RSA_MIN_BITS+7)/8)
+#define NS_MD5RSA_MAX_SIZE	((NS_MD5RSA_MAX_BITS+7)/8)
+
+#define NS_DSA_SIG_SIZE         41
+#define NS_DSA_MIN_SIZE         213
+#define NS_DSA_MAX_BYTES        405
+
+/* Offsets into SIG record rdata to find various values */
+#define	NS_SIG_TYPE	0	/*%< Type flags */
+#define	NS_SIG_ALG	2	/*%< Algorithm */
+#define	NS_SIG_LABELS	3	/*%< How many labels in name */
+#define	NS_SIG_OTTL	4	/*%< Original TTL */
+#define	NS_SIG_EXPIR	8	/*%< Expiration time */
+#define	NS_SIG_SIGNED	12	/*%< Signature time */
+#define	NS_SIG_FOOT	16	/*%< Key footprint */
+#define	NS_SIG_SIGNER	18	/*%< Domain name of who signed it */
+/* How RR types are represented as bit-flags in NXT records */
+#define	NS_NXT_BITS 8
+#define	NS_NXT_BIT_SET(  n,p) (p[(n)/NS_NXT_BITS] |=  (0x80>>((n)%NS_NXT_BITS)))
+#define	NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
+#define	NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &   (0x80>>((n)%NS_NXT_BITS)))
+#define NS_NXT_MAX 127
+
+/*%
+ * EDNS0 extended flags and option codes, host order.
+ */
+#define NS_OPT_DNSSEC_OK        0x8000U
+#define NS_OPT_NSID		3
+
+/*%
+ * Inline versions of get/put short/long.  Pointer is advanced.
+ */
+#define NS_GET16(s, cp) do { \
+	register const u_char *t_cp = (const u_char *)(cp); \
+	(s) = ((u_int16_t)t_cp[0] << 8) \
+	    | ((u_int16_t)t_cp[1]) \
+	    ; \
+	(cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_GET32(l, cp) do { \
+	register const u_char *t_cp = (const u_char *)(cp); \
+	(l) = ((u_int32_t)t_cp[0] << 24) \
+	    | ((u_int32_t)t_cp[1] << 16) \
+	    | ((u_int32_t)t_cp[2] << 8) \
+	    | ((u_int32_t)t_cp[3]) \
+	    ; \
+	(cp) += NS_INT32SZ; \
+} while (0)
+
+#define NS_PUT16(s, cp) do { \
+	register u_int16_t t_s = (u_int16_t)(s); \
+	register u_char *t_cp = (u_char *)(cp); \
+	*t_cp++ = t_s >> 8; \
+	*t_cp   = t_s; \
+	(cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_PUT32(l, cp) do { \
+	register u_int32_t t_l = (u_int32_t)(l); \
+	register u_char *t_cp = (u_char *)(cp); \
+	*t_cp++ = t_l >> 24; \
+	*t_cp++ = t_l >> 16; \
+	*t_cp++ = t_l >> 8; \
+	*t_cp   = t_l; \
+	(cp) += NS_INT32SZ; \
+} while (0)
+
+#endif /* !_ARPA_NAMESER_H_ */
+/*! \file */
+
+
+
+/*%
+ *      from nameser.h	8.1 (Berkeley) 6/2/93
+ *	$BINDId: nameser_compat.h,v 8.11 1999/01/02 08:00:58 vixie Exp $
+ */
+
+#ifndef _ARPA_NAMESER_COMPAT_
+#define	_ARPA_NAMESER_COMPAT_
+
+#define	__BIND		19950621	/*%< (DEAD) interface version stamp. */
+
+#include <endian.h>
+
+/*%
+ * Structure for query header.  The order of the fields is machine- and
+ * compiler-dependent, depending on the byte/bit order and the layout
+ * of bit fields.  We use bit fields only in int variables, as this
+ * is all ANSI requires.  This requires a somewhat confusing rearrangement.
+ */
+
+typedef struct {
+	unsigned	id :16;		/*%< query identification number */
+#if BYTE_ORDER == BIG_ENDIAN
+			/* fields in third byte */
+	unsigned	qr: 1;		/*%< response flag */
+	unsigned	opcode: 4;	/*%< purpose of message */
+	unsigned	aa: 1;		/*%< authoritive answer */
+	unsigned	tc: 1;		/*%< truncated message */
+	unsigned	rd: 1;		/*%< recursion desired */
+			/* fields in fourth byte */
+	unsigned	ra: 1;		/*%< recursion available */
+	unsigned	unused :1;	/*%< unused bits (MBZ as of 4.9.3a3) */
+	unsigned	ad: 1;		/*%< authentic data from named */
+	unsigned	cd: 1;		/*%< checking disabled by resolver */
+	unsigned	rcode :4;	/*%< response code */
+#endif
+#if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN
+			/* fields in third byte */
+	unsigned	rd :1;		/*%< recursion desired */
+	unsigned	tc :1;		/*%< truncated message */
+	unsigned	aa :1;		/*%< authoritive answer */
+	unsigned	opcode :4;	/*%< purpose of message */
+	unsigned	qr :1;		/*%< response flag */
+			/* fields in fourth byte */
+	unsigned	rcode :4;	/*%< response code */
+	unsigned	cd: 1;		/*%< checking disabled by resolver */
+	unsigned	ad: 1;		/*%< authentic data from named */
+	unsigned	unused :1;	/*%< unused bits (MBZ as of 4.9.3a3) */
+	unsigned	ra :1;		/*%< recursion available */
+#endif
+			/* remaining bytes */
+	unsigned	qdcount :16;	/*%< number of question entries */
+	unsigned	ancount :16;	/*%< number of answer entries */
+	unsigned	nscount :16;	/*%< number of authority entries */
+	unsigned	arcount :16;	/*%< number of resource entries */
+} HEADER;
+
+#define PACKETSZ	NS_PACKETSZ
+#define MAXDNAME	NS_MAXDNAME
+#define MAXCDNAME	NS_MAXCDNAME
+#define MAXLABEL	NS_MAXLABEL
+#define	HFIXEDSZ	NS_HFIXEDSZ
+#define QFIXEDSZ	NS_QFIXEDSZ
+#define RRFIXEDSZ	NS_RRFIXEDSZ
+#define	INT32SZ		NS_INT32SZ
+#define	INT16SZ		NS_INT16SZ
+#define INT8SZ		NS_INT8SZ
+#define	INADDRSZ	NS_INADDRSZ
+#define	IN6ADDRSZ	NS_IN6ADDRSZ
+#define	INDIR_MASK	NS_CMPRSFLGS
+#define NAMESERVER_PORT	NS_DEFAULTPORT
+
+#define S_ZONE		ns_s_zn
+#define S_PREREQ	ns_s_pr
+#define S_UPDATE	ns_s_ud
+#define S_ADDT		ns_s_ar
+
+#define QUERY		ns_o_query
+#define IQUERY		ns_o_iquery
+#define STATUS		ns_o_status
+#define	NS_NOTIFY_OP	ns_o_notify
+#define	NS_UPDATE_OP	ns_o_update
+
+#define NOERROR		ns_r_noerror
+#define FORMERR		ns_r_formerr
+#define SERVFAIL	ns_r_servfail
+#define NXDOMAIN	ns_r_nxdomain
+#define NOTIMP		ns_r_notimpl
+#define REFUSED		ns_r_refused
+#define YXDOMAIN	ns_r_yxdomain
+#define YXRRSET		ns_r_yxrrset
+#define NXRRSET		ns_r_nxrrset
+#define NOTAUTH		ns_r_notauth
+#define NOTZONE		ns_r_notzone
+/*#define BADSIG		ns_r_badsig*/
+/*#define BADKEY		ns_r_badkey*/
+/*#define BADTIME		ns_r_badtime*/
+
+
+#define DELETE		ns_uop_delete
+#define ADD		ns_uop_add
+
+#define T_A		ns_t_a
+#define T_NS		ns_t_ns
+#define T_MD		ns_t_md
+#define T_MF		ns_t_mf
+#define T_CNAME		ns_t_cname
+#define T_SOA		ns_t_soa
+#define T_MB		ns_t_mb
+#define T_MG		ns_t_mg
+#define T_MR		ns_t_mr
+#define T_NULL		ns_t_null
+#define T_WKS		ns_t_wks
+#define T_PTR		ns_t_ptr
+#define T_HINFO		ns_t_hinfo
+#define T_MINFO		ns_t_minfo
+#define T_MX		ns_t_mx
+#define T_TXT		ns_t_txt
+#define	T_RP		ns_t_rp
+#define T_AFSDB		ns_t_afsdb
+#define T_X25		ns_t_x25
+#define T_ISDN		ns_t_isdn
+#define T_RT		ns_t_rt
+#define T_NSAP		ns_t_nsap
+#define T_NSAP_PTR	ns_t_nsap_ptr
+#define	T_SIG		ns_t_sig
+#define	T_KEY		ns_t_key
+#define	T_PX		ns_t_px
+#define	T_GPOS		ns_t_gpos
+#define	T_AAAA		ns_t_aaaa
+#define	T_LOC		ns_t_loc
+#define	T_NXT		ns_t_nxt
+#define	T_EID		ns_t_eid
+#define	T_NIMLOC	ns_t_nimloc
+#define	T_SRV		ns_t_srv
+#define T_ATMA		ns_t_atma
+#define T_NAPTR		ns_t_naptr
+#define T_A6		ns_t_a6
+#define T_DNAME		ns_t_dname
+#define	T_TSIG		ns_t_tsig
+#define	T_IXFR		ns_t_ixfr
+#define T_AXFR		ns_t_axfr
+#define T_MAILB		ns_t_mailb
+#define T_MAILA		ns_t_maila
+#define T_ANY		ns_t_any
+
+#define C_IN		ns_c_in
+#define C_CHAOS		ns_c_chaos
+#define C_HS		ns_c_hs
+/* BIND_UPDATE */
+#define C_NONE		ns_c_none
+#define C_ANY		ns_c_any
+
+#define	GETSHORT		NS_GET16
+#define	GETLONG			NS_GET32
+#define	PUTSHORT		NS_PUT16
+#define	PUTLONG			NS_PUT32
+
+#endif /* _ARPA_NAMESER_COMPAT_ */
+/*! \file */
diff --git a/jni/iodine/src/encoding.c b/jni/iodine/src/encoding.c
new file mode 100644
index 0000000..896d67d
--- /dev/null
+++ b/jni/iodine/src/encoding.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include "common.h"
+#include "encoding.h"
+
+int
+build_hostname(char *buf, size_t buflen, 
+		const char *data, const size_t datalen, 
+		const char *topdomain, struct encoder *encoder, int maxlen)
+{
+	int encsize;
+	size_t space;
+	char *b;
+
+	space = MIN(maxlen, buflen) - strlen(topdomain) - 8;
+	/* 8 = 5 max header length + 1 dot before topdomain + 2 safety */
+
+	if (!encoder->places_dots())
+		space -= (space / 57); /* space for dots */
+
+	memset(buf, 0, buflen);
+	
+	encsize = encoder->encode(buf, &space, data, datalen);
+
+	if (!encoder->places_dots())
+		inline_dotify(buf, buflen);
+
+	b = buf;
+	b += strlen(buf);
+
+	/* move b back one step to see if the dot is there */
+	b--;
+	if (*b != '.') 
+		*++b = '.';
+	b++;
+	/* move b ahead of the string so we can copy to it */
+
+	strncpy(b, topdomain, strlen(topdomain)+1);
+
+	return space;
+}
+
+int
+unpack_data(char *buf, size_t buflen, char *data, size_t datalen, struct encoder *enc)
+{
+	if (!enc->eats_dots())
+		datalen = inline_undotify(data, datalen);
+	return enc->decode(buf, &buflen, data, datalen);
+}
+
+int 
+inline_dotify(char *buf, size_t buflen)
+{
+	unsigned dots;
+	unsigned pos;
+	unsigned total;
+	char *reader, *writer;
+
+	total = strlen(buf);
+	dots = total / 57;
+
+	writer = buf;
+	writer += total;
+	writer += dots;
+
+	total += dots;
+	if (strlen(buf) + dots > buflen) {
+		writer = buf;
+		writer += buflen;
+		total = buflen;
+	}
+
+	reader = writer - dots;
+	pos = (unsigned) (reader - buf) + 1;
+
+	while (dots) {
+		*writer-- = *reader--;
+		pos--;
+		if (pos % 57 == 0) {
+			*writer-- = '.';
+			dots--;
+		}
+	}
+
+	/* return new length of string */
+	return total;
+}
+
+int 
+inline_undotify(char *buf, size_t len)
+{
+	unsigned pos;
+	unsigned dots;
+	char *reader, *writer;
+
+	writer = buf;
+	reader = writer;
+
+	pos = 0;
+	dots = 0;
+
+	while (pos < len) {
+		if (*reader == '.') {
+			reader++;
+			pos++;
+			dots++;
+			continue;
+		}
+		*writer++ = *reader++;
+		pos++;
+	}
+	
+	/* return new length of string */
+	return len - dots;
+}
diff --git a/jni/iodine/src/encoding.h b/jni/iodine/src/encoding.h
new file mode 100644
index 0000000..7ddf6e0
--- /dev/null
+++ b/jni/iodine/src/encoding.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _ENCODING_H_
+#define _ENCODING_H_
+
+/* All-0, all-1, 01010101, 10101010: each 4 times to make sure the pattern
+   spreads across multiple encoded chars -> 16 bytes total.
+   Followed by 32 bytes from my /dev/random; should be enough.
+ */
+#define DOWNCODECCHECK1      "\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
+#define DOWNCODECCHECK1_LEN  48
+
+struct encoder {
+	char name[8];
+	int (*encode) (char *, size_t *, const void *, size_t);
+	int (*decode) (void *, size_t *, const char *, size_t);
+	int (*places_dots) (void);
+	int (*eats_dots) (void);
+	int (*blocksize_raw)(void);
+	int (*blocksize_encoded)(void);
+};
+
+int build_hostname(char *, size_t, const char *, const size_t, const char *, struct encoder *, int);
+int unpack_data(char *, size_t, char *, size_t, struct encoder *);
+int inline_dotify(char *, size_t);
+int inline_undotify(char *, size_t);
+
+
+#endif /* _ENCODING_H_ */
diff --git a/jni/iodine/src/fw_query.c b/jni/iodine/src/fw_query.c
new file mode 100644
index 0000000..3727f08
--- /dev/null
+++ b/jni/iodine/src/fw_query.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2008 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include "fw_query.h"
+
+static struct fw_query fwq[FW_QUERY_CACHE_SIZE];
+static int fwq_ix;
+
+void fw_query_init()
+{
+	memset(fwq, 0, sizeof(struct fw_query) * FW_QUERY_CACHE_SIZE);
+	fwq_ix = 0;
+}
+
+void fw_query_put(struct fw_query *fw_query)
+{
+	memcpy(&(fwq[fwq_ix]), fw_query, sizeof(struct fw_query));
+	
+	++fwq_ix;
+	if (fwq_ix >= FW_QUERY_CACHE_SIZE) 
+		fwq_ix = 0;
+}
+
+void fw_query_get(unsigned short query_id, struct fw_query **fw_query)
+{
+	int i;
+
+	*fw_query = NULL;
+	for (i = 0; i < FW_QUERY_CACHE_SIZE; i++) {
+		if (fwq[i].id == query_id) {
+			*fw_query = &(fwq[i]);
+			return;
+		}
+	}
+}
diff --git a/jni/iodine/src/fw_query.h b/jni/iodine/src/fw_query.h
new file mode 100644
index 0000000..7568a5f
--- /dev/null
+++ b/jni/iodine/src/fw_query.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2008 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __FW_QUERY_H__
+#define __FW_QUERY_H__
+
+#include <sys/types.h>
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <sys/socket.h>
+#endif
+
+#define FW_QUERY_CACHE_SIZE 16
+
+struct fw_query {
+	struct sockaddr addr;
+	int addrlen;
+	unsigned short id;
+};
+
+void fw_query_init();
+void fw_query_put(struct fw_query *fw_query);
+void fw_query_get(unsigned short query_id, struct fw_query **fw_query);
+
+#endif /*__FW_QUERY_H__*/
+
diff --git a/jni/iodine/src/iodine.c b/jni/iodine/src/iodine.c
new file mode 100644
index 0000000..03efb18
--- /dev/null
+++ b/jni/iodine/src/iodine.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <fcntl.h>
+#include <time.h>
+
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <grp.h>
+#include <pwd.h>
+#endif
+
+#include "common.h"
+#include "tun.h"
+#include "client.h"
+#include "util.h"
+
+#ifdef WINDOWS32
+WORD req_version = MAKEWORD(2, 2);
+WSADATA wsa_data;
+#endif
+
+#if !defined(BSD) && !defined(__GLIBC__)
+static char *__progname;
+#endif
+
+#define PASSWORD_ENV_VAR "IODINE_PASS"
+
+static void
+sighandler(int sig) 
+{
+	client_stop();
+}
+
+static void
+usage() {
+	extern char *__progname;
+
+	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
+			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
+			"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
+	exit(2);
+}
+
+static void
+help() {
+	extern char *__progname;
+
+	fprintf(stderr, "iodine IP over DNS tunneling client\n");
+	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
+			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
+			"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
+	fprintf(stderr, "Options to try if connection doesn't work:\n");
+	fprintf(stderr, "  -T force dns type: NULL, TXT, SRV, MX, CNAME, A (default: autodetect)\n");
+	fprintf(stderr, "  -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,\n");
+	fprintf(stderr, "     Base128, or (only for TXT:) Raw  (default: autodetect)\n");
+	fprintf(stderr, "  -I max interval between requests (default 4 sec) to prevent DNS timeouts\n");
+	fprintf(stderr, "  -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)\n");
+	fprintf(stderr, "  -m max size of downstream fragments (default: autodetect)\n");
+	fprintf(stderr, "  -M max size of upstream hostnames (~100-255, default: 255)\n");
+	fprintf(stderr, "  -r to skip raw UDP mode attempt\n");
+	fprintf(stderr, "  -P password used for authentication (max 32 chars will be used)\n");
+	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "  -v to print version info and exit\n");
+	fprintf(stderr, "  -h to print this help and exit\n");
+	fprintf(stderr, "  -f to keep running in foreground\n");
+	fprintf(stderr, "  -u name to drop privileges and run as user 'name'\n");
+	fprintf(stderr, "  -t dir to chroot to directory dir\n");
+	fprintf(stderr, "  -d device to set tunnel device name\n");
+	fprintf(stderr, "  -z context, to apply specified SELinux context after initialization\n");
+	fprintf(stderr, "  -F pidfile to write pid to a file\n");
+	fprintf(stderr, "nameserver is the IP number/hostname of the relaying nameserver. if absent, /etc/resolv.conf is used\n");
+	fprintf(stderr, "topdomain is the FQDN that is delegated to the tunnel endpoint.\n");
+
+	exit(0);
+}
+
+static void
+version() {
+	fprintf(stderr, "iodine IP over DNS tunneling client\n");
+	fprintf(stderr, "version: 0.6.0-rc1 from 2010-02-13\n");
+
+	exit(0);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *nameserv_addr;
+	char *topdomain;
+#ifndef WINDOWS32
+	struct passwd *pw;
+#endif
+	char *username;
+	char password[33];
+	int foreground;
+	char *newroot;
+	char *context;
+	char *device;
+	char *pidfile;
+	int choice;
+	int tun_fd;
+	int dns_fd;
+	int max_downstream_frag_size;
+	int autodetect_frag_size;
+	int retval;
+	int raw_mode;
+	int lazymode;
+	int selecttimeout;
+	int hostname_maxlen;
+
+	nameserv_addr = NULL;
+	topdomain = NULL;
+#ifndef WINDOWS32
+	pw = NULL;
+#endif
+	username = NULL;
+	memset(password, 0, 33);
+	srand(time(NULL));
+	foreground = 0;
+	newroot = NULL;
+	context = NULL;
+	device = NULL;
+	pidfile = NULL;
+
+	autodetect_frag_size = 1;
+	max_downstream_frag_size = 3072;
+	retval = 0;
+	raw_mode = 1;
+	lazymode = 1;
+	selecttimeout = 4;
+	hostname_maxlen = 0xFF;
+
+#ifdef WINDOWS32
+	WSAStartup(req_version, &wsa_data);
+#endif
+
+	srand((unsigned) time(NULL));
+	client_init();
+	
+#if !defined(BSD) && !defined(__GLIBC__)
+	__progname = strrchr(argv[0], '/');
+	if (__progname == NULL)
+		__progname = argv[0];
+	else
+		__progname++;
+#endif
+
+	while ((choice = getopt(argc, argv, "vfhru:t:d:P:m:M:F:T:O:L:I:")) != -1) {
+		switch(choice) {
+		case 'v':
+			version();
+			/* NOTREACHED */
+			break;
+		case 'f':
+			foreground = 1;
+			break;
+		case 'h':
+			help();
+			/* NOTREACHED */
+			break;
+		case 'r':
+			raw_mode = 0;
+		case 'u':
+			username = optarg;
+			break;
+		case 't':
+			newroot = optarg;
+			break;
+		case 'd':
+			device = optarg;
+			break;
+		case 'P':
+			strncpy(password, optarg, sizeof(password));
+			password[sizeof(password)-1] = 0;
+			
+			/* XXX: find better way of cleaning up ps(1) */
+			memset(optarg, 0, strlen(optarg)); 
+			break;
+		case 'm':
+			autodetect_frag_size = 0;
+			max_downstream_frag_size = atoi(optarg);
+			break;
+		case 'M':
+			hostname_maxlen = atoi(optarg);
+			if (hostname_maxlen > 255)
+				hostname_maxlen = 255;
+			if (hostname_maxlen < 10)
+				hostname_maxlen = 10;
+			break;
+		case 'z':
+			context = optarg;
+			break;
+		case 'F':
+			pidfile = optarg;
+			break;    
+		case 'T':
+			set_qtype(optarg);
+			break;
+		case 'O':       /* not -D, is Debug in server */
+			set_downenc(optarg);
+			break;
+		case 'L':
+			lazymode = atoi(optarg);
+			if (lazymode > 1)
+				lazymode = 1;
+			if (lazymode < 0)
+				lazymode = 0;
+			if (!lazymode)
+				selecttimeout = 1;
+			break;
+		case 'I':
+			selecttimeout = atoi(optarg);
+			if (selecttimeout < 1)
+				selecttimeout = 1;
+			break;
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+	
+	check_superuser(usage);
+
+	argc -= optind;
+	argv += optind;
+
+	switch (argc) {
+	case 1:
+		nameserv_addr = get_resolvconf_addr();
+		topdomain = strdup(argv[0]);
+		break;
+	case 2:
+		nameserv_addr = argv[0];
+		topdomain = strdup(argv[1]);
+		break;
+	default:
+		usage();
+		/* NOTREACHED */
+	}
+
+	if (max_downstream_frag_size < 1 || max_downstream_frag_size > 0xffff) {
+		warnx("Use a max frag size between 1 and 65535 bytes.\n");
+		usage();
+		/* NOTREACHED */
+	}
+
+	if (nameserv_addr) {
+		client_set_nameserver(nameserv_addr, DNS_PORT);
+	} else {
+		warnx("No nameserver found - not connected to any network?\n");
+		usage();
+		/* NOTREACHED */
+	}	
+
+	if (strlen(topdomain) <= 128) {
+		if(check_topdomain(topdomain)) {
+			warnx("Topdomain contains invalid characters.\n");
+			usage();
+			/* NOTREACHED */
+		}
+	} else {
+		warnx("Use a topdomain max 128 chars long.\n");
+		usage();
+		/* NOTREACHED */
+	}
+
+	client_set_selecttimeout(selecttimeout);
+	client_set_lazymode(lazymode);
+	client_set_topdomain(topdomain);
+	client_set_hostname_maxlen(hostname_maxlen);
+	
+	if (username != NULL) {
+#ifndef WINDOWS32
+		if ((pw = getpwnam(username)) == NULL) {
+			warnx("User %s does not exist!\n", username);
+			usage();
+			/* NOTREACHED */
+		}
+#endif
+	}
+	
+	if (strlen(password) == 0) {
+		if (NULL != getenv(PASSWORD_ENV_VAR))
+			snprintf(password, sizeof(password), "%s", getenv(PASSWORD_ENV_VAR));
+		else
+			read_password(password, sizeof(password));
+	}
+	
+	client_set_password(password);
+
+	if ((tun_fd = open_tun(device)) == -1) {
+		retval = 1;
+		goto cleanup1;
+	}
+	if ((dns_fd = open_dns(0, INADDR_ANY)) == -1) {
+		retval = 1;
+		goto cleanup2;
+	}
+
+	signal(SIGINT, sighandler);
+	signal(SIGTERM, sighandler);
+
+	fprintf(stderr, "Sending DNS queries for %s to %s\n",
+		topdomain, nameserv_addr);
+
+	if (client_handshake(dns_fd, raw_mode, autodetect_frag_size, max_downstream_frag_size)) {
+		retval = 1;
+		goto cleanup2;
+	}
+	
+	if (client_get_conn() == CONN_RAW_UDP) {
+		fprintf(stderr, "Sending raw traffic directly to %s\n", client_get_raw_addr());
+	}
+
+	fprintf(stderr, "Connection setup complete, transmitting data.\n");
+
+	if (foreground == 0) 
+		do_detach();
+	
+	if (pidfile != NULL)
+		do_pidfile(pidfile);
+
+	if (newroot != NULL)
+		do_chroot(newroot);
+	
+	if (username != NULL) {
+#ifndef WINDOWS32
+		gid_t gids[1];
+		gids[0] = pw->pw_gid;
+		if (setgroups(1, gids) < 0 || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) {
+			warnx("Could not switch to user %s!\n", username);
+			usage();
+			/* NOTREACHED */
+		}
+#endif
+	}
+
+	if (context != NULL)
+		do_setcon(context);
+
+	client_tunnel(tun_fd, dns_fd);
+
+cleanup2:
+	close_dns(dns_fd);
+	close_tun(tun_fd);
+cleanup1:
+
+	return retval;
+}
+
diff --git a/jni/iodine/src/iodined.c b/jni/iodine/src/iodined.c
new file mode 100644
index 0000000..3681084
--- /dev/null
+++ b/jni/iodine/src/iodined.c
@@ -0,0 +1,2486 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <fcntl.h>
+#include <time.h>
+#include <zlib.h>
+
+#include "common.h"
+
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#define _XPG4_2
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <grp.h>
+#include <sys/uio.h>
+#include <pwd.h>
+#include <netdb.h>
+#include <syslog.h>
+#endif
+
+#include "dns.h"
+#include "encoding.h"
+#include "base32.h"
+#include "base64.h"
+#include "base64u.h"
+#include "base128.h"
+#include "user.h"
+#include "login.h"
+#include "tun.h"
+#include "fw_query.h"
+#include "version.h"
+
+#ifdef WINDOWS32
+WORD req_version = MAKEWORD(2, 2);
+WSADATA wsa_data;
+#endif
+
+#define PASSWORD_ENV_VAR "IODINED_PASS"
+
+static int running = 1;
+static char *topdomain;
+static char password[33];
+static struct encoder *b32;
+static struct encoder *b64;
+static struct encoder *b64u;
+static struct encoder *b128;
+static int created_users;
+
+static int check_ip;
+static int my_mtu;
+static in_addr_t my_ip;
+static int netmask;
+
+static in_addr_t ns_ip;
+
+static int bind_port;
+static int debug;
+
+#if !defined(BSD) && !defined(__GLIBC__)
+static char *__progname;
+#endif
+
+static int read_dns(int, int, struct query *);
+static void write_dns(int, struct query *, char *, int, char);
+static void handle_full_packet(int, int, int);
+
+static void
+sigint(int sig) 
+{
+	running = 0;
+}
+
+#ifdef WINDOWS32
+#define	LOG_EMERG	0
+#define	LOG_ALERT	1
+#define	LOG_CRIT	2
+#define	LOG_ERR		3
+#define	LOG_WARNING	4
+#define	LOG_NOTICE	5
+#define	LOG_INFO	6
+#define	LOG_DEBUG	7
+static void
+syslog(int a, const char *str, ...)
+{
+	/* TODO: implement (add to event log), move to common.c */
+	;
+}
+#endif
+
+static int
+check_user_and_ip(int userid, struct query *q)
+{
+	struct sockaddr_in *tempin;
+
+	/* Note: duplicate in handle_raw_login() except IP-address check */
+
+	if (userid < 0 || userid >= created_users ) {
+		return 1; 
+	}
+	if (!users[userid].active || users[userid].disabled) {
+		return 1;
+	}
+	if (users[userid].last_pkt + 60 < time(NULL)) {
+		return 1;
+	}
+
+	/* return early if IP checking is disabled */
+	if (!check_ip) {
+		return 0;
+	}
+
+	tempin = (struct sockaddr_in *) &(q->from);
+	return memcmp(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
+}
+
+static void
+send_raw(int fd, char *buf, int buflen, int user, int cmd, struct query *q)
+{
+	char packet[4096];
+	int len;
+
+	len = MIN(sizeof(packet) - RAW_HDR_LEN, buflen);
+
+	memcpy(packet, raw_header, RAW_HDR_LEN);
+	if (len) {
+		memcpy(&packet[RAW_HDR_LEN], buf, len);
+	}
+
+	len += RAW_HDR_LEN;
+	packet[RAW_HDR_CMD] = cmd | (user & 0x0F);
+
+	if (debug >= 2) {
+		struct sockaddr_in *tempin;
+		tempin = (struct sockaddr_in *) &(q->from);
+		fprintf(stderr, "TX-raw: client %s, cmd %d, %d bytes\n", 
+			inet_ntoa(tempin->sin_addr), cmd, len);
+	}
+
+	sendto(fd, packet, len, 0, &q->from, q->fromlen);
+}
+
+
+static void
+start_new_outpacket(int userid, char *data, int datalen)
+/* Copies data to .outpacket and resets all counters.
+   data is expected to be compressed already. */
+{
+	datalen = MIN(datalen, sizeof(users[userid].outpacket.data));
+	memcpy(users[userid].outpacket.data, data, datalen);
+	users[userid].outpacket.len = datalen;
+	users[userid].outpacket.offset = 0;
+	users[userid].outpacket.sentlen = 0;
+	users[userid].outpacket.seqno = (users[userid].outpacket.seqno + 1) & 7;
+	users[userid].outpacket.fragment = 0;
+	users[userid].outfragresent = 0;
+}
+
+#ifdef OUTPACKETQ_LEN
+
+static int
+save_to_outpacketq(int userid, char *data, int datalen)
+/* Find space in outpacket-queue and store data (expected compressed already).
+   Returns: 1 = okay, 0 = no space. */
+{
+	int fill;
+
+	if (users[userid].outpacketq_filled >= OUTPACKETQ_LEN)
+		/* no space */
+		return 0;
+
+	fill = users[userid].outpacketq_nexttouse +
+	       users[userid].outpacketq_filled;
+	if (fill >= OUTPACKETQ_LEN)
+		fill -= OUTPACKETQ_LEN;
+
+	datalen = MIN(datalen, sizeof(users[userid].outpacketq[fill].data));
+	memcpy(users[userid].outpacketq[fill].data, data, datalen);
+	users[userid].outpacketq[fill].len = datalen;
+
+	users[userid].outpacketq_filled++;
+
+	if (debug >= 3)
+		fprintf(stderr, "    Qstore, now %d\n",
+			users[userid].outpacketq_filled);
+
+	return 1;
+}
+
+static int
+get_from_outpacketq(int userid)
+/* Starts new outpacket from queue, if any.
+   Returns: 1 = okay, 0 = no packets were waiting. */
+{
+	int use;
+
+	if (users[userid].outpacketq_filled <= 0)
+		/* no packets */
+		return 0;
+
+	use = users[userid].outpacketq_nexttouse;
+
+	start_new_outpacket(userid, users[userid].outpacketq[use].data,
+			    users[userid].outpacketq[use].len);
+
+	use++;
+	if (use >= OUTPACKETQ_LEN)
+		use = 0;
+	users[userid].outpacketq_nexttouse = use;
+	users[userid].outpacketq_filled--;
+
+	if (debug >= 3)
+		fprintf(stderr, "    Qget, now %d\n",
+			users[userid].outpacketq_filled);
+
+	return 1;
+}
+
+#endif /* OUTPACKETQ_LEN */
+
+#ifdef DNSCACHE_LEN
+
+/* On the DNS cache:
+
+   This cache is implemented to better handle the aggressively impatient DNS
+   servers that very quickly re-send requests when we choose to not
+   immediately answer them in lazy mode. This cache works much better than
+   pruning(=dropping) the improper requests, since the DNS server will
+   actually get an answer instead of silence.
+
+   Because of the CMC in both ping and upstream data, unwanted cache hits
+   are prevented. Data-CMC is only 36 counts, so our cache length should
+   not exceed 36/2=18 packets. (This quick rule assumes all packets are
+   otherwise equal, which they arent: up/downstream seq/frag, tcp sequence
+   number, and of course data.)
+*/
+
+static void
+save_to_dnscache(int userid, struct query *q, char *answer, int answerlen)
+/* Store answer in our little DNS cache. */
+{
+	int fill;
+
+	if (answerlen > sizeof(users[userid].dnscache_answer[fill]))
+		return;  /* can't store this */
+
+	fill = users[userid].dnscache_lastfilled + 1;
+	if (fill >= DNSCACHE_LEN)
+		fill = 0;
+
+	memcpy(&(users[userid].dnscache_q[fill]), q, sizeof(struct query));
+	memcpy(users[userid].dnscache_answer[fill], answer, answerlen);
+	users[userid].dnscache_answerlen[fill] = answerlen;
+
+	users[userid].dnscache_lastfilled = fill;
+}
+
+static int
+answer_from_dnscache(int dns_fd, int userid, struct query *q)
+/* Checks cache and sends repeated answer if we alreay saw this query recently.
+   Returns: 1 = answer sent, drop this query, 0 = no answer sent, this is
+   a new query. */
+{
+	int i;
+	int use;
+
+	for (i = 0; i < DNSCACHE_LEN ; i++) {
+		/* Try cache most-recent-first */
+		use = users[userid].dnscache_lastfilled - i;
+		if (use < 0)
+			use += DNSCACHE_LEN;
+
+		if (users[userid].dnscache_q[use].id == 0)
+			continue;
+		if (users[userid].dnscache_answerlen[use] <= 0)
+			continue;
+
+		if (users[userid].dnscache_q[use].type != q->type ||
+		    strcmp(users[userid].dnscache_q[use].name, q->name))
+			continue;
+
+		/* okay, match */
+		if (debug >= 1)
+			fprintf(stderr, "OUT  user %d %s from dnscache\n", userid, q->name);
+
+		write_dns(dns_fd, q, users[userid].dnscache_answer[use],
+			  users[userid].dnscache_answerlen[use],
+			  users[userid].downenc);
+
+		q->id = 0;	/* this query was used */
+		return 1;
+	}
+
+	/* here only when no match found */
+	return 0;
+}
+
+#endif /* DNSCACHE_LEN */
+
+static inline void
+save_to_qmem(unsigned char *qmem_cmc, unsigned short *qmem_type, int qmem_len,
+	     int *qmem_lastfilled, unsigned char *cmc_to_add,
+	     unsigned short type_to_add)
+/* Remember query to check for duplicates */
+{
+	int fill;
+
+	fill = *qmem_lastfilled + 1;
+	if (fill >= qmem_len)
+		fill = 0;
+
+	memcpy(qmem_cmc + fill * 4, cmc_to_add, 4);
+	qmem_type[fill] = type_to_add;
+	*qmem_lastfilled = fill;
+}
+
+static inline void
+save_to_qmem_pingordata(int userid, struct query *q)
+{
+	/* Our CMC is a bit more than the "official" CMC; we store 4 bytes
+	   just because we can, and because it may prevent some false matches.
+	   For ping, we save the 4 decoded bytes: userid + seq/frag + CMC.
+	   For data, we save the 4 _un_decoded chars in lowercase: seq/frag's
+	   + 1 char CMC; that last char is non-Base32.
+	 */
+
+	char cmc[8];
+	int i;
+
+	if (q->name[0] == 'P' || q->name[0] == 'p') {
+		/* Ping packet */
+
+		size_t cmcsize = sizeof(cmc);
+		char *cp = strchr(q->name, '.');
+
+		if (cp == NULL)
+			return;  /* illegal hostname; shouldn't happen */
+
+		/* We already unpacked in handle_null_request(), but that's
+		   lost now... Note: b32 directly, we want no undotify here! */
+		i = b32->decode(cmc, &cmcsize, q->name + 1, (cp - q->name) - 1);
+
+		if (i < 4)
+			return;	 /* illegal ping; shouldn't happen */
+
+		save_to_qmem(users[userid].qmemping_cmc,
+			     users[userid].qmemping_type, QMEMPING_LEN,
+			     &users[userid].qmemping_lastfilled,
+			     (void *) cmc, q->type);
+	} else {
+		/* Data packet, hopefully not illegal */
+		if (strlen(q->name) < 5)
+			return;
+
+		/* We store CMC in lowercase; if routing via multiple parallel
+		   DNS servers, one may do case-switch and another may not,
+		   and we still want to detect duplicates.
+		   Data-header is always base32, so case-swap won't hurt.
+		 */
+		for (i = 0; i < 4; i++)
+			if (q->name[i+1] >= 'A' && q->name[i+1] <= 'Z')
+				cmc[i] = q->name[i+1] + ('a' - 'A');
+			else
+				cmc[i] = q->name[i+1];
+
+		save_to_qmem(users[userid].qmemdata_cmc,
+			     users[userid].qmemdata_type, QMEMDATA_LEN,
+			     &users[userid].qmemdata_lastfilled,
+			     (void *) cmc, q->type);
+	}
+}
+
+static int
+answer_from_qmem(int dns_fd, struct query *q, unsigned char *qmem_cmc,
+		 unsigned short *qmem_type, int qmem_len,
+		 unsigned char *cmc_to_check)
+/* Checks query memory and sends an (illegal) answer if this is a duplicate.
+   Returns: 1 = answer sent, drop this query, 0 = no answer sent, this is
+   not a duplicate. */
+{
+	int i;
+
+	for (i = 0; i < qmem_len ; i++) {
+
+		if (qmem_type[i] == T_UNSET)
+			continue;
+		if (qmem_type[i] != q->type)
+			continue;
+		if (memcmp(qmem_cmc + i * 4, cmc_to_check, 4))
+			continue;
+
+		/* okay, match */
+		if (debug >= 1)
+			fprintf(stderr, "OUT  from qmem for %s == duplicate, sending illegal reply\n", q->name);
+
+		write_dns(dns_fd, q, "x", 1, 'T');
+
+		q->id = 0;	/* this query was used */
+		return 1;
+	}
+
+	/* here only when no match found */
+	return 0;
+}
+
+static inline int
+answer_from_qmem_data(int dns_fd, int userid, struct query *q)
+/* Quick helper function to keep handle_null_request() clean */
+{
+	char cmc[4];
+	int i;
+
+	for (i = 0; i < 4; i++)
+		if (q->name[i+1] >= 'A' && q->name[i+1] <= 'Z')
+			cmc[i] = q->name[i+1] + ('a' - 'A');
+		else
+			cmc[i] = q->name[i+1];
+
+	return answer_from_qmem(dns_fd, q, users[userid].qmemdata_cmc,
+				users[userid].qmemdata_type, QMEMDATA_LEN,
+				(void *) cmc);
+}
+
+static int
+send_chunk_or_dataless(int dns_fd, int userid, struct query *q)
+/* Sends current fragment to user, or dataless packet if there is no
+   current fragment available (-> normal "quiet" ping reply).
+   Does not update anything, except:
+   - discards q always (query is used)
+   - forgets entire users[userid].outpacket if it was sent in one go,
+     and then tries to get new packet from outpacket-queue
+   Returns: 1 = can call us again immediately, new packet from queue;
+   0 = don't call us again for now.
+*/
+{
+	char pkt[4096];
+	int datalen = 0;
+	int last = 0;
+
+	/* If re-sent too many times, drop entire packet */
+	if (users[userid].outpacket.len > 0 &&
+	    users[userid].outfragresent > 5) {
+		users[userid].outpacket.len = 0;
+		users[userid].outpacket.offset = 0;
+		users[userid].outpacket.sentlen = 0;
+		users[userid].outfragresent = 0;
+
+#ifdef OUTPACKETQ_LEN
+		/* Maybe more in queue, use immediately */
+		get_from_outpacketq(userid);
+#endif
+	}
+
+	if (users[userid].outpacket.len > 0) {
+		datalen = MIN(users[userid].fragsize, users[userid].outpacket.len - users[userid].outpacket.offset);
+		datalen = MIN(datalen, sizeof(pkt)-2);
+
+		memcpy(&pkt[2], users[userid].outpacket.data + users[userid].outpacket.offset, datalen);
+		users[userid].outpacket.sentlen = datalen;
+		last = (users[userid].outpacket.len == users[userid].outpacket.offset + datalen);
+
+		users[userid].outfragresent++;
+	}
+
+	/* Build downstream data header (see doc/proto_xxxxxxxx.txt) */
+
+	/* First byte is 1 bit compression flag, 3 bits upstream seqno, 4 bits upstream fragment */
+	pkt[0] = (1<<7) | ((users[userid].inpacket.seqno & 7) << 4) |
+		(users[userid].inpacket.fragment & 15);
+	/* Second byte is 3 bits downstream seqno, 4 bits downstream fragment, 1 bit last flag */
+	pkt[1] = ((users[userid].outpacket.seqno & 7) << 5) | 
+		((users[userid].outpacket.fragment & 15) << 1) | (last & 1);
+
+	if (debug >= 1) {
+		fprintf(stderr, "OUT  pkt seq# %d, frag %d (last=%d), offset %d, fragsize %d, total %d, to user %d\n",
+			users[userid].outpacket.seqno & 7, users[userid].outpacket.fragment & 15, 
+			last, users[userid].outpacket.offset, datalen, users[userid].outpacket.len, userid);
+	}
+	write_dns(dns_fd, q, pkt, datalen + 2, users[userid].downenc);
+
+	if (q->id2 != 0) {
+		q->id = q->id2;
+		q->fromlen = q->fromlen2;
+		memcpy(&(q->from), &(q->from2), q->fromlen2);
+		if (debug >= 1)
+			fprintf(stderr, "OUT  again to last duplicate\n");
+		write_dns(dns_fd, q, pkt, datalen + 2, users[userid].downenc);
+	}
+
+	save_to_qmem_pingordata(userid, q);
+
+#ifdef DNSCACHE_LEN
+	save_to_dnscache(userid, q, pkt, datalen + 2);
+#endif
+
+	q->id = 0;			/* this query is used */
+
+	if (datalen > 0 && datalen == users[userid].outpacket.len) {
+		/* Whole packet was sent in one chunk, dont wait for ack */
+		users[userid].outpacket.len = 0;
+		users[userid].outpacket.offset = 0;
+		users[userid].outpacket.sentlen = 0;
+		users[userid].outfragresent = 0;
+
+#ifdef OUTPACKETQ_LEN
+		/* Maybe more in queue, prepare for next time */
+		if (get_from_outpacketq(userid) == 1) {
+			if (debug >= 3)
+				fprintf(stderr, "    Chunk & fromqueue: callagain\n");
+			return 1;	/* call us again */
+		}
+#endif
+	}
+
+	return 0;	/* don't call us again */
+}
+
+static int
+tunnel_tun(int tun_fd, int dns_fd)
+{
+	unsigned long outlen;
+	struct ip *header;
+	char out[64*1024];
+	char in[64*1024];
+	int userid;
+	int read;
+
+	if ((read = read_tun(tun_fd, in, sizeof(in))) <= 0)
+		return 0;
+	
+	/* find target ip in packet, in is padded with 4 bytes TUN header */
+	header = (struct ip*) (in + 4);
+	userid = find_user_by_ip(header->ip_dst.s_addr);
+	if (userid < 0)
+		return 0;
+
+	outlen = sizeof(out);
+	compress2((uint8_t*)out, &outlen, (uint8_t*)in, read, 9);
+
+	if (users[userid].conn == CONN_DNS_NULL) {
+#ifdef OUTPACKETQ_LEN
+		/* If a packet is being sent, try storing the new one in the queue.
+		   If the queue is full, drop the packet. TCP will hopefully notice
+		   and reduce the packet rate. */
+		if (users[userid].outpacket.len > 0) {
+			save_to_outpacketq(userid, out, outlen);
+			return 0;
+		}
+#endif
+
+		start_new_outpacket(userid, out, outlen);
+
+		/* Start sending immediately if query is waiting */
+		if (users[userid].q_sendrealsoon.id != 0)
+			send_chunk_or_dataless(dns_fd, userid, &users[userid].q_sendrealsoon);
+		else if (users[userid].q.id != 0)
+			send_chunk_or_dataless(dns_fd, userid, &users[userid].q);
+
+		return outlen;
+	} else { /* CONN_RAW_UDP */
+		send_raw(dns_fd, out, outlen, userid, RAW_HDR_CMD_DATA, &users[userid].q);
+		return outlen;
+	}
+}
+
+typedef enum {
+	VERSION_ACK,
+	VERSION_NACK,
+	VERSION_FULL
+} version_ack_t;
+
+static void
+send_version_response(int fd, version_ack_t ack, uint32_t payload, int userid, struct query *q)
+{
+	char out[9];
+	
+	switch (ack) {
+	case VERSION_ACK:
+		strncpy(out, "VACK", sizeof(out));
+		break;
+	case VERSION_NACK:
+		strncpy(out, "VNAK", sizeof(out));
+		break;
+	case VERSION_FULL:
+		strncpy(out, "VFUL", sizeof(out));
+		break;
+	}
+	
+	out[4] = ((payload >> 24) & 0xff);
+	out[5] = ((payload >> 16) & 0xff);
+	out[6] = ((payload >> 8) & 0xff);
+	out[7] = ((payload) & 0xff);
+	out[8] = userid & 0xff;
+
+	write_dns(fd, q, out, sizeof(out), users[userid].downenc);
+}
+
+static void
+process_downstream_ack(int userid, int down_seq, int down_frag)
+/* Process acks from downstream fragments.
+   After this, .offset and .fragment are updated (if ack correct),
+   or .len is set to zero when all is done.
+*/
+{
+	if (users[userid].outpacket.len <= 0)
+		/* No packet to apply acks to */
+		return;
+
+	if (users[userid].outpacket.seqno != down_seq ||
+	    users[userid].outpacket.fragment != down_frag)
+		/* Not the ack we're waiting for; probably duplicate of old
+		   ack, happens a lot with ping packets */
+		return;
+
+	/* Received proper ack */
+	users[userid].outpacket.offset += users[userid].outpacket.sentlen;
+	users[userid].outpacket.sentlen = 0;
+	users[userid].outpacket.fragment++;
+	users[userid].outfragresent = 0;
+
+	/* Is packet done? */
+	if (users[userid].outpacket.offset >= users[userid].outpacket.len) {
+		users[userid].outpacket.len = 0;
+		users[userid].outpacket.offset = 0;
+		users[userid].outpacket.fragment--;	/* unneeded ++ above */
+		/* ^keep last seqno/frag, are always returned on pings */
+		/* users[userid].outfragresent = 0; already above */
+
+#ifdef OUTPACKETQ_LEN
+		/* Possibly get new packet from queue */
+		get_from_outpacketq(userid);
+#endif
+	}
+}
+
+static void
+handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
+{
+	struct in_addr tempip;
+	char in[512];
+	char logindata[16];
+	char out[64*1024];
+	char unpacked[64*1024];
+	char *tmp[2];
+	int userid;
+	int read;
+
+	userid = -1;
+
+	/* Everything here needs at least two chars in the name */
+	if (domain_len < 2)
+		return;
+
+	memcpy(in, q->name, MIN(domain_len, sizeof(in)));
+
+	if(in[0] == 'V' || in[0] == 'v') {
+		int version = 0;
+
+		read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
+		/* Version greeting, compare and send ack/nak */
+		if (read > 4) { 
+			/* Received V + 32bits version */
+			version = (((unpacked[0] & 0xff) << 24) |
+					   ((unpacked[1] & 0xff) << 16) |
+					   ((unpacked[2] & 0xff) << 8) |
+					   ((unpacked[3] & 0xff)));
+		}
+
+		if (version == VERSION) {
+			userid = find_available_user();
+			if (userid >= 0) {
+				int i;
+				struct sockaddr_in *tempin;
+
+				users[userid].seed = rand();
+				/* Store remote IP number */
+				tempin = (struct sockaddr_in *) &(q->from);
+				memcpy(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
+				
+				memcpy(&(users[userid].q), q, sizeof(struct query));
+				users[userid].encoder = get_base32_encoder();
+				users[userid].downenc = 'T';
+				send_version_response(dns_fd, VERSION_ACK, users[userid].seed, userid, q);
+				syslog(LOG_INFO, "accepted version for user #%d from %s",
+					userid, inet_ntoa(tempin->sin_addr));
+				users[userid].q.id = 0;
+				users[userid].q.id2 = 0;
+				users[userid].q_sendrealsoon.id = 0;
+				users[userid].q_sendrealsoon.id2 = 0;
+				users[userid].q_sendrealsoon_new = 0;
+				users[userid].outpacket.len = 0;
+				users[userid].outpacket.offset = 0;
+				users[userid].outpacket.sentlen = 0;
+				users[userid].outpacket.seqno = 0;
+				users[userid].outpacket.fragment = 0;
+				users[userid].outfragresent = 0;
+				users[userid].inpacket.len = 0;
+				users[userid].inpacket.offset = 0;
+				users[userid].inpacket.seqno = 0;
+				users[userid].inpacket.fragment = 0;
+				users[userid].fragsize = 100; /* very safe */
+				users[userid].conn = CONN_DNS_NULL;
+				users[userid].lazy = 0;
+#ifdef OUTPACKETQ_LEN
+				users[userid].outpacketq_nexttouse = 0;
+				users[userid].outpacketq_filled = 0;
+#endif
+#ifdef DNSCACHE_LEN
+				{
+					for (i = 0; i < DNSCACHE_LEN; i++) {
+					        users[userid].dnscache_q[i].id = 0;
+					        users[userid].dnscache_answerlen[i] = 0;
+					}
+				}
+				users[userid].dnscache_lastfilled = 0;
+#endif
+				for (i = 0; i < QMEMPING_LEN; i++)
+				        users[userid].qmemping_type[i] = T_UNSET;
+				users[userid].qmemping_lastfilled = 0;
+				for (i = 0; i < QMEMDATA_LEN; i++)
+				        users[userid].qmemdata_type[i] = T_UNSET;
+				users[userid].qmemdata_lastfilled = 0;
+			} else {
+				/* No space for another user */
+				send_version_response(dns_fd, VERSION_FULL, created_users, 0, q);
+				syslog(LOG_INFO, "dropped user from %s, server full", 
+					inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
+			}
+		} else {
+			send_version_response(dns_fd, VERSION_NACK, VERSION, 0, q);
+			syslog(LOG_INFO, "dropped user from %s, sent bad version %08X", 
+				inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr), version);
+		}
+		return;
+	} else if(in[0] == 'L' || in[0] == 'l') {
+		read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
+		if (read < 17) {
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		/* Login phase, handle auth */
+		userid = unpacked[0];
+
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			syslog(LOG_WARNING, "dropped login request from user #%d from unexpected source %s",
+				userid, inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
+			return;
+		} else {
+			users[userid].last_pkt = time(NULL);
+			login_calculate(logindata, 16, password, users[userid].seed);
+
+			if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
+				/* Login ok, send ip/mtu/netmask info */
+
+				tempip.s_addr = my_ip;
+				tmp[0] = strdup(inet_ntoa(tempip));
+				tempip.s_addr = users[userid].tun_ip;
+				tmp[1] = strdup(inet_ntoa(tempip));
+
+				read = snprintf(out, sizeof(out), "%s-%s-%d-%d", 
+						tmp[0], tmp[1], my_mtu, netmask);
+
+				write_dns(dns_fd, q, out, read, users[userid].downenc);
+				q->id = 0;
+				syslog(LOG_NOTICE, "accepted password from user #%d, given IP %s", userid, tmp[1]);
+
+				free(tmp[1]);
+				free(tmp[0]);
+			} else {
+				write_dns(dns_fd, q, "LNAK", 4, 'T');
+				syslog(LOG_WARNING, "rejected login request from user #%d from %s, bad password",
+					userid, inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
+			}
+		}
+		return;
+	} else if(in[0] == 'I' || in[0] == 'i') {
+		/* Request for IP number */
+		in_addr_t replyaddr;
+		unsigned addr;
+		char reply[5];
+		
+		userid = b32_8to5(in[1]);
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+
+		if (ns_ip != INADDR_ANY) {
+			/* If set, use assigned external ip (-n option) */
+			replyaddr = ns_ip;
+		} else {
+			/* otherwise return destination ip from packet */
+			memcpy(&replyaddr, &q->destination.s_addr, sizeof(in_addr_t));
+		}
+
+		addr = htonl(replyaddr);
+		reply[0] = 'I';
+		reply[1] = (addr >> 24) & 0xFF;
+		reply[2] = (addr >> 16) & 0xFF;
+		reply[3] = (addr >>  8) & 0xFF;
+		reply[4] = (addr >>  0) & 0xFF;
+		write_dns(dns_fd, q, reply, sizeof(reply), 'T');
+	} else if(in[0] == 'Z' || in[0] == 'z') {
+		/* Check for case conservation and chars not allowed according to RFC */
+
+		/* Reply with received hostname as data */
+		/* No userid here, reply with lowest-grade downenc */
+		write_dns(dns_fd, q, in, domain_len, 'T');
+		return;
+	} else if(in[0] == 'S' || in[0] == 's') {
+		int codec;
+		struct encoder *enc;
+		if (domain_len < 3) { /* len at least 3, example: "S15" */
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		userid = b32_8to5(in[1]);
+		
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+		
+		codec = b32_8to5(in[2]);
+
+		switch (codec) {
+		case 5: /* 5 bits per byte = base32 */
+			enc = get_base32_encoder();
+			user_switch_codec(userid, enc);
+			write_dns(dns_fd, q, enc->name, strlen(enc->name), users[userid].downenc);
+			break;
+		case 6: /* 6 bits per byte = base64 */
+			enc = get_base64_encoder();
+			user_switch_codec(userid, enc);
+			write_dns(dns_fd, q, enc->name, strlen(enc->name), users[userid].downenc);
+			break;
+		case 26: /* "2nd" 6 bits per byte = base64u, with underscore */
+			enc = get_base64u_encoder();
+			user_switch_codec(userid, enc);
+			write_dns(dns_fd, q, enc->name, strlen(enc->name), users[userid].downenc);
+			break;
+		case 7: /* 7 bits per byte = base128 */
+			enc = get_base128_encoder();
+			user_switch_codec(userid, enc);
+			write_dns(dns_fd, q, enc->name, strlen(enc->name), users[userid].downenc);
+			break;
+		default:
+			write_dns(dns_fd, q, "BADCODEC", 8, users[userid].downenc);
+			break;
+		}
+		return;
+	} else if(in[0] == 'O' || in[0] == 'o') {
+		if (domain_len < 3) { /* len at least 3, example: "O1T" */
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		userid = b32_8to5(in[1]);
+
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+
+		switch (in[2]) {
+		case 'T':
+		case 't':
+			users[userid].downenc = 'T';
+			write_dns(dns_fd, q, "Base32", 6, users[userid].downenc);
+			break;
+		case 'S':
+		case 's':
+			users[userid].downenc = 'S';
+			write_dns(dns_fd, q, "Base64", 6, users[userid].downenc);
+			break;
+		case 'U':
+		case 'u':
+			users[userid].downenc = 'U';
+			write_dns(dns_fd, q, "Base64u", 7, users[userid].downenc);
+			break;
+		case 'V':
+		case 'v':
+			users[userid].downenc = 'V';
+			write_dns(dns_fd, q, "Base128", 7, users[userid].downenc);
+			break;
+		case 'R':
+		case 'r':
+			users[userid].downenc = 'R';
+			write_dns(dns_fd, q, "Raw", 3, users[userid].downenc);
+			break;
+		case 'L':
+		case 'l':
+			users[userid].lazy = 1;
+			write_dns(dns_fd, q, "Lazy", 4, users[userid].downenc);
+			break;
+		case 'I':
+		case 'i':
+			users[userid].lazy = 0;
+			write_dns(dns_fd, q, "Immediate", 9, users[userid].downenc);
+			break;
+		default:
+			write_dns(dns_fd, q, "BADCODEC", 8, users[userid].downenc);
+			break;
+		}
+		return;
+	} else if(in[0] == 'Y' || in[0] == 'y') {
+		int i;
+		char *datap;
+		int datalen;
+
+		if (domain_len < 6) { /* len at least 6, example: "YTxCMC" */
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		i = b32_8to5(in[2]);	/* check variant */
+
+		switch (i) {
+		case 1:
+			datap = DOWNCODECCHECK1;
+			datalen = DOWNCODECCHECK1_LEN;
+			break;
+		default:
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		switch (in[1]) {
+		case 'T':
+		case 't':
+			if (q->type == T_TXT ||
+			    q->type == T_SRV || q->type == T_MX ||
+			    q->type == T_CNAME || q->type == T_A) {
+				write_dns(dns_fd, q, datap, datalen, 'T');
+				return;
+			}
+			break;
+		case 'S':
+		case 's':
+			if (q->type == T_TXT ||
+			    q->type == T_SRV || q->type == T_MX ||
+			    q->type == T_CNAME || q->type == T_A) {
+				write_dns(dns_fd, q, datap, datalen, 'S');
+				return;
+			}
+			break;
+		case 'U':
+		case 'u':
+			if (q->type == T_TXT ||
+			    q->type == T_SRV || q->type == T_MX ||
+			    q->type == T_CNAME || q->type == T_A) {
+				write_dns(dns_fd, q, datap, datalen, 'U');
+				return;
+			}
+			break;
+		case 'V':
+		case 'v':
+			if (q->type == T_TXT ||
+			    q->type == T_SRV || q->type == T_MX ||
+			    q->type == T_CNAME || q->type == T_A) {
+				write_dns(dns_fd, q, datap, datalen, 'V');
+				return;
+			}
+			break;
+		case 'R':
+		case 'r':
+			if (q->type == T_NULL || q->type == T_TXT) {
+				write_dns(dns_fd, q, datap, datalen, 'R');
+				return;
+			}
+			break;
+		}
+
+		/* if still here, then codec not available */
+		write_dns(dns_fd, q, "BADCODEC", 8, 'T');
+		return;
+
+	} else if(in[0] == 'R' || in[0] == 'r') {
+		int req_frag_size;
+
+		if (domain_len < 16) {  /* we'd better have some chars for data... */
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		/* Downstream fragsize probe packet */
+		userid = (b32_8to5(in[1]) >> 1) & 15;
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+				
+		req_frag_size = ((b32_8to5(in[1]) & 1) << 10) | ((b32_8to5(in[2]) & 31) << 5) | (b32_8to5(in[3]) & 31);
+		if (req_frag_size < 2 || req_frag_size > 2047) {	
+			write_dns(dns_fd, q, "BADFRAG", 7, users[userid].downenc);
+		} else {
+			char buf[2048];
+			int i;
+			unsigned int v = ((unsigned int) rand()) & 0xff ;
+
+			memset(buf, 0, sizeof(buf));
+			buf[0] = (req_frag_size >> 8) & 0xff;
+			buf[1] = req_frag_size & 0xff;
+			/* make checkable pseudo-random sequence */
+			buf[2] = 107;
+			for (i = 3; i < 2048; i++, v = (v + 107) & 0xff)
+				buf[i] = v;
+			write_dns(dns_fd, q, buf, req_frag_size, users[userid].downenc);
+		}
+		return;
+	} else if(in[0] == 'N' || in[0] == 'n') {
+		int max_frag_size;
+
+		read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
+
+		if (read < 3) {
+			write_dns(dns_fd, q, "BADLEN", 6, 'T');
+			return;
+		}
+
+		/* Downstream fragsize packet */
+		userid = unpacked[0];
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+				
+		max_frag_size = ((unpacked[1] & 0xff) << 8) | (unpacked[2] & 0xff);
+		if (max_frag_size < 2) {	
+			write_dns(dns_fd, q, "BADFRAG", 7, users[userid].downenc);
+		} else {
+			users[userid].fragsize = max_frag_size;
+			write_dns(dns_fd, q, &unpacked[1], 2, users[userid].downenc);
+		}
+		return;
+	} else if(in[0] == 'P' || in[0] == 'p') {
+		int dn_seq;
+		int dn_frag;
+		int didsend = 0;
+
+		/* We can't handle id=0, that's "no packet" to us. So drop
+		   request completely. Note that DNS servers rewrite the id.
+		   We'll drop 1 in 64k times. If DNS server retransmits with
+		   different id, then all okay.
+		   Else client won't retransmit, and we'll just keep the
+		   previous ping in cache, no problem either. */
+		if (q->id == 0)
+			return;
+
+		read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
+		if (read < 4)
+			return;
+
+		/* Ping packet, store userid */
+		userid = unpacked[0];
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+
+#ifdef DNSCACHE_LEN
+		/* Check if cached */
+		if (answer_from_dnscache(dns_fd, userid, q))
+			return;
+#endif
+
+		/* Check if duplicate (and not in full dnscache any more) */
+		if (answer_from_qmem(dns_fd, q, users[userid].qmemping_cmc,
+				     users[userid].qmemping_type, QMEMPING_LEN,
+				     (void *) unpacked))
+			return;
+
+		/* Check if duplicate of waiting queries; impatient DNS relays
+		   like to re-try early and often (with _different_ .id!)  */
+		if (users[userid].q.id != 0 &&
+		    q->type == users[userid].q.type &&
+		    !strcmp(q->name, users[userid].q.name) &&
+		    users[userid].lazy) {
+			/* We have this ping already, and it's waiting to be
+			   answered. Always keep the last duplicate, since the
+			   relay may have forgotten its first version already.
+			   Our answer will go to both.
+			   (If we already sent an answer, qmem/cache will
+			   have triggered.) */
+			if (debug >= 2) {
+				fprintf(stderr, "PING pkt from user %d = dupe from impatient DNS server, remembering\n",
+					userid);
+			}
+			users[userid].q.id2 = q->id;
+			users[userid].q.fromlen2 = q->fromlen;
+			memcpy(&(users[userid].q.from2), &(q->from), q->fromlen);
+			return;
+		}
+ 
+		if (users[userid].q_sendrealsoon.id != 0 &&
+		    q->type == users[userid].q_sendrealsoon.type &&
+		    !strcmp(q->name, users[userid].q_sendrealsoon.name)) {
+			/* Outer select loop will send answer immediately,
+			   to both queries. */
+			if (debug >= 2) {
+				fprintf(stderr, "PING pkt from user %d = dupe from impatient DNS server, remembering\n",
+					userid);
+			}
+			users[userid].q_sendrealsoon.id2 = q->id;
+			users[userid].q_sendrealsoon.fromlen2 = q->fromlen;
+			memcpy(&(users[userid].q_sendrealsoon.from2),
+			       &(q->from), q->fromlen);
+			return;
+		}
+				
+		dn_seq = unpacked[1] >> 4;
+		dn_frag = unpacked[1] & 15;
+
+		if (debug >= 1) {
+			fprintf(stderr, "PING pkt from user %d, ack for downstream %d/%d\n",
+				userid, dn_seq, dn_frag);
+		}
+
+		process_downstream_ack(userid, dn_seq, dn_frag);
+
+		if (debug >= 3) {
+			fprintf(stderr, "PINGret (if any) will ack upstream %d/%d\n",
+				users[userid].inpacket.seqno, users[userid].inpacket.fragment);
+		}
+
+		/* If there is a query that must be returned real soon, do it.
+		   May contain new downstream data if the ping had a new ack.
+		   Otherwise, may also be re-sending old data. */
+		if (users[userid].q_sendrealsoon.id != 0) {
+			send_chunk_or_dataless(dns_fd, userid, &users[userid].q_sendrealsoon);
+		}
+
+		/* We need to store a new query, so if there still is an
+		   earlier query waiting, always send a reply to finish it.
+		   May contain new downstream data if the ping had a new ack.
+		   Otherwise, may also be re-sending old data.
+		   (This is duplicate data if we had q_sendrealsoon above.) */
+		if (users[userid].q.id != 0) {
+			didsend = 1;
+			if (send_chunk_or_dataless(dns_fd, userid, &users[userid].q) == 1)
+				/* new packet from queue, send immediately */
+				didsend = 0;
+		}
+
+		/* Save new query and time info */
+		memcpy(&(users[userid].q), q, sizeof(struct query));
+		users[userid].last_pkt = time(NULL);
+
+		/* If anything waiting and we didn't already send above, send
+		   it now. And always send immediately if we're not lazy
+		   (then above won't have sent at all). */
+		if ((!didsend && users[userid].outpacket.len > 0) ||
+		    !users[userid].lazy)
+			send_chunk_or_dataless(dns_fd, userid, &users[userid].q);
+
+	} else if((in[0] >= '0' && in[0] <= '9')
+			|| (in[0] >= 'a' && in[0] <= 'f')
+			|| (in[0] >= 'A' && in[0] <= 'F')) {
+		int up_seq, up_frag, dn_seq, dn_frag, lastfrag;
+		int upstream_ok = 1;
+		int didsend = 0;
+		int code = -1;
+
+		/* Need 5char header + >=1 char data */
+		if (domain_len < 6)
+			return;
+
+		/* We can't handle id=0, that's "no packet" to us. So drop
+		   request completely. Note that DNS servers rewrite the id.
+		   We'll drop 1 in 64k times. If DNS server retransmits with
+		   different id, then all okay.
+		   Else client doesn't get our ack, and will retransmit in
+		   1 second. */
+		if (q->id == 0)
+			return;
+
+		if ((in[0] >= '0' && in[0] <= '9'))
+			code = in[0] - '0';
+		if ((in[0] >= 'a' && in[0] <= 'f'))
+			code = in[0] - 'a' + 10;
+		if ((in[0] >= 'A' && in[0] <= 'F'))
+			code = in[0] - 'A' + 10;
+
+		userid = code;
+		/* Check user and sending ip number */
+		if (check_user_and_ip(userid, q) != 0) {
+			write_dns(dns_fd, q, "BADIP", 5, 'T');
+			return; /* illegal id */
+		}
+
+#ifdef DNSCACHE_LEN
+		/* Check if cached */
+		if (answer_from_dnscache(dns_fd, userid, q))
+			return;
+#endif
+
+		/* Check if duplicate (and not in full dnscache any more) */
+		if (answer_from_qmem_data(dns_fd, userid, q))
+			return;
+
+		/* Check if duplicate of waiting queries; impatient DNS relays
+		   like to re-try early and often (with _different_ .id!)  */
+		if (users[userid].q.id != 0 &&
+		    q->type == users[userid].q.type &&
+		    !strcmp(q->name, users[userid].q.name) && 
+		    users[userid].lazy) {
+			/* We have this packet already, and it's waiting to be
+			   answered. Always keep the last duplicate, since the
+			   relay may have forgotten its first version already.
+			   Our answer will go to both.
+			   (If we already sent an answer, qmem/cache will
+			   have triggered.) */
+			if (debug >= 2) {
+				fprintf(stderr, "IN   pkt from user %d = dupe from impatient DNS server, remembering\n",
+					userid);
+			}
+			users[userid].q.id2 = q->id;
+			users[userid].q.fromlen2 = q->fromlen;
+			memcpy(&(users[userid].q.from2), &(q->from), q->fromlen);
+			return;
+		}
+  
+		if (users[userid].q_sendrealsoon.id != 0 &&
+		    q->type == users[userid].q_sendrealsoon.type &&
+		    !strcmp(q->name, users[userid].q_sendrealsoon.name)) {
+			/* Outer select loop will send answer immediately,
+			   to both queries. */
+			if (debug >= 2) {
+				fprintf(stderr, "IN   pkt from user %d = dupe from impatient DNS server, remembering\n",
+					userid);
+			}
+			users[userid].q_sendrealsoon.id2 = q->id;
+			users[userid].q_sendrealsoon.fromlen2 = q->fromlen;
+			memcpy(&(users[userid].q_sendrealsoon.from2),
+			       &(q->from), q->fromlen);
+			return;
+		}
+  
+
+		/* Decode data header */
+		up_seq = (b32_8to5(in[1]) >> 2) & 7;
+		up_frag = ((b32_8to5(in[1]) & 3) << 2) | ((b32_8to5(in[2]) >> 3) & 3);
+		dn_seq = (b32_8to5(in[2]) & 7);
+		dn_frag = b32_8to5(in[3]) >> 1;
+		lastfrag = b32_8to5(in[3]) & 1;
+
+		process_downstream_ack(userid, dn_seq, dn_frag);
+
+		if (up_seq == users[userid].inpacket.seqno && 
+			up_frag <= users[userid].inpacket.fragment) {
+			/* Got repeated old packet _with data_, probably
+			   because client didn't receive our ack. So re-send
+			   our ack(+data) immediately to keep things flowing
+			   fast.
+			   If it's a _really_ old frag, it's a nameserver
+			   that tries again, and sending our current (non-
+			   matching) fragno won't be a problem. */
+			if (debug >= 1) {
+				fprintf(stderr, "IN   pkt seq# %d, frag %d, dropped duplicate frag\n",
+					up_seq, up_frag);
+			}
+			upstream_ok = 0;
+		}
+		else if (up_seq != users[userid].inpacket.seqno &&
+			 recent_seqno(users[userid].inpacket.seqno, up_seq)) {
+			/* Duplicate of recent upstream data packet; probably
+			   need to answer this to keep DNS server happy */
+			if (debug >= 1) {
+				fprintf(stderr, "IN   pkt seq# %d, frag %d, dropped duplicate recent seqno\n",
+					up_seq, up_frag);
+ 			}
+			upstream_ok = 0;
+		}
+		else if (up_seq != users[userid].inpacket.seqno) {
+			/* Really new packet has arrived, no recent duplicate */
+			/* Forget any old packet, even if incomplete */
+			users[userid].inpacket.seqno = up_seq;
+			users[userid].inpacket.fragment = up_frag;
+			users[userid].inpacket.len = 0;
+			users[userid].inpacket.offset = 0;
+		} else {
+			/* seq is same, frag is higher; don't care about
+			   missing fragments, TCP checksum will fail */
+  			users[userid].inpacket.fragment = up_frag;
+		}
+
+		if (debug >= 3) {
+			fprintf(stderr, "INpack with upstream %d/%d, we are going to ack upstream %d/%d\n",
+				up_seq, up_frag,
+				users[userid].inpacket.seqno, users[userid].inpacket.fragment);
+		}
+
+		if (upstream_ok) {
+			/* decode with this user's encoding */
+			read = unpack_data(unpacked, sizeof(unpacked), &(in[5]), domain_len - 5,
+					   users[userid].encoder);
+
+			/* copy to packet buffer, update length */
+			read = MIN(read, sizeof(users[userid].inpacket.data) - users[userid].inpacket.offset);
+			memcpy(users[userid].inpacket.data + users[userid].inpacket.offset, unpacked, read);
+			users[userid].inpacket.len += read;
+			users[userid].inpacket.offset += read;
+
+			if (debug >= 1) {
+				fprintf(stderr, "IN   pkt seq# %d, frag %d (last=%d), fragsize %d, total %d, from user %d\n",
+					up_seq, up_frag, lastfrag, read, users[userid].inpacket.len, userid);
+			}
+		}
+
+		if (upstream_ok && lastfrag) { /* packet is complete */
+			handle_full_packet(tun_fd, dns_fd, userid);
+		}
+
+		/* If there is a query that must be returned real soon, do it.
+		   Includes an ack of the just received upstream fragment,
+		   may contain new data. */
+		if (users[userid].q_sendrealsoon.id != 0) {
+			didsend = 1;
+			if (send_chunk_or_dataless(dns_fd, userid, &users[userid].q_sendrealsoon) == 1)
+				/* new packet from queue, send immediately */
+				didsend = 0;
+		}
+
+		/* If we already have an earlier query waiting, we need to
+		   get rid of it to store the new query.
+		   - If we have new data waiting and not yet sent above,
+		     send immediately.
+		   - If this wasn't the last upstream fragment, then we expect
+		     more, so ack immediately if we didn't already.
+		   - If we are in non-lazy mode, there should be no query
+		     waiting, but if there is, send immediately.
+		   - In all other cases (mostly the last-fragment cases),
+		     we can afford to wait just a tiny little while for the
+		     TCP ack to arrive from our tun. Note that this works best
+		     when there is only one client.
+		 */
+		if (users[userid].q.id != 0) {
+			if ((users[userid].outpacket.len > 0 && !didsend) ||
+			    (upstream_ok && !lastfrag && !didsend) ||
+			    (!upstream_ok && !didsend) ||
+			    !users[userid].lazy) {
+				didsend = 1;
+				if (send_chunk_or_dataless(dns_fd, userid, &users[userid].q) == 1)
+					/* new packet from queue, send immediately */
+					didsend = 0;
+			} else {
+				memcpy(&(users[userid].q_sendrealsoon),
+				       &(users[userid].q),
+				       sizeof(struct query));
+				users[userid].q_sendrealsoon_new = 1;
+				users[userid].q.id = 0;  /* used */
+				didsend = 1;
+			}
+		}
+
+		/* Save new query and time info */
+		memcpy(&(users[userid].q), q, sizeof(struct query));
+		users[userid].last_pkt = time(NULL);
+
+		/* If we still need to ack this upstream frag, do it to keep
+		   upstream flowing.
+		   - If we have new data waiting and not yet sent above,
+		     send immediately.
+		   - If this wasn't the last upstream fragment, then we expect
+		     more, so ack immediately if we didn't already or are
+		     in non-lazy mode.
+		   - If this was the last fragment, and we didn't ack already
+		     or are in non-lazy mode, send the ack after just a tiny
+		     little while so that the TCP ack may have arrived from
+		     our tun device.
+		   - In all other cases, don't send anything now.
+		*/
+		if (users[userid].outpacket.len > 0 && !didsend)
+			send_chunk_or_dataless(dns_fd, userid, &users[userid].q);
+		else if (!didsend || !users[userid].lazy) {
+			if (upstream_ok && lastfrag) {
+				memcpy(&(users[userid].q_sendrealsoon),
+				       &(users[userid].q),
+				       sizeof(struct query));
+				users[userid].q_sendrealsoon_new = 1;
+				users[userid].q.id = 0;  /* used */
+			} else {
+				send_chunk_or_dataless(dns_fd, userid, &users[userid].q);
+			}
+		}
+	}
+}
+
+static void
+handle_ns_request(int dns_fd, struct query *q)
+/* Mostly identical to handle_a_request() below */
+{
+	char buf[64*1024];
+	int len;
+
+	if (ns_ip != INADDR_ANY) {
+		/* If ns_ip set, overwrite destination addr with it.
+		 * Destination addr will be sent as additional record (A, IN) */
+		memcpy(&q->destination.s_addr, &ns_ip, sizeof(in_addr_t));
+	}
+
+	len = dns_encode_ns_response(buf, sizeof(buf), q, topdomain);
+	if (len < 1) {
+		warnx("dns_encode_ns_response doesn't fit");
+		return;
+	}
+	
+	if (debug >= 2) {
+		struct sockaddr_in *tempin;
+		tempin = (struct sockaddr_in *) &(q->from);
+		fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes NS reply\n", 
+			inet_ntoa(tempin->sin_addr), q->type, q->name, len);
+	}
+	if (sendto(dns_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) <= 0) {
+		warn("ns reply send error");
+	}
+}
+
+static void
+handle_a_request(int dns_fd, struct query *q, int fakeip)
+/* Mostly identical to handle_ns_request() above */
+{
+	char buf[64*1024];
+	int len;
+
+	if (fakeip) {
+		in_addr_t ip = inet_addr("127.0.0.1");
+		memcpy(&q->destination.s_addr, &ip, sizeof(in_addr_t));
+
+	} else if (ns_ip != INADDR_ANY) {
+		/* If ns_ip set, overwrite destination addr with it.
+		 * Destination addr will be sent as additional record (A, IN) */
+		memcpy(&q->destination.s_addr, &ns_ip, sizeof(in_addr_t));
+	}
+
+	len = dns_encode_a_response(buf, sizeof(buf), q);
+	if (len < 1) {
+		warnx("dns_encode_a_response doesn't fit");
+		return;
+	}
+	
+	if (debug >= 2) {
+		struct sockaddr_in *tempin;
+		tempin = (struct sockaddr_in *) &(q->from);
+		fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes A reply\n",
+			inet_ntoa(tempin->sin_addr), q->type, q->name, len);
+	}
+	if (sendto(dns_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) <= 0) {
+		warn("a reply send error");
+	}
+}
+
+static void
+forward_query(int bind_fd, struct query *q)
+{
+	char buf[64*1024];
+	int len;
+	struct fw_query fwq;
+	struct sockaddr_in *myaddr;
+	in_addr_t newaddr;
+
+	len = dns_encode(buf, sizeof(buf), q, QR_QUERY, q->name, strlen(q->name));
+	if (len < 1) {
+		warnx("dns_encode doesn't fit");
+		return;
+	}
+
+	/* Store sockaddr for q->id */
+	memcpy(&(fwq.addr), &(q->from), q->fromlen);
+	fwq.addrlen = q->fromlen;
+	fwq.id = q->id;
+	fw_query_put(&fwq);
+
+	newaddr = inet_addr("127.0.0.1");
+	myaddr = (struct sockaddr_in *) &(q->from);
+	memcpy(&(myaddr->sin_addr), &newaddr, sizeof(in_addr_t));
+	myaddr->sin_port = htons(bind_port);
+	
+	if (debug >= 2) {
+		fprintf(stderr, "TX: NS reply \n");
+	}
+
+	if (sendto(bind_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) <= 0) {
+		warn("forward query error");
+	}
+}
+  
+static int
+tunnel_bind(int bind_fd, int dns_fd)
+{
+	char packet[64*1024];
+	struct sockaddr_in from;
+	socklen_t fromlen;
+	struct fw_query *query;
+	unsigned short id;
+	int r;
+
+	fromlen = sizeof(struct sockaddr);
+	r = recvfrom(bind_fd, packet, sizeof(packet), 0, 
+		(struct sockaddr*)&from, &fromlen);
+
+	if (r <= 0)
+		return 0;
+
+	id = dns_get_id(packet, r);
+	
+	if (debug >= 2) {
+		fprintf(stderr, "RX: Got response on query %u from DNS\n", (id & 0xFFFF));
+	}
+
+	/* Get sockaddr from id */
+	fw_query_get(id, &query);
+	if (!query && debug >= 2) {
+		fprintf(stderr, "Lost sender of id %u, dropping reply\n", (id & 0xFFFF));
+		return 0;
+	}
+
+	if (debug >= 2) {
+		struct sockaddr_in *in;
+		in = (struct sockaddr_in *) &(query->addr);
+		fprintf(stderr, "TX: client %s id %u, %d bytes\n",
+			inet_ntoa(in->sin_addr), (id & 0xffff), r);
+	}
+	
+	if (sendto(dns_fd, packet, r, 0, (const struct sockaddr *) &(query->addr), 
+		query->addrlen) <= 0) {
+		warn("forward reply error");
+	}
+
+	return 0;
+}
+
+static int
+tunnel_dns(int tun_fd, int dns_fd, int bind_fd)
+{
+	struct query q;
+	int read;
+	int domain_len;
+	int inside_topdomain;
+
+	if ((read = read_dns(dns_fd, tun_fd, &q)) <= 0)
+		return 0;
+
+	if (debug >= 2) {
+		struct sockaddr_in *tempin;
+		tempin = (struct sockaddr_in *) &(q.from);
+		fprintf(stderr, "RX: client %s, type %d, name %s\n", 
+			inet_ntoa(tempin->sin_addr), q.type, q.name);
+	}
+
+	domain_len = strlen(q.name) - strlen(topdomain);
+	if (domain_len >= 0 && !strcasecmp(q.name + domain_len, topdomain))
+		inside_topdomain = 1;
+	/* require dot before topdomain */
+	if (domain_len >= 1 && q.name[domain_len - 1] != '.')
+		inside_topdomain = 0;
+
+	if (inside_topdomain) {
+		/* This is a query we can handle */
+
+		/* Handle A-type query for ns.topdomain, possibly caused
+		   by our proper response to any NS request */
+		if (domain_len == 3 && q.type == T_A &&
+		    (q.name[0] == 'n' || q.name[0] == 'N') &&
+		    (q.name[1] == 's' || q.name[1] == 'S') &&
+		     q.name[2] == '.') {
+			handle_a_request(dns_fd, &q, 0);
+			return 0;
+		}
+
+		/* Handle A-type query for www.topdomain, for anyone that's
+		   poking around */
+		if (domain_len == 4 && q.type == T_A &&
+		    (q.name[0] == 'w' || q.name[0] == 'W') &&
+		    (q.name[1] == 'w' || q.name[1] == 'W') &&
+		    (q.name[2] == 'w' || q.name[2] == 'W') &&
+		     q.name[3] == '.') {
+			handle_a_request(dns_fd, &q, 1);
+			return 0;
+		}
+
+		switch (q.type) {
+		case T_NULL:
+		case T_CNAME:
+		case T_A:
+		case T_MX:
+		case T_SRV:
+		case T_TXT:
+			/* encoding is "transparent" here */
+			handle_null_request(tun_fd, dns_fd, &q, domain_len);
+			break;
+		case T_NS:
+			handle_ns_request(dns_fd, &q);
+			break;
+		default:
+			break;
+		}
+	} else {
+		/* Forward query to other port ? */
+		if (bind_fd) {
+			forward_query(bind_fd, &q);
+		}
+	}
+	return 0;
+}
+
+static int
+tunnel(int tun_fd, int dns_fd, int bind_fd)
+{
+	struct timeval tv;
+	fd_set fds;
+	int i;
+	int userid;
+
+	while (running) {
+		int maxfd;
+		tv.tv_sec = 10;			/* doesn't really matter */
+		tv.tv_usec = 0;
+
+		/* Adjust timeout if there is anything to send realsoon.
+		   Clients won't be sending new data until we send our ack,
+		   so don't keep them waiting long. This only triggers at
+		   final upstream fragments, which is about once per eight
+		   requests during heavy upstream traffic.
+		   20msec: ~8 packs every 1/50sec = ~400 DNSreq/sec,
+		   or ~1200bytes every 1/50sec = ~0.5 Mbit/sec upstream */
+		for (userid = 0; userid < USERS; userid++) {
+			if (users[userid].active && !users[userid].disabled &&
+			    users[userid].last_pkt + 60 > time(NULL)) {
+				users[userid].q_sendrealsoon_new = 0;
+				if (users[userid].q_sendrealsoon.id != 0) {
+					tv.tv_sec = 0;
+					tv.tv_usec = 20000;
+				}
+			}
+		}
+
+		FD_ZERO(&fds);
+
+		FD_SET(dns_fd, &fds);
+		maxfd = dns_fd;
+
+		if (bind_fd) {
+			/* wait for replies from real DNS */
+			FD_SET(bind_fd, &fds);
+			maxfd = MAX(bind_fd, maxfd);
+		}
+
+		/* Don't read from tun if no users can accept data anyway;
+		   tun queue/TCP buffers are larger than our outpacket-queues */
+		if(!all_users_waiting_to_send()) {
+			FD_SET(tun_fd, &fds);
+			maxfd = MAX(tun_fd, maxfd);
+		}
+
+		i = select(maxfd + 1, &fds, NULL, NULL, &tv);
+		
+		if(i < 0) {
+			if (running) 
+				warn("select");
+			return 1;
+		}
+
+ 		if (i==0) {	
+			/* timeout; whatever; doesn't matter anymore */
+ 		} else {
+ 			if (FD_ISSET(tun_fd, &fds)) {
+ 				tunnel_tun(tun_fd, dns_fd);
+ 			}
+ 			if (FD_ISSET(dns_fd, &fds)) {
+ 				tunnel_dns(tun_fd, dns_fd, bind_fd);
+ 			} 
+			if (FD_ISSET(bind_fd, &fds)) {
+				tunnel_bind(bind_fd, dns_fd);
+			}
+		}
+
+		/* Send realsoon's if tun or dns didn't already */
+		for (userid = 0; userid < USERS; userid++)
+			if (users[userid].active && !users[userid].disabled &&
+			    users[userid].last_pkt + 60 > time(NULL) &&
+			    users[userid].q_sendrealsoon.id != 0 &&
+			    users[userid].conn == CONN_DNS_NULL &&
+			    !users[userid].q_sendrealsoon_new)
+				send_chunk_or_dataless(dns_fd, userid, &users[userid].q_sendrealsoon);
+	}
+
+	return 0;
+}
+
+static void
+handle_full_packet(int tun_fd, int dns_fd, int userid)
+{
+	unsigned long outlen;
+	char out[64*1024];
+	int touser;
+	int ret;
+
+	outlen = sizeof(out);
+	ret = uncompress((uint8_t*)out, &outlen, 
+		   (uint8_t*)users[userid].inpacket.data, users[userid].inpacket.len);
+
+	if (ret == Z_OK) {
+		struct ip *hdr;
+
+		hdr = (struct ip*) (out + 4);
+		touser = find_user_by_ip(hdr->ip_dst.s_addr);
+
+		if (touser == -1) {
+			/* send the uncompressed packet to tun device */
+			write_tun(tun_fd, out, outlen);
+		} else {
+			/* send the compressed(!) packet to other client */
+		/*XXX START adjust indent 1 tab forward*/
+		if (users[touser].conn == CONN_DNS_NULL) {
+			if (users[touser].outpacket.len == 0) {
+				start_new_outpacket(touser,
+					users[userid].inpacket.data,
+					users[userid].inpacket.len);
+
+				/* Start sending immediately if query is waiting */
+				if (users[touser].q_sendrealsoon.id != 0)
+					send_chunk_or_dataless(dns_fd, touser, &users[touser].q_sendrealsoon);
+				else if (users[touser].q.id != 0)
+					send_chunk_or_dataless(dns_fd, touser, &users[touser].q);
+#ifdef OUTPACKETQ_LEN
+			} else {
+				save_to_outpacketq(touser,
+					users[userid].inpacket.data,
+					users[userid].inpacket.len);
+#endif
+			}
+		} else{ /* CONN_RAW_UDP */
+			send_raw(dns_fd, users[userid].inpacket.data,
+				 users[userid].inpacket.len, touser,
+				 RAW_HDR_CMD_DATA, &users[touser].q);
+		}
+		/*XXX END adjust indent 1 tab forward*/
+		}
+	} else {
+		if (debug >= 1)
+			fprintf(stderr, "Discarded data, uncompress() result: %d\n", ret);
+	}
+
+	/* This packet is done */
+	users[userid].inpacket.len = 0;
+	users[userid].inpacket.offset = 0;
+}
+
+static void
+handle_raw_login(char *packet, int len, struct query *q, int fd, int userid)
+{
+	char myhash[16];
+	
+	if (len < 16) return;
+
+	/* can't use check_user_and_ip() since IP address will be different,
+	   so duplicate here except IP address */
+	if (userid < 0 || userid >= created_users) return;
+	if (!users[userid].active || users[userid].disabled) return;
+	if (users[userid].last_pkt + 60 < time(NULL)) return;
+
+	if (debug >= 1) {
+		fprintf(stderr, "IN   login raw, len %d, from user %d\n",
+			len, userid);
+	}
+
+	/* User sends hash of seed + 1 */
+	login_calculate(myhash, 16, password, users[userid].seed + 1);
+	if (memcmp(packet, myhash, 16) == 0) {
+		struct sockaddr_in *tempin;
+
+		/* Update query and time info for user */
+		users[userid].last_pkt = time(NULL);
+		memcpy(&(users[userid].q), q, sizeof(struct query));
+
+		/* Store remote IP number */
+		tempin = (struct sockaddr_in *) &(q->from);
+		memcpy(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
+		 
+		/* Correct hash, reply with hash of seed - 1 */
+		user_set_conn_type(userid, CONN_RAW_UDP);
+		login_calculate(myhash, 16, password, users[userid].seed - 1);
+		send_raw(fd, myhash, 16, userid, RAW_HDR_CMD_LOGIN, q);
+	}
+}
+
+static void
+handle_raw_data(char *packet, int len, struct query *q, int dns_fd, int tun_fd, int userid)
+{
+	if (check_user_and_ip(userid, q) != 0) {
+		return;
+	}
+
+	/* Update query and time info for user */
+	users[userid].last_pkt = time(NULL);
+	memcpy(&(users[userid].q), q, sizeof(struct query));
+
+	/* copy to packet buffer, update length */
+	users[userid].inpacket.offset = 0;
+	memcpy(users[userid].inpacket.data, packet, len);
+	users[userid].inpacket.len = len;
+
+	if (debug >= 1) {
+		fprintf(stderr, "IN   pkt raw, total %d, from user %d\n",
+			users[userid].inpacket.len, userid);
+	}
+
+	handle_full_packet(tun_fd, dns_fd, userid);
+}
+
+static void
+handle_raw_ping(struct query *q, int dns_fd, int userid)
+{
+	if (check_user_and_ip(userid, q) != 0) {
+		return;
+	}
+
+	/* Update query and time info for user */
+	users[userid].last_pkt = time(NULL);
+	memcpy(&(users[userid].q), q, sizeof(struct query));
+
+	if (debug >= 1) {
+		fprintf(stderr, "IN   ping raw, from user %d\n", userid);
+	}
+
+	/* Send ping reply */
+	send_raw(dns_fd, NULL, 0, userid, RAW_HDR_CMD_PING, q);
+}
+
+static int
+raw_decode(char *packet, int len, struct query *q, int dns_fd, int tun_fd)
+{
+	int raw_user;
+
+	/* minimum length */
+	if (len < RAW_HDR_LEN) return 0;
+	/* should start with header */
+	if (memcmp(packet, raw_header, RAW_HDR_IDENT_LEN)) return 0;
+
+	raw_user = RAW_HDR_GET_USR(packet);
+	switch (RAW_HDR_GET_CMD(packet)) {
+	case RAW_HDR_CMD_LOGIN:
+		/* Login challenge */
+		handle_raw_login(&packet[RAW_HDR_LEN], len - RAW_HDR_LEN, q, dns_fd, raw_user);
+		break;
+	case RAW_HDR_CMD_DATA:
+		/* Data packet */
+		handle_raw_data(&packet[RAW_HDR_LEN], len - RAW_HDR_LEN, q, dns_fd, tun_fd, raw_user);
+		break;
+	case RAW_HDR_CMD_PING:
+		/* Keepalive packet */
+		handle_raw_ping(q, dns_fd, raw_user);
+		break;
+	default:
+		warnx("Unhandled raw command %02X from user %d", RAW_HDR_GET_CMD(packet), raw_user);
+		break;
+	}
+	return 1;
+}
+
+static int
+read_dns(int fd, int tun_fd, struct query *q) /* FIXME: tun_fd is because of raw_decode() below */
+{
+	struct sockaddr_in from;
+	socklen_t addrlen;
+	char packet[64*1024];
+	int r;
+#ifndef WINDOWS32
+	char address[96];
+	struct msghdr msg;
+	struct iovec iov;
+	struct cmsghdr *cmsg;
+
+	addrlen = sizeof(struct sockaddr);
+	iov.iov_base = packet;
+	iov.iov_len = sizeof(packet);
+
+	msg.msg_name = (caddr_t) &from;
+	msg.msg_namelen = (unsigned) addrlen;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = address;
+	msg.msg_controllen = sizeof(address);
+	msg.msg_flags = 0;
+	
+	r = recvmsg(fd, &msg, 0);
+#else
+	addrlen = sizeof(struct sockaddr);
+	r = recvfrom(fd, packet, sizeof(packet), 0, (struct sockaddr*)&from, &addrlen);
+#endif /* !WINDOWS32 */
+
+	if (r > 0) {
+		memcpy((struct sockaddr*)&q->from, (struct sockaddr*)&from, addrlen);
+		q->fromlen = addrlen;
+
+		/* TODO do not handle raw packets here! */
+		if (raw_decode(packet, r, q, fd, tun_fd)) {
+			return 0;
+		}
+		if (dns_decode(NULL, 0, q, QR_QUERY, packet, r) < 0) {
+			return 0;
+		}
+		
+#ifndef WINDOWS32
+		for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; 
+			cmsg = CMSG_NXTHDR(&msg, cmsg)) { 
+			
+			if (cmsg->cmsg_level == IPPROTO_IP && 
+				cmsg->cmsg_type == DSTADDR_SOCKOPT) { 
+				
+				q->destination = *dstaddr(cmsg); 
+				break;
+			} 
+		}
+#endif
+
+		return strlen(q->name);
+	} else if (r < 0) { 
+		/* Error */
+		warn("read dns");
+	}
+
+	return 0;
+}
+
+static size_t
+write_dns_nameenc(char *buf, size_t buflen, char *data, int datalen, char downenc)
+/* Returns #bytes of data that were encoded */
+{
+	static int td1 = 0;
+	static int td2 = 0;
+	size_t space;
+	char *b;
+
+	/* Make a rotating topdomain to prevent filtering */
+	td1+=3;
+	td2+=7;
+	if (td1>=26) td1-=26;
+	if (td2>=25) td2-=25;
+
+	/* encode data,datalen to CNAME/MX answer
+	   (adapted from build_hostname() in encoding.c)
+	 */
+
+	space = MIN(0xFF, buflen) - 4 - 2;
+	/* -1 encoding type, -3 ".xy", -2 for safety */
+
+	memset(buf, 0, sizeof(buf));
+
+	if (downenc == 'S') {
+		buf[0] = 'i';
+		if (!b64->places_dots())
+			space -= (space / 57);	/* space for dots */
+		b64->encode(buf+1, &space, data, datalen);
+		if (!b64->places_dots())
+			inline_dotify(buf, buflen);
+	} else if (downenc == 'U') {
+		buf[0] = 'j';
+		if (!b64u->places_dots())
+			space -= (space / 57);	/* space for dots */
+		b64u->encode(buf+1, &space, data, datalen);
+		if (!b64u->places_dots())
+			inline_dotify(buf, buflen);
+	} else if (downenc == 'V') {
+		buf[0] = 'k';
+		if (!b128->places_dots())
+			space -= (space / 57);	/* space for dots */
+		b128->encode(buf+1, &space, data, datalen);
+		if (!b128->places_dots())
+			inline_dotify(buf, buflen);
+	} else {
+		buf[0] = 'h';
+		if (!b32->places_dots())
+			space -= (space / 57);	/* space for dots */
+		b32->encode(buf+1, &space, data, datalen);
+		if (!b32->places_dots())
+			inline_dotify(buf, buflen);
+	}
+
+	/* Add dot (if it wasn't there already) and topdomain */
+	b = buf;
+	b += strlen(buf) - 1;
+	if (*b != '.') 
+		*++b = '.';
+        b++;
+
+	*b = 'a' + td1;
+	b++;
+	*b = 'a' + td2;
+	b++;
+	*b = '\0';
+
+	return space;
+}
+
+static void
+write_dns(int fd, struct query *q, char *data, int datalen, char downenc)
+{
+	char buf[64*1024];
+	int len = 0;
+
+	if (q->type == T_CNAME || q->type == T_A) {
+		char cnamebuf[1024];		/* max 255 */
+
+		write_dns_nameenc(cnamebuf, sizeof(cnamebuf),
+				  data, datalen, downenc);
+
+		len = dns_encode(buf, sizeof(buf), q, QR_ANSWER, cnamebuf,
+				 sizeof(cnamebuf));
+	} else if (q->type == T_MX || q->type == T_SRV) {
+		char mxbuf[64*1024];
+		char *b = mxbuf;
+		int offset = 0;
+		int res;
+
+		while (1) {
+			res = write_dns_nameenc(b, sizeof(mxbuf) - (b - mxbuf),
+						data + offset,
+						datalen - offset, downenc);
+			if (res < 1) {
+				/* nothing encoded */
+				b++;	/* for final \0 */
+				break;
+			}
+
+			b = b + strlen(b) + 1;
+
+			offset += res;
+			if (offset >= datalen)
+				break;
+		}
+
+		/* Add final \0 */
+		*b = '\0';
+
+		len = dns_encode(buf, sizeof(buf), q, QR_ANSWER, mxbuf,
+				 sizeof(mxbuf));
+	} else if (q->type == T_TXT) {
+		/* TXT with base32 */
+		char txtbuf[64*1024];
+		size_t space = sizeof(txtbuf) - 1;;
+
+		memset(txtbuf, 0, sizeof(txtbuf));
+
+		if (downenc == 'S') {
+			txtbuf[0] = 's';	/* plain base64(Sixty-four) */
+			len = b64->encode(txtbuf+1, &space, data, datalen);
+		}
+		else if (downenc == 'U') {
+			txtbuf[0] = 'u';	/* Base64 with Underscore */
+			len = b64u->encode(txtbuf+1, &space, data, datalen);
+		}
+		else if (downenc == 'V') {
+			txtbuf[0] = 'v';	/* Base128 */
+			len = b128->encode(txtbuf+1, &space, data, datalen);
+		}
+		else if (downenc == 'R') {
+			txtbuf[0] = 'r';	/* Raw binary data */
+			len = MIN(datalen, sizeof(txtbuf) - 1);
+			memcpy(txtbuf + 1, data, len);
+		} else {
+			txtbuf[0] = 't';	/* plain base32(Thirty-two) */
+			len = b32->encode(txtbuf+1, &space, data, datalen);
+		}
+		len = dns_encode(buf, sizeof(buf), q, QR_ANSWER, txtbuf, len+1);
+	} else {
+		/* Normal NULL-record encode */
+		len = dns_encode(buf, sizeof(buf), q, QR_ANSWER, data, datalen);
+	}
+
+	if (len < 1) {
+		warnx("dns_encode doesn't fit");
+		return;
+	}
+	
+	if (debug >= 2) {
+		struct sockaddr_in *tempin;
+		tempin = (struct sockaddr_in *) &(q->from);
+		fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes data\n", 
+			inet_ntoa(tempin->sin_addr), q->type, q->name, datalen);
+	}
+
+	sendto(fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen);
+}
+
+static void
+usage() {
+	extern char *__progname;
+
+	fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
+		"[-t chrootdir] [-d device] [-m mtu] [-z context] "
+		"[-l ip address to listen on] [-p port] [-n external ip] "
+		"[-b dnsport] [-P password] [-F pidfile] "
+		"tunnel_ip[/netmask] topdomain\n", __progname);
+	exit(2);
+}
+
+static void
+help() {
+	extern char *__progname;
+
+	fprintf(stderr, "iodine IP over DNS tunneling server\n");
+	fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
+		"[-t chrootdir] [-d device] [-m mtu] [-z context] "
+		"[-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password] "
+		"[-F pidfile] tunnel_ip[/netmask] topdomain\n", __progname);
+	fprintf(stderr, "  -v to print version info and exit\n");
+	fprintf(stderr, "  -h to print this help and exit\n");
+	fprintf(stderr, "  -c to disable check of client IP/port on each request\n");
+	fprintf(stderr, "  -s to skip creating and configuring the tun device, "
+		"which then has to be created manually\n");
+	fprintf(stderr, "  -f to keep running in foreground\n");
+	fprintf(stderr, "  -D to increase debug level\n");
+	fprintf(stderr, "     (using -DD in UTF-8 terminal: \"LC_ALL=C luit iodined -DD ...\")\n");
+	fprintf(stderr, "  -u name to drop privileges and run as user 'name'\n");
+	fprintf(stderr, "  -t dir to chroot to directory dir\n");
+	fprintf(stderr, "  -d device to set tunnel device name\n");
+	fprintf(stderr, "  -m mtu to set tunnel device mtu\n");
+	fprintf(stderr, "  -z context to apply SELinux context after initialization\n");
+	fprintf(stderr, "  -l ip address to listen on for incoming dns traffic "
+		"(default 0.0.0.0)\n");
+	fprintf(stderr, "  -p port to listen on for incoming dns traffic (default 53)\n");
+	fprintf(stderr, "  -n ip to respond with to NS queries\n");
+	fprintf(stderr, "  -b port to forward normal DNS queries to (on localhost)\n");
+	fprintf(stderr, "  -P password used for authentication (max 32 chars will be used)\n");
+	fprintf(stderr, "  -F pidfile to write pid to a file\n");
+	fprintf(stderr, "tunnel_ip is the IP number of the local tunnel interface.\n");
+	fprintf(stderr, "   /netmask sets the size of the tunnel network.\n");
+	fprintf(stderr, "topdomain is the FQDN that is delegated to this server.\n");
+	exit(0);
+}
+
+static void
+version() {
+	fprintf(stderr, "iodine IP over DNS tunneling server\n");
+	fprintf(stderr, "version: 0.6.0-rc1 from 2010-02-13\n");
+	exit(0);
+}
+
+int
+main(int argc, char **argv)
+{
+	extern char *__progname;
+	in_addr_t listen_ip;
+#ifndef WINDOWS32
+	struct passwd *pw;
+#endif
+	int foreground;
+	char *username;
+	char *newroot;
+	char *context;
+	char *device;
+	char *pidfile;
+	int dnsd_fd;
+	int tun_fd;
+
+	/* settings for forwarding normal DNS to 
+	 * local real DNS server */
+	int bind_fd;
+	int bind_enable;
+	
+	int choice;
+	int port;
+	int mtu;
+	int skipipconfig;
+	char *netsize;
+	int retval;
+
+#ifndef WINDOWS32
+	pw = NULL;
+#endif
+	username = NULL;
+	newroot = NULL;
+	context = NULL;
+	device = NULL;
+	foreground = 0;
+	bind_enable = 0;
+	bind_fd = 0;
+	mtu = 1130;	/* Very many relays give fragsize 1150 or slightly
+			   higher for NULL; tun/zlib adds ~17 bytes. */
+	listen_ip = INADDR_ANY;
+	port = 53;
+	ns_ip = INADDR_ANY;
+	check_ip = 1;
+	skipipconfig = 0;
+	debug = 0;
+	netmask = 27;
+	pidfile = NULL;
+
+	b32 = get_base32_encoder();
+	b64 = get_base64_encoder();
+	b64u = get_base64u_encoder();
+	b128 = get_base128_encoder();
+	
+	retval = 0;
+
+#ifdef WINDOWS32
+	WSAStartup(req_version, &wsa_data);
+#endif
+
+#if !defined(BSD) && !defined(__GLIBC__)
+	__progname = strrchr(argv[0], '/');
+	if (__progname == NULL)
+		__progname = argv[0];
+	else
+		__progname++;
+#endif
+
+	memset(password, 0, sizeof(password));
+	srand(time(NULL));
+	fw_query_init();
+	
+	while ((choice = getopt(argc, argv, "vcsfhDu:t:d:m:l:p:n:b:P:z:F:")) != -1) {
+		switch(choice) {
+		case 'v':
+			version();
+			break;
+		case 'c':
+			check_ip = 0;
+			break;
+		case 's':
+			skipipconfig = 1;
+			break;
+		case 'f':
+			foreground = 1;
+			break;
+		case 'h':
+			help();
+			break;
+		case 'D':
+			debug++;
+			break;
+		case 'u':
+			username = optarg;
+			break;
+		case 't':
+			newroot = optarg;
+			break;
+		case 'd':
+			device = optarg;
+			break;
+		case 'm':
+			mtu = atoi(optarg);
+			break;
+		case 'l':
+			listen_ip = inet_addr(optarg);
+			break;
+		case 'p':
+			port = atoi(optarg);
+			break;
+		case 'n':
+			ns_ip = inet_addr(optarg);
+			break;
+		case 'b':
+			bind_enable = 1;
+			bind_port = atoi(optarg);
+			break;
+		case 'F':
+			pidfile = optarg;
+			break;    
+		case 'P':
+			strncpy(password, optarg, sizeof(password));
+			password[sizeof(password)-1] = 0;
+			
+			/* XXX: find better way of cleaning up ps(1) */
+			memset(optarg, 0, strlen(optarg)); 
+			break;
+		case 'z':
+			context = optarg;
+			break;
+		default:
+			usage();
+			break;
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	check_superuser(usage);
+
+	if (argc != 2) 
+		usage();
+	
+	netsize = strchr(argv[0], '/');
+	if (netsize) {
+		*netsize = 0;
+		netsize++;
+		netmask = atoi(netsize);
+	}
+
+	my_ip = inet_addr(argv[0]);
+	
+	if (my_ip == INADDR_NONE) {
+		warnx("Bad IP address to use inside tunnel.");
+		usage();
+	}
+
+	topdomain = strdup(argv[1]);
+	if (strlen(topdomain) <= 128) {
+		if(check_topdomain(topdomain)) {
+			warnx("Topdomain contains invalid characters.");
+			usage();
+		}
+	} else {
+		warnx("Use a topdomain max 128 chars long.");
+		usage();
+	}
+
+	if (username != NULL) {
+#ifndef WINDOWS32
+		if ((pw = getpwnam(username)) == NULL) {
+			warnx("User %s does not exist!", username);
+			usage();
+		}
+#endif
+	}
+
+	if (mtu <= 0) {
+		warnx("Bad MTU given.");
+		usage();
+	}
+	
+	if(port < 1 || port > 65535) {
+		warnx("Bad port number given.");
+		usage();
+	}
+	
+	if(bind_enable) {
+		if (bind_port < 1 || bind_port > 65535) {
+			warnx("Bad DNS server port number given.");
+			usage();
+			/* NOTREACHED */
+		}
+		/* Avoid forwarding loops */
+		if (bind_port == port && (listen_ip == INADDR_ANY || listen_ip == htonl(0x7f000001L))) {
+			warnx("Forward port is same as listen port (%d), will create a loop!", bind_port);
+			fprintf(stderr, "Use -l to set listen ip to avoid this.\n");
+			usage();
+			/* NOTREACHED */
+		}
+		fprintf(stderr, "Requests for domains outside of %s will be forwarded to port %d\n",
+			topdomain, bind_port);
+	}
+	
+	if (port != 53) {
+		fprintf(stderr, "ALERT! Other dns servers expect you to run on port 53.\n");
+		fprintf(stderr, "You must manually forward port 53 to port %d for things to work.\n", port);
+	}
+
+	if (debug) {
+		fprintf(stderr, "Debug level %d enabled, will stay in foreground.\n", debug);
+		fprintf(stderr, "Add more -D switches to set higher debug level.\n");
+		foreground = 1;
+	}
+
+	if (listen_ip == INADDR_NONE) {
+		warnx("Bad IP address to listen on.");
+		usage();
+	}
+	
+	if (ns_ip == INADDR_NONE) {
+		warnx("Bad IP address to return as nameserver.");
+		usage();
+	}
+	if (netmask > 30 || netmask < 8) {
+		warnx("Bad netmask (%d bits). Use 8-30 bits.", netmask);
+		usage();
+	}
+	
+	if (strlen(password) == 0) {
+		if (NULL != getenv(PASSWORD_ENV_VAR))
+			snprintf(password, sizeof(password), "%s", getenv(PASSWORD_ENV_VAR));
+		else
+			read_password(password, sizeof(password));
+	}
+
+	created_users = init_users(my_ip, netmask);
+
+	if ((tun_fd = open_tun(device)) == -1) {
+		retval = 1;
+		goto cleanup0;
+	}
+	if (!skipipconfig) {
+		if (tun_setip(argv[0], users_get_first_ip(), netmask) != 0 || tun_setmtu(mtu) != 0) {
+			retval = 1;
+			goto cleanup1;
+		}
+	}
+	if ((dnsd_fd = open_dns(port, listen_ip)) == -1) {
+		retval = 1;
+		goto cleanup2;
+	}
+	if (bind_enable) {
+		if ((bind_fd = open_dns(0, INADDR_ANY)) == -1) {
+			retval = 1;
+			goto cleanup3;
+		}
+	}
+
+	my_mtu = mtu;
+	
+	if (created_users < USERS) {
+		fprintf(stderr, "Limiting to %d simultaneous users because of netmask /%d\n",
+			created_users, netmask);
+	}
+	fprintf(stderr, "Listening to dns for domain %s\n", topdomain);
+
+	if (foreground == 0) 
+		do_detach();
+	
+	if (pidfile != NULL)
+		do_pidfile(pidfile);
+
+#ifdef FREEBSD
+	tzsetwall();
+#endif
+#ifndef WINDOWS32
+	openlog( __progname, LOG_NDELAY, LOG_DAEMON );
+#endif
+
+	if (newroot != NULL)
+		do_chroot(newroot);
+
+	signal(SIGINT, sigint);
+	if (username != NULL) {
+#ifndef WINDOWS32
+		gid_t gids[1];
+		gids[0] = pw->pw_gid;
+		if (setgroups(1, gids) < 0 || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) {
+			warnx("Could not switch to user %s!\n", username);
+			usage();
+		}
+#endif
+	}
+
+	if (context != NULL)
+		do_setcon(context);
+
+	syslog(LOG_INFO, "started, listening on port %d", port);
+	
+	tunnel(tun_fd, dnsd_fd, bind_fd);
+
+	syslog(LOG_INFO, "stopping");
+cleanup3:
+	close_dns(bind_fd);
+cleanup2:
+	close_dns(dnsd_fd);
+cleanup1:
+	close_tun(tun_fd);	
+cleanup0:
+
+	return retval;
+}
diff --git a/jni/iodine/src/login.c b/jni/iodine/src/login.c
new file mode 100644
index 0000000..c8827c3
--- /dev/null
+++ b/jni/iodine/src/login.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <sys/types.h>
+
+#ifdef WINDOWS32
+#include "windows.h"
+#else
+#include <arpa/inet.h>
+#endif
+
+#include "md5.h"
+
+/* 
+ * Needs a 16byte array for output, and 32 bytes password 
+ */
+void 
+login_calculate(char *buf, int buflen, const char *pass, int seed) 
+{
+	unsigned char temp[32];
+	md5_state_t ctx;
+	int *ix;
+	int i;
+	int k;
+
+	if (buflen < 16) 
+		return;
+
+	memcpy(temp, pass, 32);
+	ix = (int*) temp;
+
+	for (i = 0; i < 8; i++) {
+		k = ntohl(*ix);
+		k ^= seed;
+		*ix++ = htonl(k);
+	}
+
+	md5_init(&ctx);
+	md5_append(&ctx, temp, 32);
+	md5_finish(&ctx, (unsigned char *) buf);
+
+}
+
diff --git a/jni/iodine/src/login.h b/jni/iodine/src/login.h
new file mode 100644
index 0000000..840c920
--- /dev/null
+++ b/jni/iodine/src/login.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __LOGIN_H__
+#define __LOGIN_H__
+
+void login_calculate(char *, int, const char *, int);
+
+#endif
+
diff --git a/jni/iodine/src/md5.c b/jni/iodine/src/md5.c
new file mode 100644
index 0000000..89d3d5e
--- /dev/null
+++ b/jni/iodine/src/md5.c
@@ -0,0 +1,384 @@
+/*
+  Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  L. Peter Deutsch
+  ghost@aladdin.com
+
+ */
+/* $Id: md5.c,v 1.6 2002/04/13 19:20:28 lpd Exp $ */
+/*
+  Independent implementation of MD5 (RFC 1321).
+
+  This code implements the MD5 Algorithm defined in RFC 1321, whose
+  text is available at
+	http://www.ietf.org/rfc/rfc1321.txt
+  The code is derived from the text of the RFC, including the test suite
+  (section A.5) but excluding the rest of Appendix A.  It does not include
+  any code or documentation that is identified in the RFC as being
+  copyrighted.
+
+  The original and principal author of md5.c is L. Peter Deutsch
+  <ghost@aladdin.com>.  Other authors are noted in the change history
+  that follows (in reverse chronological order):
+
+  2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order
+	either statically or dynamically; added missing #include <string.h>
+	in library.
+  2002-03-11 lpd Corrected argument list for main(), and added int return
+	type, in test program and T value program.
+  2002-02-21 lpd Added missing #include <stdio.h> in test program.
+  2000-07-03 lpd Patched to eliminate warnings about "constant is
+	unsigned in ANSI C, signed in traditional"; made test program
+	self-checking.
+  1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+  1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5).
+  1999-05-03 lpd Original version.
+ */
+
+#include "md5.h"
+#include <string.h>
+
+#undef BYTE_ORDER	/* 1 = big-endian, -1 = little-endian, 0 = unknown */
+#ifdef ARCH_IS_BIG_ENDIAN
+#  define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1)
+#else
+#  define BYTE_ORDER 0
+#endif
+
+#define T_MASK ((md5_word_t)~0)
+#define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87)
+#define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9)
+#define T3    0x242070db
+#define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111)
+#define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050)
+#define T6    0x4787c62a
+#define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec)
+#define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe)
+#define T9    0x698098d8
+#define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850)
+#define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e)
+#define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841)
+#define T13    0x6b901122
+#define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c)
+#define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71)
+#define T16    0x49b40821
+#define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d)
+#define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf)
+#define T19    0x265e5a51
+#define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855)
+#define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2)
+#define T22    0x02441453
+#define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e)
+#define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437)
+#define T25    0x21e1cde6
+#define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829)
+#define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278)
+#define T28    0x455a14ed
+#define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa)
+#define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07)
+#define T31    0x676f02d9
+#define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375)
+#define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd)
+#define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e)
+#define T35    0x6d9d6122
+#define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3)
+#define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb)
+#define T38    0x4bdecfa9
+#define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f)
+#define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f)
+#define T41    0x289b7ec6
+#define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805)
+#define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a)
+#define T44    0x04881d05
+#define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6)
+#define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a)
+#define T47    0x1fa27cf8
+#define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a)
+#define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb)
+#define T50    0x432aff97
+#define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58)
+#define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6)
+#define T53    0x655b59c3
+#define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d)
+#define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82)
+#define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e)
+#define T57    0x6fa87e4f
+#define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f)
+#define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb)
+#define T60    0x4e0811a1
+#define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d)
+#define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca)
+#define T63    0x2ad7d2bb
+#define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e)
+
+
+static void
+md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/)
+{
+    md5_word_t
+	a = pms->abcd[0], b = pms->abcd[1],
+	c = pms->abcd[2], d = pms->abcd[3];
+    md5_word_t t;
+#if BYTE_ORDER > 0
+    /* Define storage only for big-endian CPUs. */
+    md5_word_t X[16];
+#else
+    /* Define storage for little-endian or both types of CPUs. */
+    md5_word_t xbuf[16];
+    const md5_word_t *X;
+#endif
+
+    {
+#if BYTE_ORDER == 0
+	/*
+	 * Determine dynamically whether this is a big-endian or
+	 * little-endian machine, since we can use a more efficient
+	 * algorithm on the latter.
+	 */
+	static const int w = 1;
+
+	if (*((const md5_byte_t *)&w)) /* dynamic little-endian */
+#endif
+#if BYTE_ORDER <= 0		/* little-endian */
+	{
+	    /*
+	     * On little-endian machines, we can process properly aligned
+	     * data without copying it.
+	     */
+	    if (!((data - (const md5_byte_t *)0) & 3)) {
+		/* data are properly aligned */
+		X = (const md5_word_t *)data;
+	    } else {
+		/* not aligned */
+		memcpy(xbuf, data, 64);
+		X = xbuf;
+	    }
+	}
+#endif
+#if BYTE_ORDER == 0
+	else			/* dynamic big-endian */
+#endif
+#if BYTE_ORDER >= 0		/* big-endian */
+	{
+	    /*
+	     * On big-endian machines, we must arrange the bytes in the
+	     * right order.
+	     */
+	    const md5_byte_t *xp = data;
+	    int i;
+
+#  if BYTE_ORDER == 0
+	    X = xbuf;		/* (dynamic only) */
+#  else
+#    define xbuf X		/* (static only) */
+#  endif
+	    for (i = 0; i < 16; ++i, xp += 4)
+		xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24);
+	}
+#endif
+    }
+
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+    /* Round 1. */
+    /* Let [abcd k s i] denote the operation
+       a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
+#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + F(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+    /* Do the following 16 operations. */
+    SET(a, b, c, d,  0,  7,  T1);
+    SET(d, a, b, c,  1, 12,  T2);
+    SET(c, d, a, b,  2, 17,  T3);
+    SET(b, c, d, a,  3, 22,  T4);
+    SET(a, b, c, d,  4,  7,  T5);
+    SET(d, a, b, c,  5, 12,  T6);
+    SET(c, d, a, b,  6, 17,  T7);
+    SET(b, c, d, a,  7, 22,  T8);
+    SET(a, b, c, d,  8,  7,  T9);
+    SET(d, a, b, c,  9, 12, T10);
+    SET(c, d, a, b, 10, 17, T11);
+    SET(b, c, d, a, 11, 22, T12);
+    SET(a, b, c, d, 12,  7, T13);
+    SET(d, a, b, c, 13, 12, T14);
+    SET(c, d, a, b, 14, 17, T15);
+    SET(b, c, d, a, 15, 22, T16);
+#undef SET
+
+     /* Round 2. */
+     /* Let [abcd k s i] denote the operation
+          a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
+#define G(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + G(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  1,  5, T17);
+    SET(d, a, b, c,  6,  9, T18);
+    SET(c, d, a, b, 11, 14, T19);
+    SET(b, c, d, a,  0, 20, T20);
+    SET(a, b, c, d,  5,  5, T21);
+    SET(d, a, b, c, 10,  9, T22);
+    SET(c, d, a, b, 15, 14, T23);
+    SET(b, c, d, a,  4, 20, T24);
+    SET(a, b, c, d,  9,  5, T25);
+    SET(d, a, b, c, 14,  9, T26);
+    SET(c, d, a, b,  3, 14, T27);
+    SET(b, c, d, a,  8, 20, T28);
+    SET(a, b, c, d, 13,  5, T29);
+    SET(d, a, b, c,  2,  9, T30);
+    SET(c, d, a, b,  7, 14, T31);
+    SET(b, c, d, a, 12, 20, T32);
+#undef SET
+
+     /* Round 3. */
+     /* Let [abcd k s t] denote the operation
+          a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + H(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  5,  4, T33);
+    SET(d, a, b, c,  8, 11, T34);
+    SET(c, d, a, b, 11, 16, T35);
+    SET(b, c, d, a, 14, 23, T36);
+    SET(a, b, c, d,  1,  4, T37);
+    SET(d, a, b, c,  4, 11, T38);
+    SET(c, d, a, b,  7, 16, T39);
+    SET(b, c, d, a, 10, 23, T40);
+    SET(a, b, c, d, 13,  4, T41);
+    SET(d, a, b, c,  0, 11, T42);
+    SET(c, d, a, b,  3, 16, T43);
+    SET(b, c, d, a,  6, 23, T44);
+    SET(a, b, c, d,  9,  4, T45);
+    SET(d, a, b, c, 12, 11, T46);
+    SET(c, d, a, b, 15, 16, T47);
+    SET(b, c, d, a,  2, 23, T48);
+#undef SET
+
+     /* Round 4. */
+     /* Let [abcd k s t] denote the operation
+          a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
+#define I(x, y, z) ((y) ^ ((x) | ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + I(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  0,  6, T49);
+    SET(d, a, b, c,  7, 10, T50);
+    SET(c, d, a, b, 14, 15, T51);
+    SET(b, c, d, a,  5, 21, T52);
+    SET(a, b, c, d, 12,  6, T53);
+    SET(d, a, b, c,  3, 10, T54);
+    SET(c, d, a, b, 10, 15, T55);
+    SET(b, c, d, a,  1, 21, T56);
+    SET(a, b, c, d,  8,  6, T57);
+    SET(d, a, b, c, 15, 10, T58);
+    SET(c, d, a, b,  6, 15, T59);
+    SET(b, c, d, a, 13, 21, T60);
+    SET(a, b, c, d,  4,  6, T61);
+    SET(d, a, b, c, 11, 10, T62);
+    SET(c, d, a, b,  2, 15, T63);
+    SET(b, c, d, a,  9, 21, T64);
+#undef SET
+
+     /* Then perform the following additions. (That is increment each
+        of the four registers by the value it had before this block
+        was started.) */
+    pms->abcd[0] += a;
+    pms->abcd[1] += b;
+    pms->abcd[2] += c;
+    pms->abcd[3] += d;
+}
+
+void
+md5_init(md5_state_t *pms)
+{
+    pms->count[0] = pms->count[1] = 0;
+    pms->abcd[0] = 0x67452301;
+    pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476;
+    pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301;
+    pms->abcd[3] = 0x10325476;
+}
+
+void
+md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes)
+{
+    const md5_byte_t *p = data;
+    int left = nbytes;
+    int offset = (pms->count[0] >> 3) & 63;
+    md5_word_t nbits = (md5_word_t)(nbytes << 3);
+
+    if (nbytes <= 0)
+	return;
+
+    /* Update the message length. */
+    pms->count[1] += nbytes >> 29;
+    pms->count[0] += nbits;
+    if (pms->count[0] < nbits)
+	pms->count[1]++;
+
+    /* Process an initial partial block. */
+    if (offset) {
+	int copy = (offset + nbytes > 64 ? 64 - offset : nbytes);
+
+	memcpy(pms->buf + offset, p, copy);
+	if (offset + copy < 64)
+	    return;
+	p += copy;
+	left -= copy;
+	md5_process(pms, pms->buf);
+    }
+
+    /* Process full blocks. */
+    for (; left >= 64; p += 64, left -= 64)
+	md5_process(pms, p);
+
+    /* Process a final partial block. */
+    if (left)
+	memcpy(pms->buf, p, left);
+}
+
+void
+md5_finish(md5_state_t *pms, md5_byte_t digest[16])
+{
+    static const md5_byte_t pad[64] = {
+	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    };
+    md5_byte_t data[8];
+    int i;
+
+    /* Save the length before padding. */
+    for (i = 0; i < 8; ++i)
+	data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3));
+    /* Pad to 56 bytes mod 64. */
+    md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1);
+    /* Append the length. */
+    md5_append(pms, data, 8);
+    for (i = 0; i < 16; ++i)
+	digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3));
+}
+
+
+
diff --git a/jni/iodine/src/md5.h b/jni/iodine/src/md5.h
new file mode 100644
index 0000000..698c995
--- /dev/null
+++ b/jni/iodine/src/md5.h
@@ -0,0 +1,91 @@
+/*
+  Copyright (C) 1999, 2002 Aladdin Enterprises.  All rights reserved.
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  L. Peter Deutsch
+  ghost@aladdin.com
+
+ */
+/* $Id: md5.h,v 1.4 2002/04/13 19:20:28 lpd Exp $ */
+/*
+  Independent implementation of MD5 (RFC 1321).
+
+  This code implements the MD5 Algorithm defined in RFC 1321, whose
+  text is available at
+	http://www.ietf.org/rfc/rfc1321.txt
+  The code is derived from the text of the RFC, including the test suite
+  (section A.5) but excluding the rest of Appendix A.  It does not include
+  any code or documentation that is identified in the RFC as being
+  copyrighted.
+
+  The original and principal author of md5.h is L. Peter Deutsch
+  <ghost@aladdin.com>.  Other authors are noted in the change history
+  that follows (in reverse chronological order):
+
+  2002-04-13 lpd Removed support for non-ANSI compilers; removed
+	references to Ghostscript; clarified derivation from RFC 1321;
+	now handles byte order either statically or dynamically.
+  1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+  1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5);
+	added conditionalization for C++ compilation from Martin
+	Purschke <purschke@bnl.gov>.
+  1999-05-03 lpd Original version.
+ */
+
+#ifndef md5_INCLUDED
+#  define md5_INCLUDED
+
+/*
+ * This package supports both compile-time and run-time determination of CPU
+ * byte order.  If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be
+ * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is
+ * defined as non-zero, the code will be compiled to run only on big-endian
+ * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to
+ * run on either big- or little-endian CPUs, but will run slightly less
+ * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined.
+ */
+
+typedef unsigned char md5_byte_t; /* 8-bit byte */
+typedef unsigned int md5_word_t; /* 32-bit word */
+
+/* Define the state of the MD5 Algorithm. */
+typedef struct md5_state_s {
+    md5_word_t count[2];	/* message length in bits, lsw first */
+    md5_word_t abcd[4];		/* digest buffer */
+    md5_byte_t buf[64];		/* accumulate block */
+} md5_state_t;
+
+#ifdef __cplusplus
+extern "C" 
+{
+#endif
+
+/* Initialize the algorithm. */
+void md5_init(md5_state_t *pms);
+
+/* Append a string to the message. */
+void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes);
+
+/* Finish the message and return the digest. */
+void md5_finish(md5_state_t *pms, md5_byte_t digest[16]);
+
+#ifdef __cplusplus
+}  /* end extern "C" */
+#endif
+
+#endif /* md5_INCLUDED */
diff --git a/jni/iodine/src/osflags b/jni/iodine/src/osflags
new file mode 100755
index 0000000..787ffaa
--- /dev/null
+++ b/jni/iodine/src/osflags
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+case $2 in
+link)
+
+	case $1 in
+		SunOS | solaris)
+			echo '-lsocket -lnsl';
+		;;
+		BeOS)
+			echo '-lsocket -lbind -lbsd';
+		;;
+		Haiku)
+			echo '-lnetwork';
+		;;
+		windows32)
+			echo '-lws2_32 -liphlpapi';
+		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-lselinux';
+		;;
+	esac
+	;;
+cflags)
+	case $1 in
+		BeOS)
+			echo '-Dsocklen_t=int';
+		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-DHAVE_SETCON';
+		;;
+	esac
+;;
+*)
+;;
+esac
diff --git a/jni/iodine/src/read.c b/jni/iodine/src/read.c
new file mode 100644
index 0000000..ff40382
--- /dev/null
+++ b/jni/iodine/src/read.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+static int
+readname_loop(char *packet, int packetlen, char **src, char *dst, size_t length, size_t loop)
+{
+	char *dummy;
+	char *s;
+	char *d;
+	int len;
+	int offset;
+	char c;
+
+	if (loop <= 0)
+		return 0;
+
+	len = 0;
+	s = *src;
+	d = dst;
+	while(*s && len < length - 2) {
+		c = *s++;
+
+		/* is this a compressed label? */
+		if((c & 0xc0) == 0xc0) {
+			offset = (((s[-1] & 0x3f) << 8) | (s[0] & 0xff));
+			if (offset > packetlen) {
+				if (len == 0) {
+					/* Bad jump first in packet */
+					return 0;
+				} else {
+					/* Bad jump after some data */
+					break;
+				}
+			}
+			dummy = packet + offset;
+			len += readname_loop(packet, packetlen, &dummy, d, length - len, loop - 1);
+			goto end;
+		}
+
+		while(c && len < length - 1) {
+			*d++ = *s++;
+			len++;
+
+			c--;
+		}
+		
+		if (len >= length - 1) {
+			break; /* We used up all space */
+		}
+
+		if (*s != 0) {
+			*d++ = '.';
+			len++;
+		}
+	}
+	dst[len++] = '\0';
+
+end:
+	(*src) = s+1;
+	return len;
+}
+
+int
+readname(char *packet, int packetlen, char **src, char *dst, size_t length)
+{
+	return readname_loop(packet, packetlen, src, dst, length, 10);
+}
+
+int
+readshort(char *packet, char **src, short *dst)
+{
+	unsigned char *p;
+
+	p = (unsigned char *) *src;
+	*dst = (p[0] << 8) | p[1];
+
+	(*src) += sizeof(short);
+	return sizeof(short);
+}
+
+int
+readlong(char *packet, char **src, uint32_t *dst)
+{
+	/* A long as described in dns protocol is always 32 bits */
+	unsigned char *p;
+
+	p = (unsigned char *) *src;
+
+	*dst = ((uint32_t)p[0] << 24) 
+		 | ((uint32_t)p[1] << 16) 
+		 | ((uint32_t)p[2] << 8)
+		 | ((uint32_t)p[3]);
+
+	(*src) += sizeof(uint32_t);
+	return sizeof(uint32_t);
+}
+
+int
+readdata(char *packet, char **src, char *dst, size_t len)
+{
+	if (len < 0)
+		return 0;
+
+	memcpy(dst, *src, len);
+
+	(*src) += len;
+
+	return len;
+}
+
+int
+readtxtbin(char *packet, char **src, size_t srcremain, char *dst, size_t dstremain)
+{
+	unsigned char *uc;
+	int tocopy;
+	int dstused = 0;
+
+	while (srcremain > 0)
+	{
+		uc = (unsigned char*) (*src);
+		tocopy = *uc;
+		(*src)++;
+		srcremain--;
+
+		if (tocopy > srcremain)
+			return 0;	/* illegal, better have nothing */
+		if (tocopy > dstremain)
+			return 0;	/* doesn't fit, better have nothing */
+
+		memcpy(dst, *src, tocopy);
+		dst += tocopy;
+		(*src) += tocopy;
+		srcremain -= tocopy;
+		dstremain -= tocopy;
+		dstused += tocopy;
+	}
+	return dstused;
+}
+
+int
+putname(char **buf, size_t buflen, const char *host)
+{
+	char *word;
+	int left;
+	char *h;
+	char *p;
+
+	h = strdup(host);
+	left = buflen;
+	p = *buf;
+	
+	word = strtok(h, ".");
+	while(word) {
+		if (strlen(word) > 63 || strlen(word) > left) {
+			free(h);
+			return -1;
+		}
+
+		left -= (strlen(word) + 1);
+		*p++ = (char)strlen(word);
+		memcpy(p, word, strlen(word));
+		p += strlen(word);
+
+		word = strtok(NULL, ".");
+	}
+
+	*p++ = 0;
+
+	free(h);
+
+	*buf = p;
+	return buflen - left;
+}
+
+int
+putbyte(char **dst, unsigned char value)
+{
+	**dst = value;
+	(*dst)++;
+
+	return sizeof(char);
+}
+
+int
+putshort(char **dst, unsigned short value)
+{
+	unsigned char *p;
+
+	p = (unsigned char *) *dst;
+
+	*p++ = (value >> 8);
+	*p++ = value;
+
+	(*dst) = (char *) p;
+	return sizeof(short);
+}
+
+int
+putlong(char **dst, uint32_t value)
+{
+	/* A long as described in dns protocol is always 32 bits */
+	unsigned char *p;
+
+	p = (unsigned char *) *dst;
+
+	*p++ = (value >> 24);
+	*p++ = (value >> 16);
+	*p++ = (value >> 8);
+	*p++ = (value);
+
+	(*dst) = (char *) p;
+	return sizeof(uint32_t);
+}
+
+int
+putdata(char **dst, char *data, size_t len)
+{
+	if (len < 0)
+		return 0;
+
+	memcpy(*dst, data, len);
+	
+	(*dst) += len;
+	return len;
+}
+
+int
+puttxtbin(char **buf, size_t bufremain, char *from, size_t fromremain)
+{
+	unsigned char uc;
+	unsigned char *ucp = &uc;
+	char *cp = (char *) ucp;
+	int tocopy;
+	int bufused = 0;
+
+	while (fromremain > 0)
+	{
+		tocopy = fromremain;
+		if (tocopy > 252)
+			tocopy = 252;	/* allow off-by-1s in caches etc */
+		if (tocopy + 1 > bufremain)
+			return -1;	/* doesn't fit, better have nothing */
+
+		uc = tocopy;
+		**buf = *cp;
+		(*buf)++;
+		bufremain--;
+		bufused++;
+
+		memcpy(*buf, from, tocopy);
+		(*buf) += tocopy;
+		from += tocopy;
+		bufremain -= tocopy;
+		fromremain -= tocopy;
+		bufused += tocopy;
+	}
+	return bufused;
+}
diff --git a/jni/iodine/src/read.h b/jni/iodine/src/read.h
new file mode 100644
index 0000000..b33f3bb
--- /dev/null
+++ b/jni/iodine/src/read.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _READ_H_
+#define _READ_H_
+
+int readname(char *, int, char **, char *, size_t);
+int readshort(char *, char **, short *);
+int readlong(char *, char **, uint32_t *);
+int readdata(char *, char **, char *, size_t);
+int readtxtbin(char *, char **, size_t, char *, size_t);
+
+int putname(char **, size_t, const char *);
+int putbyte(char **, unsigned char);
+int putshort(char **, unsigned short);
+int putlong(char **, uint32_t);
+int putdata(char **, char *, size_t);
+int puttxtbin(char **, size_t, char *, size_t);
+
+#endif
diff --git a/jni/iodine/src/tun.c b/jni/iodine/src/tun.c
new file mode 100644
index 0000000..eb52959
--- /dev/null
+++ b/jni/iodine/src/tun.c
@@ -0,0 +1,555 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#include <winioctl.h>
+#include "windows.h"
+
+HANDLE dev_handle;
+struct tun_data data;
+
+static void get_name(char *ifname, int namelen, char *dev_name);
+
+#define TAP_CONTROL_CODE(request,method) CTL_CODE(FILE_DEVICE_UNKNOWN, request, method, FILE_ANY_ACCESS)
+#define TAP_IOCTL_CONFIG_TUN       TAP_CONTROL_CODE(10, METHOD_BUFFERED)
+#define TAP_IOCTL_SET_MEDIA_STATUS TAP_CONTROL_CODE(6, METHOD_BUFFERED)
+
+#define TAP_ADAPTER_KEY "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
+#define NETWORK_KEY "SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
+#define TAP_DEVICE_SPACE "\\\\.\\Global\\"
+#define TAP_VERSION_ID_0801 "tap0801"
+#define TAP_VERSION_ID_0901 "tap0901"
+#define KEY_COMPONENT_ID "ComponentId"
+#define NET_CFG_INST_ID "NetCfgInstanceId"
+#else
+#include <err.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+
+#define TUN_MAX_TRY 50
+#endif
+
+#include "tun.h"
+#include "common.h"
+
+char if_name[250];
+
+#ifndef WINDOWS32
+#ifdef LINUX
+
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <linux/if_tun.h>
+
+int 
+open_tun(const char *tun_device) 
+{
+	int i;
+	int tun_fd;
+	struct ifreq ifreq;
+	char *tunnel = "/dev/net/tun";
+
+	if ((tun_fd = open(tunnel, O_RDWR)) < 0) {
+		warn("open_tun: %s: %s", tunnel, strerror(errno));
+		return -1;
+	}
+
+	memset(&ifreq, 0, sizeof(ifreq));
+
+	ifreq.ifr_flags = IFF_TUN; 
+
+	if (tun_device != NULL) {
+		strncpy(ifreq.ifr_name, tun_device, IFNAMSIZ);
+		ifreq.ifr_name[IFNAMSIZ-1] = '\0';
+		strncpy(if_name, tun_device, sizeof(if_name));
+		if_name[sizeof(if_name)-1] = '\0';
+
+		if (ioctl(tun_fd, TUNSETIFF, (void *) &ifreq) != -1) {
+			fprintf(stderr, "Opened %s\n", ifreq.ifr_name);
+			return tun_fd;
+		}
+
+		if (errno != EBUSY) {
+			warn("open_tun: ioctl[TUNSETIFF]: %s", strerror(errno));
+			return -1;
+		}
+	} else {
+		for (i = 0; i < TUN_MAX_TRY; i++) {
+			snprintf(ifreq.ifr_name, IFNAMSIZ, "dns%d", i);
+
+			if (ioctl(tun_fd, TUNSETIFF, (void *) &ifreq) != -1) {
+				fprintf(stderr, "Opened %s\n", ifreq.ifr_name);
+				snprintf(if_name, sizeof(if_name), "dns%d", i);
+				return tun_fd;
+			}
+
+			if (errno != EBUSY) {
+				warn("open_tun: ioctl[TUNSETIFF]: %s", strerror(errno));
+				return -1;
+			}
+		}
+
+		warn("open_tun: Couldn't set interface name");
+	}
+	warn("error when opening tun");
+	return -1;
+}
+
+#else /* BSD */
+
+int 
+open_tun(const char *tun_device) 
+{
+	int i;
+	int tun_fd;
+	char tun_name[50];
+
+	if (tun_device != NULL) {
+		snprintf(tun_name, sizeof(tun_name), "/dev/%s", tun_device);
+		strncpy(if_name, tun_device, sizeof(if_name));
+		if_name[sizeof(if_name)-1] = '\0';
+
+		if ((tun_fd = open(tun_name, O_RDWR)) < 0) {
+			warn("open_tun: %s: %s", tun_name, strerror(errno));
+			return -1;
+		}
+
+		fprintf(stderr, "Opened %s\n", tun_name);
+		return tun_fd;
+	} else {
+		for (i = 0; i < TUN_MAX_TRY; i++) {
+			snprintf(tun_name, sizeof(tun_name), "/dev/tun%d", i);
+
+			if ((tun_fd = open(tun_name, O_RDWR)) >= 0) {
+				fprintf(stderr, "Opened %s\n", tun_name);
+				snprintf(if_name, sizeof(if_name), "tun%d", i);
+				return tun_fd;
+			}
+
+			if (errno == ENOENT)
+				break;
+		}
+
+		warn("open_tun: Failed to open tunneling device");
+	}
+
+	return -1;
+}
+
+#endif /* !LINUX */
+#else /* WINDOWS32 */
+static void
+get_device(char *device, int device_len, const char *wanted_dev)
+{
+	LONG status;
+	HKEY adapter_key;
+	int index;
+
+	index = 0;
+	status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TAP_ADAPTER_KEY, 0, KEY_READ, &adapter_key);
+
+	if (status != ERROR_SUCCESS) {
+		warnx("Error opening registry key " TAP_ADAPTER_KEY );
+		return;
+	}
+	
+	while (TRUE) {
+		char name[256];
+		char unit[256];
+		char component[256];
+
+		char cid_string[256] = KEY_COMPONENT_ID;
+		HKEY device_key;
+		DWORD datatype;
+		DWORD len;
+
+		/* Iterate through all adapter of this kind */
+		len = sizeof(name);
+		status = RegEnumKeyEx(adapter_key, index, name, &len, NULL, NULL, NULL, NULL);
+		if (status == ERROR_NO_MORE_ITEMS) {
+			break;
+		} else if (status != ERROR_SUCCESS) {
+			warnx("Error enumerating subkeys of registry key " TAP_ADAPTER_KEY );
+			break;
+		}
+
+		snprintf(unit, sizeof(unit), TAP_ADAPTER_KEY "\\%s", name);
+		status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, unit, 0, KEY_READ, &device_key);
+		if (status != ERROR_SUCCESS) {
+			warnx("Error opening registry key %s", unit);
+			goto next;
+		}
+
+		/* Check component id */
+		len = sizeof(component);
+		status = RegQueryValueEx(device_key, cid_string, NULL, &datatype, (LPBYTE)component, &len);
+		if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+			goto next;
+		}
+		if (strncmp(TAP_VERSION_ID_0801, component, strlen(TAP_VERSION_ID_0801)) == 0 ||
+			strncmp(TAP_VERSION_ID_0901, component, strlen(TAP_VERSION_ID_0901)) == 0) {
+			/* We found a TAP32 device, get its NetCfgInstanceId */
+			char iid_string[256] = NET_CFG_INST_ID;
+			
+			status = RegQueryValueEx(device_key, iid_string, NULL, &datatype, (LPBYTE) device, (DWORD *) &device_len);
+			if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+				warnx("Error reading registry key %s\\%s on TAP device", unit, iid_string);
+			} else {
+				/* Done getting GUID of TAP device,
+				 * now check if the name is the requested one */
+				if (wanted_dev) {
+					char name[250];
+					get_name(name, sizeof(name), device);
+					if (strncmp(name, wanted_dev, strlen(wanted_dev))) {
+						/* Skip if name mismatch */
+						goto next;
+					}
+				}
+				/* Get the if name */
+				get_name(if_name, sizeof(if_name), device);
+				RegCloseKey(device_key);
+				return;
+			}
+		}
+next:
+		RegCloseKey(device_key);
+		index++;
+	}
+	RegCloseKey(adapter_key);
+}
+
+static void
+get_name(char *ifname, int namelen, char *dev_name)
+{
+	char path[256];
+	char name_str[256] = "Name";
+	LONG status;
+	HKEY conn_key;
+	DWORD len;
+	DWORD datatype;
+
+	memset(ifname, 0, namelen);
+
+	snprintf(path, sizeof(path), NETWORK_KEY "\\%s\\Connection", dev_name);
+	status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_READ, &conn_key);
+	if (status != ERROR_SUCCESS) {
+		fprintf(stderr, "Could not look up name of interface %s: error opening key\n", dev_name);
+		RegCloseKey(conn_key);
+		return;
+	}
+	len = namelen;
+	status = RegQueryValueEx(conn_key, name_str, NULL, &datatype, (LPBYTE)ifname, &len);
+	if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+		fprintf(stderr, "Could not look up name of interface %s: error reading value\n", dev_name);
+		RegCloseKey(conn_key);
+		return;
+	}
+	RegCloseKey(conn_key);
+}
+
+DWORD WINAPI tun_reader(LPVOID arg)
+{
+	struct tun_data *tun = arg;
+	char buf[64*1024];
+	int len;
+	int res;
+	OVERLAPPED olpd;
+	int sock;
+
+	sock = open_dns(0, INADDR_ANY);
+
+	olpd.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
+
+	while(TRUE) {
+		olpd.Offset = 0;
+		olpd.OffsetHigh = 0;
+		res = ReadFile(tun->tun, buf, sizeof(buf), (LPDWORD) &len, &olpd);
+		if (!res) {
+			WaitForSingleObject(olpd.hEvent, INFINITE);
+			res = GetOverlappedResult(dev_handle, &olpd, (LPDWORD) &len, FALSE);
+			res = sendto(sock, buf, len, 0, (struct sockaddr*) &(tun->addr), 
+				sizeof(struct sockaddr_in));
+		}
+	}
+
+	return 0;
+}
+
+int 
+open_tun(const char *tun_device) 
+{
+	char adapter[256];
+	char tapfile[512];
+	int tunfd;
+	in_addr_t local;
+
+	memset(adapter, 0, sizeof(adapter));
+	memset(if_name, 0, sizeof(if_name));
+	get_device(adapter, sizeof(adapter), tun_device);
+
+	if (strlen(adapter) == 0 || strlen(if_name) == 0) {
+		if (tun_device) {
+			warnx("No TAP adapters found. Try without -d.");
+		} else {
+			warnx("No TAP adapters found. Version 0801 and 0901 are supported.");
+		}
+		return -1;
+	}
+	
+	fprintf(stderr, "Opening device %s\n", if_name);
+	snprintf(tapfile, sizeof(tapfile), "%s%s.tap", TAP_DEVICE_SPACE, adapter);
+	dev_handle = CreateFile(tapfile, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
+	if (dev_handle == INVALID_HANDLE_VALUE) {
+		warnx("Could not open device!");
+		return -1;
+	}
+
+	/* Use a UDP connection to forward packets from tun,
+	 * so we can still use select() in main code.
+	 * A thread does blocking reads on tun device and 
+	 * sends data as udp to this socket */
+	
+	local = htonl(0x7f000001); /* 127.0.0.1 */
+	tunfd = open_dns(55353, local);
+
+	data.tun = dev_handle;
+	memset(&(data.addr), 0, sizeof(data.addr));
+	data.addr.sin_family = AF_INET;
+	data.addr.sin_port = htons(55353);
+	data.addr.sin_addr.s_addr = local;
+	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)tun_reader, &data, 0, NULL);
+	
+	return tunfd;
+}
+#endif 
+
+void 
+close_tun(int tun_fd) 
+{
+	if (tun_fd >= 0)
+		close(tun_fd);
+}
+
+int 
+write_tun(int tun_fd, char *data, size_t len) 
+{
+#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD) || defined(WINDOWS32) || defined(__ANDROID__)
+	data += 4;
+	len -= 4;
+#else /* !FREEBSD/DARWIN */
+#ifdef LINUX
+	data[0] = 0x00;
+	data[1] = 0x00;
+	data[2] = 0x08;
+	data[3] = 0x00;
+#else /* OPENBSD */
+	data[0] = 0x00;
+	data[1] = 0x00;
+	data[2] = 0x00;
+	data[3] = 0x02;
+#endif /* !LINUX */
+#endif /* FREEBSD */
+
+#ifndef WINDOWS32
+	if (write(tun_fd, data, len) != len) {
+		warn("write_tun");
+		return 1;
+	}
+#else /* WINDOWS32 */
+	{
+		DWORD written;
+		DWORD res;
+		OVERLAPPED olpd;
+
+		olpd.Offset = 0;
+		olpd.OffsetHigh = 0;
+		olpd.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
+		res = WriteFile(dev_handle, data, len, &written, &olpd);
+		if (!res && GetLastError() == ERROR_IO_PENDING) {
+			WaitForSingleObject(olpd.hEvent, INFINITE);
+			res = GetOverlappedResult(dev_handle, &olpd, &written, FALSE);
+			if (written != len) {
+				return -1;
+			}
+		}
+	}
+#endif
+	return 0;
+}
+
+ssize_t
+read_tun(int tun_fd, char *buf, size_t len) 
+{
+#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD) || defined(WINDOWS32) || defined(__ANDROID__)
+	/* FreeBSD/Darwin/NetBSD/Android-VPN has no header */
+	int bytes;
+	memset(buf, 0, 4);
+#ifdef WINDOWS32
+	/* Windows needs recv() since it is local UDP socket */
+	bytes = recv(tun_fd, buf + 4, len - 4, 0);
+#else
+	/* The other need read() because fd is not a socket */
+	bytes = read(tun_fd, buf + 4, len - 4);
+#endif /*WINDOWS32*/
+	if (bytes < 0) {
+		return bytes;
+	} else {
+		return bytes + 4;
+	}
+#else /* !FREEBSD */
+	return read(tun_fd, buf, len);
+#endif /* !FREEBSD */
+}
+
+int
+tun_setip(const char *ip, const char *remoteip, int netbits)
+{
+	char cmdline[512];
+	int netmask;
+	struct in_addr net;
+	int i;
+#ifndef LINUX
+	int r;
+#endif
+#ifdef WINDOWS32
+	DWORD status;
+	DWORD ipdata[3];
+	struct in_addr addr;
+	DWORD len;
+#endif
+
+	netmask = 0;
+	for (i = 0; i < netbits; i++) {
+		netmask = (netmask << 1) | 1;
+	}
+	netmask <<= (32 - netbits);
+	net.s_addr = htonl(netmask);
+
+	if (inet_addr(ip) == INADDR_NONE) {
+		fprintf(stderr, "Invalid IP: %s!\n", ip);
+		return 1;
+	}
+#if defined(__ANDROID__)
+	if (tun_config_android.ip) {
+		free(tun_config_android.ip);
+	}
+	if (tun_config_android.remoteip) {
+		free(tun_config_android.remoteip);
+	}
+	tun_config_android.ip = strdup(ip);
+	tun_config_android.remoteip = strdup(remoteip);
+	tun_config_android.netbits = netbits;
+	return 0;
+#elif !defined(WINDOWS32)
+	snprintf(cmdline, sizeof(cmdline), 
+			"/sbin/ifconfig %s %s %s netmask %s",
+			if_name,
+			ip,
+#ifdef FREEBSD
+			remoteip, /* FreeBSD wants other IP as second IP */
+#else
+			ip,
+#endif
+			inet_ntoa(net));
+	
+	fprintf(stderr, "Setting IP of %s to %s\n", if_name, ip);
+#ifndef LINUX
+	r = system(cmdline);
+	if(r != 0) {
+		return r;
+	} else {
+		snprintf(cmdline, sizeof(cmdline),
+				"/sbin/route add %s/%d %s",
+				ip, netbits, ip);
+	}
+	fprintf(stderr, "Adding route %s/%d to %s\n", ip, netbits, ip);
+#endif
+	return system(cmdline);
+#else /* WINDOWS32 */
+
+	/* Set device as connected */
+	fprintf(stderr, "Enabling interface '%s'\n", if_name);
+	status = 1;
+	r = DeviceIoControl(dev_handle, TAP_IOCTL_SET_MEDIA_STATUS, &status, 
+		sizeof(status), &status, sizeof(status), &len, NULL);
+	if (!r) {
+		fprintf(stderr, "Failed to enable interface\n");
+		return -1;
+	}
+	
+	if (inet_aton(ip, &addr)) {
+		ipdata[0] = (DWORD) addr.s_addr;   /* local ip addr */
+		ipdata[1] = net.s_addr & ipdata[0]; /* network addr */
+		ipdata[2] = (DWORD) net.s_addr;    /* netmask */
+	} else {
+		return -1;
+	}
+
+	/* Tell ip/networkaddr/netmask to device for arp use */
+	r = DeviceIoControl(dev_handle, TAP_IOCTL_CONFIG_TUN, &ipdata, 
+		sizeof(ipdata), &ipdata, sizeof(ipdata), &len, NULL);
+	if (!r) {
+		fprintf(stderr, "Failed to set interface in TUN mode\n");
+		return -1;
+	}
+
+	/* use netsh to set ip address */
+	fprintf(stderr, "Setting IP of interface '%s' to %s (can take a few seconds)...\n", if_name, ip);
+	snprintf(cmdline, sizeof(cmdline), "netsh interface ip set address \"%s\" static %s %s",
+		if_name, ip, inet_ntoa(net));
+	return system(cmdline);
+#endif
+}
+
+int 
+tun_setmtu(const unsigned mtu)
+{
+#ifdef __ANDROID__
+	tun_config_android.mtu = mtu;
+	return 0;
+#elif !defined(WINDOWS32)
+	char cmdline[512];
+
+	if (mtu > 200 && mtu <= 1500) {
+		snprintf(cmdline, sizeof(cmdline), 
+				"/sbin/ifconfig %s mtu %u",
+				if_name,
+				mtu);
+		
+		fprintf(stderr, "Setting MTU of %s to %u\n", if_name, mtu);
+		return system(cmdline);
+	} else {
+		warn("MTU out of range: %u\n", mtu);
+	}
+
+	return 1;
+#else /* WINDOWS32 */
+
+	return 0;
+#endif
+}
+
diff --git a/jni/iodine/src/tun.h b/jni/iodine/src/tun.h
new file mode 100644
index 0000000..397e7a9
--- /dev/null
+++ b/jni/iodine/src/tun.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _TUN_H_
+#define _TUN_H_
+
+int open_tun(const char *);
+void close_tun(int);
+int write_tun(int, char *, size_t);
+ssize_t read_tun(int, char *, size_t);
+int tun_setip(const char *, const char *, int);
+int tun_setmtu(const unsigned);
+
+#ifdef __ANDROID__
+struct _tun_config_android {
+	char *ip;
+	char *remoteip;
+	int netbits;
+	unsigned mtu;
+	int request_disconnect;
+} tun_config_android;
+#endif /* __ANDROID__ */
+
+#endif /* _TUN_H_ */
diff --git a/jni/iodine/src/user.c b/jni/iodine/src/user.c
new file mode 100644
index 0000000..dfe9c36
--- /dev/null
+++ b/jni/iodine/src/user.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <time.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#else
+#include <netdb.h>
+#endif
+
+#include "common.h"
+#include "encoding.h"
+#include "user.h"
+
+struct user users[USERS];
+
+int
+init_users(in_addr_t my_ip, int netbits)
+{
+	int i;
+	int skip = 0;
+	char newip[16];
+	int created_users = 0;
+
+	int maxusers;
+
+	in_addr_t netmask = 0;
+	struct in_addr net;
+	struct in_addr ipstart;
+
+	for (i = 0; i < netbits; i++) {
+		netmask = (netmask << 1) | 1;
+	}
+	netmask <<= (32 - netbits);
+	net.s_addr = htonl(netmask);
+	ipstart.s_addr = my_ip & net.s_addr;
+
+	maxusers = (1 << (32-netbits)) - 3; /* 3: Net addr, broadcast addr, iodined addr */
+	
+	memset(users, 0, USERS * sizeof(struct user));
+	for (i = 0; i < USERS; i++) {
+		in_addr_t ip;
+		users[i].id = i;
+		snprintf(newip, sizeof(newip), "0.0.0.%d", i + skip + 1);
+		ip = ipstart.s_addr + inet_addr(newip);
+		if (ip == my_ip && skip == 0) {
+			/* This IP was taken by iodined */
+			skip++;
+			snprintf(newip, sizeof(newip), "0.0.0.%d", i + skip + 1);
+			ip = ipstart.s_addr + inet_addr(newip);
+		}
+		users[i].tun_ip = ip;
+		net.s_addr = ip;
+		if (maxusers--  < 1) {
+			users[i].disabled = 1;
+		} else {
+			users[i].disabled = 0;
+			created_users++;
+		}
+		users[i].active = 0;
+ 		/* Rest is reset on login ('V' packet) */
+	}
+
+	return created_users;
+}
+
+const char*
+users_get_first_ip()
+{
+	struct in_addr ip;
+	ip.s_addr = users[0].tun_ip;
+	return inet_ntoa(ip);
+}
+
+int
+users_waiting_on_reply()
+{
+	int ret;
+	int i;
+
+	ret = 0;
+	for (i = 0; i < USERS; i++) {
+		if (users[i].active && !users[i].disabled && 
+			users[i].last_pkt + 60 > time(NULL) &&
+			users[i].q.id != 0 && users[i].conn == CONN_DNS_NULL) {
+			ret++;
+		}
+	}
+	
+	return ret;
+}
+
+int
+find_user_by_ip(uint32_t ip)
+{
+	int ret;
+	int i;
+
+	ret = -1;
+	for (i = 0; i < USERS; i++) {
+		if (users[i].active && !users[i].disabled &&
+			users[i].last_pkt + 60 > time(NULL) &&
+			ip == users[i].tun_ip) {
+			ret = i;
+			break;
+		}
+	}
+	return ret;
+}
+
+int
+all_users_waiting_to_send()
+/* If this returns true, then reading from tun device is blocked.
+   So only return true when all clients have at least one packet in
+   the outpacket-queue, so that sending back-to-back is possible
+   without going through another select loop.
+*/
+{
+	time_t now;
+	int ret;
+	int i;
+
+	ret = 1;
+	now = time(NULL);
+	for (i = 0; i < USERS; i++) {
+		if (users[i].active && !users[i].disabled &&
+			users[i].last_pkt + 60 > now &&
+			((users[i].conn == CONN_RAW_UDP) || 
+			((users[i].conn == CONN_DNS_NULL) 
+#ifdef OUTPACKETQ_LEN
+				&& users[i].outpacketq_filled < 1
+#else
+				&& users[i].outpacket.len == 0
+#endif
+			))) {
+
+			ret = 0;
+			break;
+		}
+	}
+	return ret;
+}
+
+int
+find_available_user()
+{
+	int ret = -1;
+	int i;
+	for (i = 0; i < USERS; i++) {
+		/* Not used at all or not used in one minute */
+		if ((!users[i].active || users[i].last_pkt + 60 < time(NULL)) && !users[i].disabled) {
+			users[i].active = 1;
+			users[i].last_pkt = time(NULL);
+			users[i].fragsize = 4096;
+			users[i].conn = CONN_DNS_NULL;
+			ret = i;
+			break;
+		}
+	}
+	return ret;
+}
+
+void
+user_switch_codec(int userid, struct encoder *enc)
+{
+	if (userid < 0 || userid >= USERS)
+		return;
+	
+	users[userid].encoder = enc;
+}
+
+void
+user_set_conn_type(int userid, enum connection c)
+{
+	if (userid < 0 || userid >= USERS)
+		return;
+
+	if (c < 0 || c >= CONN_MAX)
+		return;
+	
+	users[userid].conn = c;
+}
+	
diff --git a/jni/iodine/src/user.h b/jni/iodine/src/user.h
new file mode 100644
index 0000000..51a6092
--- /dev/null
+++ b/jni/iodine/src/user.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __USER_H__
+#define __USER_H__
+
+#define USERS 16
+
+#define OUTPACKETQ_LEN 4		/* Note: 16 users * 1 packet = 1MB */
+/* Undefine to have no queue for packets coming in from tun device, which may
+   lead to massive dropping in multi-user situations with high traffic. */
+
+#define DNSCACHE_LEN 4
+/* Undefine to disable. Should be less than 18; also see comments in iodined.c */
+
+
+#define QMEMPING_LEN 30
+/* Max advisable: 64k/2 = 32000. Total mem usage: QMEMPING_LEN * USERS * 6 bytes */
+
+#define QMEMDATA_LEN 15
+/* Max advisable: 36/2 = 18. Total mem usage: QMEMDATA_LEN * USERS * 6 bytes */
+
+struct user {
+	char id;
+	int active;
+	int disabled;
+	time_t last_pkt;
+	int seed;
+	in_addr_t tun_ip;
+	struct in_addr host;
+	struct query q;
+	struct query q_sendrealsoon;
+	int q_sendrealsoon_new;
+	struct packet inpacket;
+	struct packet outpacket;
+	int outfragresent;
+	struct encoder *encoder;
+	char downenc;
+	int out_acked_seqno;
+	int out_acked_fragment;
+	int fragsize;
+	enum connection conn;
+	int lazy;
+	unsigned char qmemping_cmc[QMEMPING_LEN * 4];
+	unsigned short qmemping_type[QMEMPING_LEN];
+	int qmemping_lastfilled;
+	unsigned char qmemdata_cmc[QMEMDATA_LEN * 4];
+	unsigned short qmemdata_type[QMEMDATA_LEN];
+	int qmemdata_lastfilled;
+#ifdef OUTPACKETQ_LEN
+	struct packet outpacketq[OUTPACKETQ_LEN];
+	int outpacketq_nexttouse;
+	int outpacketq_filled;
+#endif
+#ifdef DNSCACHE_LEN
+	struct query dnscache_q[DNSCACHE_LEN];
+	char dnscache_answer[DNSCACHE_LEN][4096];
+	int dnscache_answerlen[DNSCACHE_LEN];
+	int dnscache_lastfilled;
+#endif
+};
+
+extern struct user users[USERS];
+
+int init_users(in_addr_t, int);
+const char* users_get_first_ip();
+int users_waiting_on_reply();
+int find_user_by_ip(uint32_t);
+int all_users_waiting_to_send();
+int find_available_user();
+void user_switch_codec(int userid, struct encoder *enc);
+void user_set_conn_type(int userid, enum connection c);
+
+#endif
diff --git a/jni/iodine/src/util.c b/jni/iodine/src/util.c
new file mode 100644
index 0000000..bc5fc8d
--- /dev/null
+++ b/jni/iodine/src/util.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include "common.h"
+
+char *
+get_resolvconf_addr()
+{
+	static char addr[16];
+	char *rv;
+#ifndef WINDOWS32
+	char buf[80];
+	FILE *fp;
+	
+	rv = NULL;
+
+	if ((fp = fopen("/etc/resolv.conf", "r")) == NULL) 
+		err(1, "/etc/resolv.conf");
+	
+	while (feof(fp) == 0) {
+		fgets(buf, sizeof(buf), fp);
+
+		if (sscanf(buf, "nameserver %15s", addr) == 1) {
+			rv = addr;
+			break;
+		}
+	}
+	
+	fclose(fp);
+#else /* !WINDOWS32 */
+	FIXED_INFO  *fixed_info;
+	ULONG       buflen;
+	DWORD       ret;
+
+	rv = NULL;
+	fixed_info = malloc(sizeof(FIXED_INFO));
+	buflen = sizeof(FIXED_INFO);
+
+	if (GetNetworkParams(fixed_info, &buflen) == ERROR_BUFFER_OVERFLOW) {
+		/* official ugly api workaround */
+		free(fixed_info);
+		fixed_info = malloc(buflen);
+	}
+
+	ret = GetNetworkParams(fixed_info, &buflen);
+	if (ret == NO_ERROR) {
+		strncpy(addr, fixed_info->DnsServerList.IpAddress.String, sizeof(addr));
+		addr[15] = 0;
+		rv = addr;
+	}
+	free(fixed_info);
+#endif
+	return rv;
+}
+
diff --git a/jni/iodine/src/util.h b/jni/iodine/src/util.h
new file mode 100644
index 0000000..f514139
--- /dev/null
+++ b/jni/iodine/src/util.h
@@ -0,0 +1,6 @@
+#ifndef __UTIL_H__
+#define __UTIL_H__
+
+char *get_resolvconf_addr();
+
+#endif
diff --git a/jni/iodine/src/version.h b/jni/iodine/src/version.h
new file mode 100644
index 0000000..1561b9e
--- /dev/null
+++ b/jni/iodine/src/version.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _VERSION_H_
+#define _VERSION_H_
+
+/* This is the version of the network protocol
+   It is usually equal to the latest iodine version number */
+#define VERSION 0x00000502
+
+#endif /* _VERSION_H_ */
+
diff --git a/jni/iodine/src/windows.h b/jni/iodine/src/windows.h
new file mode 100644
index 0000000..7e0e16c
--- /dev/null
+++ b/jni/iodine/src/windows.h
@@ -0,0 +1,100 @@
+/*

+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>

+ *

+ * Permission to use, copy, modify, and distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+ */

+

+#ifndef __FIX_WINDOWS_H__

+#define __FIX_WINDOWS_H__

+

+typedef unsigned int in_addr_t;

+

+#include <windows.h>

+#include <windns.h>

+#include <winsock2.h>

+#include <ws2tcpip.h>

+#include <iphlpapi.h>

+

+/* Missing from the mingw headers */

+#ifndef DNS_TYPE_SRV

+# define DNS_TYPE_SRV 33

+#endif

+#ifndef DNS_TYPE_TXT

+# define DNS_TYPE_TXT 16

+#endif

+

+#define T_A DNS_TYPE_A

+#define T_NS DNS_TYPE_NS

+#define T_NULL DNS_TYPE_NULL

+#define T_CNAME DNS_TYPE_CNAME

+#define T_MX DNS_TYPE_MX

+#define T_TXT DNS_TYPE_TXT

+#define T_SRV DNS_TYPE_SRV

+

+#define C_IN 1

+

+#define FORMERR 1

+#define SERVFAIL 2

+#define NXDOMAIN 3

+#define NOTIMP 4

+#define REFUSED 5

+

+#define sleep(seconds) Sleep((seconds)*1000)

+

+typedef struct {

+        unsigned        id :16;         /* query identification number */

+                        /* fields in third byte */

+        unsigned        rd :1;          /* recursion desired */

+        unsigned        tc :1;          /* truncated message */

+        unsigned        aa :1;          /* authoritive answer */

+        unsigned        opcode :4;      /* purpose of message */

+        unsigned        qr :1;          /* response flag */

+                        /* fields in fourth byte */

+        unsigned        rcode :4;       /* response code */

+        unsigned        cd: 1;          /* checking disabled by resolver */

+        unsigned        ad: 1;          /* authentic data from named */

+        unsigned        unused :1;      /* unused bits (MBZ as of 4.9.3a3) */

+        unsigned        ra :1;          /* recursion available */

+                        /* remaining bytes */

+        unsigned        qdcount :16;    /* number of question entries */

+        unsigned        ancount :16;    /* number of answer entries */

+        unsigned        nscount :16;    /* number of authority entries */

+        unsigned        arcount :16;    /* number of resource entries */

+} HEADER;

+

+struct ip

+  {

+    unsigned int ip_hl:4;               /* header length */

+    unsigned int ip_v:4;                /* version */

+    u_char ip_tos;                      /* type of service */

+    u_short ip_len;                     /* total length */

+    u_short ip_id;                      /* identification */

+    u_short ip_off;                     /* fragment offset field */

+#define IP_RF 0x8000                    /* reserved fragment flag */

+#define IP_DF 0x4000                    /* dont fragment flag */

+#define IP_MF 0x2000                    /* more fragments flag */

+#define IP_OFFMASK 0x1fff               /* mask for fragmenting bits */

+    u_char ip_ttl;                      /* time to live */

+    u_char ip_p;                        /* protocol */

+    u_short ip_sum;                     /* checksum */

+    struct in_addr ip_src, ip_dst;      /* source and dest address */

+  };

+

+DWORD WINAPI tun_reader(LPVOID arg);

+struct tun_data {

+	HANDLE tun;

+	int sock;

+	struct sockaddr_in addr;

+};

+

+#endif

diff --git a/jni/iodine/tests/Makefile b/jni/iodine/tests/Makefile
new file mode 100644
index 0000000..3a7ac01
--- /dev/null
+++ b/jni/iodine/tests/Makefile
@@ -0,0 +1,27 @@
+CC = gcc
+TEST = test
+OBJS = test.o base32.o base64.o read.o dns.o encoding.o login.o user.o fw_query.o
+SRCOBJS = ../src/base32.o  ../src/base64.o ../src/read.o ../src/dns.o ../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o ../src/fw_query.o
+
+OS = `uname | tr "a-z" "A-Z"`
+
+CHECK_PATH = /usr/local
+LDFLAGS = -L$(CHECK_PATH)/lib -lcheck `../src/osflags link`
+CFLAGS = -g -Wall -D$(OS) -I../src -I$(CHECK_PATH)/include -pedantic `../src/osflags cflags`
+
+all: $(TEST)
+	@LD_LIBRARY_PATH=${CHECK_PATH}/lib ./$(TEST)
+
+$(TEST): $(OBJS) $(SRCOBJS)
+	@echo LD $(TEST)
+	@$(CC) -o $@ $(SRCOBJS) $(OBJS) $(LDFLAGS) 
+
+.c.o: 
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $<
+
+
+clean:
+	@echo "Cleaning tests/"
+	@rm -f *~ *.core $(TEST) $(OBJS)
+
diff --git a/jni/iodine/tests/base32.c b/jni/iodine/tests/base32.c
new file mode 100644
index 0000000..9ff0cf7
--- /dev/null
+++ b/jni/iodine/tests/base32.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "encoding.h"
+#include "base32.h"
+#include "test.h"
+
+#define TUPLES 5
+
+static struct tuple
+{
+	char *a;
+	char *b;
+} testpairs[TUPLES] = {
+	{ "iodinetestingtesting", "nfxwi0lomv0gk21unfxgo3dfon0gs1th" },
+	{ "abc123", "mfrggmjsgm" },
+	{ "test", "orsxg3a" },
+	{ "tst", "orzxi" },
+	{ "", "" },
+};
+
+START_TEST(test_base32_encode)
+{
+	size_t len;
+	char buf[4096];
+	struct encoder *b32;
+	int val;
+
+	b32 = get_base32_encoder();
+
+	len = sizeof(buf);
+	val = b32->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+
+	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].b);
+}
+END_TEST
+
+START_TEST(test_base32_decode)
+{
+	size_t len;
+	char buf[4096];
+	struct encoder *b32;
+	int val;
+	
+	b32 = get_base32_encoder();
+
+	len = sizeof(buf);
+	val = b32->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+
+	fail_unless(buf != NULL, "buf == NULL");
+	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].a);
+}
+END_TEST
+
+START_TEST(test_base32_5to8_8to5)
+{
+	int i;
+	int c;
+
+	for (i = 0; i < 32; i++) {
+		c = b32_5to8(i);	
+		fail_unless(b32_8to5(c) == i);
+	}
+}
+END_TEST
+
+START_TEST(test_base32_blksize)
+{
+	size_t rawlen;
+	size_t enclen;
+	char *rawbuf;
+	char *encbuf;
+	struct encoder *b32;
+	int i;
+	int val;
+
+	b32 = get_base32_encoder();
+
+	rawlen = b32->blocksize_raw();
+	enclen = b32->blocksize_encoded();
+
+	rawbuf = malloc(rawlen + 16);
+	encbuf = malloc(enclen + 16);
+
+	for (i = 0; i < rawlen; i++) {
+		rawbuf[i] = 'A';
+	}
+	rawbuf[i] = 0;
+
+	val = b32->encode(encbuf, &enclen, rawbuf, rawlen);
+
+	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
+	fail_unless(enclen == 5, "encoded %d bytes, not 5", enclen);
+	fail_unless(val == 8, "encoded string %s was length %d", encbuf, val);
+
+	memset(rawbuf, 0, rawlen + 16);
+
+	enclen = val;
+	val = b32->decode(rawbuf, &rawlen, encbuf, enclen);
+
+	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
+	fail_unless(val == 5, "val was not 5 but %d", val);
+	for (i = 0; i < rawlen; i++) {
+		fail_unless(rawbuf[i] == 'A');
+	}
+}
+END_TEST
+
+TCase *
+test_base32_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Base32");
+	tcase_add_loop_test(tc, test_base32_encode, 0, TUPLES);
+	tcase_add_loop_test(tc, test_base32_decode, 0, TUPLES);
+	tcase_add_test(tc, test_base32_5to8_8to5);
+	tcase_add_test(tc, test_base32_blksize);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/base64.c b/jni/iodine/tests/base64.c
new file mode 100644
index 0000000..bd0e9ce
--- /dev/null
+++ b/jni/iodine/tests/base64.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "encoding.h"
+#include "base64.h"
+#include "test.h"
+
+#define TUPLES 5
+
+static struct tuple
+{
+	char *a;
+	char *b;
+} testpairs[TUPLES] = {
+	{ "iodinetestingtesting", "Aw8KAw4LDgvZDgLUz2rLC2rPBMC" },
+	{ "abc1231", "ywjJmtiZmq" },
+	{
+	  "\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xAA\x68"
+	  "\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50"
+	  "\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40\x3F\x3F\x3C\xEF\xAE\x78"
+	  "\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xAA\x68\x9E\x69\x64\x8E\x28\x60"
+	  "\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48"
+	  "\x1C\x61\x44\x0C\x20\x40\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70"
+	  "\xBE\xEB\x6C\xAE\xAA\x68\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58"
+	  "\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40",
+
+	  "+9876543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcbapZ"
+	  "776543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba+987654"
+	  "3210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba"
+	},
+	{
+	  "\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xAA\x68"
+	  "\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50"
+	  "\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40\x3F\x3F\x3C\xEF\xAE\x78"
+	  "\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xA1\x61\x91\x61\x61\x81\x28\x60"
+	  "\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48"
+	  "\x1C\x61\x44\x0C\x20\x40\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70"
+	  "\xBE\xEB\x6C\xAE\xA1\x61\x91\x61\x61\x81\x28\x60\x7D\xE7\x5C\x6D\xA6\x58"
+	  "\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40",
+
+	  "+9876543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcbapZ"
+	  "776543210-ZYXWVUTSRQfHKwfHGsHGFEDCBAzyxwvutsrqponmlkjihgfedcba+987654321"
+	  "0-ZYXWVUTSRQfHKwfHGsHGFEDCBAzyxwvutsrqponmlkjihgfedcba"
+	},
+	{ "", "" }
+};
+
+START_TEST(test_base64_encode)
+{
+	size_t len;
+	char buf[4096];
+	struct encoder *b64;
+	int val;
+
+	b64 = get_base64_encoder();
+
+	len = sizeof(buf);
+	val = b64->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+
+	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].b);
+}
+END_TEST
+
+START_TEST(test_base64_decode)
+{
+	size_t len;
+	char buf[4096];
+	struct encoder *b64;
+	int val;
+
+	b64 = get_base64_encoder();
+
+	len = sizeof(buf);
+	val = b64->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+
+	fail_unless(buf != NULL, "buf == NULL");
+	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].a);
+}
+END_TEST
+
+START_TEST(test_base64_blksize)
+{
+	size_t rawlen;
+	size_t enclen;
+	char *rawbuf;
+	char *encbuf;
+	struct encoder *b64;
+	int i;
+	int val;
+
+	b64 = get_base64_encoder();
+
+	rawlen = b64->blocksize_raw();
+	enclen = b64->blocksize_encoded();
+
+	rawbuf = malloc(rawlen + 16);
+	encbuf = malloc(enclen + 16);
+
+	for (i = 0; i < rawlen; i++) {
+		rawbuf[i] = 'A';
+	}
+	rawbuf[i] = 0;
+
+	val = b64->encode(encbuf, &enclen, rawbuf, rawlen);
+
+	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
+	fail_unless(enclen == 3, "encoded %d bytes, not 3", enclen);
+	fail_unless(val == 4, "encoded string %s was length %d", encbuf, val);
+
+	memset(rawbuf, 0, rawlen + 16);
+
+	enclen = val;
+	val = b64->decode(rawbuf, &rawlen, encbuf, enclen);
+
+	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
+	fail_unless(val == 3);
+	for (i = 0; i < rawlen; i++) {
+		fail_unless(rawbuf[i] == 'A');
+	}
+}
+END_TEST
+
+TCase *
+test_base64_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Base64");
+	tcase_add_loop_test(tc, test_base64_encode, 0, TUPLES);
+	tcase_add_loop_test(tc, test_base64_decode, 0, TUPLES);
+	tcase_add_test(tc, test_base64_blksize);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/dns.c b/jni/iodine/tests/dns.c
new file mode 100644
index 0000000..3d21e4c
--- /dev/null
+++ b/jni/iodine/tests/dns.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/stat.h>
+#include <arpa/nameser.h>
+
+#include "common.h"
+#include "dns.h"
+#include "encoding.h"
+#include "base32.h"
+#include "test.h"
+
+static void dump_packet(char *, size_t);
+
+static char query_packet[] =
+	"\x05\x39\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x2D\x41\x6A\x62\x63"
+	"\x75\x79\x74\x63\x70\x65\x62\x30\x67\x71\x30\x6C\x74\x65\x62\x75\x78"
+	"\x67\x69\x64\x75\x6E\x62\x73\x73\x61\x33\x64\x66\x6F\x6E\x30\x63\x61"
+	"\x7A\x64\x62\x6F\x72\x71\x71\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00"
+	"\x0A\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00";
+
+static char answer_packet[] =
+	"\x05\x39\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05\x73\x69\x6C\x6C"
+	"\x79\x04\x68\x6F\x73\x74\x02\x6F\x66\x06\x69\x6F\x64\x69\x6E\x65\x04"
+	"\x63\x6F\x64\x65\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00\x0A\x00\x01"
+	"\xC0\x0C\x00\x0A\x00\x01\x00\x00\x00\x00\x00\x23\x74\x68\x69\x73\x20"
+	"\x69\x73\x20\x74\x68\x65\x20\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x6F"
+	"\x20\x62\x65\x20\x64\x65\x6C\x69\x76\x65\x72\x65\x64";
+
+static char answer_packet_high_trans_id[] =
+	"\x85\x39\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05\x73\x69\x6C\x6C"
+	"\x79\x04\x68\x6F\x73\x74\x02\x6F\x66\x06\x69\x6F\x64\x69\x6E\x65\x04"
+	"\x63\x6F\x64\x65\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00\x0A\x00\x01"
+	"\xC0\x0C\x00\x0A\x00\x01\x00\x00\x00\x00\x00\x23\x74\x68\x69\x73\x20"
+	"\x69\x73\x20\x74\x68\x65\x20\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x6F"
+	"\x20\x62\x65\x20\x64\x65\x6C\x69\x76\x65\x72\x65\x64";
+static char *msgData = "this is the message to be delivered";
+static char *topdomain = "kryo.se";
+
+static char *innerData = "HELLO this is the test data";
+
+START_TEST(test_encode_query)
+{
+	char buf[512];
+	char resolv[512];
+	struct query q;
+	struct encoder *enc;
+	char *d;
+	size_t len;
+	size_t enclen;
+	int ret;
+
+	enclen = sizeof(resolv);
+	memset(&buf, 0, sizeof(buf));
+	memset(&resolv, 0, sizeof(resolv));
+	memset(&q, 0, sizeof(struct query));
+	q.type = T_NULL;
+	q.id = 1337;
+	d = resolv;
+	enc = get_base32_encoder();
+
+	*d++ = 'A';
+	enc->encode(d, &enclen, innerData, strlen(innerData));
+	d = resolv + strlen(resolv);
+	if (*d != '.') {
+		*d++ = '.';
+	}
+	strcpy(d, topdomain);
+	len = sizeof(buf);
+	ret = dns_encode(buf, len, &q, QR_QUERY, resolv, strlen(resolv));
+	len = sizeof(query_packet) - 1; /* Skip extra null character */
+
+	if (strncmp(query_packet, buf, sizeof(query_packet)) || ret != len) {
+		printf("\n");
+		dump_packet(query_packet, len);
+		dump_packet(buf, ret);
+	}
+	fail_unless(strncmp(query_packet, buf, sizeof(query_packet)) == 0, "Did not compile expected packet");
+	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
+}
+END_TEST
+
+START_TEST(test_decode_query)
+{
+	char buf[512];
+	char *domain;
+	struct query q;
+	struct encoder *enc;
+	size_t len;
+
+	memset(&q, 0, sizeof(struct query));
+	memset(&buf, 0, sizeof(buf));
+	q.id = 0;
+	len = sizeof(query_packet) - 1;
+	enc = get_base32_encoder();
+
+	dns_decode(buf, sizeof(buf), &q, QR_QUERY, query_packet, len);
+	domain = strstr(q.name, topdomain);
+	len = sizeof(buf);
+	unpack_data(buf, len, &(q.name[1]), (int) (domain - q.name) - 1, enc);
+
+	fail_unless(strncmp(buf, innerData, strlen(innerData)) == 0, "Did not extract expected host: '%s'", buf);
+	fail_unless(strlen(buf) == strlen(innerData), "Bad host length: %d, expected %d: '%s'", strlen(buf), strlen(innerData), buf);
+}
+END_TEST
+
+START_TEST(test_encode_response)
+{
+	char buf[512];
+	char *host = "silly.host.of.iodine.code.kryo.se";
+	struct query q;
+	int len;
+	int ret;
+
+	len = sizeof(buf);
+	memset(&buf, 0, sizeof(buf));
+	memset(&q, 0, sizeof(struct query));
+	strncpy(q.name, host, strlen(host));
+	q.type = T_NULL;
+	q.id = 1337;
+
+	ret = dns_encode(buf, len, &q, QR_ANSWER, msgData, strlen(msgData));
+	len = sizeof(answer_packet) - 1; /* Skip extra null character */
+
+	fail_unless(strncmp(answer_packet, buf, sizeof(answer_packet)) == 0, "Did not compile expected packet");
+	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
+}
+END_TEST
+
+START_TEST(test_decode_response)
+{
+	char buf[512];
+	struct query q;
+	int len;
+	int ret;
+
+	len = sizeof(buf);
+	memset(&buf, 0, sizeof(buf));
+
+	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet, sizeof(answer_packet)-1);
+	fail_unless(strncmp(msgData, buf, sizeof(msgData)) == 0, "Did not extract expected data");
+	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
+	fail_unless(q.id == 0x0539);
+}
+END_TEST
+
+START_TEST(test_decode_response_with_high_trans_id)
+{
+	char buf[512];
+	struct query q;
+	int len;
+	int ret;
+
+	len = sizeof(buf);
+	memset(&buf, 0, sizeof(buf));
+
+	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id)-1);
+	fail_unless(strncmp(msgData, buf, sizeof(msgData)) == 0, "Did not extract expected data");
+	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
+	fail_unless(q.id == 0x8539, "q.id was %08X instead of %08X!", q.id, 0x8539);
+}
+END_TEST
+
+START_TEST(test_get_id_short_packet)
+{
+	char buf[5];
+	int len;
+	unsigned short id;
+
+	len = sizeof(buf);
+	memset(&buf, 5, sizeof(buf));
+
+	id = dns_get_id(buf, len);
+	fail_unless(id == 0);
+}
+END_TEST
+
+START_TEST(test_get_id_low)
+{
+	unsigned short id;
+
+	id = dns_get_id(answer_packet, sizeof(answer_packet));
+	fail_unless(id == 1337);
+}
+END_TEST
+
+START_TEST(test_get_id_high)
+{
+	unsigned short id;
+
+	id = dns_get_id(answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id));
+	fail_unless(id == 0x8539);
+}
+END_TEST
+
+static void
+dump_packet(char *buf, size_t len)
+{
+	int pos;
+
+	for (pos = 0; pos < len; pos++) {
+		printf("\\x%02X", (unsigned char) buf[pos]);
+	}
+	printf("\n");
+	for (pos = 0; pos < len; pos++) {
+		if (isalnum((unsigned char) buf[pos])) {
+			printf(" %c  ", (unsigned char) buf[pos]);
+		} else {
+			printf("    ");
+		}
+	}
+	printf("\n");
+}
+
+TCase *
+test_dns_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Dns");
+	tcase_add_test(tc, test_encode_query);
+	tcase_add_test(tc, test_decode_query);
+	tcase_add_test(tc, test_encode_response);
+	tcase_add_test(tc, test_decode_response);
+	tcase_add_test(tc, test_decode_response_with_high_trans_id);
+	tcase_add_test(tc, test_get_id_short_packet);
+	tcase_add_test(tc, test_get_id_low);
+	tcase_add_test(tc, test_get_id_high);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/encoding.c b/jni/iodine/tests/encoding.c
new file mode 100644
index 0000000..ac22452
--- /dev/null
+++ b/jni/iodine/tests/encoding.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "encoding.h"
+#include "test.h"
+#include "base32.h"
+#include "base64.h"
+
+#define TUPLES 4
+
+static struct tuple
+{
+	char *a;
+	char *b;
+} dottests[] = {
+	{ "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa"},
+	{ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."},
+	{ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
+	{ "abc123", "abc123" },
+	{ NULL, NULL }
+};
+
+START_TEST(test_inline_dotify)
+{
+	char temp[1024];
+	char *b;
+
+	memset(temp, 0, sizeof(temp));
+	strcpy(temp, dottests[_i].a);
+	b = temp;
+	inline_dotify(b, sizeof(temp));
+
+	fail_unless(strcmp(dottests[_i].b, temp) == 0,
+			"'%s' != '%s'", temp, dottests[_i].b);
+}
+END_TEST
+
+START_TEST(test_inline_undotify)
+{
+	char temp[1024];
+	char *b;
+
+	memset(temp, 0, sizeof(temp));
+	strcpy(temp, dottests[_i].b);
+	b = temp;
+	inline_undotify(b, sizeof(temp));
+
+	fail_unless(strcmp(dottests[_i].a, temp) == 0,
+			"'%s' != '%s'", temp, dottests[_i].a);
+}
+END_TEST
+
+START_TEST(test_build_hostname)
+{
+	char data[256];
+	char buf[1024];
+	char *topdomain = "a.c";
+	int buflen;
+	int i;
+
+	for (i = 0; i < sizeof(data); i++) {
+		data[i] = i & 0xFF;
+	}
+
+	buflen = sizeof(buf);
+	
+	for (i = 1; i < sizeof(data); i++) {
+		int len = build_hostname(buf, buflen, data, i, topdomain, get_base32_encoder(), sizeof(buf));
+
+		fail_if(len > i);
+		fail_if(strstr(buf, ".."), "Found double dots when encoding data len %d! buf: %s", i, buf);
+	}
+}
+END_TEST
+
+TCase *
+test_encoding_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Encoding");
+	tcase_add_loop_test(tc, test_inline_dotify, 0, TUPLES);
+	tcase_add_loop_test(tc, test_inline_undotify, 0, TUPLES);
+	tcase_add_test(tc, test_build_hostname);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/fw_query.c b/jni/iodine/tests/fw_query.c
new file mode 100644
index 0000000..6d23924
--- /dev/null
+++ b/jni/iodine/tests/fw_query.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2006-2009 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+
+#include "fw_query.h"
+#include "test.h"
+
+START_TEST(test_fw_query_simple)
+{
+	struct fw_query q;
+	struct fw_query *qp;
+
+	q.addrlen = 33;
+	q.id = 0x848A;
+
+	fw_query_init();
+	
+	/* Test empty cache */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp == NULL);
+
+	fw_query_put(&q);
+
+	/* Test cache with one entry */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp->addrlen == q.addrlen);
+	fail_unless(qp->id == q.id);
+}
+END_TEST
+
+START_TEST(test_fw_query_edge)
+{
+	struct fw_query q;
+	struct fw_query *qp;
+	int i;
+
+	fw_query_init();
+	
+	q.addrlen = 33;
+	q.id = 0x848A;
+	fw_query_put(&q);
+
+	for (i = 1; i < FW_QUERY_CACHE_SIZE; i++) {
+		q.addrlen++;
+		q.id++;
+		fw_query_put(&q);
+	}
+
+	/* The query should still be cached */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp->addrlen == 33);
+	fail_unless(qp->id == 0x848A);
+		
+	q.addrlen++;
+	q.id++;
+	fw_query_put(&q);
+
+	/* but now it is overwritten */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp == NULL);
+}
+END_TEST
+
+TCase *
+test_fw_query_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Forwarded query");
+	tcase_add_test(tc, test_fw_query_simple);
+	tcase_add_test(tc, test_fw_query_edge);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/login.c b/jni/iodine/tests/login.c
new file mode 100644
index 0000000..1ef23f4
--- /dev/null
+++ b/jni/iodine/tests/login.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <string.h>
+
+#include "test.h"
+#include "login.h"
+
+START_TEST(test_login_hash)
+{
+	char ans[16];
+	char good[] = "\x2A\x8A\x12\xB4\xE0\x42\xEE\xAB\xD0\x19\x17\x1E\x44\xA0\x88\xCD";
+	char pass[32] = "iodine is the shit";
+	int len;
+	int seed;
+
+	len = sizeof(ans);
+	seed = 15;
+
+	memset(ans, 0, sizeof(ans));
+	login_calculate(ans, len, pass, seed);
+	fail_unless(strncmp(ans, good, len) == 0, NULL);
+}
+END_TEST
+
+START_TEST(test_login_hash_short)
+{
+	char ans[8];
+	char check[sizeof(ans)];
+	char pass[32] = "iodine is the shit";
+	int len;
+	int seed;
+
+	len = sizeof(ans);
+	seed = 15;
+
+	memset(ans, 0, sizeof(ans));
+	memset(check, 0, sizeof(check));
+
+	/* If len < 16, it should do nothing */
+	login_calculate(ans, len, pass, seed);
+	fail_if(memcmp(ans, check, sizeof(ans)));
+}
+END_TEST
+
+TCase *
+test_login_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Login");
+	tcase_add_test(tc, test_login_hash);
+	tcase_add_test(tc, test_login_hash_short);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/read.c b/jni/iodine/tests/read.c
new file mode 100644
index 0000000..18cc29c
--- /dev/null
+++ b/jni/iodine/tests/read.c
@@ -0,0 +1,297 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/stat.h>
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#include <arpa/nameser8_compat.h>
+#endif
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <check.h>
+
+#include "common.h"
+#include "encoding.h"
+#include "dns.h"
+#include "read.h"
+#include "test.h"
+
+START_TEST(test_read_putshort)
+{
+	unsigned short k;
+	unsigned short l;
+	char* p;
+	int i;
+
+	for (i = 0; i < 65536; i++) {
+		p = (char*)&k;
+		putshort(&p, i);
+		fail_unless(ntohs(k) == i,
+				"Bad value on putshort for %d: %d != %d",
+					i, ntohs(k), i);
+
+		p = (char*)&k;
+		readshort(NULL, &p, (short *) &l);
+		fail_unless(l == i,
+				"Bad value on readshort for %d: %d != %d",
+					i, l, i);
+	}
+}
+END_TEST
+
+START_TEST(test_read_putlong)
+{
+	uint32_t k;
+	uint32_t l;
+	char* p;
+	int i;
+	int j;
+
+	for (i = 0; i < 32; i++) {
+		p = (char*)&k;
+		j = 0xf << i;
+
+		putlong(&p, j);
+
+		fail_unless(ntohl(k) == j,
+				"Bad value on putlong for %d: %d != %d", i, ntohl(j), j);
+
+		p = (char*)&k;
+		readlong(NULL, &p, &l);
+
+		fail_unless(l == j,
+				"Bad value on readlong for %d: %d != %d", i, l, j);
+	}
+}
+END_TEST
+
+START_TEST(test_read_name_empty_loop)
+{
+	unsigned char emptyloop[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 };
+	char buf[1024];
+	char *data;
+	int rv;
+
+	memset(buf, 0, sizeof(buf));
+	data = (char*) emptyloop + sizeof(HEADER);
+	buf[1023] = 'A';
+	rv = readname((char *) emptyloop, sizeof(emptyloop), &data, buf, 1023);
+	fail_unless(buf[1023] == 'A');
+}
+END_TEST
+
+START_TEST(test_read_name_inf_loop)
+{
+	unsigned char infloop[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x01, 'A', 0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 };
+	char buf[1024];
+	char *data;
+	int rv;
+
+	memset(buf, 0, sizeof(buf));
+	data = (char*) infloop + sizeof(HEADER);
+	buf[4] = '\a';
+	rv = readname((char*) infloop, sizeof(infloop), &data, buf, 4);
+	fail_unless(buf[4] == '\a');
+}
+END_TEST
+
+START_TEST(test_read_name_longname)
+{
+	unsigned char longname[] =
+		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x00\x00\x01\x00\x01";
+	char buf[1024];
+	char *data;
+	int rv;
+
+	memset(buf, 0, sizeof(buf));
+	data = (char*) longname + sizeof(HEADER);
+	buf[256] = '\a';
+	rv = readname((char*) longname, sizeof(longname), &data, buf, 256);
+	fail_unless(buf[256] == '\a');
+}
+END_TEST
+
+START_TEST(test_read_name_onejump)
+{
+	unsigned char onejump[] =
+		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
+		"\x02hh\xc0\x15\x00\x01\x00\x01\x05zBCDE\x00";
+	char buf[1024];
+	char *data;
+	int rv;
+
+	memset(buf, 0, sizeof(buf));
+	data = (char*) onejump + sizeof(HEADER);
+	rv = readname((char*) onejump, sizeof(onejump), &data, buf, 256);
+	fail_unless(rv == 9);
+}
+END_TEST
+
+START_TEST(test_read_name_badjump_start)
+{
+	unsigned char badjump[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 };
+	unsigned char *jumper;
+	char buf[1024];
+	char *data;
+	int rv;
+
+	/* This test uses malloc to cause segfault if jump is executed */
+	memset(buf, 0, sizeof(buf));
+	jumper = malloc(sizeof(badjump));
+	if (jumper) {
+		memcpy(jumper, badjump, sizeof(badjump));
+		data = (char*) jumper + sizeof(HEADER);
+		rv = readname((char*) jumper, sizeof(badjump), &data, buf, 256);
+
+		fail_unless(rv == 0);
+		fail_unless(buf[0] == 0);
+	}
+	free(jumper);
+}
+END_TEST
+
+START_TEST(test_read_name_badjump_second)
+{
+	unsigned char badjump2[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x02, 'B', 'A', 0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 };
+	unsigned char *jumper;
+	char buf[1024];
+	char *data;
+	int rv;
+
+	/* This test uses malloc to cause segfault if jump is executed */
+	memset(buf, 0, sizeof(buf));
+	jumper = malloc(sizeof(badjump2));
+	if (jumper) {
+		memcpy(jumper, badjump2, sizeof(badjump2));
+		data = (char*) jumper + sizeof(HEADER);
+		rv = readname((char*) jumper, sizeof(badjump2), &data, buf, 256);
+
+		fail_unless(rv == 4);
+		fail_unless(strcmp("BA.", buf) == 0,
+				"buf is not BA: %s", buf);
+	}
+	free(jumper);
+}
+END_TEST
+
+START_TEST(test_putname)
+{
+	char out[] = "\x06" "BADGER\x06" "BADGER\x04" "KRYO\x02" "SE\x00";
+	char buf[256];
+	char *domain = "BADGER.BADGER.KRYO.SE";
+	char *b;
+	int len;
+	int ret;
+
+	len = 256;
+
+	memset(buf, 0, 256);
+	b = buf;
+	ret = putname(&b, 256, domain);
+
+	fail_unless(ret == strlen(domain) + 1);
+	fail_unless(strncmp(buf, out, ret) == 0, "Happy flow failed");
+}
+END_TEST
+
+START_TEST(test_putname_nodot)
+{
+	char buf[256];
+	char *nodot =
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ"
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	char *b;
+	int len;
+	int ret;
+
+	len = 256;
+
+	memset(buf, 0, 256);
+	b = buf;
+	ret = putname(&b, 256, nodot);
+
+	fail_unless(ret == -1);
+	fail_unless(b == buf);
+}
+END_TEST
+
+START_TEST(test_putname_toolong)
+{
+	char buf[256];
+	char *toolong =
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ.";
+	char *b;
+	int len;
+	int ret;
+
+	len = 256;
+
+	memset(buf, 0, 256);
+	b = buf;
+	ret = putname(&b, 256, toolong);
+
+	fail_unless(ret == -1);
+	fail_unless(b == buf);
+}
+END_TEST
+
+
+TCase *
+test_read_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Read");
+	tcase_set_timeout(tc, 60);
+	tcase_add_test(tc, test_read_putshort);
+	tcase_add_test(tc, test_read_putlong);
+	tcase_add_test(tc, test_read_name_empty_loop);
+	tcase_add_test(tc, test_read_name_inf_loop);
+	tcase_add_test(tc, test_read_name_longname);
+	tcase_add_test(tc, test_read_name_onejump);
+	tcase_add_test(tc, test_read_name_badjump_start);
+	tcase_add_test(tc, test_read_name_badjump_second);
+	tcase_add_test(tc, test_putname);
+	tcase_add_test(tc, test_putname_nodot);
+	tcase_add_test(tc, test_putname_toolong);
+
+	return tc;
+}
diff --git a/jni/iodine/tests/test.c b/jni/iodine/tests/test.c
new file mode 100644
index 0000000..5bee9d2
--- /dev/null
+++ b/jni/iodine/tests/test.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "test.h"
+
+int
+main()
+{
+	SRunner *runner;
+	Suite *iodine;
+	TCase *test;
+	int failed;
+
+	iodine = suite_create("iodine");
+
+	test = test_base32_create_tests();
+	suite_add_tcase(iodine, test);
+
+	test = test_base64_create_tests();
+	suite_add_tcase(iodine, test);
+
+	test = test_dns_create_tests();
+	suite_add_tcase(iodine, test);
+
+	test = test_encoding_create_tests();
+	suite_add_tcase(iodine, test);
+
+ 	test = test_read_create_tests();
+	suite_add_tcase(iodine, test);
+
+ 	test = test_login_create_tests();
+	suite_add_tcase(iodine, test);
+
+ 	test = test_user_create_tests();
+	suite_add_tcase(iodine, test);
+
+ 	test = test_fw_query_create_tests();
+	suite_add_tcase(iodine, test);
+
+	runner = srunner_create(iodine);
+	srunner_run_all(runner, CK_NORMAL);
+	failed = srunner_ntests_failed(runner);
+
+	srunner_free(runner);
+
+	return (failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/jni/iodine/tests/test.h b/jni/iodine/tests/test.h
new file mode 100644
index 0000000..1022a9e
--- /dev/null
+++ b/jni/iodine/tests/test.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __TEST_H__
+#define __TEST_H__
+
+TCase *test_base32_create_tests();
+TCase *test_base64_create_tests();
+TCase *test_dns_create_tests();
+TCase *test_encoding_create_tests();
+TCase *test_read_create_tests();
+TCase *test_login_create_tests();
+TCase *test_user_create_tests();
+TCase *test_fw_query_create_tests();
+
+char *va_str(const char *, ...);
+	
+#if (CHECK_MAJOR_VERSION == 0 && \
+	((CHECK_MINOR_VERSION == 9 && CHECK_MICRO_VERSION < 2) || \
+	 (CHECK_MINOR_VERSION < 9)))
+#define tcase_set_timeout(...) 
+#endif
+
+#endif
diff --git a/jni/iodine/tests/user.c b/jni/iodine/tests/user.c
new file mode 100644
index 0000000..afd61ca
--- /dev/null
+++ b/jni/iodine/tests/user.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+
+#include "common.h"
+#include "encoding.h"
+#include "user.h"
+#include "test.h"
+
+START_TEST(test_init_users)
+{
+	in_addr_t ip;
+	char givenip[16];
+	int i;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 27);
+	for (i = 0; i < USERS; i++) {
+		fail_unless(users[i].id == i);
+		fail_unless(users[i].q.id == 0);
+		fail_unless(users[i].inpacket.len == 0);
+		fail_unless(users[i].outpacket.len == 0);
+		snprintf(givenip, sizeof(givenip), "127.0.0.%d", i + 2);
+		fail_unless(users[i].tun_ip == inet_addr(givenip));
+	}
+}
+END_TEST
+
+START_TEST(test_users_waiting)
+{
+	in_addr_t ip;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 27);
+
+	fail_unless(users_waiting_on_reply() == 0);
+
+	users[3].active = 1;
+
+	fail_unless(users_waiting_on_reply() == 0);
+
+	users[3].last_pkt = time(NULL);
+	
+	fail_unless(users_waiting_on_reply() == 0);
+	
+	users[3].conn = CONN_DNS_NULL;
+	users[3].q.id = 1;
+	
+	fail_unless(users_waiting_on_reply() == 1);
+}
+END_TEST
+
+START_TEST(test_find_user_by_ip)
+{
+	in_addr_t ip;
+	unsigned int testip;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 27);
+	users[0].conn = CONN_DNS_NULL;
+
+	testip = (unsigned int) inet_addr("10.0.0.1");
+	fail_unless(find_user_by_ip(testip) == -1);
+	
+	testip = (unsigned int) inet_addr("127.0.0.2");
+	fail_unless(find_user_by_ip(testip) == -1);
+	
+	users[0].active = 1;
+	
+	testip = (unsigned int) inet_addr("127.0.0.2");
+	fail_unless(find_user_by_ip(testip) == -1);
+	
+	users[0].last_pkt = time(NULL);
+	
+	testip = (unsigned int) inet_addr("127.0.0.2");
+	fail_unless(find_user_by_ip(testip) == 0);
+}
+END_TEST
+
+START_TEST(test_all_users_waiting_to_send)
+{
+	in_addr_t ip;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 27);
+
+	fail_unless(all_users_waiting_to_send() == 1);
+	
+	users[0].conn = CONN_DNS_NULL;
+	users[0].active = 1;
+	
+	fail_unless(all_users_waiting_to_send() == 1);
+	
+	users[0].last_pkt = time(NULL);
+	users[0].outpacket.len = 0;
+	
+	fail_unless(all_users_waiting_to_send() == 0);
+
+#ifdef OUTPACKETQ_LEN
+	users[0].outpacketq_filled = 1;
+#else
+	users[0].outpacket.len = 44;
+#endif
+	
+	fail_unless(all_users_waiting_to_send() == 1);
+}
+END_TEST
+
+START_TEST(test_find_available_user)
+{
+	in_addr_t ip;
+	int i;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 27);
+
+	for (i = 0; i < USERS; i++) {
+		fail_unless(find_available_user() == i);
+	}
+
+	for (i = 0; i < USERS; i++) {
+		fail_unless(find_available_user() == -1);
+	}
+
+	users[3].active = 0;
+
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+
+	users[3].last_pkt = 55;
+	
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+}
+END_TEST
+
+START_TEST(test_find_available_user_small_net)
+{
+	in_addr_t ip;
+	int i;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 29); /* this should result in 5 enabled users */
+
+	for (i = 0; i < 5; i++) {
+		fail_unless(find_available_user() == i);
+	}
+
+	for (i = 0; i < USERS; i++) {
+		fail_unless(find_available_user() == -1);
+	}
+
+	users[3].active = 0;
+
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+
+	users[3].last_pkt = 55;
+	
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+}
+END_TEST
+
+TCase *
+test_user_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("User");
+	tcase_add_test(tc, test_init_users);
+	tcase_add_test(tc, test_users_waiting);
+	tcase_add_test(tc, test_find_user_by_ip);
+	tcase_add_test(tc, test_all_users_waiting_to_send);
+	tcase_add_test(tc, test_find_available_user);
+	tcase_add_test(tc, test_find_available_user_small_net);
+
+	return tc;
+}
diff --git a/proguard-project.txt b/proguard-project.txt
new file mode 100644
index 0000000..f2fe155
--- /dev/null
+++ b/proguard-project.txt
@@ -0,0 +1,20 @@
+# To enable ProGuard in your project, edit project.properties
+# to define the proguard.config property as described in that file.
+#
+# Add project specific ProGuard rules here.
+# By default, the flags in this file are appended to flags specified
+# in ${sdk.dir}/tools/proguard/proguard-android.txt
+# You can edit the include path and order by changing the ProGuard
+# include property in project.properties.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# Add any project specific keep options here:
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
diff --git a/project.properties b/project.properties
new file mode 100644
index 0000000..0840b4a
--- /dev/null
+++ b/project.properties
@@ -0,0 +1,14 @@
+# This file is automatically generated by Android Tools.
+# Do not modify this file -- YOUR CHANGES WILL BE ERASED!
+#
+# This file must be checked in Version Control Systems.
+#
+# To customize properties used by the Ant build system edit
+# "ant.properties", and override values to adapt the script to your
+# project structure.
+#
+# To enable ProGuard to shrink and obfuscate your code, uncomment this (available properties: sdk.dir, user.home):
+#proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
+
+# Project target.
+target=android-15
diff --git a/res/anim/main_status_image_connect.xml b/res/anim/main_status_image_connect.xml
new file mode 100644
index 0000000..dadf0d6
--- /dev/null
+++ b/res/anim/main_status_image_connect.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<scale xmlns:android="http://schemas.android.com/apk/res/android"
+    android:duration="200"
+    android:fromXScale="1.0"
+    android:fromYScale="1.0"
+    android:interpolator="@android:anim/overshoot_interpolator"
+    android:pivotX="50%"
+    android:pivotY="50%"
+    android:repeatCount="infinite"
+    android:repeatMode="restart"
+    android:toXScale="0.8"
+    android:toYScale="0.8" >
+
+</scale>
\ No newline at end of file
diff --git a/res/anim/main_status_image_connected.xml b/res/anim/main_status_image_connected.xml
new file mode 100644
index 0000000..e9aba80
--- /dev/null
+++ b/res/anim/main_status_image_connected.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rotate xmlns:android="http://schemas.android.com/apk/res/android"
+    android:duration="2000"
+    android:fromDegrees="0"
+    android:interpolator="@android:anim/linear_interpolator"
+    android:pivotX="50%"
+    android:pivotY="50%"
+    android:repeatCount="infinite"
+    android:repeatMode="restart"
+    android:toDegrees="359" >
+</rotate>
\ No newline at end of file
diff --git a/res/anim/main_status_image_disconnect.xml b/res/anim/main_status_image_disconnect.xml
new file mode 100644
index 0000000..49677b5
--- /dev/null
+++ b/res/anim/main_status_image_disconnect.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<translate xmlns:android="http://schemas.android.com/apk/res/android"
+    android:duration="200"
+    android:fromXDelta="20"
+    android:repeatCount="infinite"
+    android:repeatMode="reverse"
+    android:toXDelta="-20" >
+
+</translate>
\ No newline at end of file
diff --git a/res/anim/main_status_image_error.xml b/res/anim/main_status_image_error.xml
new file mode 100644
index 0000000..55472d0
--- /dev/null
+++ b/res/anim/main_status_image_error.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<set xmlns:android="http://schemas.android.com/apk/res/android"
+    android:interpolator="@android:anim/decelerate_interpolator" >
+
+    <set
+        android:duration="200"
+        android:interpolator="@android:anim/anticipate_overshoot_interpolator" >
+        <scale
+            android:fromXScale="1.0"
+            android:fromYScale="1.0"
+            android:pivotX="50%"
+            android:pivotY="50%"
+            android:repeatCount="infinite"
+            android:repeatMode="reverse"
+            android:startOffset="800"
+            android:toXScale="2.8"
+            android:toYScale="0.0" />
+    </set>
+
+</set>
\ No newline at end of file
diff --git a/res/anim/main_status_image_idle.xml b/res/anim/main_status_image_idle.xml
new file mode 100644
index 0000000..68802e7
--- /dev/null
+++ b/res/anim/main_status_image_idle.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<set xmlns:android="http://schemas.android.com/apk/res/android" >
+
+</set>
\ No newline at end of file
diff --git a/res/drawable/action_help.png b/res/drawable/action_help.png
new file mode 100644
index 0000000..1bf05f2
--- /dev/null
+++ b/res/drawable/action_help.png
diff --git a/res/drawable/cancel.png b/res/drawable/cancel.png
new file mode 100644
index 0000000..d743d75
--- /dev/null
+++ b/res/drawable/cancel.png
diff --git a/res/drawable/delete.png b/res/drawable/delete.png
new file mode 100644
index 0000000..a9d4d6e
--- /dev/null
+++ b/res/drawable/delete.png
diff --git a/res/drawable/device_access_new_account.png b/res/drawable/device_access_new_account.png
new file mode 100644
index 0000000..6e92072
--- /dev/null
+++ b/res/drawable/device_access_new_account.png
diff --git a/res/drawable/error.png b/res/drawable/error.png
new file mode 100644
index 0000000..2d0283e
--- /dev/null
+++ b/res/drawable/error.png
diff --git a/res/drawable/ic_bt_config.png b/res/drawable/ic_bt_config.png
new file mode 100644
index 0000000..6754469
--- /dev/null
+++ b/res/drawable/ic_bt_config.png
diff --git a/res/drawable/logo.png b/res/drawable/logo.png
new file mode 100644
index 0000000..a1eb6d2
--- /dev/null
+++ b/res/drawable/logo.png
diff --git a/res/layout/configitem.xml b/res/layout/configitem.xml
new file mode 100644
index 0000000..d8d279d
--- /dev/null
+++ b/res/layout/configitem.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:baselineAligned="false"
+    android:orientation="horizontal" >
+
+    <LinearLayout
+        android:id="@+id/configitem_layout_name"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_gravity="center_vertical"
+        android:layout_weight="1"
+        android:clickable="true"
+        android:orientation="vertical" >
+
+        <TextView
+            android:id="@+id/configitem_text_name"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:text="name der verbindung"
+            tools:ignore="HardcodedText" />
+
+        <TextView
+            android:id="@+id/configitem_text_topdomain"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:text="xxx.topdomain.org"
+            tools:ignore="HardcodedText" />
+    </LinearLayout>
+
+    <ImageButton
+        android:id="@+id/configitem_btn_manage"
+        android:layout_width="50dp"
+        android:layout_height="50dp"
+        android:background="@drawable/ic_bt_config"
+        android:contentDescription="@string/configitem_description_manage" />
+
+</LinearLayout>
\ No newline at end of file
diff --git a/res/layout/fragment_list.xml b/res/layout/fragment_list.xml
new file mode 100644
index 0000000..3b1e678
--- /dev/null
+++ b/res/layout/fragment_list.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+              android:orientation="vertical"
+              android:layout_width="match_parent"
+              android:layout_height="match_parent"
+        >
+
+    <ListView
+            android:id="@+id/list_view"
+            android:layout_width="match_parent"
+            android:layout_height="0dp"
+            android:layout_weight="1">
+    </ListView>
+</LinearLayout>
\ No newline at end of file
diff --git a/res/layout/fragment_status.xml b/res/layout/fragment_status.xml
new file mode 100644
index 0000000..d6030e3
--- /dev/null
+++ b/res/layout/fragment_status.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+              xmlns:tools="http://schemas.android.com/tools"
+              android:orientation="vertical"
+              android:layout_width="match_parent"
+              android:layout_height="match_parent"
+        >
+
+    <TextView
+            android:layout_width="fill_parent"
+            android:layout_height="wrap_content"
+            android:text="Message Placeholder"
+            android:id="@+id/status_message"
+            style="@android:style/TextAppearance.DeviceDefault.Large"
+            tools:ignore="HardcodedText"/>
+
+    <LinearLayout
+            android:layout_width="fill_parent"
+            android:layout_height="fill_parent"
+            android:orientation="vertical"
+            >
+
+
+        <ScrollView
+                android:layout_width="fill_parent"
+                android:layout_height="wrap_content"
+                android:autoText="true"
+                android:id="@+id/status_scrollview"
+                android:layout_weight="1">
+
+            <TextView
+                    android:layout_height="match_parent"
+                    android:layout_width="match_parent"
+                    android:id="@+id/status_logmessages"/>
+        </ScrollView>
+
+        <Button
+                android:drawableLeft="@drawable/cancel"
+                android:text="Cancel"
+                android:id="@+id/status_cancel"
+                android:layout_width="match_parent"
+                android:layout_height="50dp"
+                />
+
+    </LinearLayout>
+</LinearLayout>
\ No newline at end of file
diff --git a/res/layout/main.xml b/res/layout/main.xml
new file mode 100644
index 0000000..64bf136
--- /dev/null
+++ b/res/layout/main.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+              xmlns:tools="http://schemas.android.com/tools"
+              android:layout_width="match_parent"
+              android:layout_height="match_parent"
+              android:orientation="vertical">
+
+    <FrameLayout
+            android:id="@+id/main_fragment_status"
+            android:layout_width="match_parent"
+            android:layout_height="match_parent"/>
+</LinearLayout>
\ No newline at end of file
diff --git a/res/layout/pref.xml b/res/layout/pref.xml
new file mode 100644
index 0000000..ff54538
--- /dev/null
+++ b/res/layout/pref.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:orientation="vertical" >
+
+    <ListView
+        android:id="@+id/pref_list"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent" >
+    </ListView>
+
+</LinearLayout>
\ No newline at end of file
diff --git a/res/layout/rowlayout.xml b/res/layout/rowlayout.xml
new file mode 100644
index 0000000..7fd7f4e
--- /dev/null
+++ b/res/layout/rowlayout.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:orientation="horizontal" >
+
+    <LinearLayout
+        android:id="@+id/rowlayout_content"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_weight="2"
+        android:orientation="vertical" >
+
+        <TextView
+            android:id="@+id/rowlayout_title"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content" />
+
+    </LinearLayout>
+
+    <ImageButton
+        android:id="@+id/rowlayout_help"
+        android:layout_width="40dp"
+        android:layout_height="40dp"
+        android:layout_gravity="center"
+        android:background="@drawable/action_help"
+        android:contentDescription="Help"
+        tools:ignore="HardcodedText" />
+
+</LinearLayout>
\ No newline at end of file
diff --git a/res/menu/fragment_list.xml b/res/menu/fragment_list.xml
new file mode 100644
index 0000000..44f54e9
--- /dev/null
+++ b/res/menu/fragment_list.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<menu xmlns:android="http://schemas.android.com/apk/res/android">
+    <item
+            android:id="@+id/menu_main_add"
+            android:icon="@drawable/device_access_new_account"
+            android:showAsAction="always"
+            android:title="@string/fragment_list_add">
+    </item>
+</menu>
\ No newline at end of file
diff --git a/res/menu/main.xml b/res/menu/main.xml
new file mode 100644
index 0000000..4a179ff
--- /dev/null
+++ b/res/menu/main.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<menu xmlns:android="http://schemas.android.com/apk/res/android">
+
+    <item
+            android:id="@+id/menu_main_about"
+            android:icon="@drawable/action_help"
+            android:showAsAction="never"
+            android:title="@string/main_about">
+    </item>
+
+</menu>
\ No newline at end of file
diff --git a/res/menu/pref.xml b/res/menu/pref.xml
new file mode 100644
index 0000000..a73acea
--- /dev/null
+++ b/res/menu/pref.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<menu xmlns:android="http://schemas.android.com/apk/res/android">
+
+    <item
+            android:id="@+id/menu_pref_delete"
+            android:icon="@drawable/delete"
+            android:title="@string/pref_delete"
+            android:showAsAction="always">
+    </item>
+
+</menu>
\ No newline at end of file
diff --git a/res/raw/license b/res/raw/license
new file mode 100644
index 0000000..1265d24
--- /dev/null
+++ b/res/raw/license
@@ -0,0 +1,56 @@
+== Andiodine iodine Android App:
+Copyright (c) 2013 Yves Fischer <yvesf@xapek.org>
+licensed under the same terms as iodine
+
+== iodine C-Implementation: (jni/iodine)
+Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+Also major contributions by Anne Bezemer.
+Android modifications by Yves Fischer.
+
+http://code.kryo.se/iodine/
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND 
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+
+== MD5 implementation (jni/iodine/src/md5.[ch])
+MD5 implementation by L. Peter Deutsch (license and source in src/md5.[ch])
+Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
+
+
+== dns definitions (jni/iodine/src/dns_android.h)
+ * Copyright (c) 1983, 1989, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
\ No newline at end of file
diff --git a/res/raw/logo.svg b/res/raw/logo.svg
new file mode 100644
index 0000000..91f5776
--- /dev/null
+++ b/res/raw/logo.svg
@@ -0,0 +1,742 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.1"
+   preserveAspectRatio="xMidYMid meet"
+   zoomAndPan="magnify"
+   viewBox="-800 -800 1000 1000"
+   width="1000"
+   height="1000"
+   id="svg2"
+   inkscape:version="0.48.3.1 r9886"
+   sodipodi:docname="logo.svg">
+  <metadata
+     id="metadata82">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="1916"
+     inkscape:window-height="1180"
+     id="namedview80"
+     showgrid="false"
+     inkscape:zoom="0.236"
+     inkscape:cx="-309.15823"
+     inkscape:cy="-43.472837"
+     inkscape:window-x="0"
+     inkscape:window-y="18"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="g3243-6" />
+  <defs
+     id="defs6">
+    <circle
+       id="electron"
+       r="30"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="30"
+       sodipodi:ry="30"
+       style="fill:#b7c6cb;stroke:none" />
+  </defs>
+  <g
+     style="display:inline"
+     id="g3225-7"
+     transform="matrix(0.89905744,0,0,0.94208582,-25.711286,-29.3741)">
+    <circle
+       transform="matrix(0.87892157,0,0,0.83654869,-305.08475,-287.26247)"
+       style="fill:#f6ffec;stroke:#343434;stroke-width:10;fill-opacity:1"
+       sodipodi:ry="200"
+       sodipodi:rx="200"
+       sodipodi:cy="0"
+       sodipodi:cx="0"
+       cy="0"
+       cx="0"
+       id="circle3227-5"
+       r="200"
+       d="m 200,0 c 0,110.45695 -89.54305,200 -200,200 -110.45695,0 -200,-89.54305 -200,-200 0,-110.45695 89.54305,-200 200,-200 110.45695,0 200,89.54305 200,200 z" />
+    <g
+       transform="matrix(0.86112107,0,0,0.86112107,-303.56771,-377.84524)"
+       id="g3229-2">
+      <g
+         style="fill:#a4c639"
+         id="g3231-9">
+        <g
+           id="use3233-3"
+           style="stroke:#ffffff;stroke-width:7.19999981"
+           transform="scale(-1,1)">
+          <rect
+             id="rect3571"
+             x="14"
+             y="-86"
+             width="13"
+             height="86"
+             transform="matrix(0.87461971,0.48480962,-0.48480962,0.87461971,0,0)"
+             rx="6.5"
+             style="stroke:none" />
+          <rect
+             x="-143"
+             y="41"
+             width="48"
+             height="133"
+             rx="24"
+             id="rect3573"
+             style="stroke:none" />
+          <rect
+             x="-58"
+             y="138"
+             width="48"
+             height="133"
+             rx="24"
+             id="use3575"
+             style="stroke:none" />
+        </g>
+        <g
+           style="stroke:#ffffff;stroke-width:7.19999981"
+           id="g3235-5">
+          <rect
+             style="stroke:none"
+             rx="6.5"
+             transform="matrix(0.87461971,0.48480962,-0.48480962,0.87461971,0,0)"
+             height="86"
+             width="13"
+             y="-86"
+             x="14"
+             id="rect3237-7" />
+          <rect
+             style="stroke:none"
+             id="rect3239-4"
+             rx="24"
+             height="133"
+             width="48"
+             y="41"
+             x="-143" />
+          <rect
+             x="-58"
+             y="138"
+             width="48"
+             height="133"
+             rx="24"
+             id="use3241-5"
+             style="stroke:none" />
+        </g>
+        <g
+           id="g3243-6">
+          <ellipse
+             d="m 91,41 c 0,46.391919 -40.742088,84 -91,84 -50.257912,0 -91,-37.608081 -91,-84 0,-46.391919 40.742088,-84 91,-84 50.257912,0 91,37.608081 91,84 z"
+             sodipodi:ry="84"
+             sodipodi:rx="91"
+             sodipodi:cy="41"
+             sodipodi:cx="0"
+             cx="0"
+             cy="41"
+             rx="91"
+             ry="84"
+             id="ellipse3245-2"
+             style="fill:#a4c639;fill-opacity:1;stroke:#a4c639;stroke-opacity:1" />
+          <path
+             style=""
+             d="M 447.9375 430.875 C 439.93814 430.875 433.28525 436.60888 431.4375 444.375 L 571.28125 444.375 C 569.43246 436.61046 562.77955 430.875 554.78125 430.875 L 447.9375 430.875 z M 430.90625 451 L 430.90625 560.6875 C 430.90625 570.57501 438.50158 578.53125 447.9375 578.53125 L 554.78125 578.53125 C 564.21717 578.53125 571.8125 570.57501 571.8125 560.6875 L 571.8125 451 L 430.90625 451 z "
+             transform="matrix(1.2916604,0,0,1.2326657,-647.5919,-511.14118)"
+             id="rect3247-7" />
+          <path
+             inkscape:connector-curvature="0"
+             style="fill:#ffffff;stroke:#ffffff;stroke-width:7.04677343;display:inline"
+             d="M -90.99955,40.88152 H 90.999549"
+             id="path3251-2" />
+        </g>
+        <g
+           style="fill:#ffffff;stroke:#ffffff;stroke-width:7.19999981;display:inline"
+           id="g3249-3"
+           transform="translate(-0.049281,4.3465664)">
+          <circle
+             d="m -38,0 c 0,2.209139 -1.790861,4 -4,4 -2.209139,0 -4,-1.790861 -4,-4 0,-2.209139 1.790861,-4 4,-4 2.209139,0 4,1.790861 4,4 z"
+             sodipodi:ry="4"
+             sodipodi:rx="4"
+             sodipodi:cy="0"
+             sodipodi:cx="-42"
+             cy="0"
+             cx="-42"
+             r="4"
+             id="circle3253-6" />
+          <circle
+             d="m 46,0 c 0,2.209139 -1.790861,4 -4,4 -2.209139,0 -4,-1.790861 -4,-4 0,-2.209139 1.790861,-4 4,-4 2.209139,0 4,1.790861 4,4 z"
+             sodipodi:ry="4"
+             sodipodi:rx="4"
+             sodipodi:cy="0"
+             sodipodi:cx="42"
+             cy="0"
+             cx="42"
+             r="4"
+             id="circle3255-6" />
+        </g>
+      </g>
+    </g>
+  </g>
+  <g
+     id="g4283"
+     transform="translate(0,-8.73212)">
+    <circle
+       transform="matrix(0.73071782,0,0,0.73071782,-300,-291.26788)"
+       id="shell_1"
+       r="300"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="300"
+       sodipodi:ry="300"
+       d="M 300,0 C 300,165.68542 165.68542,300 0,300 -165.68542,300 -300,165.68542 -300,0 c 0,-165.68542 134.31458,-300 300,-300 165.68542,0 300,134.31458 300,300 z"
+       style="fill:none;stroke:#77868b;stroke-width:8" />
+    <use
+       transform="matrix(0.73071782,0,0,0.73071782,-300,-291.26788)"
+       id="electron_0_shell_1"
+       xlink:href="#electron"
+       y="-300"
+       x="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_1_shell_1"
+       xlink:href="#electron_0_shell_1"
+       transform="matrix(-1,0,0,-1,-600,-582.53576)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <circle
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="shell_2"
+       r="400"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="400"
+       sodipodi:ry="400"
+       d="M 400,0 C 400,220.9139 220.9139,400 0,400 -220.9139,400 -400,220.9139 -400,0 c 0,-220.9139 179.0861,-400 400,-400 220.9139,0 400,179.0861 400,400 z"
+       style="fill:none;stroke:#77868b;stroke-width:8" />
+    <use
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="electron_0_shell_2"
+       xlink:href="#electron"
+       y="-400"
+       x="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_1_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(0.70710678,0.70710678,-0.70710678,0.70710678,-293.82546,126.82165)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_2_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(0,1,-1,0,-591.26788,8.73212)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_3_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(-0.70710678,0.70710678,-0.70710678,-0.70710678,-718.08953,-285.09334)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_4_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(-1,0,0,-1,-600,-582.53576)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_5_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(-0.70710678,-0.70710678,0.70710678,-0.70710678,-306.17454,-709.35741)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_6_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(0,-1,1,0,-8.73212,-591.26788)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_7_shell_2"
+       xlink:href="#electron_0_shell_2"
+       transform="matrix(0.70710678,-0.70710678,0.70710678,0.70710678,118.08953,-297.44242)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <circle
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="shell_3"
+       r="500"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="500"
+       sodipodi:ry="500"
+       d="M 500,0 C 500,276.14237 276.14237,500 0,500 -276.14237,500 -500,276.14237 -500,0 c 0,-276.14237 223.85763,-500 500,-500 276.14237,0 500,223.85763 500,500 z"
+       style="fill:none;stroke:#77868b;stroke-width:8" />
+    <use
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="electron_0_shell_3"
+       xlink:href="#electron"
+       y="-500"
+       x="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_1_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.93969262,0.34202014,-0.34202014,0.93969262,-117.7117,85.040439)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_2_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.76604444,0.64278761,-0.64278761,0.76604444,-257.41005,124.69254)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_3_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.5,0.8660254,-0.8660254,0.5,-402.24538,114.17368)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_4_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.17364818,0.98480775,-0.98480775,0.17364818,-534.74841,54.752582)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_5_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.17364818,0.98480775,-0.98480775,-0.17364818,-638.93732,-46.403692)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_6_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.5,0.8660254,-0.8660254,-0.5,-702.24538,-177.0942)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_7_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.76604444,0.64278761,-0.64278761,-0.76604444,-717.03672,-321.55574)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_8_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.93969262,0.34202014,-0.34202014,-0.93969262,-681.52727,-462.36412)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_9_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-1,0,0,-1,-600,-582.53576)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_10_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.93969262,-0.34202014,0.34202014,-0.93969262,-482.2883,-667.5762)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_11_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.76604444,-0.64278761,0.64278761,-0.76604444,-342.58995,-707.2283)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_12_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.5,-0.8660254,0.8660254,-0.5,-197.75462,-696.70944)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_13_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(-0.17364818,-0.98480775,0.98480775,-0.17364818,-65.251588,-637.28834)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_14_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.17364818,-0.98480775,0.98480775,0.17364818,38.93732,-536.13207)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_15_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.5,-0.8660254,0.8660254,0.5,102.24538,-405.44156)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_16_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.76604444,-0.64278761,0.64278761,0.76604444,117.03672,-260.98002)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#00d7d7;fill-opacity:1;stroke:#000000;stroke-width:8" />
+    <use
+       id="electron_17_shell_3"
+       xlink:href="#electron_0_shell_3"
+       transform="matrix(0.93969262,-0.34202014,0.34202014,0.93969262,81.527267,-120.17164)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <circle
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="shell_4"
+       r="600"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="600"
+       sodipodi:ry="600"
+       d="M 600,0 C 600,331.37085 331.37085,600 0,600 -331.37085,600 -600,331.37085 -600,0 c 0,-331.37085 268.62915,-600 600,-600 331.37085,0 600,268.62915 600,600 z"
+       style="fill:none;stroke:#77868b;stroke-width:8" />
+    <use
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="electron_0_shell_4"
+       xlink:href="#electron"
+       y="-600"
+       x="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_1_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.93969262,0.34202014,-0.34202014,0.93969262,-117.7117,85.040439)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_2_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.76604444,0.64278761,-0.64278761,0.76604444,-257.41005,124.69254)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_3_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.5,0.8660254,-0.8660254,0.5,-402.24538,114.17368)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_4_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.17364818,0.98480775,-0.98480775,0.17364818,-534.74841,54.752582)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_5_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.17364818,0.98480775,-0.98480775,-0.17364818,-638.93732,-46.403692)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_6_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.5,0.8660254,-0.8660254,-0.5,-702.24538,-177.0942)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_7_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.76604444,0.64278761,-0.64278761,-0.76604444,-717.03672,-321.55574)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_8_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.93969262,0.34202014,-0.34202014,-0.93969262,-681.52727,-462.36412)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_9_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-1,0,0,-1,-600,-582.53576)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_10_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.93969262,-0.34202014,0.34202014,-0.93969262,-482.2883,-667.5762)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_11_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.76604444,-0.64278761,0.64278761,-0.76604444,-342.58995,-707.2283)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_12_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.5,-0.8660254,0.8660254,-0.5,-197.75462,-696.70944)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_13_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(-0.17364818,-0.98480775,0.98480775,-0.17364818,-65.251588,-637.28834)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_14_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.17364818,-0.98480775,0.98480775,0.17364818,38.93732,-536.13207)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_15_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.5,-0.8660254,0.8660254,0.5,102.24538,-405.44156)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_16_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.76604444,-0.64278761,0.64278761,0.76604444,117.03672,-260.98002)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_17_shell_4"
+       xlink:href="#electron_0_shell_4"
+       transform="matrix(0.93969262,-0.34202014,0.34202014,0.93969262,81.527267,-120.17164)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <circle
+       transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)"
+       id="shell_5"
+       r="700"
+       cx="0"
+       cy="0"
+       sodipodi:cx="0"
+       sodipodi:cy="0"
+       sodipodi:rx="700"
+       sodipodi:ry="700"
+       d="M 700,0 C 700,386.59932 386.59932,700 0,700 -386.59932,700 -700,386.59932 -700,0 c 0,-386.59932 313.40068,-700 700,-700 386.59932,0 700,313.40068 700,700 z"
+       style="fill:none;stroke:#77868b;stroke-width:8" />
+    <a
+       id="a4147">
+      <use
+         style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1"
+         height="1600"
+         width="1600"
+         x="0"
+         y="-700"
+         xlink:href="#electron"
+         id="electron_0_shell_5"
+         transform="matrix(0.67170146,0,0,0.67170146,-300,-291.26788)" />
+    </a>
+    <use
+       id="electron_1_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(0.62348981,0.78183148,-0.78183148,0.62348981,-340.67545,124.88412)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_2_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(-0.22252094,0.97492791,-0.97492791,-0.22252094,-650.72147,-63.602709)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_3_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(-0.90096887,0.43388374,-0.43388374,-0.90096887,-696.66706,-423.52605)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_4_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(-0.90096887,-0.43388374,0.43388374,-0.90096887,-443.91426,-683.85629)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_5_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(-0.22252094,-0.97492791,0.97492791,-0.22252094,-82.791097,-648.55946)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+    <use
+       id="electron_6_shell_5"
+       xlink:href="#electron_0_shell_5"
+       transform="matrix(0.62348981,-0.78183148,0.78183148,0.62348981,114.76934,-344.21477)"
+       x="0"
+       y="0"
+       width="1600"
+       height="1600"
+       style="fill:#ff0000;stroke:#ff0000;stroke-width:8;fill-opacity:1" />
+  </g>
+</svg>
diff --git a/res/values-de/strings.xml b/res/values-de/strings.xml
new file mode 100644
index 0000000..3cc17ac
--- /dev/null
+++ b/res/values-de/strings.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="pref_text_password_label">Passwort</string>
+    <string name="pref_text_topdomain_label">Tunnel Toplevel Domain</string>
+    <string name="pref_text_tunnel_nameserver_label">Tunnel Nameserver</string>
+    <string name="pref_text_nameserver_mode_label">Nameserver Modus</string>
+    <string name="pref_text_nameserver_address_label">Nameserver Adresse</string>
+    <string name="pref_text_name_label">Profil Name</string>
+    <string name="pref_text_use_default_nameserver">Verwende standard Nameserver</string>
+    <string name="pref_help_name">Name für diese Verbindungskonfiguration</string>
+    <string name="pref_help_topdomain">Der DNS Traffic wird als Anfragen für subdomains unterhalb dieser Topdomain gesendert. Dies ist gewöhnlich eine Domain die Dir gehört. Verwende eine kurze Domain um mehr Durchsatz zu erzielen. Diese Einstellung muss am Server und am Client gleich sein</string>
+    <string name="pref_help_lazy">Verwende lazy mode für bessere performance und niedrigere latenzzeiten. Eine kleine Minderheit an DNS Relays scheinen damit nicht klarzukommen was darin resultiert dass keine oder fast keine Daten übertragen werden. Der Client wird dies aber in der Regel feststellen und den Lazy mode ausschalten. Falls nicht verwende diese Option</string>
+    <string name="pref_help_raw">Falls gesetzt wird iodine versuchen die öffentliche IP-Adresse des iodined Server aufzulösen und testen ob er direkt erreichbar ist. Falls ja, wird er den Traffic direkt an den Server senden anstatt an ein DNS relay</string>
+    <string name="pref_help_tunnel_nameserver">Der Nameserver/DNS Relay der verwendet wird um mit iodined zu kommunizieren.  Dieses Feld ist optional und wenn es nicht gesetzt ist wird der im System hinterlegte DNS Server verwendet</string>
+    <string name="pref_help_password">Dieses Feld ist optional. Es werden nur die ersten 32 Zeichen verwendet.</string>
+    <string name="pref_help_nameserver_mode">Legt fest wie der Nameserver gesetzt werden soll nachdem der Tunnel aufgebaut wurde</string>
+    <string name="pref_help_nameserver">IP-Adresse eine speziellen Nameserver der gesetzt werden soll wenn Nameserver Modus = Custom ist.</string>
+    <string name="pref_help_request_type">Typ der DNS Abfragen. Standardmäßig wird die beste Request type automatisch ausgewählt.</string>
+    <string name="pref_help_default_route">Legt fest ob die Default Route gesetzt wird nachdem die Verbindung aufgebaut wurde</string>
+    <string name="enable">Aktivieren</string>
+    <string name="vpnservice_error_configuration_incomplete">Konfiguration ist unvollständig</string>
+    <string name="vpnservice_error_already_running">Kann das VPN nicht starten, es läuft bereits.</string>
+    <string name="vpnservice_error_thread_exited">VPN Thread hat sich unerwartet beendet.</string>
+    <string name="vpnservice_error_cant_open_dnssocket">Kann den DNS Socket nicht öffnen</string>
+    <string name="vpnservice_error_handshake_failed">Handshake fehlgeschlagen</string>
+    <string name="vpnservice_error_unknown_error_code">Unbekannter Fehler. Kode %d</string>
+    <string name="vpnservice_error_unknown_error_string">Unbekannter Fehler. Grund: %s</string>
+    <string name="idle">Leerlauf</string>
+    <string name="warning">Warnung</string>
+    <string name="configitem_description_manage">Konfiguriere dieses Verbindungsprofil</string>
+    <string name="pref_title">Verbindungseinstellungen</string>
+
+</resources>
\ No newline at end of file
diff --git a/res/values/strings.xml b/res/values/strings.xml
new file mode 100644
index 0000000..e07212c
--- /dev/null
+++ b/res/values/strings.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="app_name">AndIodine</string>
+    <string name="app_about">About</string>
+
+    <string-array name="pref_entries_dnstype">
+        <item>autodetect</item>
+        <item>NULL</item>
+        <item>TXT</item>
+        <item>SRV</item>
+        <item>MX</item>
+        <item>CNAME</item>
+        <item>A</item>
+    </string-array>
+    <string-array name="pref_entries_nameserver_mode">
+        <item>Network default</item>
+        <item>Custom</item>
+        <item>Tunnel Endpoint</item>
+    </string-array>
+
+    <string name="main_description_add_account">Add Account</string>
+    <string name="pref_description_cancel">Cancel</string>
+    <string name="configitem_description_close">Close Tunnel</string>
+    <string name="pref_text_password_label">Password</string>
+    <string name="pref_text_topdomain_label">Tunnel Toplevel Domain</string>
+    <string name="pref_text_tunnel_nameserver_label">Tunnel Nameserver</string>
+    <string name="pref_text_nameserver_mode_label">Nameserver Mode</string>
+    <string name="pref_text_nameserver_address_label">Nameserver Address</string>
+    <string name="pref_text_name_label">Configuration Profile Name</string>
+    <string name="pref_text_use_default_nameserver">Use default Nameserver for tunneling</string>
+    <string name="pref_help_name">Name for this configuration.</string>
+    <string name="pref_help_topdomain">The dns traffic will be sent as queries for subdomains under _topdomain_. This is
+        normally a subdomain to a domain you own. Use a short domain name to get better throughput. If nameserver is the
+        iodined server, then the topdomain can be chosen freely. This argument must be the same on both the client and
+        the server.
+    </string>
+    <string name="pref_help_lazy">Use lazy mode for improved performance and decreased latency. A very small minority of
+        DNS relays appears to be unable to handle the lazy mode traffic pattern, resulting in no or very little data
+        coming through. The iodine client will detect this and try to switch back to legacy mode, but this may not
+        always work. In these situations use this switch.
+    </string>
+    <string name="pref_help_raw">If set used, iodine will try getting the public IP address of the iodined host and test
+        if it is reachable directly. If it is, traffic will be sent to the server instead of the DNS relay.
+    </string>
+    <string name="pref_help_tunnel_nameserver">The nameserver to use to relay the dns traffic. This can be any relaying
+        nameserver or the server running iodined if reachable. This field can be given as an IP address, or as a
+        hostname. This argument is optional, and if not specified the default system Nameserver will be used.
+    </string>
+    <string name="pref_help_password">This field is optional. Only the first 32 characters will be used</string>
+    <string name="pref_help_nameserver_mode">Source of the Nameserver to use for name resolution while tunnel is
+        active
+    </string>
+    <string name="pref_help_nameserver">Custom Nameserver IP-Address to set if Nameserver-mode is "Custom"</string>
+    <string name="pref_help_request_type">DNS request type override. By default, autodetection will probe for working
+        DNS request types, and will select the request type that is expected to provide the most bandwidth. However, it
+        may turn out that a DNS relay imposes limits that skew the picture, which may lead to an "unexpected" DNS
+        request type providing more bandwidth. In that case, use this option to override the autodetection. In
+        (expected) decreasing bandwidth order, the supported DNS request types are: NULL, TXT, SRV, MX, CNAME and A
+        (returning CNAME). Note that SRV, MX and A may/will cause additional lookups by "smart" caching nameservers to
+        get an actual IP address, which may either slow down or fail completely.
+    </string>
+    <string name="enable">Enable</string>
+    <string name="vpnservice_error_configuration_incomplete">Configuration is incomplete</string>
+    <string name="vpnservice_error_already_running">Cannot start VPN Service, VPN-Thread is already running</string>
+    <string name="vpnservice_error_thread_exited">VPN Thread exited unexpected</string>
+    <string name="vpnservice_error_cant_open_dnssocket">Can\'t open DNS Socket</string>
+    <string name="vpnservice_error_handshake_failed">Handshake failed</string>
+    <string name="vpnservice_error_unknown_error_code">Unknown Error. Code %d</string>
+    <string name="vpnservice_error_unknown_error_string">Unknown Error. Reason: %s</string>
+    <string name="idle">Idle</string>
+    <string name="warning">Warning</string>
+    <string name="error">Error</string>
+    <string name="configitem_description_manage">Configure this Connection Profile</string>
+    <string name="pref_title">Connection Configuration</string>
+    <string name="pref_help_default_route">Set default Route for the tunnel device</string>
+    <string name="main_create_tunnel">Create DNS Tunnel from Configuration named %s</string>
+    <string name="fragment_list_add">New Account</string>
+    <string name="main_about">About</string>
+    <string name="pref_delete">Delete</string>
+
+</resources>
\ No newline at end of file
diff --git a/src/org/xapek/andiodine/FragmentList.java b/src/org/xapek/andiodine/FragmentList.java
new file mode 100644
index 0000000..e07aee4
--- /dev/null
+++ b/src/org/xapek/andiodine/FragmentList.java
@@ -0,0 +1,207 @@
+package org.xapek.andiodine;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.app.Fragment;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.DialogInterface;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.database.DataSetObserver;
+import android.os.Bundle;
+import android.util.Log;
+import android.view.LayoutInflater;
+import android.view.Menu;
+import android.view.MenuInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.BaseAdapter;
+import android.widget.ImageButton;
+import android.widget.LinearLayout;
+import android.widget.ListView;
+import android.widget.TextView;
+
+import org.xapek.andiodine.config.ConfigDatabase;
+import org.xapek.andiodine.config.IodineConfiguration;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class FragmentList extends Fragment {
+    public static final String TAG = "FRAGMENT_LIST";
+
+    private ListView mListView;
+    private ConfigDatabase mConfigDatabase;
+    private IodineConfiguration mSelectedConfiguration;
+    private IodineConfigurationAdapter mAdapter;
+
+    private static final int INTENT_REQUEST_CODE_PREPARE = 0;
+
+    private class IodineConfigurationAdapter extends BaseAdapter {
+        private List<IodineConfiguration> configurations;
+        private final Set<DataSetObserver> observers = new HashSet<DataSetObserver>();
+
+        public IodineConfigurationAdapter() {
+            reload();
+        }
+
+        @Override
+        public int getCount() {
+            return configurations.size();
+        }
+
+        @Override
+        public IodineConfiguration getItem(int position) {
+            return configurations.get(position);
+        }
+
+        @Override
+        public long getItemId(int position) {
+            return 0;
+        }
+
+        @Override
+        public View getView(int position, View convertView, ViewGroup parent) {
+            final IodineConfiguration item = getItem(position);
+            View view = View.inflate(parent.getContext(), R.layout.configitem, null);
+            ((TextView) view.findViewById(R.id.configitem_text_name)).setText(item.getName());
+            ((TextView) view.findViewById(R.id.configitem_text_topdomain)).setText(item.getTopDomain());
+
+            view.findViewById(R.id.configitem_btn_manage)
+                    .setOnClickListener(new View.OnClickListener() {
+                        @Override
+                        public void onClick(View v) {
+                            FragmentList.this.vpnPreferences(item);
+                        }
+                    });
+
+            view.findViewById(R.id.configitem_layout_name)
+                    .setOnClickListener(new View.OnClickListener() {
+                        @Override
+                        public void onClick(View v) {
+                            FragmentList.this.vpnServiceConnect(item);
+                        }
+                    });
+
+            return view;
+        }
+
+        @Override
+        public void registerDataSetObserver(DataSetObserver observer) {
+            observers.add(observer);
+        }
+
+        private void reload() {
+            this.configurations = mConfigDatabase.selectAll();
+            triggerOnChanged();
+        }
+
+        public void triggerOnChanged() {
+            for (DataSetObserver observer : observers) {
+                observer.onChanged();
+            }
+        }
+
+        @Override
+        public void unregisterDataSetObserver(DataSetObserver observer) {
+            observers.remove(observer);
+        }
+    }
+
+    private final BroadcastReceiver broadcastReceiverConfigurationChanged = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            if (IodinePref.ACTION_CONFIGURATION_CHANGED.equals(intent.getAction())) {
+                // CONFIGURATION_CHANGED
+                mAdapter.reload();
+            }
+        }
+    };
+
+
+    @Override
+    public void onActivityCreated(Bundle savedInstanceState) {
+        super.onActivityCreated(savedInstanceState);
+        mConfigDatabase = new ConfigDatabase(getActivity());
+        mListView = (ListView) getActivity().findViewById(R.id.list_view);
+        mAdapter = new IodineConfigurationAdapter();
+        mListView.setAdapter(mAdapter);
+
+        IntentFilter intentFilterConfigurationChanged = new IntentFilter();
+        intentFilterConfigurationChanged.addAction(IodinePref.ACTION_CONFIGURATION_CHANGED);
+        getActivity().registerReceiver(broadcastReceiverConfigurationChanged, intentFilterConfigurationChanged);
+
+        setHasOptionsMenu(true); //activate onCreateOptionsMenu
+    }
+
+    @Override
+    public void onDestroy() {
+        getActivity().unregisterReceiver(broadcastReceiverConfigurationChanged);
+        mConfigDatabase.close();
+        super.onDestroy();
+    }
+
+    @Override
+    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
+        return inflater.inflate(R.layout.fragment_list, null);
+    }
+
+    @Override
+    public void onCreateOptionsMenu(Menu menu, MenuInflater inflater) {
+        super.onCreateOptionsMenu(menu, inflater);
+        inflater.inflate(R.menu.fragment_list, menu);
+    }
+
+    private void vpnPreferences(IodineConfiguration item) {
+        Intent intent = new Intent(getActivity(), IodinePref.class);
+        intent.putExtra(IodinePref.EXTRA_CONFIGURATION_ID, item.getId());
+        startActivity(intent);
+    }
+
+    private void vpnServiceConnect(IodineConfiguration configuration) {
+        Intent intent = IodineVpnService.prepare(getActivity());
+        mSelectedConfiguration = configuration;
+        if (intent != null) {
+            // Ask for permission
+            intent.putExtra(IodineVpnService.EXTRA_CONFIGURATION_ID, configuration.getId());
+            startActivityForResult(intent, INTENT_REQUEST_CODE_PREPARE);
+        } else {
+            // Permission already granted
+            new AlertDialog.Builder(getActivity()) //
+                    .setTitle(R.string.warning) //
+                    .setCancelable(true) //
+                    .setMessage(getString(R.string.main_create_tunnel, configuration.getName()))
+                    .setPositiveButton(android.R.string.ok, new DialogInterface.OnClickListener() {
+                        @Override
+                        public void onClick(DialogInterface dialog, int which) {
+                            vpnServiceConnect2(mSelectedConfiguration);
+                        }
+                    }) //
+                    .setNegativeButton(android.R.string.cancel, new DialogInterface.OnClickListener() {
+                        @Override
+                        public void onClick(DialogInterface dialog, int which) {
+                            dialog.dismiss();
+                        }
+                    }) //
+                    .create() //
+                    .show();
+
+        }
+    }
+
+    @Override
+    public void onActivityResult(int requestCode, int resultCode, Intent data) {
+        if (requestCode == INTENT_REQUEST_CODE_PREPARE && resultCode == Activity.RESULT_OK) {
+            vpnServiceConnect2(mSelectedConfiguration);
+        }
+    }
+
+    private void vpnServiceConnect2(IodineConfiguration configuration) {
+        Log.d(TAG, "Call VPN Service for configuration: " + configuration.getId());
+        Intent intent = new Intent(IodineVpnService.ACTION_CONTROL_CONNECT);
+        intent.putExtra(IodineVpnService.EXTRA_CONFIGURATION_ID, configuration.getId());
+        getActivity().sendBroadcast(intent);
+    }
+}
diff --git a/src/org/xapek/andiodine/FragmentStatus.java b/src/org/xapek/andiodine/FragmentStatus.java
new file mode 100644
index 0000000..aaa64fb
--- /dev/null
+++ b/src/org/xapek/andiodine/FragmentStatus.java
@@ -0,0 +1,107 @@
+package org.xapek.andiodine;
+
+import android.app.AlertDialog;
+import android.app.Fragment;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.Bundle;
+import android.util.Log;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.Button;
+import android.widget.ScrollView;
+import android.widget.TextView;
+
+public class FragmentStatus extends Fragment {
+    public static final String TAG = "FRAGMENT_STATUS";
+
+    private TextView mStatus;
+    private TextView mLogmessages;
+    private ScrollView mScrollview;
+    private Button mCancel;
+
+    private final BroadcastReceiver broadcastReceiverStatusUpdates = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            Log.d(TAG, "Got intent: " + intent);
+            if (IodineVpnService.ACTION_STATUS_ERROR.equals(intent.getAction())) {
+                new AlertDialog.Builder(FragmentStatus.this.getActivity())//
+                        .setIcon(R.drawable.error) //
+                        .setTitle(intent.getStringExtra(IodineVpnService.EXTRA_ERROR_MESSAGE)) //
+                        .setMessage(mLogmessages.getText()) //
+                        .create() //
+                        .show();
+            } else if (IodineVpnService.ACTION_STATUS_CONNECT.equals(intent.getAction())) {
+                mStatus.setText("Connect");
+            } else if (IodineVpnService.ACTION_STATUS_CONNECTED.equals(intent.getAction())) {
+                mStatus.setText("Connected");
+            } else if (IodineVpnService.ACTION_STATUS_DISCONNECT.equals(intent.getAction())) {
+                mStatus.setText("Disconnect");
+            }
+        }
+    };
+
+    private final BroadcastReceiver broadcastReceiverLogMessages = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            if (IodineClient.ACTION_LOG_MESSAGE.equals(intent.getAction())) {
+                mLogmessages.append("\n");
+                mLogmessages.append(intent.getStringExtra(IodineClient.EXTRA_MESSAGE));
+                mScrollview.fullScroll(View.FOCUS_DOWN);
+            }
+        }
+    };
+
+    @Override
+    public void onActivityCreated(Bundle savedInstanceState) {
+        super.onActivityCreated(savedInstanceState);
+        mStatus = (TextView) getActivity().findViewById(R.id.status_message);
+        mLogmessages = (TextView) getActivity().findViewById(R.id.status_logmessages);
+        mScrollview = (ScrollView) getActivity().findViewById(R.id.status_scrollview);
+        mCancel = (Button) getActivity().findViewById(R.id.status_cancel);
+        mCancel.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View view) {
+                requestDisconnect();
+            }
+        });
+    }
+
+    @Override
+    public void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        IntentFilter intentFilterStatusUpdates = new IntentFilter();
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_CONNECT);
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_CONNECTED);
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_DISCONNECT);
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_ERROR);
+        getActivity().registerReceiver(broadcastReceiverStatusUpdates, intentFilterStatusUpdates);
+
+        Intent intent = new Intent(IodineVpnService.ACTION_CONTROL_UPDATE);
+        getActivity().sendBroadcast(intent);
+
+        IntentFilter intentFilterLogMessages = new IntentFilter();
+        intentFilterLogMessages.addAction(IodineClient.ACTION_LOG_MESSAGE);
+        getActivity().registerReceiver(broadcastReceiverLogMessages, intentFilterLogMessages);
+    }
+
+    @Override
+    public void onDestroy() {
+        getActivity().unregisterReceiver(broadcastReceiverStatusUpdates);
+        getActivity().unregisterReceiver(broadcastReceiverLogMessages);
+        super.onDestroy();
+    }
+
+    @Override
+    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
+        return inflater.inflate(R.layout.fragment_status, null);
+    }
+
+    private void requestDisconnect() {
+        Intent intent = new Intent(IodineVpnService.ACTION_CONTROL_DISCONNECT);
+        getActivity().sendBroadcast(intent);
+    }
+}
diff --git a/src/org/xapek/andiodine/IodineClient.java b/src/org/xapek/andiodine/IodineClient.java
new file mode 100644
index 0000000..e9383ec
--- /dev/null
+++ b/src/org/xapek/andiodine/IodineClient.java
@@ -0,0 +1,54 @@
+package org.xapek.andiodine;
+
+import android.content.Intent;
+import android.util.Log;
+
+public class IodineClient {
+    public static final String TAG = "NATIVE";
+
+    public static native int getDnsFd();
+
+    public static native int connect(String nameserv_addr, String topdomain, boolean raw_mode, boolean lazy_mode,
+                                     String password);
+
+    public static native String getIp();
+
+    public static native String getRemoteIp();
+
+    public static native int getNetbits();
+
+    public static native int getMtu();
+
+    public static native int tunnel(int fd);
+
+    public static native void tunnelInterrupt();
+
+    public static native String getPropertyNetDns1();
+
+    /**
+     * Intent to distribute logmessages from native code
+     * LOG_MESSAGE(EXTRA_MESSAGE)
+     */
+    public static final String ACTION_LOG_MESSAGE = "org.xapek.andiodine.IodineClient.ACTION_LOG_MESSAGE";
+
+    public static final String EXTRA_MESSAGE = "message";
+
+    @SuppressWarnings("UnusedDeclaration")
+    public static void log_callback(String message) {
+        Log.d(TAG, "Message: " + message);
+        Intent intent = new Intent(ACTION_LOG_MESSAGE);
+
+        intent.putExtra(EXTRA_MESSAGE, message);
+        if (IodineVpnService.instance != null) {
+            IodineVpnService.instance.sendBroadcast(intent);
+        } else {
+            Log.d(TAG, "No VPNService running, cannot broadcast native message");
+        }
+
+    }
+
+    static {
+        System.loadLibrary("iodine-client");
+        Log.d(TAG, "Native Library iodine-client loaded");
+    }
+}
\ No newline at end of file
diff --git a/src/org/xapek/andiodine/IodineMain.java b/src/org/xapek/andiodine/IodineMain.java
new file mode 100644
index 0000000..b53ea10
--- /dev/null
+++ b/src/org/xapek/andiodine/IodineMain.java
@@ -0,0 +1,102 @@
+package org.xapek.andiodine;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.app.FragmentTransaction;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.Bundle;
+import android.util.Log;
+import android.view.Menu;
+import android.view.MenuItem;
+
+import org.xapek.andiodine.config.ConfigDatabase;
+
+import java.util.Scanner;
+
+public class IodineMain extends Activity {
+    private static final String TAG = "MAIN";
+    private ConfigDatabase mConfigDatabase;
+
+    private final FragmentList fragmentList = new FragmentList();
+    private final FragmentStatus fragmentStatus = new FragmentStatus();
+
+    private final BroadcastReceiver broadcastReceiverStatusUpdates = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            Log.d(TAG, "Got intent: " + intent);
+            if (IodineVpnService.ACTION_STATUS_ERROR.equals(intent.getAction())) {
+                // Switch to List of Configurations Fragment
+                FragmentTransaction ft = getFragmentManager().beginTransaction();
+                ft.replace(R.id.main_fragment_status, fragmentList);
+                ft.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
+                ft.commit();
+            } else if (IodineVpnService.ACTION_STATUS_IDLE.equals(intent.getAction())) {
+                // Switch to List of Configurations Fragment
+                FragmentTransaction ft = getFragmentManager().beginTransaction();
+                ft.replace(R.id.main_fragment_status, fragmentList);
+                ft.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
+                ft.commit();
+            } else if (IodineVpnService.ACTION_STATUS_CONNECT.equals(intent.getAction())) {
+                // Switch to Status Fragment
+                FragmentTransaction ft = getFragmentManager().beginTransaction();
+                ft.replace(R.id.main_fragment_status, fragmentStatus);
+                ft.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
+                ft.commit();
+            }
+        }
+    };
+
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.main);
+
+        mConfigDatabase = new ConfigDatabase(this);
+
+        IntentFilter intentFilterStatusUpdates = new IntentFilter();
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_CONNECT);
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_ERROR);
+        intentFilterStatusUpdates.addAction(IodineVpnService.ACTION_STATUS_IDLE);
+        registerReceiver(broadcastReceiverStatusUpdates, intentFilterStatusUpdates);
+
+        startService(new Intent(this, IodineVpnService.class));
+    }
+
+    @Override
+    public boolean onCreateOptionsMenu(Menu menu) {
+        getMenuInflater().inflate(R.menu.main, menu);
+        return true;
+    }
+
+    @Override
+    protected void onDestroy() {
+        unregisterReceiver(broadcastReceiverStatusUpdates);
+        mConfigDatabase.close();
+        super.onDestroy();
+    }
+
+    @Override
+    public boolean onOptionsItemSelected(MenuItem item) {
+        if (item.getItemId() == R.id.menu_main_about) {
+            Scanner scanner = new Scanner(getResources().openRawResource(R.raw.license));
+            scanner.useDelimiter("\\A");
+            new AlertDialog.Builder(IodineMain.this)//
+                    .setMessage(scanner.next()) //
+                    .setCancelable(true)//
+                    .create() //
+                    .show();
+        } else if (item.getItemId() == R.id.menu_main_add) {
+            startActivity(new Intent(this, IodinePref.class));
+        }
+        return super.onOptionsItemSelected(item);
+    }
+
+
+    private void vpnServiceDisconnect() {
+        sendBroadcast(new Intent(IodineVpnService.ACTION_CONTROL_DISCONNECT));
+    }
+}
diff --git a/src/org/xapek/andiodine/IodinePref.java b/src/org/xapek/andiodine/IodinePref.java
new file mode 100644
index 0000000..cc21b59
--- /dev/null
+++ b/src/org/xapek/andiodine/IodinePref.java
@@ -0,0 +1,112 @@
+package org.xapek.andiodine;
+
+import android.content.Intent;
+import android.os.Bundle;
+import android.util.Log;
+import android.view.Menu;
+import android.view.MenuItem;
+
+import org.xapek.andiodine.config.ConfigDatabase;
+import org.xapek.andiodine.config.IodineConfiguration;
+import org.xapek.andiodine.config.IodineConfiguration.NameserverMode;
+import org.xapek.andiodine.config.IodineConfiguration.RequestType;
+
+public class IodinePref extends org.xapek.andiodine.preferences.PreferenceActivity {
+    public static final String EXTRA_CONFIGURATION_ID = "uuid";
+    public static final String ACTION_CONFIGURATION_CHANGED = "org.xapek.andiodine.preferences.PreferenceActivity.CONFIGURATION_CHANGED";
+
+    private static final String TAG = "PREF";
+
+    private ConfigDatabase mConfigDatabase;
+
+    private IodineConfiguration mIodineConfiguration;
+
+    @Override
+    public void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+
+        getActionBar().setDisplayHomeAsUpEnabled(true);
+
+        mConfigDatabase = new ConfigDatabase(this);
+        Long configurationId = getIntent().getLongExtra(EXTRA_CONFIGURATION_ID, -1);
+        if (configurationId == null || configurationId == -1) {
+            // Configuration ID is empty; create new configuration
+            mIodineConfiguration = new IodineConfiguration();
+        } else {
+            mIodineConfiguration = mConfigDatabase.selectById(configurationId);
+            if (mIodineConfiguration == null) {
+                Log.e(TAG, "No configuration with uuid: " + configurationId + " found");
+                finish();
+            }
+        }
+        setContentValues(mIodineConfiguration.getContentValues());
+
+        // Name
+        addPreference(ConfigDatabase.COLUMN_CONF_NAME, "Name", R.string.pref_help_name, "New Connection");
+        // Topdomain
+        addPreference(ConfigDatabase.COLUMN_CONF_TOP_DOMAIN, "Tunnel Topdomain", R.string.pref_help_topdomain,
+                "tun.example.com");
+        // Password
+        addPreference(ConfigDatabase.COLUMN_CONF_PASSWORD, "Password", R.string.pref_help_password, "");
+        // Tunnel Nameserver
+        addPreference(ConfigDatabase.COLUMN_CONF_TUNNEL_NAMESERVER, "Tunnel Nameserver (or empty)",
+                R.string.pref_help_tunnel_nameserver, "");
+        // Nameserver Mode
+        String[] nameserverModes = new String[NameserverMode.values().length];
+        for (int i = 0; i < NameserverMode.values().length; i++) {
+            nameserverModes[i] = NameserverMode.values()[i].name();
+        }
+        addPreference(ConfigDatabase.COLUMN_CONF_NAMESERVER_MODE, "Nameserver Mode",
+                R.string.pref_help_nameserver_mode, nameserverModes, NameserverMode.LEAVE_DEFAULT.name());
+        // Nameserver
+        addPreference(ConfigDatabase.COLUMN_CONF_NAMESERVER, "Nameserver", R.string.pref_help_nameserver, "");
+        // Request Type
+        String[] requestTypes = new String[RequestType.values().length];
+        for (int i = 0; i < RequestType.values().length; i++) {
+            requestTypes[i] = RequestType.values()[i].name();
+        }
+        addPreference(ConfigDatabase.COLUMN_CONF_REQUEST_TYPE, "Request Type", R.string.pref_help_request_type,
+                requestTypes, RequestType.AUTODETECT.name());
+        // Lazy Mode
+        addPreference(ConfigDatabase.COLUMN_CONF_LAZY_MODE, "Lazy mode", R.string.pref_help_lazy, true);
+        // Raw Mode
+        addPreference(ConfigDatabase.COLUMN_CONF_RAW_MODE, "Raw Mode", R.string.pref_help_raw, false);
+        // Default Route
+        addPreference(ConfigDatabase.COLUMN_CONF_DEFAULT_ROUTE, "Default Route", R.string.pref_help_default_route, true);
+    }
+
+    @Override
+    protected void onDestroy() {
+        mConfigDatabase.close();
+        super.onDestroy();
+    }
+
+    @Override
+    public boolean onCreateOptionsMenu(Menu menu) {
+        getMenuInflater().inflate(R.menu.pref, menu);
+        return super.onCreateOptionsMenu(menu);
+    }
+
+    @Override
+    protected void onStop() {
+        mConfigDatabase.insertOrUpdate(mIodineConfiguration.getContentValues());
+        Intent intent = new Intent(ACTION_CONFIGURATION_CHANGED);
+        intent.putExtra(EXTRA_CONFIGURATION_ID, mIodineConfiguration.getId());
+        sendBroadcast(intent);
+        super.onStop();
+    }
+
+    @Override
+    public boolean onOptionsItemSelected(MenuItem item) {
+        if (item.getItemId() == R.id.menu_pref_delete) {
+            // Delete current connection
+            if (mIodineConfiguration.getId() != null) {
+                mConfigDatabase.delete(mIodineConfiguration.getContentValues());
+            }
+            finish();
+        } else if (item.getItemId() == android.R.id.home) {
+            finish();
+        }
+        return super.onOptionsItemSelected(item);
+    }
+}
diff --git a/src/org/xapek/andiodine/IodineVpnService.java b/src/org/xapek/andiodine/IodineVpnService.java
new file mode 100644
index 0000000..f816aaa
--- /dev/null
+++ b/src/org/xapek/andiodine/IodineVpnService.java
@@ -0,0 +1,328 @@
+package org.xapek.andiodine;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.net.VpnService;
+import android.os.ParcelFileDescriptor;
+import android.util.Log;
+
+import org.xapek.andiodine.config.ConfigDatabase;
+import org.xapek.andiodine.config.IodineConfiguration;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+public class IodineVpnService extends VpnService implements Runnable {
+    private class IodineVpnException extends Exception {
+        private static final long serialVersionUID = 32487871521160156L;
+
+        public IodineVpnException(String message, Throwable e) {
+            super(message, e);
+        }
+
+        public IodineVpnException(String message) {
+            super(message);
+        }
+    }
+
+    private static final String TAG = "VPN_SERVICE";
+
+    public static IodineVpnService instance = null;
+
+    /**
+     * long
+     */
+    public static final String EXTRA_CONFIGURATION_ID = "configuration_id";
+    /**
+     * String
+     */
+    public static final String EXTRA_ERROR_MESSAGE = "message";
+
+    /**
+     * Intent to connect to VPN Connection
+     * CONTROL_CONNECT(EXTRA_CONFIGURATION_ID)
+     */
+
+    public static final String ACTION_CONTROL_CONNECT = "org.xapek.andiodine.IodineVpnService.CONTROL_CONNECT";
+    /**
+     * Intent to close the vpn connection
+     */
+    public static final String ACTION_CONTROL_DISCONNECT = "org.xapek.andiodine.IodineVpnService.CONTROL_DISCONNECT";
+
+    /**
+     * Intent to request a new status update
+     */
+    public static final String ACTION_CONTROL_UPDATE = "org.xapek.andiodine.IodineVpnService.CONTROL_UPDATE";
+
+    /**
+     * Broadcast Action: The tunnel service is idle. This Action contains no
+     * extras.
+     */
+    public static final String ACTION_STATUS_IDLE = "org.xapek.andiodine.IodineVpnService.STATUS_IDLE";
+
+    /**
+     * Broadcast Action: The user sent CONTROL_CONNECT and the vpn service is
+     * trying to connect.
+     *
+     * @see #EXTRA_CONFIGURATION_ID
+     */
+    public static final String ACTION_STATUS_CONNECT = "org.xapek.andiodine.IodineVpnService.STATUS_CONNECT";
+    /**
+     * Broadcast Action: The tunnel is connected
+     *
+     * @see #EXTRA_CONFIGURATION_ID
+     */
+    public static final String ACTION_STATUS_CONNECTED = "org.xapek.andiodine.IodineVpnService.STATUS_CONNECTED";
+    /**
+     * Broadcast Action: The tunnel was disconnected
+     *
+     * @see #EXTRA_CONFIGURATION_ID
+     */
+    public static final String ACTION_STATUS_DISCONNECT = "org.xapek.andiodine.IodineVpnService.STATUS_DISCONNECT";
+    /**
+     * Broadcast Action: An error occured
+     *
+     * @see #EXTRA_CONFIGURATION_ID
+     * @see #EXTRA_ERROR_MESSAGE
+     */
+    public static final String ACTION_STATUS_ERROR = "org.xapek.andiodine.IodineVpnService.STATUS_ERROR";
+
+    private Thread mThread;
+    private ConfigDatabase configDatabase;
+    private IodineConfiguration mConfiguration;
+    private final BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            if (ACTION_CONTROL_DISCONNECT.equals(intent.getAction())) {
+                shutdown();
+            } else if (ACTION_CONTROL_UPDATE.equals(intent.getAction())) {
+                sendStatus();
+            } else if (ACTION_CONTROL_CONNECT.equals(intent.getAction())) {
+                if (mThread != null) {
+                    setStatus(ACTION_STATUS_ERROR, -1L, getString(R.string.vpnservice_error_already_running));
+                    return;
+                }
+
+                long configurationId = intent.getLongExtra(EXTRA_CONFIGURATION_ID, -1);
+                if (configurationId == -1L) {
+                    setStatus(ACTION_STATUS_ERROR, -1L, getString(R.string.vpnservice_error_configuration_incomplete));
+                    return;
+                }
+
+                mConfiguration = configDatabase.selectById(configurationId);
+                if (mConfiguration == null) {
+                    setStatus(ACTION_STATUS_ERROR, mConfiguration.getId(),
+                            getString(R.string.vpnservice_error_configuration_incomplete));
+                    return;
+                }
+
+                mThread = new Thread(IodineVpnService.this, IodineVpnService.class.getName());
+                mThread.start();
+            }
+        }
+    };
+
+    private String currentActionStatus = ACTION_STATUS_IDLE;
+
+    private Long currentConfigurationId = null;
+
+    private String currentMessage = null;
+
+    @Override
+    public void onCreate() {
+        super.onCreate();
+        instance = this;
+
+        configDatabase = new ConfigDatabase(this);
+
+        IntentFilter filterInterruptAction = new IntentFilter();
+        filterInterruptAction.addAction(ACTION_CONTROL_CONNECT);
+        filterInterruptAction.addAction(ACTION_CONTROL_DISCONNECT);
+        filterInterruptAction.addAction(ACTION_CONTROL_UPDATE);
+        registerReceiver(broadcastReceiver, filterInterruptAction);
+    }
+
+    @Override
+    public int onStartCommand(Intent intent, int flags, int startId) {
+        sendStatus();
+        return START_STICKY;
+    }
+
+    private void shutdown() {
+        setStatus(ACTION_STATUS_DISCONNECT, mConfiguration.getId(), null);
+
+        if (mThread != null) {
+            mThread.interrupt();
+            IodineClient.tunnelInterrupt();
+        }
+    }
+
+    @Override
+    public void onRevoke() {
+        shutdown();
+    }
+
+    @Override
+    public void onDestroy() {
+        if (mThread != null) {
+            mThread.interrupt();
+            IodineClient.tunnelInterrupt();
+            mThread = null;
+        }
+        instance = null;
+        configDatabase.close();
+        unregisterReceiver(broadcastReceiver);
+    }
+
+    private void setStatus(String ACTION_STATUS, Long configurationId, String message) {
+        currentActionStatus = ACTION_STATUS;
+        currentConfigurationId = configurationId;
+        currentMessage = message;
+        sendStatus();
+    }
+
+    private void sendStatus() {
+        if (currentActionStatus != null) {
+            Intent intent = new Intent(currentActionStatus);
+
+            if (currentConfigurationId != null) {
+                intent.putExtra(EXTRA_CONFIGURATION_ID, currentConfigurationId);
+            }
+            if (currentMessage != null) {
+                intent.putExtra(EXTRA_ERROR_MESSAGE, currentMessage);
+            }
+            Log.d(TAG, "Send: " + intent);
+            sendBroadcast(intent);
+        }
+    }
+
+    @Override
+    public void run() {
+        try {
+            Log.d(TAG, "VPN Thread enter");
+            setStatus(ACTION_STATUS_CONNECT, mConfiguration.getId(), null);
+
+            String tunnelNamesver = IodineClient.getPropertyNetDns1();
+            if (!"".equals(mConfiguration.getTunnelNameserver())) {
+                tunnelNamesver = mConfiguration.getTunnelNameserver();
+            }
+            String password = "";
+            if (!"".equals(mConfiguration.getPassword())) {
+                password = mConfiguration.getPassword();
+            }
+
+            int ret = IodineClient.connect(tunnelNamesver, mConfiguration.getTopDomain(), mConfiguration.getRawMode(),
+                    mConfiguration.getLazyMode(), password);
+
+            String errorMessage = "";
+            switch (ret) {
+                case 0:
+                    Log.d(TAG, "Handshake successful");
+                    setStatus(ACTION_STATUS_CONNECTED, currentConfigurationId, null);
+                    runTunnel();
+                    setStatus(ACTION_STATUS_IDLE, null, null);
+                    break;
+                case 1:
+                    if (errorMessage.equals(""))
+                        errorMessage = getString(R.string.vpnservice_error_cant_open_dnssocket);
+                    // Fall through
+                case 2:
+                    if (errorMessage.equals(""))
+                        errorMessage = getString(R.string.vpnservice_error_handshake_failed);
+                    // fall through
+                default:
+                    if (errorMessage.equals(""))
+                        errorMessage = String.format(getString(R.string.vpnservice_error_unknown_error_code), ret);
+
+                    setStatus(ACTION_STATUS_ERROR, mConfiguration.getId(), errorMessage);
+                    break;
+            }
+        } catch (IllegalStateException e) {
+            String errorMessage = "IllegalStateException";
+            if (e.getMessage().contains("Cannot create interface")) {
+                errorMessage = "Failed to create tunnel network device";
+            } else {
+                e.printStackTrace();
+            }
+            setStatus(ACTION_STATUS_ERROR, mConfiguration.getId(), errorMessage);
+        } catch (IodineVpnException e) {
+            e.printStackTrace();
+
+            setStatus(ACTION_STATUS_ERROR, mConfiguration.getId(),
+                    String.format(getString(R.string.vpnservice_error_unknown_error_string), e.getMessage()));
+        } finally {
+            mThread = null;
+            mConfiguration = null;
+            Log.d(TAG, "VPN Thread exit");
+        }
+    }
+
+    private void runTunnel() throws IodineVpnException {
+        Builder b = new Builder();
+        b.setSession("Iodine VPN Service");
+
+        String ip = IodineClient.getIp();
+        int netbits = IodineClient.getNetbits();
+        int mtu = IodineClient.getMtu();
+        Log.d(TAG, "Build tunnel for configuration: ip=" + ip + " netbits=" + netbits + " mtu=" + mtu);
+
+        String[] ipBytesString = ip.split("\\.");
+        if (ipBytesString.length != 4) {
+            throw new IodineVpnException("Server sent invalid IP");
+        }
+        byte[] ipBytes = new byte[4];
+        for (int i = 0; i < 4; i++) {
+            try {
+                int integer = Integer.parseInt(ipBytesString[i]);
+                ipBytes[i] = (byte) (integer);
+            } catch (NumberFormatException e) {
+                throw new IodineVpnException("Server sent invalid IP", e);
+            }
+        }
+
+        InetAddress hostAddress;
+        try {
+            hostAddress = InetAddress.getByAddress(ipBytes);
+        } catch (UnknownHostException e) {
+            throw new IodineVpnException("Server sent invalid IP", e);
+        }
+        try {
+            switch (mConfiguration.getNameserverMode()) {
+                case LEAVE_DEFAULT:
+                    // do nothing
+                    break;
+                case SET_SERVER_TUNNEL_IP:
+                    b.addDnsServer(IodineClient.getRemoteIp());
+                    break;
+                case SET_CUSTOM:
+                    b.addDnsServer(InetAddress.getByName(mConfiguration.getNameserver()));
+                    break;
+                default:
+                    throw new IodineVpnException("Invalid Nameserver mode");
+            }
+        } catch (UnknownHostException e) {
+            throw new IodineVpnException("Invalid Nameserver address", e);
+        }
+
+        b.addAddress(hostAddress, netbits);
+        if (mConfiguration.getDefaultRoute()) {
+            Log.d(TAG, "Set default route");
+            b.addRoute("0.0.0.0", 0); // Default Route
+        }
+        b.setMtu(mtu);
+
+        Log.d(TAG, "Build tunnel interface");
+        ParcelFileDescriptor parcelFD = b.establish();
+
+        protect(IodineClient.getDnsFd());
+
+        int tun_fd = parcelFD.detachFd();
+
+        setStatus(ACTION_STATUS_CONNECTED, mConfiguration.getId(), null);
+
+        Log.d(TAG, "Tunnel active");
+        IodineClient.tunnel(tun_fd);
+    }
+}
diff --git a/src/org/xapek/andiodine/config/ConfigDatabase.java b/src/org/xapek/andiodine/config/ConfigDatabase.java
new file mode 100644
index 0000000..ffc1656
--- /dev/null
+++ b/src/org/xapek/andiodine/config/ConfigDatabase.java
@@ -0,0 +1,126 @@
+package org.xapek.andiodine.config;
+
+import android.content.ContentValues;
+import android.content.Context;
+import android.database.Cursor;
+import android.database.DatabaseUtils;
+import android.database.SQLException;
+import android.database.sqlite.SQLiteDatabase;
+import android.database.sqlite.SQLiteOpenHelper;
+import android.util.Log;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ConfigDatabase extends SQLiteOpenHelper {
+    public static final String TAG = "ConfigDatabase";
+
+    private static final String DATABASE_NAME = "andiodine.db";
+    private static final int DATABASE_VERSION = 1;
+    static public final String TABLE_NAME_CONF = "configuration";
+    static public final String COLUMN_CONF_ID = "id";
+    static public final String COLUMN_CONF_NAME = "name";
+    static public final String COLUMN_CONF_LAST_USED = "last_used";
+    static public final String COLUMN_CONF_TUNNEL_NAMESERVER = "tunnel_nameserver";
+    static public final String COLUMN_CONF_TOP_DOMAIN = "top_domain";
+    static public final String COLUMN_CONF_PASSWORD = "password";
+    static public final String COLUMN_CONF_NAMESERVER_MODE = "nameserver_mode";
+    static public final String COLUMN_CONF_NAMESERVER = "nameserver";
+    static public final String COLUMN_CONF_RAW_MODE = "raw_mode";
+    static public final String COLUMN_CONF_LAZY_MODE = "lazy_mode";
+    static public final String COLUMN_CONF_DEFAULT_ROUTE = "default_route";
+    static public final String COLUMN_CONF_REQUEST_TYPE = "request_type";
+
+    private static final String createStmt = "CREATE TABLE " + TABLE_NAME_CONF + " (" + //
+            COLUMN_CONF_ID + " INTEGER PRIMARY KEY," + //
+            COLUMN_CONF_NAME + " TEXT," + //
+            COLUMN_CONF_LAST_USED + " INTEGER," + //
+            COLUMN_CONF_TUNNEL_NAMESERVER + " TEXT," + //
+            COLUMN_CONF_TOP_DOMAIN + " TEXT," + //
+            COLUMN_CONF_PASSWORD + " TEXT," + //
+            COLUMN_CONF_NAMESERVER_MODE + " TEXT," + //
+            COLUMN_CONF_NAMESERVER + " TEXT," + //
+            COLUMN_CONF_RAW_MODE + " INTEGER," + // Boolean stored as 1=true / 0=false
+            COLUMN_CONF_LAZY_MODE + " INTEGER," + //
+            COLUMN_CONF_DEFAULT_ROUTE + " INTEGER," + //
+            COLUMN_CONF_REQUEST_TYPE + " TEXT" + //
+            ");";
+
+    public ConfigDatabase(Context context) {
+        super(context, DATABASE_NAME, null, DATABASE_VERSION);
+    }
+
+    @Override
+    public void onCreate(SQLiteDatabase db) {
+        db.execSQL(createStmt);
+    }
+
+    @Override
+    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
+    }
+
+    public void insert(ContentValues config) throws SQLException {
+        if (config.getAsLong(COLUMN_CONF_ID) != null)
+            throw new SQLException("id must be null for update");
+        SQLiteDatabase writableDatabase = getWritableDatabase();
+        long id = writableDatabase.insertOrThrow(TABLE_NAME_CONF, null, config);
+        writableDatabase.close();
+        config.put(COLUMN_CONF_ID, id);
+
+        Log.d(TAG, "Insert id=" + id);
+    }
+
+    public int update(ContentValues config) throws SQLException {
+        if (config.getAsLong(COLUMN_CONF_ID) == null)
+            throw new SQLException("id must NOT be null for update");
+        SQLiteDatabase writableDatabase = getWritableDatabase();
+        int rows = writableDatabase.update(TABLE_NAME_CONF, config, COLUMN_CONF_ID + " = ?",
+                new String[]{config.getAsString(COLUMN_CONF_ID)});
+        writableDatabase.close();
+        Log.d(TAG, config.toString());
+        Log.d(TAG, "Update rows=" + rows);
+        return rows;
+    }
+
+    public void delete(ContentValues config) throws SQLException {
+        if (config.getAsLong(COLUMN_CONF_ID) == null)
+            throw new SQLException("id must NOT be null for delete");
+        SQLiteDatabase writableDatabase = getWritableDatabase();
+        writableDatabase.delete(TABLE_NAME_CONF, COLUMN_CONF_ID + " = ?",
+                new String[]{config.getAsString(COLUMN_CONF_ID)});
+        writableDatabase.close();
+    }
+
+    public IodineConfiguration selectById(Long id) throws SQLException {
+        ContentValues v = new ContentValues();
+        SQLiteDatabase readableDatabase = getReadableDatabase();
+        Cursor query = readableDatabase.query(TABLE_NAME_CONF, null, COLUMN_CONF_ID + " = ?",
+                new String[]{id.toString()}, null, null, null);
+        assert query.isLast();
+        query.moveToFirst();
+        DatabaseUtils.cursorRowToContentValues(query, v);
+        Log.d(TAG, "Selected: " + v.toString());
+        return new IodineConfiguration(v);
+    }
+
+    public List<IodineConfiguration> selectAll() throws SQLException {
+        List<IodineConfiguration> configurations = new ArrayList<IodineConfiguration>();
+        SQLiteDatabase readableDatabase = getReadableDatabase();
+        Cursor query = readableDatabase.query(TABLE_NAME_CONF, null, null, null, null, null, null);
+
+        while (query.moveToNext()) {
+            ContentValues v = new ContentValues();
+            DatabaseUtils.cursorRowToContentValues(query, v);
+            configurations.add(new IodineConfiguration(v));
+        }
+        return configurations;
+    }
+
+    public void insertOrUpdate(ContentValues config) {
+        try {
+            update(config);
+        } catch (SQLException e) {
+            insert(config);
+        }
+    }
+}
diff --git a/src/org/xapek/andiodine/config/IodineConfiguration.java b/src/org/xapek/andiodine/config/IodineConfiguration.java
new file mode 100644
index 0000000..c41621b
--- /dev/null
+++ b/src/org/xapek/andiodine/config/IodineConfiguration.java
@@ -0,0 +1,127 @@
+package org.xapek.andiodine.config;
+
+import android.content.ContentValues;
+
+/**
+ * Wrapper around ContentValues in Database
+ */
+public class IodineConfiguration {
+	public static enum NameserverMode {
+		LEAVE_DEFAULT, SET_SERVER_TUNNEL_IP, SET_CUSTOM
+	}
+
+	public static enum RequestType {
+		AUTODETECT, NULL, TXT, SRV, MX, CNAME, A
+	}
+
+	private final ContentValues v;
+
+	public IodineConfiguration() {
+		v = new ContentValues();
+	}
+
+	public IodineConfiguration(ContentValues v) {
+		this.v = v;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o instanceof IodineConfiguration) {
+			return getId() != null && getId().equals(((IodineConfiguration) o).getId());
+		} else {
+			return super.equals(o);
+		}
+	}
+
+	public Long getId() {
+		return v.getAsLong(ConfigDatabase.COLUMN_CONF_ID);
+	}
+
+	public boolean getDefaultRoute() {
+		return v.getAsInteger(ConfigDatabase.COLUMN_CONF_DEFAULT_ROUTE) == 1;
+	}
+
+	public void setDefaultRoute(boolean isDefaultRoute) {
+		v.put(ConfigDatabase.COLUMN_CONF_DEFAULT_ROUTE, isDefaultRoute ? 1 : 0);
+	}
+
+	public boolean getLazyMode() {
+		return v.getAsInteger(ConfigDatabase.COLUMN_CONF_LAZY_MODE) == 1;
+	}
+
+	public String getName() {
+		return v.getAsString(ConfigDatabase.COLUMN_CONF_NAME);
+	}
+
+	public String getNameserver() {
+		return v.getAsString(ConfigDatabase.COLUMN_CONF_NAMESERVER);
+	}
+
+	public NameserverMode getNameserverMode() {
+		return NameserverMode.valueOf(v.getAsString(ConfigDatabase.COLUMN_CONF_NAMESERVER_MODE));
+	}
+
+	public String getPassword() {
+		return v.getAsString(ConfigDatabase.COLUMN_CONF_PASSWORD);
+	}
+
+	public boolean getRawMode() {
+		return v.getAsInteger(ConfigDatabase.COLUMN_CONF_RAW_MODE) == 1;
+	}
+
+	public RequestType getRequestType() {
+		return RequestType.valueOf(v.getAsString(ConfigDatabase.COLUMN_CONF_REQUEST_TYPE));
+	}
+
+	public String getTopDomain() {
+		return v.getAsString(ConfigDatabase.COLUMN_CONF_TOP_DOMAIN);
+	}
+
+	public String getTunnelNameserver() {
+		return v.getAsString(ConfigDatabase.COLUMN_CONF_TUNNEL_NAMESERVER);
+	}
+
+	public void setLazyMode(boolean lazyMode) {
+		v.put(ConfigDatabase.COLUMN_CONF_LAZY_MODE, lazyMode ? 1 : 0);
+	}
+
+	public void setName(String name) {
+		v.put(ConfigDatabase.COLUMN_CONF_NAME, name);
+	}
+
+	public void setNameserver(String nameserver) {
+		v.put(ConfigDatabase.COLUMN_CONF_NAMESERVER, nameserver);
+	}
+
+	public void setNameserverMode(NameserverMode nameserverMode) {
+		v.put(ConfigDatabase.COLUMN_CONF_NAMESERVER_MODE, nameserverMode.name());
+	}
+
+	public void setPassword(String password) {
+		v.put(ConfigDatabase.COLUMN_CONF_PASSWORD, password);
+	}
+
+	public void setRawMode(boolean rawMode) {
+		v.put(ConfigDatabase.COLUMN_CONF_RAW_MODE, rawMode ? 1 : 0);
+	}
+
+	public void setRequestType(RequestType requestType) {
+		v.put(ConfigDatabase.COLUMN_CONF_REQUEST_TYPE, requestType.name());
+	}
+
+	public void setTopDomain(String topDomain) {
+		v.put(ConfigDatabase.COLUMN_CONF_TOP_DOMAIN, topDomain);
+	}
+
+	public void setTunnelNameserver(String tunnelNameserver) {
+		v.put(ConfigDatabase.COLUMN_CONF_TUNNEL_NAMESERVER, tunnelNameserver);
+	}
+
+	public void setId(Long id) {
+		v.put(ConfigDatabase.COLUMN_CONF_ID, id);
+	}
+
+	public ContentValues getContentValues() {
+		return v;
+	}
+}
diff --git a/src/org/xapek/andiodine/preferences/AbstractPreference.java b/src/org/xapek/andiodine/preferences/AbstractPreference.java
new file mode 100644
index 0000000..278de63
--- /dev/null
+++ b/src/org/xapek/andiodine/preferences/AbstractPreference.java
@@ -0,0 +1,49 @@
+package org.xapek.andiodine.preferences;
+
+import android.content.Context;
+import android.util.Log;
+import android.view.View;
+
+abstract class AbstractPreference {
+    public static final String TAG = "Preference";
+    private final String mKey;
+    private final PreferenceActivity mPreferenceActivity;
+    private final String mTitle;
+    private final int mHelpMsgId;
+
+    public AbstractPreference(PreferenceActivity preferenceActivity, String title, int helpResId, String key) {
+        mPreferenceActivity = preferenceActivity;
+        mTitle = title;
+        mHelpMsgId = helpResId;
+        mKey = key;
+    }
+
+    protected abstract View getListItemView(Context context);
+
+    public void persist(final String value) {
+        Log.d(TAG, String.format("persist String %s -> %s", mKey, value));
+        mPreferenceActivity.getContentValues().put(mKey, value);
+    }
+
+    public void persist(final boolean value) {
+        Log.d(TAG, String.format("persist boolean %s -> %s", mKey, "" + value));
+        mPreferenceActivity.getContentValues().put(mKey, value ? 1 : 0);
+    }
+
+    public boolean getAsBoolean() {
+        return mPreferenceActivity.getContentValues().getAsInteger(mKey) != null
+                && mPreferenceActivity.getContentValues().getAsInteger(mKey) == 1;
+    }
+
+    public String getAsString() {
+        return mPreferenceActivity.getContentValues().getAsString(mKey);
+    }
+
+    public String getTitle() {
+        return mTitle;
+    }
+
+    public String getMessage() {
+        return mPreferenceActivity.getResources().getString(mHelpMsgId);
+    }
+}
diff --git a/src/org/xapek/andiodine/preferences/BooleanPreference.java b/src/org/xapek/andiodine/preferences/BooleanPreference.java
new file mode 100644
index 0000000..9e7917d
--- /dev/null
+++ b/src/org/xapek/andiodine/preferences/BooleanPreference.java
@@ -0,0 +1,33 @@
+package org.xapek.andiodine.preferences;
+
+import android.content.Context;
+import android.util.Log;
+import android.view.View;
+import android.widget.CheckBox;
+import android.widget.CompoundButton;
+import android.widget.CompoundButton.OnCheckedChangeListener;
+
+import org.xapek.andiodine.R;
+
+public class BooleanPreference extends AbstractPreference {
+
+    public BooleanPreference(PreferenceActivity preferenceActivity, String title, int helpMsgId, String key) {
+        super(preferenceActivity, title, helpMsgId, key);
+    }
+
+    @Override
+    protected View getListItemView(Context context) {
+        CheckBox view = new CheckBox(context);
+        view.setText(context.getString(R.string.enable) + " " + getTitle());
+        Log.d(TAG, "Status: " + getTitle() + " = " + getAsBoolean());
+        view.setChecked(getAsBoolean());
+        view.setOnCheckedChangeListener(new OnCheckedChangeListener() {
+            @Override
+            public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) {
+                persist(isChecked);
+            }
+        });
+        return view;
+    }
+
+}
diff --git a/src/org/xapek/andiodine/preferences/PreferenceActivity.java b/src/org/xapek/andiodine/preferences/PreferenceActivity.java
new file mode 100644
index 0000000..dd0faa4
--- /dev/null
+++ b/src/org/xapek/andiodine/preferences/PreferenceActivity.java
@@ -0,0 +1,104 @@
+package org.xapek.andiodine.preferences;
+
+import android.app.AlertDialog;
+import android.app.ListActivity;
+import android.content.ContentValues;
+import android.content.Context;
+import android.os.Bundle;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.View.OnClickListener;
+import android.view.ViewGroup;
+import android.widget.ArrayAdapter;
+import android.widget.ImageButton;
+import android.widget.LinearLayout;
+import android.widget.ListView;
+import android.widget.TextView;
+
+import org.xapek.andiodine.R;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public abstract class PreferenceActivity extends ListActivity {
+    private ArrayList<AbstractPreference> mPreferences;
+
+    private ContentValues mContentValues = new ContentValues();
+
+    private static class DialogPreferenceAdapter extends ArrayAdapter<AbstractPreference> {
+
+        private final LayoutInflater mInflater;
+
+        private static class HelpOnClickListener implements OnClickListener {
+            private final AbstractPreference p;
+
+            public HelpOnClickListener(AbstractPreference p) {
+                this.p = p;
+            }
+
+            @Override
+            public void onClick(View v) {
+                new AlertDialog.Builder(v.getContext())//
+                        .setTitle(p.getTitle())//
+                        .setMessage(p.getMessage())//
+                        .create().show();
+            }
+        }
+
+        public DialogPreferenceAdapter(Context context, List<AbstractPreference> preferences) {
+            super(context, -1, preferences);
+            mInflater = (LayoutInflater) getContext().getSystemService(Context.LAYOUT_INFLATER_SERVICE);
+
+        }
+
+        @Override
+        public View getView(int position, View convertView, ViewGroup parent) {
+            AbstractPreference item = getItem(position);
+            View rowView = mInflater.inflate(R.layout.rowlayout, parent, false);
+            LinearLayout content = (LinearLayout) rowView.findViewById(R.id.rowlayout_content);
+            ImageButton helpButton = (ImageButton) rowView.findViewById(R.id.rowlayout_help);
+            TextView title = (TextView) rowView.findViewById(R.id.rowlayout_title);
+
+            content.addView(item.getListItemView(getContext()));
+            helpButton.setOnClickListener(new HelpOnClickListener(item));
+            title.setText(item.getTitle());
+
+            return rowView;
+        }
+    }
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        mPreferences = new ArrayList<AbstractPreference>();
+
+        setListAdapter(new DialogPreferenceAdapter(this, mPreferences));
+    }
+
+    public void setContentValues(final ContentValues contentValues) {
+        mContentValues = contentValues;
+    }
+
+    public ContentValues getContentValues() {
+        return mContentValues;
+    }
+
+    public void addPreference(String key, String title, int helpMsgId, String defaultValue) {
+        if (mContentValues.get(key) == null)
+            mContentValues.put(key, defaultValue);
+        mPreferences.add(new TextPreference(this, title, helpMsgId, key));
+    }
+
+    public void addPreference(String key, String title, int helpMsgId, boolean defaultValue) {
+        BooleanPreference preference = new BooleanPreference(this, title, helpMsgId, key);
+        if (mContentValues.get(key) == null)
+            preference.persist(defaultValue);
+        mPreferences.add(preference);
+    }
+
+    public void addPreference(String key, String title, int helpMsgId, String[] values, String defaultValue) {
+        if (mContentValues.get(key) == null)
+            mContentValues.put(key, defaultValue);
+        mPreferences.add(new SpinnerPreference(this, key, title, helpMsgId, values));
+    }
+}
diff --git a/src/org/xapek/andiodine/preferences/SpinnerPreference.java b/src/org/xapek/andiodine/preferences/SpinnerPreference.java
new file mode 100644
index 0000000..3528f05
--- /dev/null
+++ b/src/org/xapek/andiodine/preferences/SpinnerPreference.java
@@ -0,0 +1,47 @@
+package org.xapek.andiodine.preferences;
+
+import android.content.Context;
+import android.view.View;
+import android.widget.AdapterView;
+import android.widget.AdapterView.OnItemSelectedListener;
+import android.widget.ArrayAdapter;
+import android.widget.Spinner;
+
+public class SpinnerPreference extends AbstractPreference {
+	private final String[] mValues;
+
+	public SpinnerPreference(PreferenceActivity preferenceActivity, String key, String title, int helpResId,
+			String[] values) {
+		super(preferenceActivity, title, helpResId, key);
+		mValues = values;
+	}
+
+	@Override
+	protected View getListItemView(Context context) {
+		Spinner view = new Spinner(context);
+		view.setAdapter(new ArrayAdapter<String>(context, android.R.layout.simple_list_item_1, mValues));
+
+		int i = 0;
+		for (final String value : mValues) {
+			if (value != null && value.equals(getAsString())) {
+				view.setSelection(i);
+				break;
+			}
+			i++;
+		}
+
+		view.setOnItemSelectedListener(new OnItemSelectedListener() {
+			@Override
+			public void onItemSelected(AdapterView<?> parent, View view, int position, long id) {
+				String item = mValues[position];
+				persist(item);
+			}
+
+			@Override
+			public void onNothingSelected(AdapterView<?> parent) {
+			}
+		});
+
+		return view;
+	}
+}
diff --git a/src/org/xapek/andiodine/preferences/TextPreference.java b/src/org/xapek/andiodine/preferences/TextPreference.java
new file mode 100644
index 0000000..ae28f1e
--- /dev/null
+++ b/src/org/xapek/andiodine/preferences/TextPreference.java
@@ -0,0 +1,35 @@
+package org.xapek.andiodine.preferences;
+
+import android.content.Context;
+import android.text.Editable;
+import android.text.TextWatcher;
+import android.view.View;
+import android.widget.EditText;
+
+public class TextPreference extends AbstractPreference {
+	public TextPreference(PreferenceActivity preferenceActivity, String title, int helpMsgId, String key) {
+		super(preferenceActivity, title, helpMsgId, key);
+	}
+
+	@Override
+	protected View getListItemView(Context context) {
+		final EditText view = new EditText(context);
+		view.setSingleLine();
+		view.setText(getAsString());
+		view.addTextChangedListener(new TextWatcher() {
+			@Override
+			public void onTextChanged(CharSequence s, int start, int before, int count) {
+			}
+
+			@Override
+			public void beforeTextChanged(CharSequence s, int start, int count, int after) {
+			}
+
+			@Override
+			public void afterTextChanged(Editable s) {
+				persist(s.toString());
+			}
+		});
+		return view;
+	}
+}
diff --git a/tests/AndroidManifest.xml b/tests/AndroidManifest.xml
new file mode 100644
index 0000000..e9e5343
--- /dev/null
+++ b/tests/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- package name must be unique so suffix with "tests" so package loader doesn't ignore us -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.HelloJni.tests"
+    android:versionCode="1"
+    android:versionName="1.0" >
+
+    <uses-sdk
+            android:minSdkVersion="14"
+            android:targetSdkVersion="16" />
+
+    <!--
+         We add an application tag here just so that we can indicate that
+         this package needs to link against the android.test library,
+         which is needed when building test cases.
+    -->
+    <application>
+        <uses-library android:name="android.test.runner" />
+    </application>
+    <!--
+    This declares that this application uses the instrumentation test runner targeting
+    the package of com.example.HelloJni.  To run the tests use the command:
+    "adb shell am instrument -w com.example.HelloJni.tests/android.test.InstrumentationTestRunner"
+    -->
+    <instrumentation
+        android:name="android.test.InstrumentationTestRunner"
+        android:label="Tests for HelloJni"
+        android:targetPackage="com.example.HelloJni" />
+
+</manifest>
\ No newline at end of file
diff --git a/tests/proguard-project.txt b/tests/proguard-project.txt
new file mode 100644
index 0000000..f2fe155
--- /dev/null
+++ b/tests/proguard-project.txt
@@ -0,0 +1,20 @@
+# To enable ProGuard in your project, edit project.properties
+# to define the proguard.config property as described in that file.
+#
+# Add project specific ProGuard rules here.
+# By default, the flags in this file are appended to flags specified
+# in ${sdk.dir}/tools/proguard/proguard-android.txt
+# You can edit the include path and order by changing the ProGuard
+# include property in project.properties.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# Add any project specific keep options here:
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
diff --git a/tests/project.properties b/tests/project.properties
new file mode 100644
index 0000000..9fb894d
--- /dev/null
+++ b/tests/project.properties
@@ -0,0 +1,14 @@
+# This file is automatically generated by Android Tools.
+# Do not modify this file -- YOUR CHANGES WILL BE ERASED!
+#
+# This file must be checked in Version Control Systems.
+#
+# To customize properties used by the Ant build system edit
+# "ant.properties", and override values to adapt the script to your
+# project structure.
+#
+# To enable ProGuard to shrink and obfuscate your code, uncomment this (available properties: sdk.dir, user.home):
+#proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
+
+# Project target.
+target=android-3
diff --git a/tests/src/org/xapek/andiodine/HelloJniTest.java b/tests/src/org/xapek/andiodine/HelloJniTest.java
new file mode 100644
index 0000000..14322f3
--- /dev/null
+++ b/tests/src/org/xapek/andiodine/HelloJniTest.java
@@ -0,0 +1,22 @@
+package org.xapek.andiodine;
+
+import android.test.ActivityInstrumentationTestCase2;
+
+import org.xapek.andiodine.IodineMain;
+
+/**
+ * This is a simple framework for a test of an Application.  See
+ * {@link android.test.ApplicationTestCase ApplicationTestCase} for more information on
+ * how to write and extend Application tests.
+ * <p/>
+ * To run this test, you can type:
+ * adb shell am instrument -w \
+ * -e class org.xapek.andiodine.HelloJniTest \
+ * com.example.HelloJni.tests/android.test.InstrumentationTestRunner
+ */
+public class HelloJniTest extends ActivityInstrumentationTestCase2<org.xapek.andiodine.IodineMain> {
+    public HelloJniTest() {
+        super(IodineMain.class);
+    }
+
+}
diff --git a/tests/tests.iml b/tests/tests.iml
new file mode 100644
index 0000000..6698b2b
--- /dev/null
+++ b/tests/tests.iml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="FacetManager">
+    <facet type="android" name="Android">
+      <configuration>
+        <notImportedProperties>
+          <property>MANIFEST_FILE_PATH</property>
+          <property>RESOURCES_DIR_PATH</property>
+          <property>ASSETS_DIR_PATH</property>
+          <property>NATIVE_LIBS_DIR_PATH</property>
+        </notImportedProperties>
+      </configuration>
+    </facet>
+  </component>
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/gen" isTestSource="false" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="module" module-name="andiodine" scope="PROVIDED" />
+  </component>
+</module>
+