diff --git a/configure.ac b/configure.ac

index 518b6d8..d90a88f 100644

--- a/configure.ac

+++ b/configure.ac

@@ -425,6 +425,8 @@ AC_CONFIG_FILES([

 	tools/nlmtest/Makefile

 	tools/rpcdebug/Makefile

 	tools/rpcgen/Makefile

+	tools/mountstats/Makefile

+	tools/nfs-iostat/Makefile

 	utils/Makefile

 	utils/exportfs/Makefile

 	utils/gssd/Makefile

diff --git a/support/export/client.c b/support/export/client.c

index 5e937b0..6a25928 100644

--- a/support/export/client.c

+++ b/support/export/client.c

@@ -32,11 +32,26 @@ extern int	innetgr(char *netgr, char *host, char *, char *);

 static char	*add_name(char *old, const char *add);

 static void	client_init(nfs_client *clp, const char *hname,

 					struct hostent *hp);

-static int	client_checkaddr(nfs_client *clp, struct in_addr addr);

 nfs_client	*clientlist[MCL_MAXTYPES] = { NULL, };

+static void

+init_addrlist(nfs_client *clp, const struct hostent *hp)

+{

+	char **ap;

+	int i;

+

+	if (hp == NULL)

+		return;

+

+	ap = hp->h_addr_list;

+	for (i = 0; *ap != NULL && i < NFSCLNT_ADDRMAX; i++, ap++)

+		clp->m_addrlist[i] = *(struct in_addr *)*ap;

+

+	clp->m_naddr = i;

+}

+

 /* if canonical is set, then we *know* this is already a canonical name

  * so hostname lookup is avoided.

  * This is used when reading /proc/fs/nfs/exports

@@ -97,14 +112,8 @@ client_lookup(char *hname, int canonical)

 		client_add(clp);

 	}

-	if (htype == MCL_FQDN && clp->m_naddr == 0 && hp != NULL) {

-		char	**ap = hp->h_addr_list;

-		int	i;

-

-		for (i = 0; *ap && i < NFSCLNT_ADDRMAX; i++, ap++)

-			clp->m_addrlist[i] = *(struct in_addr *)*ap;

-		clp->m_naddr = i;

-	}

+	if (htype == MCL_FQDN && clp->m_naddr == 0)

+		init_addrlist(clp, hp);

 	if (hp)

 		free (hp);

@@ -138,6 +147,7 @@ client_init(nfs_client *clp, const char *hname, struct hostent *hp)

 	clp->m_exported = 0;

 	clp->m_count = 0;

+	clp->m_naddr = 0;

 	if (clp->m_type == MCL_SUBNETWORK) {

 		char	*cp = strchr(clp->m_hostname, '/');

@@ -161,18 +171,10 @@ client_init(nfs_client *clp, const char *hname, struct hostent *hp)

 			}

 		}

 		*cp = '/';

-		clp->m_naddr = 0;

-	} else if (!hp) {

-		clp->m_naddr = 0;

-	} else {

-		char	**ap = hp->h_addr_list;

-		int	i;

-

-		for (i = 0; *ap && i < NFSCLNT_ADDRMAX; i++, ap++) {

-			clp->m_addrlist[i] = *(struct in_addr *)*ap;

-		}

-		clp->m_naddr = i;

+		return;

 	}

+	

+	init_addrlist(clp, hp);

 }

 void

@@ -329,101 +331,158 @@ add_name(char *old, const char *add)

 }

 /*

- * Match a host (given its hostent record) to a client record. This

- * is usually called from mountd.

+ * Check each address listed in @hp against each address

+ * stored in @clp.  Return 1 if a match is found, otherwise

+ * zero.

  */

-int

-client_check(nfs_client *clp, struct hostent *hp)

+static int

+check_fqdn(const nfs_client *clp, const struct hostent *hp)

 {

-	char	*hname = (char *) hp->h_name;

-	char	*cname = clp->m_hostname;

-	char	**ap;

+	struct in_addr addr;

+	char **ap;

+	int i;

-	switch (clp->m_type) {

-	case MCL_FQDN:

-	case MCL_SUBNETWORK:

-		for (ap = hp->h_addr_list; *ap; ap++) {

-			if (client_checkaddr(clp, *(struct in_addr *) *ap))

-				return 1;

-		}

-		return 0;

-	case MCL_WILDCARD:

-		if (wildmat(hname, cname))

-			return 1;

-		else {

-			for (ap = hp->h_aliases; *ap; ap++)

-				if (wildmat(*ap, cname))

-					return 1;

-		}

-		return 0;

-	case MCL_NETGROUP:

-#ifdef HAVE_INNETGR

-		{

-			char	*dot;

-			int	match, i;

-			struct hostent *nhp = NULL;

-			struct sockaddr_in addr;

-

-			/* First, try to match the hostname without

-			 * splitting off the domain */

-			if (innetgr(cname+1, hname, NULL, NULL))

+	for (ap = hp->h_addr_list; *ap; ap++) {

+		addr = *(struct in_addr *)*ap;

+

+		for (i = 0; i < clp->m_naddr; i++)

+			if (clp->m_addrlist[i].s_addr == addr.s_addr)

 				return 1;

+	}

+	return 0;

+}

-			/* try the aliases as well */

-			for (i = 0; hp->h_aliases[i]; i++) {

-				if (innetgr(cname+1, hp->h_aliases[i], NULL, NULL))

-					return 1;

-			}

+/*

+ * Check each address listed in @hp against the subnetwork or

+ * host address stored in @clp.  Return 1 if an address in @hp

+ * matches the host address stored in @clp, otherwise zero.

+ */

+static int

+check_subnetwork(const nfs_client *clp, const struct hostent *hp)

+{

+	struct in_addr addr;

+	char **ap;

-			/* If hname is ip address convert to FQDN */

-			if (inet_aton(hname, &addr.sin_addr) &&

-			   (nhp = gethostbyaddr((const char *)&(addr.sin_addr),

-			    sizeof(addr.sin_addr), AF_INET))) {

-				hname = (char *)nhp->h_name;

-				if (innetgr(cname+1, hname, NULL, NULL))

-					return 1;

-			}

+	for (ap = hp->h_addr_list; *ap; ap++) {

+		addr = *(struct in_addr *)*ap;

-			/* Okay, strip off the domain (if we have one) */

-			if ((dot = strchr(hname, '.')) == NULL)

-				return 0;

+		if (!((clp->m_addrlist[0].s_addr ^ addr.s_addr) &

+		      clp->m_addrlist[1].s_addr))

+			return 1;

+	}

+	return 0;

+}

-			*dot = '\0';

-			match = innetgr(cname+1, hname, NULL, NULL);

-			*dot = '.';

+/*

+ * Check if a wildcard nfs_client record matches the canonical name

+ * or the aliases of a host.  Return 1 if a match is found, otherwise

+ * zero.

+ */

+static int

+check_wildcard(const nfs_client *clp, const struct hostent *hp)

+{

+	char *cname = clp->m_hostname;

+	char *hname = hp->h_name;

+	char **ap;

-			return match;

-		}

-#else

-		return 0;

-#endif

-	case MCL_ANONYMOUS:

+	if (wildmat(hname, cname))

 		return 1;

-	case MCL_GSS:

-		return 0;

-	default:

-		xlog(L_FATAL, "internal: bad client type %d", clp->m_type);

+

+	/* See if hname aliases listed in /etc/hosts or nis[+]

+	 * match the requested wildcard */

+	for (ap = hp->h_aliases; *ap; ap++) {

+		if (wildmat(*ap, cname))

+			return 1;

 	}

 	return 0;

 }

+/*

+ * Check if @hp's hostname or aliases fall in a given netgroup.

+ * Return 1 if @hp represents a host in the netgroup, otherwise zero.

+ */

+#ifdef HAVE_INNETGR

+static int

+check_netgroup(const nfs_client *clp, const struct hostent *hp)

+{

+	const char *netgroup = clp->m_hostname + 1;

+	const char *hname = hp->h_name;

+	struct hostent *nhp = NULL;

+	struct sockaddr_in addr;

+	int match, i;

+	char *dot;

+

+	/* First, try to match the hostname without

+	 * splitting off the domain */

+	if (innetgr(netgroup, hname, NULL, NULL))

+		return 1;

+

+	/* See if hname aliases listed in /etc/hosts or nis[+]

+	 * match the requested netgroup */

+	for (i = 0; hp->h_aliases[i]; i++) {

+		if (innetgr(netgroup, hp->h_aliases[i], NULL, NULL))

+			return 1;

+	}

+

+	/* If hname is ip address convert to FQDN */

+	if (inet_aton(hname, &addr.sin_addr) &&

+	   (nhp = gethostbyaddr((const char *)&(addr.sin_addr),

+	    sizeof(addr.sin_addr), AF_INET))) {

+		hname = nhp->h_name;

+		if (innetgr(netgroup, hname, NULL, NULL))

+			return 1;

+	}

+

+	/* Okay, strip off the domain (if we have one) */

+	dot = strchr(hname, '.');

+	if (dot == NULL)

+		return 0;

+

+	*dot = '\0';

+	match = innetgr(netgroup, hname, NULL, NULL);

+	*dot = '.';

+

+	return match;

+}

+#else	/* !HAVE_INNETGR */

 static int

-client_checkaddr(nfs_client *clp, struct in_addr addr)

+check_netgroup(__attribute__((unused)) const nfs_client *clp,

+		__attribute__((unused)) const struct hostent *hp)

 {

-	int	i;

+	return 0;

+}

+#endif	/* !HAVE_INNETGR */

+/**

+ * client_check - check if IP address information matches a cached nfs_client

+ * @clp: pointer to a cached nfs_client record

+ * @hp: pointer to hostent containing host IP information

+ *

+ * Returns 1 if the address information matches the cached nfs_client,

+ * otherwise zero.

+ */

+int

+client_check(nfs_client *clp, struct hostent *hp)

+{

 	switch (clp->m_type) {

 	case MCL_FQDN:

-		for (i = 0; i < clp->m_naddr; i++) {

-			if (clp->m_addrlist[i].s_addr == addr.s_addr)

-				return 1;

-		}

-		return 0;

+		return check_fqdn(clp, hp);

 	case MCL_SUBNETWORK:

-		return !((clp->m_addrlist[0].s_addr ^ addr.s_addr)

-			& clp->m_addrlist[1].s_addr);

+		return check_subnetwork(clp, hp);

+	case MCL_WILDCARD:

+		return check_wildcard(clp, hp);

+	case MCL_NETGROUP:

+		return check_netgroup(clp, hp);

+	case MCL_ANONYMOUS:

+		return 1;

+	case MCL_GSS:

+		return 0;

+	default:

+		xlog(D_GENERAL, "%s: unrecognized client type: %d",

+				__func__, clp->m_type);

 	}

+

 	return 0;

 }

diff --git a/support/export/export.c b/support/export/export.c

index 42e78f6..3e4da69 100644

--- a/support/export/export.c

+++ b/support/export/export.c

@@ -28,6 +28,18 @@ static int	export_check(nfs_export *, struct hostent *, char *);

 static nfs_export *

 		export_allowed_internal(struct hostent *hp, char *path);

+static void

+export_free(nfs_export *exp)

+{

+	xfree(exp->m_export.e_squids);

+	xfree(exp->m_export.e_sqgids);

+	free(exp->m_export.e_mountpoint);

+	free(exp->m_export.e_fslocdata);

+

+	xfree(exp->m_export.e_hostname);

+	xfree(exp);

+}

+

 static void warn_duplicated_exports(nfs_export *exp, struct exportent *eep)

 {

 	if (exp->m_export.e_flags != eep->e_flags) {

@@ -117,6 +129,10 @@ export_dup(nfs_export *exp, struct hostent *hp)

 	if (exp->m_export.e_hostname)

 		new->m_export.e_hostname = xstrdup(exp->m_export.e_hostname);

 	clp = client_dup(exp->m_client, hp);

+	if (clp == NULL) {

+		export_free(new);

+		return NULL;

+	}

 	clp->m_count++;

 	new->m_client = clp;

 	new->m_mayexport = exp->m_mayexport;

@@ -260,6 +276,10 @@ export_check(nfs_export *exp, struct hostent *hp, char *path)

 	return client_check(exp->m_client, hp);

 }

+/**

+ * export_freeall - deallocate all nfs_export records

+ *

+ */

 void

 export_freeall(void)

 {

@@ -270,16 +290,7 @@ export_freeall(void)

 		for (exp = exportlist[i].p_head; exp; exp = nxt) {

 			nxt = exp->m_next;

 			client_release(exp->m_client);

-			if (exp->m_export.e_squids)

-				xfree(exp->m_export.e_squids);

-			if (exp->m_export.e_sqgids)

-				xfree(exp->m_export.e_sqgids);

-			if (exp->m_export.e_mountpoint)

-				free(exp->m_export.e_mountpoint);

-			if (exp->m_export.e_fslocdata)

-				free(exp->m_export.e_fslocdata);

-			xfree(exp->m_export.e_hostname);

-			xfree(exp);

+			export_free(exp);

 		}

 		for (j = 0; j < HASH_TABLE_SIZE; j++) {

 			exportlist[i].entries[j].p_first = NULL;

diff --git a/support/include/nfslib.h b/support/include/nfslib.h

index 537a31e..e44cf8f 100644

--- a/support/include/nfslib.h

+++ b/support/include/nfslib.h

@@ -152,6 +152,8 @@ void qword_addhex(char **bpp, int *lp, char *buf, int blen);

 void qword_addint(char **bpp, int *lp, int n);

 void qword_adduint(char **bpp, int *lp, unsigned int n);

 void qword_addeol(char **bpp, int *lp);

+int qword_get_uint(char **bpp, unsigned int *anint);

+void qword_printuint(FILE *f, unsigned int num);

 void closeall(int min);

diff --git a/support/nfs/cacheio.c b/support/nfs/cacheio.c

index 0587ecb..55fa45d 100644

--- a/support/nfs/cacheio.c

+++ b/support/nfs/cacheio.c

@@ -241,7 +241,7 @@ int qword_get_int(char **bpp, int *anint)

 	return 0;

 }

-int qword_get_uint(char *bpp, unsigned int *anint)

+int qword_get_uint(char **bpp, unsigned int *anint)

 {

 	char buf[50];

 	char *ep;

diff --git a/tests/t0001-statd-basic-mon-unmon.sh b/tests/t0001-statd-basic-mon-unmon.sh

old mode 100644

new mode 100755

diff --git a/tools/Makefile.am b/tools/Makefile.am

index db15346..f2ce282 100644

--- a/tools/Makefile.am

+++ b/tools/Makefile.am

@@ -6,6 +6,6 @@ if CONFIG_RPCGEN

 OPTDIRS += rpcgen

 endif

-SUBDIRS = locktest rpcdebug nlmtest $(OPTDIRS)

+SUBDIRS = locktest rpcdebug nlmtest mountstats nfs-iostat $(OPTDIRS)

 MAINTAINERCLEANFILES = Makefile.in

diff --git a/tools/mountstats/Makefile.am b/tools/mountstats/Makefile.am

new file mode 100644

index 0000000..ca617a2

--- /dev/null

+++ b/tools/mountstats/Makefile.am

@@ -0,0 +1,13 @@

+## Process this file with automake to produce Makefile.in

+PYTHON_FILES =  mountstats.py

+

+man8_MANS	= mountstats.man

+

+EXTRA_DIST	= $(man8_MANS) $(PYTHON_FILES)

+

+all-local: $(PYTHON_FILES)

+

+install-data-hook:

+	$(INSTALL) --mode 755 mountstats.py $(DESTDIR)$(sbindir)/mountstats

+

+MAINTAINERCLEANFILES=Makefile.in

diff --git a/tools/mountstats/mountstats.man b/tools/mountstats/mountstats.man

new file mode 100644

index 0000000..0de31b7

--- /dev/null

+++ b/tools/mountstats/mountstats.man

@@ -0,0 +1,32 @@

+.\"

+.\" mountstats(8)

+.\"

+.TH mountstats 8 "15 Apr 2010"

+.SH NAME

+mountstats \- Displays NFS client per-mount statistics

+.SH SYNOPSIS

+.BI "mountstats ["<options> "] " <mount_point> " [ " <mount_point> "]" 

+.SH DESCRIPTION

+The

+.B mountstats

+command displays NFS client statisitics on each given

+.I <mount_point>

+.SH OPTIONS

+.TP

+.B " \-\-nfs

+display only the NFS statistics

+.TP

+.B " \-\-rpc 

+display only the RPC statistics

+.TP

+.B " \-\-version 

+display the version of this command

+.SH FILES

+.TP

+.B /proc/self/mountstats

+.SH SEE ALSO

+.BR iostat (8),

+.BR nfsiostat (8),

+.BR nfsstat(8)

+.SH AUTHOR

+Chuck Lever <chuck.lever@oracle.com>

diff --git a/tools/nfs-iostat/Makefile.am b/tools/nfs-iostat/Makefile.am

new file mode 100644

index 0000000..30f4054

--- /dev/null

+++ b/tools/nfs-iostat/Makefile.am

@@ -0,0 +1,13 @@

+## Process this file with automake to produce Makefile.in

+PYTHON_FILES =  nfs-iostat.py

+

+man8_MANS	= nfsiostat.man

+

+EXTRA_DIST	= $(man8_MANS) $(PYTHON_FILES)

+

+all-local: $(PYTHON_FILES)

+

+install-data-hook:

+	$(INSTALL) --mode 755 nfs-iostat.py $(DESTDIR)$(sbindir)/nfsiostat

+

+MAINTAINERCLEANFILES=Makefile.in

diff --git a/tools/nfs-iostat/nfsiostat.man b/tools/nfs-iostat/nfsiostat.man

new file mode 100644

index 0000000..7b1e0a8

--- /dev/null

+++ b/tools/nfs-iostat/nfsiostat.man

@@ -0,0 +1,70 @@

+.\"

+.\" nfsiostat(8)

+.\"

+.TH nfsiostat 8 "15 Apr 2010"

+.SH NAME

+nfsiostat \- Emulate iostat for NFS mount points using /proc/self/mountstats

+.SH SYNOPSIS

+.BI "nfsiostat [[" <interval> "] [" <count> "]] [" <options> "]["<mount_point> "]

+.SH DESCRIPTION

+The

+.B nfsiostat

+command displays NFS client per-mount statisitics. 

+.TP 

+<interval>

+specifies the amount of time in seconds between each report.

+The first report contains statistics for the time since each file

+system was mounted.  Each subsequent report contains statistics collected

+during the interval since the previous report.

+.TP

+<count>

+If the

+.I <count>

+parameter is

+specified, the value of 

+.I <count> 

+determines the number of reports generated at

+. <interval> 

+seconds apart. if the interval parameter is 

+specified without the

+.I <count> 

+parameter, the command generates reports continuously.

+.TP

+<options>

+Define below

+.TP

+<mount_point>

+If one or more

+.I <mount point> 

+names are specified, statistics for only these mount points will

+be displayed.  Otherwise, all NFS mount points on the client are listed.

+.SH OPTIONS

+.TP

+.B \-a " or " \-\-attr

+displays statistics related to the attribute cache

+.TP

+.B \-d " or " \-\-dir 

+displays statistics related to directory operations

+.TP

+.B \-h " or " \-\-help 

+shows help message and exit

+.TP

+.B \-l LIST or " \-\-list=LIST 

+only print stats for first LIST mount points

+.TP

+.B \-p " or " \-\-page

+displays statistics related to the page cache

+.TP

+.B \-s " or " \-\-sort

+Sort NFS mount points by ops/second

+.B \-\-version

+show program's version number and exit

+.SH FILES

+.TP

+.B /proc/self/mountstats

+.SH SEE ALSO

+.BR iostat (8),

+.BR mountstats (8),

+.BR nfsstat(8)

+.SH AUTHOR

+Chuck Lever <chuck.lever@oracle.com>

diff --git a/utils/gssd/context.h b/utils/gssd/context.h

index be47f9c..c9cb0bd 100644

--- a/utils/gssd/context.h

+++ b/utils/gssd/context.h

@@ -1,5 +1,5 @@

 /*

-  Copyright (c) 2004 The Regents of the University of Michigan.

+  Copyright (c) 2004,2008 The Regents of the University of Michigan.

   All rights reserved.

   Redistribution and use in source and binary forms, with or without

@@ -36,6 +36,10 @@

 /* Hopefully big enough to hold any serialized context */

 #define MAX_CTX_LEN 4096

+/* New context format flag values */

+#define KRB5_CTX_FLAG_INITIATOR         0x00000001

+#define KRB5_CTX_FLAG_CFX               0x00000002

+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004

 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,

 				 gss_OID mech, int32_t *endtime);

diff --git a/utils/gssd/context_lucid.c b/utils/gssd/context_lucid.c

index 4a682ae..b87bf76 100644

--- a/utils/gssd/context_lucid.c

+++ b/utils/gssd/context_lucid.c

@@ -42,6 +42,7 @@

 #include <stdio.h>

 #include <syslog.h>

 #include <string.h>

+#include <errno.h>

 #include <gssapi/gssapi_krb5.h>

@@ -119,15 +120,13 @@ prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,

 	 * Note that the rfc1964 version only supports DES enctypes.

 	 */

 	if (lctx->rfc1964_kd.ctx_key.type != 4) {

-		printerr(1, "prepare_krb5_rfc1964_buffer: "

-			    "overriding heimdal keytype (%d => %d)\n",

-			    lctx->rfc1964_kd.ctx_key.type, 4);

+		printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",

+			 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);

 		lctx->rfc1964_kd.ctx_key.type = 4;

 	}

 #endif

-	printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with "

-		 "enctype %d and length %d\n",

-		 lctx->rfc1964_kd.ctx_key.type,

+	printerr(2, "%s: serializing keys with enctype %d and length %d\n",

+		 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,

 		 lctx->rfc1964_kd.ctx_key.length);

 	/* derive the encryption key and copy it into buffer */

@@ -158,11 +157,100 @@ out_err:

 	return -1;

 }

+/* Flags for version 2 context flags */

+#define KRB5_CTX_FLAG_INITIATOR		0x00000001

+#define KRB5_CTX_FLAG_CFX		0x00000002

+#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004

+

+/*

+ * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),

+ * to send to the kernel for newer encryption types -- or for DES3.

+ *

+ * The new format is:

+ *

+ *	u32 flags;

+ *	#define KRB5_CTX_FLAG_INITIATOR		0x00000001

+ *	#define KRB5_CTX_FLAG_CFX		0x00000002

+ *	#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY	0x00000004

+ *	s32 endtime;

+ *	u64 seq_send;

+ *	u32  enctype;			( encrption type of key )

+ *	raw key;			( raw key bytes (kernel will derive))

+ *

+ */

 static int

-prepare_krb5_rfc_cfx_buffer(gss_krb5_lucid_context_v1_t *lctx,

+prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,

 	gss_buffer_desc *buf, int32_t *endtime)

 {

-	printerr(0, "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented\n");

+	char *p, *end;

+	uint32_t v2_flags = 0;

+	uint32_t enctype;

+	uint32_t keysize;

+

+	if (!(buf->value = calloc(1, MAX_CTX_LEN)))

+		goto out_err;

+	p = buf->value;

+	end = buf->value + MAX_CTX_LEN;

+

+	/* Version 2 */

+	if (lctx->initiate)

+		v2_flags |= KRB5_CTX_FLAG_INITIATOR;

+	if (lctx->protocol != 0)

+		v2_flags |= KRB5_CTX_FLAG_CFX;

+	if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)

+		v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;

+

+	if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;

+	if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;

+	if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;

+

+	/* Protocol 0 here implies DES3 or RC4 */

+	printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);

+	if (lctx->protocol == 0) {

+		enctype = lctx->rfc1964_kd.ctx_key.type;

+		keysize = lctx->rfc1964_kd.ctx_key.length;

+	} else {

+		if (lctx->cfx_kd.have_acceptor_subkey) {

+			enctype = lctx->cfx_kd.acceptor_subkey.type;

+			keysize = lctx->cfx_kd.acceptor_subkey.length;

+		} else {

+			enctype = lctx->cfx_kd.ctx_key.type;

+			keysize = lctx->cfx_kd.ctx_key.length;

+		}

+	}

+	printerr(2, "%s: serializing key with enctype %d and size %d\n",

+		 __FUNCTION__, enctype, keysize);

+

+	if (WRITE_BYTES(&p, end, enctype)) goto out_err;

+

+	if (lctx->protocol == 0) {

+		if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,

+				lctx->rfc1964_kd.ctx_key.length))

+			goto out_err;

+	} else {

+		if (lctx->cfx_kd.have_acceptor_subkey) {

+			if (write_bytes(&p, end,

+					lctx->cfx_kd.acceptor_subkey.data,

+					lctx->cfx_kd.acceptor_subkey.length))

+				goto out_err;

+		} else {