diff --git a/lib/libcrypt/crypt.3 b/lib/libcrypt/crypt.3
index 41c36c32ca95..8fc6da25d279 100644
--- a/lib/libcrypt/crypt.3
+++ b/lib/libcrypt/crypt.3
@@ -1,203 +1,204 @@
 .\" FreeSec: libcrypt for NetBSD
 .\"
 .\" Copyright (c) 1994 David Burren
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 4. Neither the name of the author nor the names of other contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\"	$FreeBSD$
 .\"
 .\" Manual page, using -mandoc macros
 .\"
 .Dd January 19, 1997
 .Dt CRYPT 3
 .Os "FreeSec 1.0"
 .Sh NAME
 .Nm crypt
 .Nd Trapdoor encryption
 .Sh SYNOPSIS
+.Fd #include <unistd.h>
 .Ft char *
 .Fn crypt "const char *key" "const char *salt"
 .Sh DESCRIPTION
 The
 .Fn crypt
 function performs password hashing with additional code added to
 deter key search attempts.  Different algorithms can be used to
 in the hash.
 .\"
 .\" NOTICE:
 .\" If you add more algorithms, make sure to update this list
 .\" and the default used for the Traditional format, below.
 .\"
 Currently these include the
 .Tn NBS
 Data Encryption Standard (DES), MD5 or SHS.  The algorithm
 used will depend upon the format of the Salt--following the Modular
 Crypt Format (MCF)--and if DES is installed or not.
 .Pp
 The first argument to
 .Nm crypt
 is the data to hash (usually a password), in a
 .Dv null Ns -terminated
 string.
 The second is the salt, in one of three forms:
 .Pp
 .Bl -tag -width Traditional -compact -offset indent
 .It Extended
 If it begins with an underscore (``_'') then the DES Extended Format
 is used in interpreting both the the key and the salt, as outlined below.
 .It Modular
 If it begins with the string ``$digit$'' then the Modular Crypt Format
 is used, as outlined below.
 .It Traditional
 If neither of the above is true, it assumes the Traditional Format,
 using the entire string as the salt (or the first portion).
 .El
 .Pp
 All routines are designed to be time-consuming.  A brief test on a
 Pentium 166/MMX shows the DES crypt to do approximately 2640 crypts
 a CPU second, MD5 to do about 62 crypts a CPU second and SHA1
 to do about 18 crypts a CPU second.
 .Ss DES Extended Format:
 .Pp
 The
 .Ar key
 is divided into groups of 8 characters (the last group is null-padded)
 and the low-order 7 bits of each each character (56 bits per group) are
 used to form the DES key as follows:
 the first group of 56 bits becomes the initial DES key.
 For each additional group, the XOR of the encryption of the current DES
 key with itself and the group bits becomes the next DES key.
 .Pp
 The salt is a 9-character array consisting of an underscore followed
 by 4 bytes of iteration count and 4 bytes of salt.
 These are encoded as printable characters, 6 bits per character,
 least significant character first.
 The values 0 to 63 are encoded as ``./0-9A-Za-z''.
 This allows 24 bits for both
 .Fa count
 and
 .Fa salt .
 .Pp
 The
 .Fa salt
 introduces disorder in the
 .Tn DES
 algorithm in one of 16777216 or 4096 possible ways
 (ie. with 24 or 12 bits: if bit
 .Em i
 of the
 .Ar salt
 is set, then bits
 .Em i
 and
 .Em i+24
 are swapped in the
 .Tn DES
 E-box output).
 .Pp
 The DES key is used to encrypt a 64-bit constant using
 .Ar count
 iterations of
 .Tn DES .
 The value returned is a
 .Dv null Ns -terminated
 string, 20 or 13 bytes (plus null) in length, consisting of the
 .Ar salt
 followed by the encoded 64-bit encryption.
 .Ss "Modular" crypt:
 .Pp
 If the salt begins with the string 
 .Fa $digit$
 then the Modular Crypt Format is used.  The
 .Fa digit
 represents which algorithm is used in encryption.  Following the token is
 the actual salt to use in the encryption.  The length of the salt is limited
 to 16 characters--because the length of the returned output is also limited
 (_PASSWORD_LEN).  The salt must be terminated with the end of the string
 (NULL) or a dollar sign.  Any characters after the dollar sign are ignored.
 .Pp
 Currently supported algorithms are:
 .Pp
 .Bl -tag -width 012345678 -compact -offset indent
 .It 1
 MD5
 .It 3
 SHA1
 .El
 .Pp
 Other crypt formats may be easilly added.  An example salt would be:
 .Bl -tag -offset indent
 .It Cm "$3$thesalt$rest"
 .El
 .Pp
 .Ss "Traditional" crypt:
 .Pp
 The algorithm used will depend upon whether DES is installed or not.  If it is,
 DES will be used.  Otherwise, the best algorithm is used, which is currently
 .\"
 .\" NOTICE: Also make sure to update this
 .\"
 SHA-1.
 .Pp
 How the salt is used will depend upon the algorithm for the hash.  For
 best results, specify at least two characters of salt.
 .Sh RETURN VALUES
 .Pp
 .Fn crypt
 returns a pointer to the encrypted value on success, and NULL on failure.
 Note: this is not a standard behaviour, AT&T
 .Fn crypt
 will always return a pointer to a string.
 .Sh SEE ALSO
 .Xr login 1 ,
 .Xr passwd 1 ,
 .Xr getpass 3 ,
 .Xr passwd 5 ,
 .Xr shs 3 ,
 .Sh BUGS
 The
 .Fn crypt
 function returns a pointer to static data, and subsequent calls to
 .Fn crypt
 will modify the same data.
 .Sh HISTORY
 A rotor-based
 .Fn crypt
 function appeared in
 .At v6 .
 The current style
 .Fn crypt
 first appeared in
 .At v7 .
 .Pp
 The DES section of the code (FreeSec 1.0) was developed outside the United
 States of America as an unencumbered replacement for the U.S.-only NetBSD
 libcrypt encryption library.
 Users should be aware that this code (and programs staticly linked with it)
 may not be exported from the U.S., although it apparently can be imported.
 .Sh AUTHORS
 Originally written by David Burren <davidb@werj.com.au>, later additions
 and changes by Brandon Gillespie, Poul-henning Kamp and Mark R V Murray.
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
index 559d5fa1d60b..3c3d45c4c452 100644
--- a/lib/libipsec/ipsec_set_policy.3
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -1,253 +1,254 @@
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. Neither the name of the project nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\"     $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
 .\"     $FreeBSD$
 .\"
 .Dd May 5, 1998
 .Dt IPSEC_SET_POLICY 3
 .Os KAME
 .\"
 .Sh NAME
 .Nm ipsec_set_policy ,
 .Nm ipsec_get_policylen ,
 .Nm ipsec_dump_policy
 .Nd manipulate IPsec policy specification structure from readable string
 .\"
 .Sh SYNOPSIS
+.Fd #include <sys/types.h>
 .Fd #include <netinet6/ipsec.h>
 .Ft "char *"
 .Fn ipsec_set_policy "char *policy" "int len"
 .Ft int
 .Fn ipsec_get_policylen "char *buf"
 .Ft "char *"
 .Fn ipsec_dump_policy "char *buf" "char *delim"
 .\"
 .Sh DESCRIPTION
 .Fn ipsec_set_policy
 generates IPsec policy specification structure, namely
 .Li struct sadb_x_policy
 and/or
 .Li struct sadb_x_ipsecrequest
 from human-readable policy specification.
 policy specification must be given as C string
 .Fa policy
 and length
 .Fa len
 of
 .Fa policy .
 .Fn ipsec_set_policy
 will return the buffer of IPsec policy specification structure.
 .Pp
 You may want the length of the generated buffer such when calling
 .Xr setsockopt 2 .
 .Fn ipsec_get_policylen
 will return the length.
 .Pp
 .Fn ipsec_dump_policy
 converts IPsec policy structure into readable form.
 Therefore,
 .Fn ipsec_dump_policy
 can be regarded as inverse conversion of
 .Fn ipsec_set_policy .
 .Fa buf
 points to a IPsec policy structure,
 .Li struct sadb_x_policy .
 .Fa delim
 is a delimiter string, which is usually a blank character.
 If you set
 .Fa delim
 to
 .Dv NULL ,
 single whitespace is assumed.
 .Fn ipsec_dump_policy
 returns pointer to dynamically allocated string.
 It is caller's responsibility to reclaim the region, by using
 .Xr free 3 .
 .Pp
 .\"
 .Fa policy
 is formatted as either of the following:
 .Bl -tag  -width "discard"
 .It Ar direction Li entrust
 .Ar direction
 must be
 .Li in
 or
 .Li out .
 .Ar direction
 specifies which direction the policy needs to be applied.
 .Li entrust
 means to consult to SPD defined by
 .Xr setkey 8 .
 .It Ar direction Li bypass
 .Li bypass
 means to be bypassed the IPsec processing.
 .Po
 packet will be transmitted in clear
 .Pc .
 This is for privileged socket.
 .It Xo
 .Ar direction
 .Li ipsec
 .Ar request ...
 .Xc
 .Li ipsec
 means that the matching packets are subject to IPsec processing.
 .Li ipsec
 can be followed by one or more
 .Ar request
 string, which is formatted as below:
 .Bl -tag  -width "discard"
 .It Xo
 .Ar protocol
 .Li /
 .Ar mode
 .Li /
 .Ar src
 .Li -
 .Ar dst
 .Op Ar /level
 .Xc
 .Ar protocol
 is either
 .Li ah ,
 .Li esp
 or
 .Li ipcomp .
 .Pp
 .Ar mode
 is either
 .Li transport
 or
 .Li tunnel .
 .Pp
 .Ar src
 and
 .Ar dst
 specifies IPsec endpoint.
 .Ar src
 always means
 .Dq sending node
 and
 .Ar dst
 always means
 .Dq receiving node .
 Therefore, when
 .Ar direction
 is
 .Li in ,
 .Ar dst
 is this node
 and
 .Ar src
 is the other node
 .Pq peer .
 .Pp
 .Ar level
 must be set to one of the following:
 .Li default , use
 or
 .Li require .
 .Li default
 means that the kernel should consult the system default policy
 defined by
 .Xr sysctl 8 ,
 such as
 .Li net.inet.ipsec.esp_trans_deflev .
 See
 .Xr ipsec 4
 regarding the system default.
 .Li use
 means that a relevant SA can be used when available,
 since the kernel may perform IPsec operation against packets when possible.
 In this case, packets can be transmitted in clear
 .Pq when SA is not available ,
 or encrypted
 .Pq when SA is available .
 .Li require
 means that a relevant SA is required,
 since the kernel must perform IPsec operation against packets.
 If the
 .Ar request
 string is kept unambiguous,
 .Ar level
 and slash prior to
 .Ar level
 can be omitted.
 However, it is encouraged to specify them explicitly
 to avoid unintended behaviors.
 If
 .Ar level
 is omitted, it will be interpreted as
 .Li default .
 .El
 .El
 .Pp
 Note that there is a bit difference of specification from
 .Xr setkey 8 .
 In specification by
 .Xr setkey 8 ,
 both entrust and bypass are not used.  Refer to
 .Xr setkey 8
 for detail.
 .Pp
 Here are several examples
 .Pq long lines are wrapped for readability :
 .Bd -literal -offset indent
 in discard
 out ipsec esp/transport/10.1.1.1-10.1.1.2/require
 in ipsec ah/transport/10.1.1.2-10.1.1.1/require
 in ipsec esp/transport/10.1.1.2-10.1.1.1/use
         ah/tunnel/10.1.1.2-10.1.1.1/require
 in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
         esp/transport/10.1.1.2-10.1.1.1/use
 .Ed
 .\"
 .Sh RETURN VALUES
 .Fn ipsec_set_policy
 returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
 .Fn ipsec_get_policylen
 returns with positive value
 .Pq meaning the buffer size
 on success, and negative value on errors.
 .Fn ipsec_dump_policy
 returns a pointer to dynamically allocated region on success,
 and
 .Dv NULL
 on errors.
 .\"
 .Sh SEE ALSO
 .Xr ipsec_strerror 3 ,
 .Xr ispec 4
 .Xr setkey 8
 .\"
 .Sh HISTORY
 The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
 .\"
 .\" .Sh BUGS
 .\" (to be written)